From f33d5b43febac42ac1fd42445767e91c6cbdb045 Mon Sep 17 00:00:00 2001 From: Leonardo Grasso Date: Fri, 18 Jul 2025 13:07:00 +0200 Subject: [PATCH] new(userspapace/engine): add `capture` and `capture_duration` to rules loader Signed-off-by: Leonardo Grasso --- userspace/engine/rule_loader.cpp | 4 +++- userspace/engine/rule_loader.h | 5 +++++ userspace/engine/rule_loader_collector.cpp | 10 ++++++++- userspace/engine/rule_loader_compiler.cpp | 4 +++- userspace/engine/rule_loader_reader.cpp | 24 +++++++++++++++++++++- 5 files changed, 43 insertions(+), 4 deletions(-) diff --git a/userspace/engine/rule_loader.cpp b/userspace/engine/rule_loader.cpp index 83a2b92d..d58708cd 100644 --- a/userspace/engine/rule_loader.cpp +++ b/userspace/engine/rule_loader.cpp @@ -1,6 +1,6 @@ // SPDX-License-Identifier: Apache-2.0 /* -Copyright (C) 2023 The Falco Authors. +Copyright (C) 2025 The Falco Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -532,6 +532,8 @@ rule_loader::rule_info::rule_info(context& ctx): visibility(0), unknown_source(false), priority(falco_common::PRIORITY_DEBUG), + capture(false), + capture_duration(0), enabled(true), warn_evttypes(true), skip_if_unknown_filter(false) {} diff --git a/userspace/engine/rule_loader.h b/userspace/engine/rule_loader.h index d80c8787..a96d2905 100644 --- a/userspace/engine/rule_loader.h +++ b/userspace/engine/rule_loader.h @@ -460,6 +460,8 @@ struct rule_info { std::set tags; std::vector exceptions; falco_common::priority_type priority; + bool capture; + uint32_t capture_duration; bool enabled; bool warn_evttypes; bool skip_if_unknown_filter; @@ -480,6 +482,7 @@ struct rule_update_info { bool has_any_value() { return cond.has_value() || output.has_value() || desc.has_value() || tags.has_value() || exceptions.has_value() || priority.has_value() || enabled.has_value() || + capture.has_value() || capture_duration.has_value() || warn_evttypes.has_value() || skip_if_unknown_filter.has_value(); } @@ -493,6 +496,8 @@ struct rule_update_info { std::optional> tags; std::optional> exceptions; std::optional priority; + std::optional capture; + std::optional capture_duration; std::optional enabled; std::optional warn_evttypes; std::optional skip_if_unknown_filter; diff --git a/userspace/engine/rule_loader_collector.cpp b/userspace/engine/rule_loader_collector.cpp index 3d26b3e7..2b13644a 100644 --- a/userspace/engine/rule_loader_collector.cpp +++ b/userspace/engine/rule_loader_collector.cpp @@ -1,6 +1,6 @@ // SPDX-License-Identifier: Apache-2.0 /* -Copyright (C) 2023 The Falco Authors. +Copyright (C) 2025 The Falco Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -313,6 +313,14 @@ void rule_loader::collector::selective_replace(configuration& cfg, rule_update_i prev->priority = *info.priority; } + if(info.capture.has_value()) { + prev->capture = *info.capture; + } + + if(info.capture_duration.has_value()) { + prev->capture_duration = *info.capture_duration; + } + if(info.enabled.has_value()) { prev->enabled = *info.enabled; } diff --git a/userspace/engine/rule_loader_compiler.cpp b/userspace/engine/rule_loader_compiler.cpp index 7cbe2e5e..49f07d1e 100644 --- a/userspace/engine/rule_loader_compiler.cpp +++ b/userspace/engine/rule_loader_compiler.cpp @@ -1,6 +1,6 @@ // SPDX-License-Identifier: Apache-2.0 /* -Copyright (C) 2023 The Falco Authors. +Copyright (C) 2025 The Falco Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -523,6 +523,8 @@ void rule_loader::compiler::compile_rule_infos(configuration& cfg, rule.source = r.source; rule.description = r.desc; rule.priority = r.priority; + rule.capture = r.capture; + rule.capture_duration = r.capture_duration; rule.tags = r.tags; auto rule_id = out.insert(rule, rule.name); out.at(rule_id)->id = rule_id; diff --git a/userspace/engine/rule_loader_reader.cpp b/userspace/engine/rule_loader_reader.cpp index 960e3340..01ce2d9f 100644 --- a/userspace/engine/rule_loader_reader.cpp +++ b/userspace/engine/rule_loader_reader.cpp @@ -1,6 +1,6 @@ // SPDX-License-Identifier: Apache-2.0 /* -Copyright (C) 2023 The Falco Authors. +Copyright (C) 2025 The Falco Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -634,6 +634,8 @@ void rule_loader::reader::read_item(rule_loader::configuration& cfg, "output", "desc", "priority", + "capture", + "capture_duration", "tags", "exceptions", "enabled", @@ -756,6 +758,22 @@ void rule_loader::reader::read_item(rule_loader::configuration& cfg, v.priority = parsed_priority; } + if(check_update_expected(expected_keys, + override_replace, + "replace", + "capture", + ctx)) { + decode_val(item, "capture", v.capture, ctx); + } + + if(check_update_expected(expected_keys, + override_replace, + "replace", + "capture_duration", + ctx)) { + decode_val(item, "capture_duration", v.capture_duration, ctx); + } + if(check_update_expected(expected_keys, override_replace, "replace", @@ -818,6 +836,8 @@ void rule_loader::reader::read_item(rule_loader::configuration& cfg, rule_loader::rule_info v(ctx); v.name = name; v.enabled = true; + v.capture = false; + v.capture_duration = 0; v.warn_evttypes = true; v.skip_if_unknown_filter = false; @@ -863,6 +883,8 @@ void rule_loader::reader::read_item(rule_loader::configuration& cfg, prictx); decode_optional_val(item, "source", v.source, ctx); decode_optional_val(item, "enabled", v.enabled, ctx); + decode_optional_val(item, "capture", v.capture, ctx); + decode_optional_val(item, "capture_duration", v.capture_duration, ctx); decode_optional_val(item, "warn_evttypes", v.warn_evttypes, ctx); decode_optional_val(item, "skip-if-unknown-filter", v.skip_if_unknown_filter, ctx); decode_tags(item, v.tags, ctx);