github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-04 18:36:48 +00:00
Code Issues Projects Releases Wiki Activity

fix(userspace/engine): actually make m_filter_all_event_types useful by properly using it as fallback when no filter event types is provided.

Browse Source 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
This commit is contained in:
Federico Di Pierro 2022-01-27 14:08:46 +01:00 committed by poiana
parent 6a42f4a133
commit 8e6ffc6fc9
1 changed files with 10 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
userspace/engine/ruleset.cpp
View File

@ -68,9 +68,6 @@ void falco_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_wrapper>
{ {
std::set<uint16_t> fevttypes = wrap->filter->evttypes(); std::set<uint16_t> fevttypes = wrap->filter->evttypes();
// TODO: who fills this one for rules without evt.type specified?
// Can this be actually empty?
// Is m_filter_all_event_types useful?
if(fevttypes.empty()) if(fevttypes.empty())
{ {
// Should run for all event types // Should run for all event types
@ -121,18 +118,16 @@ uint64_t falco_ruleset::ruleset_filters::num_filters()
bool falco_ruleset::ruleset_filters::run(gen_event *evt) bool falco_ruleset::ruleset_filters::run(gen_event *evt)
{ {
if(evt->get_type() >= m_filter_by_event_type.size()) if(evt->get_type() < m_filter_by_event_type.size())
{ {
return false; for(auto &wrap : m_filter_by_event_type[evt->get_type()])
} {
if(wrap->filter->run(evt))
for(auto &wrap : m_filter_by_event_type[evt->get_type()]) {
{ return true;
if(wrap->filter->run(evt)) }
{ }
return true; }
}
}
// Finally, try filters that are not specific to an event type. // Finally, try filters that are not specific to an event type.
for(auto &wrap : m_filter_all_event_types) for(auto &wrap : m_filter_all_event_types)