Add ability for rulesets to access falco engine state

Some rulesets may need information which is held by the falco_engine that created this ruleset. So define a set of functions in a struct and have setters/getters for those functions in the base class. Derived classes can use the struct's functions to obtain the falco engine information. The only function so far is to obtain the filter_ruleset for a given event source. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-07-03 01:46:38 +00:00 · 2024-01-11 13:03:35 -08:00 · 2024-01-11 13:03:35 -08:00 · 88a57bfd1a
commit 88a57bfd1a
parent ce5a50cbb5
5 changed files with 83 additions and 2 deletions
--- a/userspace/engine/CMakeLists.txt
+++ b/userspace/engine/CMakeLists.txt
@ -16,6 +16,7 @@ add_library(falco_engine STATIC
    falco_engine.cpp
    falco_load_result.cpp
    falco_utils.cpp
+    filter_ruleset.cpp
    evttype_index_ruleset.cpp
    formats.cpp
    filter_details_resolver.cpp
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@ -66,6 +66,8 @@ falco_engine::falco_engine(bool seed_rng)
 	}

 	m_default_ruleset_id = find_ruleset_id(s_default_ruleset);
+
+	fill_engine_state_funcs(m_engine_state);
 }

 falco_engine::~falco_engine()
@ -208,7 +210,7 @@ std::unique_ptr<load_result> falco_engine::load_rules(const std::string &rules_c

 		// add rules to each ruleset
 		{
-			src.ruleset = src.ruleset_factory->new_ruleset();
+			src.ruleset = create_ruleset(src.ruleset_factory);
 			src.ruleset->add_compile_output(*(m_last_compile_output.get()),
 							m_min_priority,
 							src.name);
@ -467,7 +469,7 @@ std::size_t falco_engine::add_source(const std::string &source,
 	src.filter_factory = filter_factory;
 	src.formatter_factory = formatter_factory;
 	src.ruleset_factory = ruleset_factory;
-	src.ruleset = ruleset_factory->new_ruleset();
+	src.ruleset = create_ruleset(src.ruleset_factory);
 	return m_sources.insert(src, source);
 }

@ -1007,6 +1009,31 @@ bool falco_engine::check_plugin_requirements(
 	return true;
 }

+std::shared_ptr<filter_ruleset> falco_engine::create_ruleset(std::shared_ptr<filter_ruleset_factory> &ruleset_factory)
+{
+	auto ret = ruleset_factory->new_ruleset();
+
+	ret->set_engine_state(m_engine_state);
+
+	return ret;
+}
+
+void falco_engine::fill_engine_state_funcs(filter_ruleset::engine_state_funcs &engine_state)
+{
+	engine_state.get_ruleset = [this](const std::string &source_name, std::shared_ptr<filter_ruleset> &ruleset) -> bool
+	{
+		falco_source *src = m_sources.at(source_name);
+		if(src == nullptr)
+		{
+			return false;
+		}
+
+		ruleset = src->ruleset;
+
+		return true;
+	};
+};
+
 void falco_engine::complete_rule_loading() const
 {
 	for (const auto &src : m_sources)
--- a/userspace/engine/falco_engine.h
+++ b/userspace/engine/falco_engine.h
@ -321,6 +321,14 @@ public:
 		std::string& err) const;

 private:
+	// Create a ruleset using the provided factory and set the
+	// engine state funcs for it.
+	std::shared_ptr<filter_ruleset> create_ruleset(std::shared_ptr<filter_ruleset_factory>& ruleset_factory);
+
+	// Functions to retrieve state from this engine
+	void fill_engine_state_funcs(filter_ruleset::engine_state_funcs& engine_state);
+
+	filter_ruleset::engine_state_funcs m_engine_state;

 	// Throws falco_exception if the file can not be read
 	void read_file(const std::string& filename, std::string& contents);
--- a/userspace/engine/filter_ruleset.cpp
+++ b/userspace/engine/filter_ruleset.cpp
@ -0,0 +1,28 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "filter_ruleset.h"
+
+void filter_ruleset::set_engine_state(filter_ruleset::engine_state_funcs& engine_state)
+{
+	m_engine_state = engine_state;
+}
+
+filter_ruleset::engine_state_funcs& filter_ruleset::get_engine_state()
+{
+	return m_engine_state;
+}
--- a/userspace/engine/filter_ruleset.h
+++ b/userspace/engine/filter_ruleset.h
@ -21,6 +21,7 @@ limitations under the License.
 #include "rule_loader_compile_output.h"
 #include <filter/ast.h>
 #include <filter.h>
+#include <functional>
 #include <event.h>
 #include <gen_filter.h>
 #include <events/sinsp_events.h>
@ -29,11 +30,24 @@ limitations under the License.
 	\brief Manages a set of rulesets. A ruleset is a set of
 	enabled rules that is able to process events and find matches for those rules.
 */
+
 class filter_ruleset
 {
 public:
+	// A set of functions that can be used to retrieve state from
+	// the falco engine that created this ruleset.
+	struct engine_state_funcs
+	{
+		using ruleset_retriever_func_t = std::function<bool(const std::string &, std::shared_ptr<filter_ruleset> &ruleset)>;
+
+		ruleset_retriever_func_t get_ruleset;
+	};
+
 	virtual ~filter_ruleset() = default;

+	void set_engine_state(engine_state_funcs &engine_state);
+	engine_state_funcs &get_engine_state();
+
 	/*!
 		\brief Adds a rule and its filtering filter + condition inside the manager.
 	        This method only adds the rule inside the internal collection,
@ -211,6 +225,9 @@ public:
 	virtual void disable_tags(
 		const std::set<std::string> &tags,
 		uint16_t ruleset_id) = 0;
+
+private:
+	engine_state_funcs m_engine_state;
 };

 /*!