diff --git a/userspace/falco/app/actions/helpers_interesting_sets.cpp b/userspace/falco/app/actions/helpers_interesting_sets.cpp
index 4592eae6..075a0272 100644
--- a/userspace/falco/app/actions/helpers_interesting_sets.cpp
+++ b/userspace/falco/app/actions/helpers_interesting_sets.cpp
@@ -19,6 +19,19 @@ limitations under the License.
 using namespace falco::app;
 using namespace falco::app::actions;
+static std::unordered_set extract_negative_base_syscalls_names(const std::unordered_set& base_syscalls_names)
+{
+ std::unordered_set negative_names = {};
+ for (const std::string &ev : base_syscalls_names)
+ {
+ if(ev.at(0) == '!')
+ {
+ negative_names.insert(ev.substr(1, ev.size()));
+ }
+ }
+ return negative_names;
+}
+
 static libsinsp::events::set extract_rules_event_set(falco::app::state& s)
 {
 /* Get all (positive) PPME events from all rules as idx codes.
@@ -75,6 +88,37 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set
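Review bot: `ev.at(0)` in extract_negative_base_syscalls_names throws std::out_of_range on an empty string, so an empty `base_syscalls` entry in the user config turns into an exception at startup (unless something further up catches it, which I cannot see from here) rather than the invalid-name warning the caller prints; an entry that is just `!` also passes the check and inserts an empty name via `substr(1, ev.size())`. Guard the length and drop the redundant count argument: `if (!ev.empty() && ev.front() == '!')` and `negative_names.insert(ev.substr(1));`. The template arguments of the two `std::unordered_set` types are stripped in this rendering; I am assuming `std::unordered_set<std::string>` throughout.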

m_base_syscalls;
+ if (!user_base_syscalls_names.empty())
+ {
+ auto valid_events = libsinsp::events::names_to_event_set(user_base_syscalls_names);
+ auto negative_names = extract_negative_base_syscalls_names(user_base_syscalls_names);
+ auto valid_negative_events = libsinsp::events::names_to_event_set(negative_names);
+
+ auto n_invalid_positive_names = (user_base_syscalls_names.size() - negative_names.size()) - libsinsp::events::names_to_sc_set(user_base_syscalls_names).size();
+ if (n_invalid_positive_names > 0)
+ {
+ std::cerr << "User config base_syscalls includes (" +
+ std::to_string(n_invalid_positive_names) + ") invalid event names -> check for typos: warning (invalid-evttype)" << std::endl;
+ }
+ auto n_invalid_negative_names = (negative_names.size()) - libsinsp::events::names_to_sc_set(negative_names).size();
+ if (n_invalid_negative_names > 0)
+ {
+ std::cerr << "User config base_syscalls includes (" +
+ std::to_string(n_invalid_negative_names) + ") invalid event names -> check for typos: warning (invalid-evttype)" << std::endl;
+ }
+ s.selected_event_set = rules_event_set.merge(valid_events).diff(valid_negative_events);
+ auto valid_negative_events_names = libsinsp::events::event_set_to_names(valid_negative_events);
+ falco_logger::log(LOG_DEBUG, "-(" + std::to_string(valid_negative_events_names.size()) +
+ ") events removed from rules (base_syscalls override): " +
+ concat_set_in_order(valid_negative_events_names) + "\n");
+ }
+ else
+ {
+ base_event_set = libsinsp::events::sinsp_state_event_set();
+ s.selected_event_set = rules_event_set.merge(base_event_set);
+ }
+
 /* Derive the diff between the additional syscalls added via libsinsp state enforcement and the syscalls from each Falco rule. */
 auto non_rules_event_set = s.selected_event_set.diff(rules_event_set);
@@ -82,7 +126,7 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set
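Review bot: `n_invalid_positive_names` and `n_invalid_negative_names` are computed by unsigned subtraction of two `size()` values, so they wrap to a huge number whenever the `names_to_sc_set(...)` result has more elements than the name count it is subtracted from, and the `> 0` checks then print a warning with a bogus count. I cannot confirm from here whether a single name can expand to several sc codes, but `names_to_sc_set` is also handed the `!`-prefixed entries, so the two sides of each subtraction are not obviously counting the same things. Compare the sizes before subtracting, and make the second warning say it concerns negated names, since both messages currently print identical text. select_event_set starts before and continues after this hunk; note that `base_event_set` is only assigned in the else branch, so whatever reads it after the hunk sees it unset when the user supplied a list — worth confirming that is intended.
```cpp
// … unchanged: valid_events / negative_names / valid_negative_events …
const std::size_t n_positive_names = user_base_syscalls_names.size() - negative_names.size();
const std::size_t n_valid_positive = libsinsp::events::names_to_sc_set(user_base_syscalls_names).size();
if (n_valid_positive < n_positive_names)
{
	std::cerr << "User config base_syscalls includes (" +
		std::to_string(n_positive_names - n_valid_positive) + ") invalid event names -> check for typos: warning (invalid-evttype)" << std::endl;
}
const std::size_t n_valid_negative = libsinsp::events::names_to_sc_set(negative_names).size();
if (n_valid_negative < negative_names.size())
{
	std::cerr << "User config base_syscalls includes (" +
		std::to_string(negative_names.size() - n_valid_negative) + ") invalid negated event names -> check for typos: warning (invalid-evttype)" << std::endl;
}
// … unchanged: selected_event_set merge/diff and the debug log …
```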

#include
+#include
+#include
#include
#include
@@ -311,6 +313,8 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
 m_cpus_for_each_syscall_buffer = config.get_scalar("modern_bpf.cpus_for_each_syscall_buffer", 2);
+ config.get_sequence>(m_base_syscalls, std::string("base_syscalls"));
+
 std::set load_plugins;
 bool load_plugins_node_defined = config.is_defined("load_plugins");
diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
index b3d43756..e4f864e1 100644
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -106,6 +106,9 @@ public:
 // Number of CPUs associated with a single ring buffer.
 uint16_t m_cpus_for_each_syscall_buffer;
+ // User supplied base_syscalls, overrides any Falco state engine enforcement.
+ std::unordered_set m_base_syscalls;
+
 std::vector m_plugins;
 private: