Add ability for rulesets to access falco engine state

Some rulesets may need information which is held by the falco_engine that created this ruleset. So define a set of functions in a struct and have setters/getters for those functions in the base class. Derived classes can use the struct's functions to obtain the falco engine information. The only function so far is to obtain the filter_ruleset for a given event source. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-09-08 01:59:33 +00:00 · 2024-01-11 13:03:35 -08:00
parent ce5a50cbb5
commit 88a57bfd1a
5 changed files with 83 additions and 2 deletions
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@@ -66,6 +66,8 @@ falco_engine::falco_engine(bool seed_rng)
 	}

 	m_default_ruleset_id = find_ruleset_id(s_default_ruleset);
+
+	fill_engine_state_funcs(m_engine_state);
 }

 falco_engine::~falco_engine()
@@ -208,7 +210,7 @@ std::unique_ptr<load_result> falco_engine::load_rules(const std::string &rules_c

 		// add rules to each ruleset
 		{
-			src.ruleset = src.ruleset_factory->new_ruleset();
+			src.ruleset = create_ruleset(src.ruleset_factory);
 			src.ruleset->add_compile_output(*(m_last_compile_output.get()),
 							m_min_priority,
 							src.name);
@@ -467,7 +469,7 @@ std::size_t falco_engine::add_source(const std::string &source,
 	src.filter_factory = filter_factory;
 	src.formatter_factory = formatter_factory;
 	src.ruleset_factory = ruleset_factory;
-	src.ruleset = ruleset_factory->new_ruleset();
+	src.ruleset = create_ruleset(src.ruleset_factory);
 	return m_sources.insert(src, source);
 }

@@ -1007,6 +1009,31 @@ bool falco_engine::check_plugin_requirements(
 	return true;
 }

+std::shared_ptr<filter_ruleset> falco_engine::create_ruleset(std::shared_ptr<filter_ruleset_factory> &ruleset_factory)
+{
+	auto ret = ruleset_factory->new_ruleset();
+
+	ret->set_engine_state(m_engine_state);
+
+	return ret;
+}
+
+void falco_engine::fill_engine_state_funcs(filter_ruleset::engine_state_funcs &engine_state)
+{
+	engine_state.get_ruleset = [this](const std::string &source_name, std::shared_ptr<filter_ruleset> &ruleset) -> bool
+	{
+		falco_source *src = m_sources.at(source_name);
+		if(src == nullptr)
+		{
+			return false;
+		}
+
+		ruleset = src->ruleset;
+
+		return true;
+	};
+};
+
 void falco_engine::complete_rule_loading() const
 {
 	for (const auto &src : m_sources)