github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-19 17:16:53 +00:00
Code Issues Projects Releases Wiki Activity

refactor(userspace/engine): improve ruleset interface definitions

Browse Source 
The filter_ruleset interface its implementation evt_type_index_ruleset
have been modified as follows:
- Only keep track of ruleset ids and not names. The falco engine will take
care of mapping easy-to-remember ruleset names to ruleset ids.
To emphasize this, use ruleset_id everywhere and not ruleset.
Also, make it non-optional.
- Have explicit separate functions to enable/disable rules, instead of a single enable() method combined with a boolean flag.
This does *not* change the falco_engine interface, which has
similar methods, to avoid breaking API changes.

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Co-authored-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Jason Dellaluce 2022-05-23 10:17:05 +00:00 committed by poiana
parent 833fec8537
commit a1bdf95a0f
3 changed files with 111 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
userspace/engine/evttype_index_ruleset.cpp
View File

@ -179,17 +179,6 @@ void evttype_index_ruleset::add(
} }
} }
uint16_t evttype_index_ruleset::ruleset_id(const std::string &name)
{
auto it = find(m_ruleset_names.begin(), m_ruleset_names.end(), name);
if (it != m_ruleset_names.end())
{
return it - m_ruleset_names.begin();
}
m_ruleset_names.push_back(name);
return m_ruleset_names.size() - 1;
}
void evttype_index_ruleset::on_loading_complete() void evttype_index_ruleset::on_loading_complete()
{ {
// nothing to do for now // nothing to do for now
@ -205,9 +194,19 @@ void evttype_index_ruleset::clear()
m_filters.clear(); m_filters.clear();
} }
void evttype_index_ruleset::enable(const string &substring, bool match_exact, bool enabled, uint16_t ruleset) void evttype_index_ruleset::enable(const string &substring, bool match_exact, uint16_t ruleset_id)
{ {
while(m_rulesets.size() < (size_t)ruleset + 1) enable_disable(substring, match_exact, true, ruleset_id);
}
void evttype_index_ruleset::disable(const string &substring, bool match_exact, uint16_t ruleset_id)
{
enable_disable(substring, match_exact, false, ruleset_id);
}
void evttype_index_ruleset::enable_disable(const string &substring, bool match_exact, bool enabled, uint16_t ruleset_id)
{
while(m_rulesets.size() < (size_t)ruleset_id + 1)
{ {
m_rulesets.emplace_back(new ruleset_filters()); m_rulesets.emplace_back(new ruleset_filters());
} }
@ -232,19 +231,29 @@ void evttype_index_ruleset::enable(const string &substring, bool match_exact, bo
{ {
if(enabled) if(enabled)
{ {
m_rulesets[ruleset]->add_filter(wrap); m_rulesets[ruleset_id]->add_filter(wrap);
} }
else else
{ {
m_rulesets[ruleset]->remove_filter(wrap); m_rulesets[ruleset_id]->remove_filter(wrap);
} }
} }
} }
} }
void evttype_index_ruleset::enable_tags(const set<string> &tags, bool enabled, uint16_t ruleset) void evttype_index_ruleset::enable_tags(const set<string> &tags, uint16_t ruleset_id)
{ {
while(m_rulesets.size() < (size_t)ruleset + 1) enable_disable_tags(tags, true, ruleset_id);
}
void evttype_index_ruleset::disable_tags(const set<string> &tags, uint16_t ruleset_id)
{
enable_disable_tags(tags, false, ruleset_id);
}
void evttype_index_ruleset::enable_disable_tags(const set<string> &tags, bool enabled, uint16_t ruleset_id)
{
while(m_rulesets.size() < (size_t)ruleset_id + 1)
{ {
m_rulesets.emplace_back(new ruleset_filters()); m_rulesets.emplace_back(new ruleset_filters());
} }
@ -261,42 +270,42 @@ void evttype_index_ruleset::enable_tags(const set<string> &tags, bool enabled, u
{ {
if(enabled) if(enabled)
{ {
m_rulesets[ruleset]->add_filter(wrap); m_rulesets[ruleset_id]->add_filter(wrap);
} }
else else
{ {
m_rulesets[ruleset]->remove_filter(wrap); m_rulesets[ruleset_id]->remove_filter(wrap);
} }
} }
} }
} }
uint64_t evttype_index_ruleset::enabled_count(uint16_t ruleset) uint64_t evttype_index_ruleset::enabled_count(uint16_t ruleset_id)
{ {
while(m_rulesets.size() < (size_t)ruleset + 1) while(m_rulesets.size() < (size_t)ruleset_id + 1)
{ {
m_rulesets.emplace_back(new ruleset_filters()); m_rulesets.emplace_back(new ruleset_filters());
} }
return m_rulesets[ruleset]->num_filters(); return m_rulesets[ruleset_id]->num_filters();
} }
bool evttype_index_ruleset::run(gen_event *evt, falco_rule& match, uint16_t ruleset) bool evttype_index_ruleset::run(gen_event *evt, falco_rule& match, uint16_t ruleset_id)
{ {
if(m_rulesets.size() < (size_t)ruleset + 1) if(m_rulesets.size() < (size_t)ruleset_id + 1)
{ {
return false; return false;
} }
return m_rulesets[ruleset]->run(evt, match); return m_rulesets[ruleset_id]->run(evt, match);
} }
void evttype_index_ruleset::enabled_evttypes(set<uint16_t> &evttypes, uint16_t ruleset) void evttype_index_ruleset::enabled_evttypes(set<uint16_t> &evttypes, uint16_t ruleset_id)
{ {
if(m_rulesets.size() < (size_t)ruleset + 1) if(m_rulesets.size() < (size_t)ruleset_id + 1)
{ {
return; return;
} }
return m_rulesets[ruleset]->evttypes_for_ruleset(evttypes); return m_rulesets[ruleset_id]->evttypes_for_ruleset(evttypes);
} }

38
userspace/engine/evttype_index_ruleset.h
View File

@ -42,27 +42,32 @@ public:
void add( void add(
const falco_rule& rule, const falco_rule& rule,
std::shared_ptr<libsinsp::filter::ast::expr> condition) override; std::shared_ptr<libsinsp::filter::ast::expr> condition) override;
void clear() override; void clear() override;
uint16_t ruleset_id(const std::string &name) override; bool run(gen_event *evt, falco_rule& match, uint16_t rulset_id);
bool run(gen_event *evt, falco_rule& match, uint16_t ruleset = 0); uint64_t enabled_count(uint16_t ruleset_id) override;
uint64_t enabled_count(uint16_t ruleset = 0) override;
void on_loading_complete() override; void on_loading_complete() override;
void enable( void enable(
const std::string &substring, const std::string &substring,
bool match_exact, bool match_exact,
bool enabled, uint16_t rulset_id) override;
uint16_t ruleset = 0) override;
void disable(
const std::string &substring,
bool match_exact,
uint16_t rulset_id) override;
void enable_tags( void enable_tags(
const std::set<std::string> &tags, const std::set<std::string> &tags,
bool enabled, uint16_t rulset_id) override;
uint16_t ruleset = 0) override;
void disable_tags(
const std::set<std::string> &tags,
uint16_t rulset_id) override;
// evttypes for a ruleset // evttypes for a ruleset
void enabled_evttypes( void enabled_evttypes(
@ -71,6 +76,19 @@ public:
private: private:
// Helper used by enable()/disable()
void enable_disable(
const std::string &substring,
bool match_exact,
bool enabled,
uint16_t rulset_id);
// Helper used by enable_tags()/disable_tags()
void enable_disable_tags(
const std::set<std::string> &tags,
bool enabled,
uint16_t rulset_id);
struct filter_wrapper struct filter_wrapper
{ {
falco_rule rule; falco_rule rule;
@ -137,4 +155,4 @@ public:
private: private:
std::shared_ptr<gen_event_filter_factory> m_filter_factory; std::shared_ptr<gen_event_filter_factory> m_filter_factory;
}; };

74
userspace/engine/ruleset.h
View File

@ -44,21 +44,13 @@ public:
virtual void add( virtual void add(
const falco_rule& rule, const falco_rule& rule,
std::shared_ptr<libsinsp::filter::ast::expr> condition) = 0; std::shared_ptr<libsinsp::filter::ast::expr> condition) = 0;
/*! /*!
\brief Erases the internal state. All rules are disabled in each \brief Erases the internal state. All rules are disabled in each
ruleset, and all the rules defined with add() are removed. ruleset, and all the rules defined with add() are removed.
*/ */
virtual void clear() = 0; virtual void clear() = 0;
/*!
\brief Returns the numeric id of a ruleset given its name.
If a ruleset has been used before, its previously assigned id is
returned. Otherwise, a new ruleset is created with the given name
and a new id is assigned to it.
*/
virtual uint16_t ruleset_id(const std::string &name) = 0;
/*! /*!
\brief This is meant to be called after all rules have been added \brief This is meant to be called after all rules have been added
with add() and enabled on the given ruleset with enable()/enable_tags(). with add() and enabled on the given ruleset with enable()/enable_tags().
@ -71,61 +63,87 @@ public:
\param evt The event to be processed \param evt The event to be processed
\param match If true is returned, this is filled-out with the rule \param match If true is returned, this is filled-out with the rule
that matched the event that matched the event
\param ruleset The id of the ruleset to be used \param ruleset_id The id of the ruleset to be used
*/ */
virtual bool run( virtual bool run(
gen_event *evt, gen_event *evt,
falco_rule& match, falco_rule& match,
uint16_t ruleset = 0) = 0; uint16_t ruleset_id) = 0;
/*! /*!
\brief Returns the number of rules enabled in a given ruleset \brief Returns the number of rules enabled in a given ruleset
\param ruleset The id of the ruleset to be used \param ruleset_id The id of the ruleset to be used
*/ */
virtual uint64_t enabled_count(uint16_t ruleset = 0) = 0; virtual uint64_t enabled_count(uint16_t ruleset_id) = 0;
/*! /*!
\brief Returns the union of the evttypes of all the rules enabled \brief Returns the union of the evttypes of all the rules enabled
in a given ruleset in a given ruleset
\param ruleset The id of the ruleset to be used \param ruleset_id The id of the ruleset to be used
*/ */
virtual void enabled_evttypes( virtual void enabled_evttypes(
std::set<uint16_t> &evttypes, std::set<uint16_t> &evttypes,
uint16_t ruleset) = 0; uint16_t ruleset) = 0;
/*! /*!
\brief Find those rules matching the provided substring and set \brief Find those rules matching the provided substring and enable
their enabled status to enabled in a given ruleset. them in the provided ruleset.
\param substring Substring used to match rule names. \param substring Substring used to match rule names.
If empty, all rules are matched. If empty, all rules are matched.
\param match_exact If true, substring must be an exact match for a \param match_exact If true, substring must be an exact match for a
given rule name. Otherwise, any rules having substring as a substring given rule name. Otherwise, any rules having substring as a substring
in the rule name are enabled/disabled. in the rule name are enabled/disabled.
\param enabled The enabled status to set on all matching rules \param ruleset_id The id of the ruleset to be used
\param ruleset The id of the ruleset to be used
*/ */
virtual void enable( virtual void enable(
const std::string &substring, const std::string &substring,
bool match_exact, bool match_exact,
bool enabled, uint16_t ruleset_id) = 0;
uint16_t ruleset = 0) = 0;
/*!
\brief Find those rules matching the provided substring and disable
them in the provided ruleset.
\param substring Substring used to match rule names.
If empty, all rules are matched.
\param match_exact If true, substring must be an exact match for a
given rule name. Otherwise, any rules having substring as a substring
in the rule name are enabled/disabled.
\param ruleset_id The id of the ruleset to be used
*/
virtual void disable(
const std::string &substring,
bool match_exact,
uint16_t ruleset_id) = 0;
/*! /*!
\brief Find those rules that have a tag in the set of tags and \brief Find those rules that have a tag in the set of tags and
set their enabled status to enabled. Note that the enabled enable them for the provided ruleset. Note that the enabled
status is on the rules, and not the tags--if a rule R has status is on the rules, and not the tags--if a rule R has
tags (a, b), and you call enable_tags([a], true) and then tags (a, b), and you call enable_tags([a]) and then
enable_tags([b], false), R will be disabled despite the disable_tags([b]), R will be disabled despite the
fact it has tag a and was enabled by the first call to fact it has tag a and was enabled by the first call to
enable_tags. enable_tags.
\param substring Tags used to match ruless \param substring Tags used to match ruless
\param enabled The enabled status to set on all matching rules \param ruleset_id The id of the ruleset to be used
\param ruleset The id of the ruleset to be used
*/ */
virtual void enable_tags( virtual void enable_tags(
const std::set<std::string> &tags, const std::set<std::string> &tags,
bool enabled, uint16_t ruleset_id) = 0;
uint16_t ruleset = 0) = 0;
/*!
\brief Find those rules that have a tag in the set of tags and
disable them for the provided ruleset. Note that the disabled
status is on the rules, and not the tags--if a rule R has
tags (a, b), and you call enable_tags([a]) and then
disable_tags([b]), R will be disabled despite the
fact it has tag a and was enabled by the first call to
enable_tags.
\param substring Tags used to match ruless
\param ruleset_id The id of the ruleset to be used
*/
virtual void disable_tags(
const std::set<std::string> &tags,
uint16_t ruleset_id) = 0;
}; };
/*! /*!