diff --git a/userspace/engine/evttype_index_ruleset.cpp b/userspace/engine/evttype_index_ruleset.cpp index 31b6be56..e52655eb 100644 --- a/userspace/engine/evttype_index_ruleset.cpp +++ b/userspace/engine/evttype_index_ruleset.cpp @@ -179,17 +179,6 @@ void evttype_index_ruleset::add( } } -uint16_t evttype_index_ruleset::ruleset_id(const std::string &name) -{ - auto it = find(m_ruleset_names.begin(), m_ruleset_names.end(), name); - if (it != m_ruleset_names.end()) - { - return it - m_ruleset_names.begin(); - } - m_ruleset_names.push_back(name); - return m_ruleset_names.size() - 1; -} - void evttype_index_ruleset::on_loading_complete() { // nothing to do for now @@ -205,9 +194,19 @@ void evttype_index_ruleset::clear() m_filters.clear(); } -void evttype_index_ruleset::enable(const string &substring, bool match_exact, bool enabled, uint16_t ruleset) +void evttype_index_ruleset::enable(const string &substring, bool match_exact, uint16_t ruleset_id) { - while(m_rulesets.size() < (size_t)ruleset + 1) + enable_disable(substring, match_exact, true, ruleset_id); +} + +void evttype_index_ruleset::disable(const string &substring, bool match_exact, uint16_t ruleset_id) +{ + enable_disable(substring, match_exact, false, ruleset_id); +} + +void evttype_index_ruleset::enable_disable(const string &substring, bool match_exact, bool enabled, uint16_t ruleset_id) +{ + while(m_rulesets.size() < (size_t)ruleset_id + 1) { m_rulesets.emplace_back(new ruleset_filters()); } @@ -232,19 +231,29 @@ void evttype_index_ruleset::enable(const string &substring, bool match_exact, bo { if(enabled) { - m_rulesets[ruleset]->add_filter(wrap); + m_rulesets[ruleset_id]->add_filter(wrap); } else { - m_rulesets[ruleset]->remove_filter(wrap); + m_rulesets[ruleset_id]->remove_filter(wrap); } } } } -void evttype_index_ruleset::enable_tags(const set &tags, bool enabled, uint16_t ruleset) +void evttype_index_ruleset::enable_tags(const set &tags, uint16_t ruleset_id) { - while(m_rulesets.size() < (size_t)ruleset + 1) + enable_disable_tags(tags, true, ruleset_id); +} + +void evttype_index_ruleset::disable_tags(const set &tags, uint16_t ruleset_id) +{ + enable_disable_tags(tags, false, ruleset_id); +} + +void evttype_index_ruleset::enable_disable_tags(const set &tags, bool enabled, uint16_t ruleset_id) +{ + while(m_rulesets.size() < (size_t)ruleset_id + 1) { m_rulesets.emplace_back(new ruleset_filters()); } @@ -261,42 +270,42 @@ void evttype_index_ruleset::enable_tags(const set &tags, bool enabled, u { if(enabled) { - m_rulesets[ruleset]->add_filter(wrap); + m_rulesets[ruleset_id]->add_filter(wrap); } else { - m_rulesets[ruleset]->remove_filter(wrap); + m_rulesets[ruleset_id]->remove_filter(wrap); } } } } -uint64_t evttype_index_ruleset::enabled_count(uint16_t ruleset) +uint64_t evttype_index_ruleset::enabled_count(uint16_t ruleset_id) { - while(m_rulesets.size() < (size_t)ruleset + 1) + while(m_rulesets.size() < (size_t)ruleset_id + 1) { m_rulesets.emplace_back(new ruleset_filters()); } - return m_rulesets[ruleset]->num_filters(); + return m_rulesets[ruleset_id]->num_filters(); } -bool evttype_index_ruleset::run(gen_event *evt, falco_rule& match, uint16_t ruleset) +bool evttype_index_ruleset::run(gen_event *evt, falco_rule& match, uint16_t ruleset_id) { - if(m_rulesets.size() < (size_t)ruleset + 1) + if(m_rulesets.size() < (size_t)ruleset_id + 1) { return false; } - return m_rulesets[ruleset]->run(evt, match); + return m_rulesets[ruleset_id]->run(evt, match); } -void evttype_index_ruleset::enabled_evttypes(set &evttypes, uint16_t ruleset) +void evttype_index_ruleset::enabled_evttypes(set &evttypes, uint16_t ruleset_id) { - if(m_rulesets.size() < (size_t)ruleset + 1) + if(m_rulesets.size() < (size_t)ruleset_id + 1) { return; } - return m_rulesets[ruleset]->evttypes_for_ruleset(evttypes); + return m_rulesets[ruleset_id]->evttypes_for_ruleset(evttypes); } diff --git a/userspace/engine/evttype_index_ruleset.h b/userspace/engine/evttype_index_ruleset.h index 9ae94456..acdd1aaf 100644 --- a/userspace/engine/evttype_index_ruleset.h +++ b/userspace/engine/evttype_index_ruleset.h @@ -42,27 +42,32 @@ public: void add( const falco_rule& rule, std::shared_ptr condition) override; - + void clear() override; - uint16_t ruleset_id(const std::string &name) override; + bool run(gen_event *evt, falco_rule& match, uint16_t rulset_id); - bool run(gen_event *evt, falco_rule& match, uint16_t ruleset = 0); - - uint64_t enabled_count(uint16_t ruleset = 0) override; + uint64_t enabled_count(uint16_t ruleset_id) override; void on_loading_complete() override; void enable( const std::string &substring, bool match_exact, - bool enabled, - uint16_t ruleset = 0) override; + uint16_t rulset_id) override; + + void disable( + const std::string &substring, + bool match_exact, + uint16_t rulset_id) override; void enable_tags( const std::set &tags, - bool enabled, - uint16_t ruleset = 0) override; + uint16_t rulset_id) override; + + void disable_tags( + const std::set &tags, + uint16_t rulset_id) override; // evttypes for a ruleset void enabled_evttypes( @@ -71,6 +76,19 @@ public: private: + // Helper used by enable()/disable() + void enable_disable( + const std::string &substring, + bool match_exact, + bool enabled, + uint16_t rulset_id); + + // Helper used by enable_tags()/disable_tags() + void enable_disable_tags( + const std::set &tags, + bool enabled, + uint16_t rulset_id); + struct filter_wrapper { falco_rule rule; @@ -137,4 +155,4 @@ public: private: std::shared_ptr m_filter_factory; -}; \ No newline at end of file +}; diff --git a/userspace/engine/ruleset.h b/userspace/engine/ruleset.h index 33bdb273..8ae5475e 100644 --- a/userspace/engine/ruleset.h +++ b/userspace/engine/ruleset.h @@ -44,21 +44,13 @@ public: virtual void add( const falco_rule& rule, std::shared_ptr condition) = 0; - + /*! \brief Erases the internal state. All rules are disabled in each ruleset, and all the rules defined with add() are removed. */ virtual void clear() = 0; - /*! - \brief Returns the numeric id of a ruleset given its name. - If a ruleset has been used before, its previously assigned id is - returned. Otherwise, a new ruleset is created with the given name - and a new id is assigned to it. - */ - virtual uint16_t ruleset_id(const std::string &name) = 0; - /*! \brief This is meant to be called after all rules have been added with add() and enabled on the given ruleset with enable()/enable_tags(). @@ -71,61 +63,87 @@ public: \param evt The event to be processed \param match If true is returned, this is filled-out with the rule that matched the event - \param ruleset The id of the ruleset to be used + \param ruleset_id The id of the ruleset to be used */ virtual bool run( gen_event *evt, falco_rule& match, - uint16_t ruleset = 0) = 0; - + uint16_t ruleset_id) = 0; + /*! \brief Returns the number of rules enabled in a given ruleset - \param ruleset The id of the ruleset to be used + \param ruleset_id The id of the ruleset to be used */ - virtual uint64_t enabled_count(uint16_t ruleset = 0) = 0; + virtual uint64_t enabled_count(uint16_t ruleset_id) = 0; /*! \brief Returns the union of the evttypes of all the rules enabled in a given ruleset - \param ruleset The id of the ruleset to be used + \param ruleset_id The id of the ruleset to be used */ virtual void enabled_evttypes( std::set &evttypes, uint16_t ruleset) = 0; /*! - \brief Find those rules matching the provided substring and set - their enabled status to enabled in a given ruleset. + \brief Find those rules matching the provided substring and enable + them in the provided ruleset. \param substring Substring used to match rule names. If empty, all rules are matched. \param match_exact If true, substring must be an exact match for a given rule name. Otherwise, any rules having substring as a substring in the rule name are enabled/disabled. - \param enabled The enabled status to set on all matching rules - \param ruleset The id of the ruleset to be used + \param ruleset_id The id of the ruleset to be used */ virtual void enable( const std::string &substring, bool match_exact, - bool enabled, - uint16_t ruleset = 0) = 0; + uint16_t ruleset_id) = 0; + + /*! + \brief Find those rules matching the provided substring and disable + them in the provided ruleset. + \param substring Substring used to match rule names. + If empty, all rules are matched. + \param match_exact If true, substring must be an exact match for a + given rule name. Otherwise, any rules having substring as a substring + in the rule name are enabled/disabled. + \param ruleset_id The id of the ruleset to be used + */ + virtual void disable( + const std::string &substring, + bool match_exact, + uint16_t ruleset_id) = 0; /*! \brief Find those rules that have a tag in the set of tags and - set their enabled status to enabled. Note that the enabled + enable them for the provided ruleset. Note that the enabled status is on the rules, and not the tags--if a rule R has - tags (a, b), and you call enable_tags([a], true) and then - enable_tags([b], false), R will be disabled despite the + tags (a, b), and you call enable_tags([a]) and then + disable_tags([b]), R will be disabled despite the fact it has tag a and was enabled by the first call to enable_tags. \param substring Tags used to match ruless - \param enabled The enabled status to set on all matching rules - \param ruleset The id of the ruleset to be used + \param ruleset_id The id of the ruleset to be used */ virtual void enable_tags( const std::set &tags, - bool enabled, - uint16_t ruleset = 0) = 0; + uint16_t ruleset_id) = 0; + + /*! + \brief Find those rules that have a tag in the set of tags and + disable them for the provided ruleset. Note that the disabled + status is on the rules, and not the tags--if a rule R has + tags (a, b), and you call enable_tags([a]) and then + disable_tags([b]), R will be disabled despite the + fact it has tag a and was enabled by the first call to + enable_tags. + \param substring Tags used to match ruless + \param ruleset_id The id of the ruleset to be used + */ + virtual void disable_tags( + const std::set &tags, + uint16_t ruleset_id) = 0; }; /*!