From 88a57bfd1a93b24e49bc9ce6284273b6139ca3d1 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 11 Jan 2024 13:03:35 -0800 Subject: [PATCH] Add ability for rulesets to access falco engine state Some rulesets may need information which is held by the falco_engine that created this ruleset. So define a set of functions in a struct and have setters/getters for those functions in the base class. Derived classes can use the struct's functions to obtain the falco engine information. The only function so far is to obtain the filter_ruleset for a given event source. Signed-off-by: Mark Stemm --- userspace/engine/CMakeLists.txt | 1 + userspace/engine/falco_engine.cpp | 31 +++++++++++++++++++++++++++-- userspace/engine/falco_engine.h | 8 ++++++++ userspace/engine/filter_ruleset.cpp | 28 ++++++++++++++++++++++++++ userspace/engine/filter_ruleset.h | 17 ++++++++++++++++ 5 files changed, 83 insertions(+), 2 deletions(-) create mode 100644 userspace/engine/filter_ruleset.cpp diff --git a/userspace/engine/CMakeLists.txt b/userspace/engine/CMakeLists.txt index 78f681ce..b3d6f086 100644 --- a/userspace/engine/CMakeLists.txt +++ b/userspace/engine/CMakeLists.txt @@ -16,6 +16,7 @@ add_library(falco_engine STATIC falco_engine.cpp falco_load_result.cpp falco_utils.cpp + filter_ruleset.cpp evttype_index_ruleset.cpp formats.cpp filter_details_resolver.cpp diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp index e02711b4..cc13461f 100644 --- a/userspace/engine/falco_engine.cpp +++ b/userspace/engine/falco_engine.cpp @@ -66,6 +66,8 @@ falco_engine::falco_engine(bool seed_rng) } m_default_ruleset_id = find_ruleset_id(s_default_ruleset); + + fill_engine_state_funcs(m_engine_state); } falco_engine::~falco_engine() @@ -208,7 +210,7 @@ std::unique_ptr falco_engine::load_rules(const std::string &rules_c // add rules to each ruleset { - src.ruleset = src.ruleset_factory->new_ruleset(); + src.ruleset = create_ruleset(src.ruleset_factory); src.ruleset->add_compile_output(*(m_last_compile_output.get()), m_min_priority, src.name); @@ -467,7 +469,7 @@ std::size_t falco_engine::add_source(const std::string &source, src.filter_factory = filter_factory; src.formatter_factory = formatter_factory; src.ruleset_factory = ruleset_factory; - src.ruleset = ruleset_factory->new_ruleset(); + src.ruleset = create_ruleset(src.ruleset_factory); return m_sources.insert(src, source); } @@ -1007,6 +1009,31 @@ bool falco_engine::check_plugin_requirements( return true; } +std::shared_ptr falco_engine::create_ruleset(std::shared_ptr &ruleset_factory) +{ + auto ret = ruleset_factory->new_ruleset(); + + ret->set_engine_state(m_engine_state); + + return ret; +} + +void falco_engine::fill_engine_state_funcs(filter_ruleset::engine_state_funcs &engine_state) +{ + engine_state.get_ruleset = [this](const std::string &source_name, std::shared_ptr &ruleset) -> bool + { + falco_source *src = m_sources.at(source_name); + if(src == nullptr) + { + return false; + } + + ruleset = src->ruleset; + + return true; + }; +}; + void falco_engine::complete_rule_loading() const { for (const auto &src : m_sources) diff --git a/userspace/engine/falco_engine.h b/userspace/engine/falco_engine.h index cc9487aa..07b0f4ba 100644 --- a/userspace/engine/falco_engine.h +++ b/userspace/engine/falco_engine.h @@ -321,6 +321,14 @@ public: std::string& err) const; private: + // Create a ruleset using the provided factory and set the + // engine state funcs for it. + std::shared_ptr create_ruleset(std::shared_ptr& ruleset_factory); + + // Functions to retrieve state from this engine + void fill_engine_state_funcs(filter_ruleset::engine_state_funcs& engine_state); + + filter_ruleset::engine_state_funcs m_engine_state; // Throws falco_exception if the file can not be read void read_file(const std::string& filename, std::string& contents); diff --git a/userspace/engine/filter_ruleset.cpp b/userspace/engine/filter_ruleset.cpp new file mode 100644 index 00000000..f99c2434 --- /dev/null +++ b/userspace/engine/filter_ruleset.cpp @@ -0,0 +1,28 @@ +// SPDX-License-Identifier: Apache-2.0 +/* +Copyright (C) 2024 The Falco Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +#include "filter_ruleset.h" + +void filter_ruleset::set_engine_state(filter_ruleset::engine_state_funcs& engine_state) +{ + m_engine_state = engine_state; +} + +filter_ruleset::engine_state_funcs& filter_ruleset::get_engine_state() +{ + return m_engine_state; +} diff --git a/userspace/engine/filter_ruleset.h b/userspace/engine/filter_ruleset.h index 34f9be7a..1214b983 100644 --- a/userspace/engine/filter_ruleset.h +++ b/userspace/engine/filter_ruleset.h @@ -21,6 +21,7 @@ limitations under the License. #include "rule_loader_compile_output.h" #include #include +#include #include #include #include @@ -29,11 +30,24 @@ limitations under the License. \brief Manages a set of rulesets. A ruleset is a set of enabled rules that is able to process events and find matches for those rules. */ + class filter_ruleset { public: + // A set of functions that can be used to retrieve state from + // the falco engine that created this ruleset. + struct engine_state_funcs + { + using ruleset_retriever_func_t = std::function &ruleset)>; + + ruleset_retriever_func_t get_ruleset; + }; + virtual ~filter_ruleset() = default; + void set_engine_state(engine_state_funcs &engine_state); + engine_state_funcs &get_engine_state(); + /*! \brief Adds a rule and its filtering filter + condition inside the manager. This method only adds the rule inside the internal collection, @@ -211,6 +225,9 @@ public: virtual void disable_tags( const std::set &tags, uint16_t ruleset_id) = 0; + +private: + engine_state_funcs m_engine_state; }; /*!