github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-03-19 19:22:05 +00:00
Code Issues Projects Releases Wiki Activity
3,592 Commits 124 Branches 184 Tags
test/PR959
Commit Graph

372 Commits

Author SHA1 Message Date
Federico Di Pierro
e6078c8d16 chore(userspace): updated fields checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-03-22 11:17:07 +01:00
rabbitstack
03285f4140 define Windows equivalent for srandom and random functions 
Signed-off-by: rabbitstack <nedim.sabic@sysdig.com>
 2023-03-17 10:23:26 +01:00
Jason Dellaluce
e8b776a9cb update(userspace/engine): bump engine version to 17 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-09 09:39:12 +01:00
Jason Dellaluce
19ffadc763 update(userspace/engine): support searching ppm_sc events in rulesets 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-03-09 09:39:12 +01:00
Jason Dellaluce
5ed5c63202 refactor: adapt event set configuration changes to new libs definition 
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
010f6c6a9e update(userspace/engine): bump fields checksum 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
6c38ecaf0e update(userspace/engine): adapt engine classes to new libsinsp event definitions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
34ea7a8245 cleanup(userspace/engine): drop filtr_evttype_resolver 
Its logic was ported into libsinsp in:
3d8550e70e

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-21 14:31:28 +01:00
Melissa Kilby
72439b2eed cleanup(app_actions): adjust configure_interesting_sets 
* address reviewers feedback
* improve clarity around new -A and -i behavior
* additional cleanup (e.g. use generic set operations only)
* extend unit tests

Note: sinsp ppm sc API is undergoing a refactor, therefore current lookups are interim
and will subsequently be refactored as well.

Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2023-02-21 14:31:28 +01:00
Jason Dellaluce
ff68311629 fix(userspace/engine): add missing include 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 17:33:31 +01:00
Lorenzo Susini
88ac30650c fix(userspace/engine): correctly bump engine version after introduction of new fields 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2023-02-14 13:03:06 +01:00
Jason Dellaluce
79b3f81a02 chore: fix typos 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 12:47:07 +01:00
Jason Dellaluce
2495827e0c fix(userspace/engine): correctly handle evttype indexing corner cases 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-14 12:47:07 +01:00
Federico Di Pierro
75dc8c050c new(userspace,tests): add proper support for generic events indexing. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2023-02-13 14:54:03 +01:00
Andrea Terzolo
dca76ba93c chore: fix building with njson 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2023-02-10 11:41:24 +01:00
Jason Dellaluce
eaeec7c079 fix(userspace): avoid using std namespace in sources 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-08 15:30:29 +01:00
Jason Dellaluce
54f117141b update(userspace/engine): avoid relying on leaked std namespace 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-02-08 15:30:29 +01:00
Jason Dellaluce
c1985a7c99 fix(userspace/engine): absolute rule condition position in validation context 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-10 12:55:43 +01:00
Jason Dellaluce
d79d7112a0 fix(userspace/engine): catch YAML parsing and validation errors with right context 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2023-01-10 12:55:43 +01:00
Jason Dellaluce
5552bcab76 chore: fix typo 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Jason Dellaluce
25ddc3c6a2 update(userspace/engine): broader err catching support in macro resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Jason Dellaluce
35dd0fc153 fix(userspace/engine): implement loop detection in macro resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Andrea Terzolo
52ee61b800 chore(userspace): add njson lib as a dependency for falco_engine 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-10 17:07:06 +01:00
Andrea Terzolo
94ed56df95 chore: bump libs 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-06 12:59:50 +01:00
Federico Di Pierro
87371492c5 update(userspace/engine): updated checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-06 12:59:50 +01:00
Mark Stemm
356a4a0749 Also copy ruleset when copying falco source 
In the copy constructor and assignment operator for falco_source, also
copy the ruleset along with factories/name.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:07:52 +01:00
Mark Stemm
910b8ff858 Fix(engine) Save parse positions when finding unresolved macros 
Now that ASTs contain parse positions, use them when reporting errors
about unknown macros.

When doing the first pass to find all macro references, save macros as
a map<macro name,parse position> instead of a set<macro name>. While
making that change, change the visitor struct to use references
instead of pointers.

In the second pass, when reporting any unresolved macro references,
also report the parse position.

The unit tests also check that the positions of macros are properly
returned in the resolved/unresolved maps.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:03:52 +01:00
Mark Stemm
83b12bab1d Fix(engine): include parse positions in compile errors 
Now that ASTs have parse positions and the compiler will return the
position of the last error, use that in falco rules to return errors
within condition strings instead of reporting the position as the
beginning of the condition.

This led to a change in the filter_ruleset interface--now, an ast is
compiled to a filter before being passed to the filter_ruleset
object. That avoids polluting the interface with a lot of details
about rule_loader contexts, errors, etc. The ast is still provided in
case the filter_ruleset wants to do indexing/analysis of the filter.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:03:52 +01:00
Jason Dellaluce
15b57bd972 fix: remove minor string view dependencies 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-11-29 16:27:42 +01:00
Leonardo Grasso
68f4d5bb59 fix(userspace/engine): no need to use external deps 
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-11-29 16:27:42 +01:00
Leonardo Grasso
47fd90bb7f chore: remove not used dependency - string-view-lite 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-11-29 16:27:42 +01:00
Luca Guerra
e3dbae3259 fix(engine): fix warning about redundant std::move 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-11-11 16:19:11 +01:00
Mark Stemm
acf5c4ce5f fix(engine): save syscall source only when processing events 
The optimization in https://github.com/falcosecurity/falco/pull/2210
had a bug when the engine uses multiple sources at the same
time--m_syscall_source is a pointer to an entry in the indexed vector
m_sources, but if add_source is called multiple times, the vector is
resized, which copies the structs but invalidates any pointer to the
vector entries.

So instead of caching m_syscall_source in add_source(), cache it in
process_events(). m_sources won't change once processing events starts.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-10-27 18:23:25 +02:00
Jason Dellaluce
9ee0298c4d fix(userspace/engine): avoid macro/list used checks if we encounter an error 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 14:03:20 +02:00
Jason Dellaluce
57b26530b6 update(userspace) fix cppcheck warnings 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 12:07:20 +02:00
Jason Dellaluce
3629c4dc4a update(userspace): solve cppcheck performance suggestions 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 12:07:20 +02:00
Jason Dellaluce
5e531870a9 fix(userspace/engine): fix unit test segfault 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 11:17:20 +02:00
Jason Dellaluce
4cb556aed2 update(userspace/engine): use sinsp api to access event table information 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-12 11:17:20 +02:00
Jason Dellaluce
11160f8463 fix(userspace): safely check string bounded access 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-11 11:23:15 +02:00
Jason Dellaluce
3c02b40a21 chore(userspace/falco): make log message termination consistent 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 21:27:06 +02:00
Jason Dellaluce
83a83a5853 update(userspace): pass string as const refs when possible 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-06 21:27:06 +02:00
Jason Dellaluce
5781c53ddc fix(userspace): add explicit constructors and initializations 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-03 13:04:15 +02:00
Jason Dellaluce
8aea0935c9 chore(userspace/engine): remove unused var 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
9c240198a0 refactor(userspace/engine): refactor falco_engine with new loader defs 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
f6f763fe84 refactor(userspace/engine): clean up rule collector 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
9b5f3ee99e refactor(userspace/engine): clean up rule compiler 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
89e8f70de0 refactor(userspace/engine): clean up and rename rule reader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
b0f0105116 refactor(userspace/engine): clean up rule loader 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
5f2267f716 update(userspace/engine): add new loader files to CMakeLists 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00
Jason Dellaluce
b65157af5e refactor(userspace/engine): split rule loader git history (5) 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-09-27 10:42:59 +02:00