From eee4acc48862e83eca7eae59d0a72381dfb91a8c Mon Sep 17 00:00:00 2001
From: Tero Kauppinen
Date: Wed, 24 Sep 2025 13:16:56 +0300
Subject: [PATCH] fix(userspace/falco): fix actions taken when events are dropped
User can configure a list of actions that are taken when Falco detects a threshold exceeding value in drop statistics. However, the logic that handles the list of configured actions is designed to process only a single action; it takes only the first action of the list. This approach has the problem that the order of the actions comes as the deciding factor in choosing which action is taken in case there are more than one action. This fix enables Falco to process all actions on the list.
Signed-off-by: Tero Kauppinen
---
 userspace/falco/event_drops.cpp | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/userspace/falco/event_drops.cpp b/userspace/falco/event_drops.cpp
index 96bc84af..65408700 100644
--- a/userspace/falco/event_drops.cpp
+++ b/userspace/falco/event_drops.cpp
@@ -138,15 +138,16 @@ bool syscall_evt_drop_mgr::perform_actions(uint64_t now,
 std::string rule = "Falco internal: syscall event drop";
 std::string msg = rule + ". " + std::to_string(delta.n_drops) + " system calls dropped in last second.";
+ bool ret = true;
 for(auto &act : m_actions) {
 switch(act) {
 case syscall_evt_drop_action::DISREGARD:
- return true;
+ continue;
 case syscall_evt_drop_action::LOG:
 falco_logger::log(falco_logger::level::DEBUG, std::move(msg));
- return true;
+ continue;
 case syscall_evt_drop_action::ALERT: {
 nlohmann::json output_fields;
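Review bot: `std::move(msg)` in the LOG case now leaves `msg` moved-from for every action that runs after it, since the case ends in `continue` rather than `return true`. The ALERT case passes the same `msg` to `m_outputs->handle_msg`, and the EXIT case in the second hunk moves it again, so a list with LOG ahead of ALERT could emit the drop alert with an empty message. Whether that actually happens depends on the parameter type of `falco_logger::log`, which this diff does not show. Dropping the move removes the dependency: `falco_logger::log(falco_logger::level::DEBUG, msg);` here and `falco_logger::log(falco_logger::level::CRIT, msg);` in EXIT (or pass `std::string(msg)` if the logger only accepts rvalues). The function body starts above this hunk and continues past it.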
@@ -199,19 +200,20 @@ bool syscall_evt_drop_mgr::perform_actions(uint64_t now,
 kernel instrumentation). */
 output_fields["ebpf_enabled"] = std::to_string(bpf_enabled);
 m_outputs->handle_msg(now, falco_common::PRIORITY_DEBUG, msg, rule, output_fields);
- return true;
+ continue;
 }
 case syscall_evt_drop_action::EXIT:
 falco_logger::log(falco_logger::level::CRIT, std::move(msg));
 falco_logger::log(falco_logger::level::CRIT, "Exiting.");
- return false;
+ ret = false;
+ continue;
 default:
 falco_logger::log(falco_logger::level::ERR, "Ignoring unknown action " + std::to_string(int(act)));
- return true;
+ continue;
 }
 }
- return true;
+ return ret;
 }
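Review bot: In the EXIT case, "Exiting." is logged at CRIT while later entries in `m_actions` are still pending, so a list with EXIT ahead of ALERT announces shutdown before the drop alert is emitted. The drop alert is the record that tells operators event coverage was lost, so the log order should not suggest the process had already stopped when it was sent. Consider deferring the message until the loop has finished, e.g. `if(!ret) falco_logger::log(falco_logger::level::CRIT, "Exiting.");` just before `return ret;`. A short comment at `ret = false;` such as `// latch exit request; remaining actions still run` would make the new control flow explicit. The function starts above this hunk, and how the caller reacts to a `false` return is not visible here.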