From 8e6ffc6fc9724c3b5bbab1873f435340f866f516 Mon Sep 17 00:00:00 2001 From: Federico Di Pierro Date: Thu, 27 Jan 2022 14:08:46 +0100 Subject: [PATCH] fix(userspace/engine): actually make m_filter_all_event_types useful by properly using it as fallback when no filter event types is provided. Signed-off-by: Federico Di Pierro --- userspace/engine/ruleset.cpp | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/userspace/engine/ruleset.cpp b/userspace/engine/ruleset.cpp index fe8f5398..16eef124 100644 --- a/userspace/engine/ruleset.cpp +++ b/userspace/engine/ruleset.cpp @@ -68,9 +68,6 @@ void falco_ruleset::ruleset_filters::add_filter(std::shared_ptr { std::set fevttypes = wrap->filter->evttypes(); - // TODO: who fills this one for rules without evt.type specified? - // Can this be actually empty? - // Is m_filter_all_event_types useful? if(fevttypes.empty()) { // Should run for all event types @@ -121,18 +118,16 @@ uint64_t falco_ruleset::ruleset_filters::num_filters() bool falco_ruleset::ruleset_filters::run(gen_event *evt) { - if(evt->get_type() >= m_filter_by_event_type.size()) - { - return false; - } - - for(auto &wrap : m_filter_by_event_type[evt->get_type()]) - { - if(wrap->filter->run(evt)) - { - return true; - } - } + if(evt->get_type() < m_filter_by_event_type.size()) + { + for(auto &wrap : m_filter_by_event_type[evt->get_type()]) + { + if(wrap->filter->run(evt)) + { + return true; + } + } + } // Finally, try filters that are not specific to an event type. for(auto &wrap : m_filter_all_event_types)