Emit a warning when a rule with a condition using "evt.dir" field is
encountered.
The direction have been deprecated in the scope of enter event
suppression initiative.
Signed-off-by: Iacopo Rozzo <iacopo.rozzo@iacopo.rozzo>
Make Falco's libs internal auto thread purging interval and timeout
configurable and set their default values to 5 minutes. This helps
controlling the memory impact of process exit events dropping and
events re-ordering.
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Merge-strategy for included config files must now be
specified as yaml map of the form:
- path: foo
strategy: bar
If `strategy` is omitted, or the old `string-only` form is used,
`append` strategy is enforced.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
By default we now use the `append` merge-strategy:
* existing sequence keys will be appended
* existing scalar keys will be overridden
* non-existing keys will be added
We also have an `override` merge-strategy:
* existing keys will be overridden
* non-existing keys will be added
Finally, there is an `add-only` merge-strategy:
* existing keys will be ignored
* non-existing keys will be added
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Defining `exceptions` with empty `values` is a legitimate use case since the values can be added to another rules file. Even when values are not populated elsewhere, Falco can work without issues; that's the reason why the `values` field is not required. With this change, we avoid emitting useless validation warnings in situations where exceptions are just defined but not actually used because values are not being provided.
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Also, remove `container_id container_name` fields from `-pc` output.
These fields are now automatically appended since the `container` plugin
marks them as suggested.
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
In places where a second rule definition might replace, append to, or
replace items from a base rule, ensure that the source of the second
rule definiton matches the first.
This already existed for defines, but for other changes. There was a
bug where a second definition might exist for a different source, but
the additional rule was used anyway.
This now returns the same error for these other changes e.g. "Rule has
been re-defined..." as define.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
It's possible that someone might want to override a property for a
non-syscall rule source. To assist in this, decode any source property
for rules with append/override and save it in the rule_update_info
object. For the source property only, the value for source can be
empty e.g. 'source: ' or an empty string e.g. 'source: ""'. Both of
those are considered valid but result in an empty source.
A later change will ensure that the sources match up when
appending/redefining/overriding/enabling.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Add an equality operator for indexed_vector.
As indexed_vectors commonly hold falco lists/macros/rules, also add
equality operators for those structs. For condition/sinsp_filter
shared_ptrs, the operator checks that the shared_ptrs point to the
same underlying memory.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Add a clone() method that can be overridden by subclasses. This allows
copying compile state when needed in a way that preserves
polymorphism.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
