Also include all exception fields in rule_result

When returning a rule_result struct, also include a set of field names used by all exceptions for this rule. This may make building exception values a bit easier. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2026-01-29 21:48:32 +00:00 · 2021-01-07 17:34:00 -08:00
parent 49b8f87db4
commit 8c4040b610
3 changed files with 51 additions and 38 deletions
--- a/userspace/engine/lua/rule_loader.lua
+++ b/userspace/engine/lua/rule_loader.lua
@@ -674,7 +674,8 @@ function load_rules_doc(rules_mgr, doc, load_state)
 end

 -- cond and not ((proc.name=apk and fd.directory=/usr/lib/alpine) or (proc.name=npm and fd.directory=/usr/node/bin) or ...)
-function build_exception_condition_string_multi_fields(eitem)
+-- Populates exfields with all fields used
+function build_exception_condition_string_multi_fields(eitem, exfields)

   local fields = eitem['fields']
   local comps = eitem['comps']
@@ -721,6 +722,7 @@ function build_exception_condition_string_multi_fields(eitem)
 	 end

 	 icond = icond..fields[k].." "..comps[k].." "..istr
+	 exfields[fields[k]] = true
      end

      icond=icond..")"
@@ -737,7 +739,7 @@ function build_exception_condition_string_multi_fields(eitem)

 end

-function build_exception_condition_string_single_field(eitem)
+function build_exception_condition_string_single_field(eitem, exfields)

   local icond = ""

@@ -753,6 +755,8 @@ function build_exception_condition_string_single_field(eitem)
 	 icond = icond..", "
      end

+      exfields[eitem['fields']] = true
+
      icond = icond..quote_item(value)
   end

@@ -896,15 +900,17 @@ function load_rules(sinsp_lua_parser,

      local econd = ""

+      local exfields = {}
+
      -- Turn exceptions into condition strings and add them to each
      -- rule's condition
      for _, eitem in ipairs(v['exceptions']) do

 	 local icond, err
 	 if type(eitem['fields']) == "table" then
-	    icond, err = build_exception_condition_string_multi_fields(eitem)
+	    icond, err = build_exception_condition_string_multi_fields(eitem, exfields)
 	 else
-	    icond, err = build_exception_condition_string_single_field(eitem)
+	    icond, err = build_exception_condition_string_single_field(eitem, exfields)
 	 end

 	 if err ~= nil then
@@ -916,6 +922,8 @@ function load_rules(sinsp_lua_parser,
 	 end
      end

+      state.rules_by_name[name]['exception_fields'] = exfields
+
      if econd ~= "" then
 	 state.rules_by_name[name]['compile_condition'] = "("..state.rules_by_name[name]['condition']..") "..econd
      else
@@ -1143,7 +1151,14 @@ function on_event(rule_id)
   -- Prefix output with '*' so formatting is permissive
   output = "*"..rule.output

-   return rule.rule, rule.priority_num, output
+   -- Also return all fields from all exceptions
+   combined_rule = state.rules_by_name[rule.rule]
+
+   if combined_rule == nil then
+      error ("rule_loader.on_event(): could not find rule by name: ", rule.rule)
+   end
+
+   return rule.rule, rule.priority_num, output, combined_rule.exception_fields
 end

 function print_stats()