Properly support syscalls in filter conditions (#352)

* Properly support syscalls in filter conditions Syscalls have their own numbers but they weren't really handled within falco. This meant that there wasn't a way to handle filters with evt.type=xxx clauses where xxx was a value that didn't have a corresponding event entry (like "madvise", for examples), or where a syscall like open could also be done indirectly via syscall(__NR_open, ...). First, add a new top-level global syscalls that maps from a string like "madvise" to all the syscall nums for that id, just as we do for event names/numbers. In the compiler, when traversing the AST for evt.type=XXX or evt.type in (XXX, ...) clauses, also try to match XXX against the global syscalls table, and return any ids in a standalone table. Also throw an error if an XXX doesn't match any event name or syscall name. The syscall numbers are passed as an argument to sinsp_evttype_filter so it can preindex the filters by syscall number. This depends on https://github.com/draios/sysdig/pull/1100 * Add unit test for syscall support This does a madvise, which doesn't have a ppm event type, both directly and indirectly via syscall(__NR_madvise, ...), as well as an open directly + indirectly. The corresponding rules file matches on madvise and open. The test ensures that both opens and both madvises are detected.
2025-09-06 01:00:36 +00:00 · 2018-04-17 17:14:45 -07:00
parent 96b4ff0ee5
commit ac190ca457
9 changed files with 140 additions and 30 deletions
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@@ -162,6 +162,13 @@ void falco_engine::evttypes_for_ruleset(std::vector<bool> &evttypes, const std::
 	return m_evttype_filter->evttypes_for_ruleset(evttypes, ruleset_id);
 }

+void falco_engine::syscalls_for_ruleset(std::vector<bool> &syscalls, const std::string &ruleset)
+{
+	uint16_t ruleset_id = find_ruleset_id(ruleset);
+
+	return m_evttype_filter->syscalls_for_ruleset(syscalls, ruleset_id);
+}
+
 unique_ptr<falco_engine::rule_result> falco_engine::process_event(sinsp_evt *ev, uint16_t ruleset_id)
 {
 	if(should_drop_evt())
@@ -237,10 +244,11 @@ void falco_engine::print_stats()

 void falco_engine::add_evttype_filter(string &rule,
 				      set<uint32_t> &evttypes,
+				      set<uint32_t> &syscalls,
 				      set<string> &tags,
 				      sinsp_filter* filter)
 {
-	m_evttype_filter->add(rule, evttypes, tags, filter);
+	m_evttype_filter->add(rule, evttypes, syscalls, tags, filter);
 }

 void falco_engine::clear_filters()