github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-06 01:00:36 +00:00
Code Issues Projects Releases Wiki Activity

Provide the entire compile output to ruleset vs individual add()s

Browse Source 
In order to support external rules loaders that may extend the falco
rules format with new top level objects, move away from providing
individual filter objects to the filter_ruleset via calls to add().

Instead, pass the entire compile output returned by the compiler to
the ruleset using a new method add_compile_output(). Custom users can
then cast back the compile output to the appropriate derived class for
use in the ruleset.

Move the declaration of the compile output to a standalone class so it
can be used by rulesets without including the entire rules loader
header files, and add a new factory method new_compile_output() to the
compiler so it can create a derived class if necessary.

This change is
backwards-compatible with existing rulesets, as the default
implementation of add_compile_output() simply iterates over rules and
calls add() for each rule.

This change also speeds up rule loading. Previously, each rule
condition was compiled twice:

1. First, in the compiler, to see if it was valid.
2. Second, in the falco engine before providing each rule to the
ruleset.

Add the compiled filter to the falco_rule object instead of throwing
it away in the compiler.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm
2024-01-11 12:52:13 -08:00
committed by poiana
parent 2d0159ae05
commit eed5b906a8
7 changed files with 86 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
userspace/engine/falco_engine.cpp
View File

@@ -205,8 +205,13 @@ std::unique_ptr<load_result> falco_engine::load_rules(const std::string &rules_c
// clear the rules known by the engine and each ruleset
m_rules.clear();
for (auto &src : m_sources)
// add rules to each ruleset
{
src.ruleset = src.ruleset_factory->new_ruleset();
src.ruleset->add_compile_output(*(m_last_compile_output.get()),
m_min_priority,
src.name);
}
// add rules to the engine and the rulesets
@@ -225,15 +230,9 @@ std::unique_ptr<load_result> falco_engine::load_rules(const std::string &rules_c
throw falco_exception("can't find internal rule info at name: " + name);
}
// the rule is ok, we can add it to the engine and the rulesets
// note: the compiler should guarantee that the rule's condition
// is a valid sinsp filter
auto source = find_source(rule.source);
std::shared_ptr<gen_event_filter> filter(
sinsp_filter_compiler(source->filter_factory, rule.condition.get()).compile());
auto rule_id = m_rules.insert(rule, rule.name);
m_rules.at(rule_id)->id = rule_id;
source->ruleset->add(rule, filter, rule.condition);
// By default rules are enabled/disabled for the default ruleset
if(info->enabled)