github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-10 19:19:42 +00:00
Code Issues Projects Releases Wiki Activity

update(userspace): make sure that async event is always matched in rules

Browse Source 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce
2023-05-18 09:37:36 +00:00
committed by poiana
parent 26d9448ba7
commit 9bfce8cfae
3 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
userspace/engine/rule_loader_compiler.cpp
View File

@@ -495,12 +495,11 @@ void rule_loader::compiler::compile_rule_infos(
}
// populate set of event types and emit an special warning
libsinsp::events::set<ppm_event_code> evttypes = { ppm_event_code::PPME_PLUGINEVENT_E };
if(rule.source == falco_common::syscall_source)
{
evttypes = libsinsp::filter::ast::ppm_event_codes(ast.get());
if ((evttypes.empty() || evttypes.size() > 100)
&& r.warn_evttypes)
auto evttypes = libsinsp::filter::ast::ppm_event_codes(ast.get());
evttypes.insert(ppm_event_code::PPME_ASYNCEVENT_E);
if ((evttypes.empty() || evttypes.size() > 100) && r.warn_evttypes)
{
cfg.res->add_warning(
falco::load_result::load_result::LOAD_NO_EVTTYPE,