docs: add sections about drivers into RELEASE.md file

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>

RELEASE.md

@@ -10,7 +10,14 @@ Finally, on the proposed due date the assignees for the upcoming release proceed
 
 ## Pre-Release Checklist
 
-### 1. Release notes
+### 1. Drivers
+
+- Check whether the [driver version](https://github.com/falcosecurity/falco/blob/master/cmake/modules/sysdig.cmake#L32) has changed since the last stable release of Falco
+    - Verify the release notes (point 2) eventually communicate this change 
+- Update the [Drivers Build Grid](https://github.com/falcosecurity/test-infra/tree/master/driverkit) so to ship prebuilt drivers for it (**best-effort** task)
+
+### 2. Release notes
+
 - Let `YYYY-MM-DD` the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
 - Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
     - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
@@ -18,11 +25,11 @@ Finally, on the proposed due date the assignees for the upcoming release proceed
 - Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYY-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) filter) and add them to the milestone currently undergoing release
 - Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, fix them
 
-### 2. Milestones
+### 3. Milestones
 
 - Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone
 
-### 3. Release PR
+### 4. Release PR
 
 - Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
     - If any, manually correct it then open an issue to automate version number bumping later

test/falco_test.py

@@ -585,8 +585,7 @@ class FalcoTest(Test):
         self.check_rules_warnings(res)
         if len(self.rules_events) > 0:
             self.check_rules_events(res)
-        if len(self.validate_rules_file) == 0:
-            self.check_detections(res)
+        self.check_detections(res)
         if len(self.detect_counts) > 0:
             self.check_detections_by_rule(res)
         self.check_json_output(res)

test/falco_tests.yaml

@@ -262,7 +262,6 @@ trace_files: !mux
   invalid_not_yaml:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       Rules content is not yaml
       ---
       This is not yaml
@@ -274,7 +273,6 @@ trace_files: !mux
   invalid_not_array:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       Rules content is not yaml array of objects
       ---
       foo: bar
@@ -286,7 +284,6 @@ trace_files: !mux
   invalid_array_item_not_object:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       Unexpected element of type string. Each element should be a yaml associative array.
       ---
       - foo
@@ -298,7 +295,6 @@ trace_files: !mux
   invalid_unexpected object:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       Unknown rule object: {foo="bar"}
       ---
       - foo: bar
@@ -310,7 +306,6 @@ trace_files: !mux
   invalid_engine_version_not_number:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       Value of required_engine_version must be a number
       ---
       - required_engine_version: not-a-number
@@ -322,7 +317,6 @@ trace_files: !mux
   invalid_yaml_parse_error:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       mapping values are not allowed in this context
       ---
       this : is : not : yaml
@@ -334,7 +328,6 @@ trace_files: !mux
   invalid_list_without_items:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       List must have property items
       ---
       - list: bad_list
@@ -347,7 +340,6 @@ trace_files: !mux
   invalid_macro_without_condition:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       Macro must have property condition
       ---
       - macro: bad_macro
@@ -360,7 +352,6 @@ trace_files: !mux
   invalid_rule_without_output:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       Rule must have property output
       ---
       - rule: no output rule
@@ -375,7 +366,6 @@ trace_files: !mux
   invalid_append_rule_without_condition:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       Rule must have property condition
       ---
       - rule: no condition rule
@@ -388,7 +378,6 @@ trace_files: !mux
   invalid_append_macro_dangling:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       Macro dangling append has 'append' key but no macro by that name already exists
       ---
       - macro: dangling append
@@ -402,7 +391,6 @@ trace_files: !mux
   invalid_list_append_dangling:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       List my_list has 'append' key but no list by that name already exists
       ---
       - list: my_list
@@ -416,7 +404,6 @@ trace_files: !mux
   invalid_rule_append_dangling:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       Rule my_rule has 'append' key but no rule by that name already exists
       ---
       - rule: my_rule
@@ -463,7 +450,6 @@ trace_files: !mux
   invalid_overwrite_macro_multiple_docs:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
       ---
       - macro: some macro
@@ -477,7 +463,6 @@ trace_files: !mux
   invalid_append_macro_multiple_docs:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
       ---
       - macro: some macro
@@ -536,7 +521,6 @@ trace_files: !mux
   invalid_overwrite_rule_multiple_docs:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       Undefined macro 'bar' used in filter.
       ---
       - rule: some rule
@@ -575,7 +559,6 @@ trace_files: !mux
   invalid_missing_rule_name:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       Rule name is empty
       ---
       - rule:
@@ -590,7 +573,6 @@ trace_files: !mux
   invalid_missing_list_name:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       List name is empty
       ---
       - list:
@@ -603,7 +585,6 @@ trace_files: !mux
   invalid_missing_macro_name:
     exit_status: 1
     stdout_is: |+
-      1 errors:
       Macro name is empty
       ---
       - macro:

test/falco_tests_exceptions.yaml

@@ -1,259 +0,0 @@
-#
-# Copyright (C) 2016-2020 The Falco Authors..
-#
-# This file is part of falco.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-trace_files: !mux
-
-  rule_exception_no_fields:
-    exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rule exception item ex1: must have fields property with a list of fields
-      ---
-      - rule: My Rule
-        desc: Some desc
-        condition: evt.type=open and proc.name=cat
-        output: Some output
-        exceptions:
-          - name: ex1
-        priority: error
-      ---
-    validate_rules_file:
-      - rules/exceptions/rule_item_no_fields.yaml
-    trace_file: trace_files/cat_write.scap
-
-  exception_no_values:
-    exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Exception item ex1: must have values property with a list of values
-      ---
-      - exception: My Rule
-        items:
-          - name: ex1
-      ---
-    validate_rules_file:
-      - rules/exceptions/exception_item_no_values.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_no_name:
-    exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rule exception item must have name property
-      ---
-      - rule: My Rule
-        desc: Some desc
-        condition: evt.type=open and proc.name=cat
-        output: Some output
-        exceptions:
-          - fields: [proc.name, fd.filename]
-        priority: error
-      ---
-    validate_rules_file:
-      - rules/exceptions/rule_item_no_name.yaml
-    trace_file: trace_files/cat_write.scap
-
-  exception_no_name:
-    exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Exception item must have name property
-      ---
-      - exception: My Rule
-        items:
-          - values:
-              - [nginx, /tmp/foo]
-      ---
-    validate_rules_file:
-      - rules/exceptions/exception_item_no_name.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_append:
-    exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Can not append exceptions to existing rule, only conditions
-      ---
-      - rule: My Rule
-        condition: and proc.name=apache
-        exceptions:
-          - name: ex2
-            fields: [proc.name, fd.filename]
-        append: true
-      ---
-    validate_rules_file:
-      - rules/exceptions/rule_append_exception.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_unknown_fields:
-    exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rule exception item ex1: field name not.exist is not a supported filter field
-      ---
-      - rule: My Rule
-        desc: Some desc
-        condition: evt.type=open and proc.name=cat
-        output: Some output
-        exceptions:
-          - name: ex1
-            fields: [not.exist]
-        priority: error
-      ---
-    validate_rules_file:
-      - rules/exceptions/rule_item_unknown_fields.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_comps_fields_len_mismatch:
-    exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rule exception item ex1: fields and comps lists must have equal length
-      ---
-      - rule: My Rule
-        desc: Some desc
-        condition: evt.type=open and proc.name=cat
-        output: Some output
-        exceptions:
-          - name: ex1
-            fields: [proc.name, fd.filename]
-            comps: [=]
-        priority: error
-      ---
-    validate_rules_file:
-      - rules/exceptions/rule_item_comps_fields_len_mismatch.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_unknown_comp:
-    exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rule exception item ex1: comparison operator no-comp is not a supported comparison operator
-      ---
-      - rule: My Rule
-        desc: Some desc
-        condition: evt.type=open and proc.name=cat
-        output: Some output
-        exceptions:
-          - name: ex1
-            fields: [proc.name, fd.filename]
-            comps: [=, no-comp]
-        priority: error
-      ---
-    validate_rules_file:
-      - rules/exceptions/rule_item_unknown_comp.yaml
-    trace_file: trace_files/cat_write.scap
-
-  exception_fields_values_len_mismatch:
-    exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Exception item ex1: fields and values lists must have equal length
-      ---
-      - exception: My Rule
-        items:
-          - name: ex1
-            values:
-              - [nginx]
-      ---
-    validate_rules_file:
-      - rules/exceptions/exception_item_fields_values_len_mismatch.yaml
-    trace_file: trace_files/cat_write.scap
-
-  exception_item_not_in_rule:
-    exit_status: 0
-    stderr_contains: |+
-      1 warnings:
-      Exception My Rule: no set of fields matching name ex2
-    validate_rules_file:
-      - rules/exceptions/exception_item_not_in_rule.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_without_exception:
-    exit_status: 0
-    stderr_contains: |+
-      1 warnings:
-      Rule My Rule: consider adding an exceptions property to define supported exceptions fields
-    validate_rules_file:
-      - rules/exceptions/rule_without_exception.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_no_values:
-    detect: True
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_no_values.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_one_value:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_one_value.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_second_value:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_second_value.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_second_item:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_second_item.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_third_item:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_third_item.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_quoted:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_quoted.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_append_values:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_append.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_values_before:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_values_before.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_comp:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_comp.yaml
-    trace_file: trace_files/cat_write.scap
-
-

test/rules/exceptions/exception_item_fields_values_len_mismatch.yaml

@@ -1,30 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: My Rule
-  desc: Some desc
-  condition: evt.type=open and proc.name=cat
-  output: Some output
-  exceptions:
-    - name: ex1
-      fields: [proc.name, fd.filename]
-  priority: error
-
-- exception: My Rule
-  items:
-    - name: ex1
-      values:
-        - [nginx]

test/rules/exceptions/exception_item_no_name.yaml

@@ -1,29 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: My Rule
-  desc: Some desc
-  condition: evt.type=open and proc.name=cat
-  output: Some output
-  exceptions:
-    - name: ex1
-      fields: [proc.name, fd.filename]
-  priority: error
-
-- exception: My Rule
-  items:
-    - values:
-        - [nginx, /tmp/foo]

test/rules/exceptions/exception_item_no_values.yaml

@@ -1,28 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: My Rule
-  desc: Some desc
-  condition: evt.type=open and proc.name=cat
-  output: Some output
-  exceptions:
-    - name: ex1
-      fields: [proc.name, fd.filename]
-  priority: error
-
-- exception: My Rule
-  items:
-    - name: ex1

test/rules/exceptions/exception_item_not_in_rule.yaml

@@ -1,30 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: My Rule
-  desc: Some desc
-  condition: evt.type=open and proc.name=cat
-  output: Some output
-  exceptions:
-    - name: ex1
-      fields: [proc.name, fd.filename]
-  priority: error
-
-- exception: My Rule
-  items:
-    - name: ex2
-      values:
-        - [apache, /tmp]

test/rules/exceptions/rule_append_exception.yaml

@@ -1,31 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: My Rule
-  desc: Some desc
-  condition: evt.type=open and proc.name=cat
-  output: Some output
-  exceptions:
-    - name: ex1
-      fields: [proc.name, fd.filename]
-  priority: error
-
-- rule: My Rule
-  condition: and proc.name=apache
-  exceptions:
-    - name: ex2
-      fields: [proc.name, fd.filename]
-  append: true

test/rules/exceptions/rule_exception_append.yaml

@@ -1,40 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_name
-      fields: [proc.name]
-    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
-    - name: proc_name_cmdline_pname
-      fields: [proc.name, proc.cmdline, proc.pname]
-  priority: WARNING
-
-- exception: Open From Cat
-  items:
-    - name: proc_name
-      values:
-        - [not-cat]
-
-- exception: Open From Cat
-  items:
-    - name: proc_name
-      values:
-        - [cat]

test/rules/exceptions/rule_exception_comp.yaml

@@ -1,37 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_name
-      fields: [proc.name]
-    - name: proc_name_contains
-      fields: [proc.name]
-      comps: [contains]
-    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
-    - name: proc_name_cmdline_pname
-      fields: [proc.name, proc.cmdline, proc.pname]
-  priority: WARNING
-
-- exception: Open From Cat
-  items:
-    - name: proc_name_contains
-      values:
-        - [cat]

test/rules/exceptions/rule_exception_no_values.yaml

@@ -1,28 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_name
-      fields: [proc.name]
-    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
-    - name: proc_name_cmdline_pname
-      fields: [proc.name, proc.cmdline, proc.pname]
-  priority: WARNING

test/rules/exceptions/rule_exception_one_value.yaml

@@ -1,34 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_name
-      fields: [proc.name]
-    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
-    - name: proc_name_cmdline_pname
-      fields: [proc.name, proc.cmdline, proc.pname]
-  priority: WARNING
-
-- exception: Open From Cat
-  items:
-    - name: proc_name
-      values:
-        - [cat]

test/rules/exceptions/rule_exception_quoted.yaml

@@ -1,35 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_name
-      fields: [proc.name]
-    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
-    - name: proc_name_cmdline_pname
-      fields: [proc.name, proc.cmdline, proc.pname]
-  priority: WARNING
-
-- exception: Open From Cat
-  items:
-    - name: proc_name_cmdline
-      values:
-        - [not-cat, not-cat]
-        - [cat, '"cat /dev/null"']

test/rules/exceptions/rule_exception_second_item.yaml

@@ -1,40 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_name
-      fields: [proc.name]
-    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
-    - name: proc_name_cmdline_pname
-      fields: [proc.name, proc.cmdline, proc.pname]
-  priority: WARNING
-
-- exception: Open From Cat
-  items:
-    - name: proc_name
-      values:
-        - [not-cat]
-    - name: proc_name_cmdline
-      values:
-        - [cat, "cat /dev/null"]
-    - name: proc_name_cmdline_pname
-      values:
-        - [not-cat, "cat /dev/null", bash]

test/rules/exceptions/rule_exception_second_value.yaml

@@ -1,35 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_name
-      fields: [proc.name]
-    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
-    - name: proc_name_cmdline_pname
-      fields: [proc.name, proc.cmdline, proc.pname]
-  priority: WARNING
-
-- exception: Open From Cat
-  items:
-    - name: proc_name_cmdline
-      values:
-        - [not-cat, not-cat]
-        - [cat, "cat /dev/null"]

test/rules/exceptions/rule_exception_third_item.yaml

@@ -1,40 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_name
-      fields: [proc.name]
-    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
-    - name: proc_name_cmdline_pname
-      fields: [proc.name, proc.cmdline, proc.pname]
-  priority: WARNING
-
-- exception: Open From Cat
-  items:
-    - name: proc_name
-      values:
-        - [not-cat]
-    - name: proc_name_cmdline
-      values:
-        - [not-cat, "cat /dev/null"]
-    - name: proc_name_cmdline_pname
-      values:
-        - [cat, "cat /dev/null", bash]

test/rules/exceptions/rule_exception_values_before.yaml

@@ -1,36 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-- exception: Open From Cat
-  items:
-    - name: proc_name
-      values:
-        - [cat]
-
-- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_name
-      fields: [proc.name]
-    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
-    - name: proc_name_cmdline_pname
-      fields: [proc.name, proc.cmdline, proc.pname]
-  priority: WARNING
-

test/rules/exceptions/rule_item_comps_fields_len_mismatch.yaml

@@ -1,25 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: My Rule
-  desc: Some desc
-  condition: evt.type=open and proc.name=cat
-  output: Some output
-  exceptions:
-    - name: ex1
-      fields: [proc.name, fd.filename]
-      comps: [=]
-  priority: error

test/rules/exceptions/rule_item_no_fields.yaml

@@ -1,23 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: My Rule
-  desc: Some desc
-  condition: evt.type=open and proc.name=cat
-  output: Some output
-  exceptions:
-    - name: ex1
-  priority: error

test/rules/exceptions/rule_item_no_name.yaml

@@ -1,23 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: My Rule
-  desc: Some desc
-  condition: evt.type=open and proc.name=cat
-  output: Some output
-  exceptions:
-    - fields: [proc.name, fd.filename]
-  priority: error

test/rules/exceptions/rule_item_unknown_comp.yaml

@@ -1,25 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: My Rule
-  desc: Some desc
-  condition: evt.type=open and proc.name=cat
-  output: Some output
-  exceptions:
-    - name: ex1
-      fields: [proc.name, fd.filename]
-      comps: [=, no-comp]
-  priority: error

test/rules/exceptions/rule_item_unknown_fields.yaml

@@ -1,24 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: My Rule
-  desc: Some desc
-  condition: evt.type=open and proc.name=cat
-  output: Some output
-  exceptions:
-    - name: ex1
-      fields: [not.exist]
-  priority: error

test/rules/exceptions/rule_without_exception.yaml

@@ -1,21 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: My Rule
-  desc: Some desc
-  condition: evt.type=open and proc.name=cat
-  output: Some output
-  priority: error

test/run_regression_tests.sh

@@ -98,7 +98,7 @@ function run_tests() {
     # as we're watching the return status when running avocado.
     set +e
     TEST_RC=0
-    suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml $SCRIPTDIR/falco_tests_exceptions.yaml)
+    suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml)
 
     if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
         suites+=($SCRIPTDIR/falco_tests_package.yaml)

userspace/engine/lua/rule_loader.lua

@@ -126,31 +126,11 @@ function set_output(output_format, state)
    end
 end
 
--- This should be keep in sync with parser.lua
-defined_comp_operators = {
-   ["="]=1,
-   ["=="] = 1,
-   ["!"] = 1,
-   ["<="] = 1,
-   [">="] = 1,
-   ["<"] = 1,
-   [">"] = 1,
-   ["contains"] = 1,
-   ["icontains"] = 1,
-   ["glob"] = 1,
-   ["startswith"] = 1,
-   ["endswith"] = 1,
-   ["in"] = 1,
-   ["intersects"] = 1,
-   ["pmatch"] = 1
-}
-
 -- Note that the rules_by_name and rules_by_idx refer to the same rule
 -- object. The by_name index is used for things like describing rules,
 -- and the by_idx index is used to map the relational node index back
 -- to a rule.
 local state = {macros={}, lists={}, filter_ast=nil, rules_by_name={},
-	       exceptions_by_name={},
 	       skipped_rules_by_name={}, macros_by_name={}, lists_by_name={},
 	       n_rules=0, rules_by_idx={}, ordered_rule_names={}, ordered_macro_names={}, ordered_list_names={}}
 
@@ -276,18 +256,16 @@ end
 function build_error(rules_lines, row, num_lines, err)
    local ret = err.."\n---\n"..get_lines(rules_lines, row, num_lines).."---"
 
-   return {ret}
+   return ret
 end
 
 function build_error_with_context(ctx, err)
    local ret = err.."\n---\n"..ctx.."---"
-   return {ret}
+   return ret
 end
 
 function load_rules_doc(rules_mgr, doc, load_state)
 
-   local warnings = {}
-
    -- Iterate over yaml list. In this pass, all we're doing is
    -- populating the set of rules, macros, and lists. We're not
    -- expanding/compiling anything yet. All that will happen in a
@@ -301,7 +279,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 					load_state.indices[load_state.cur_item_idx])
 
       if (not (type(v) == "table")) then
-	 return false, build_error_with_context(context, "Unexpected element of type " ..type(v)..". Each element should be a yaml associative array."), warnings
+	 return false, build_error_with_context(context, "Unexpected element of type " ..type(v)..". Each element should be a yaml associative array.")
       end
 
       v['context'] = context
@@ -313,13 +291,13 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	 end
 
 	 if falco_rules.engine_version(rules_mgr) < v['required_engine_version'] then
-	    return false, build_error_with_context(v['context'], "Rules require engine version "..v['required_engine_version']..", but engine version is "..falco_rules.engine_version(rules_mgr)), warnings
+	    return false, build_error_with_context(v['context'], "Rules require engine version "..v['required_engine_version']..", but engine version is "..falco_rules.engine_version(rules_mgr))
 	 end
 
       elseif (v['macro']) then
 
 	 if (v['macro'] == nil or type(v['macro']) == "table") then
-	    return false, build_error_with_context(v['context'], "Macro name is empty"), warnings
+	    return false, build_error_with_context(v['context'], "Macro name is empty")
 	 end
 
 	 if v['source'] == nil then
@@ -332,7 +310,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 
 	 for j, field in ipairs({'condition'}) do
 	    if (v[field] == nil) then
-	       return false, build_error_with_context(v['context'], "Macro must have property "..field), warnings
+	       return false, build_error_with_context(v['context'], "Macro must have property "..field)
 	    end
 	 end
 
@@ -345,7 +323,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 
 	 if append then
 	    if state.macros_by_name[v['macro']] == nil then
-	       return false, build_error_with_context(v['context'], "Macro " ..v['macro'].. " has 'append' key but no macro by that name already exists"), warnings
+	       return false, build_error_with_context(v['context'], "Macro " ..v['macro'].. " has 'append' key but no macro by that name already exists")
 	    end
 
 	    state.macros_by_name[v['macro']]['condition'] = state.macros_by_name[v['macro']]['condition'] .. " " .. v['condition']
@@ -360,7 +338,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
       elseif (v['list']) then
 
 	 if (v['list'] == nil or type(v['list']) == "table") then
-	    return false, build_error_with_context(v['context'], "List name is empty"), warnings
+	    return false, build_error_with_context(v['context'], "List name is empty")
 	 end
 
 	 if state.lists_by_name[v['list']] == nil then
@@ -369,7 +347,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 
 	 for j, field in ipairs({'items'}) do
 	    if (v[field] == nil) then
-	       return false, build_error_with_context(v['context'], "List must have property "..field), warnings
+	       return false, build_error_with_context(v['context'], "List must have property "..field)
 	    end
 	 end
 
@@ -382,7 +360,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 
 	 if append then
 	    if state.lists_by_name[v['list']] == nil then
-	       return false, build_error_with_context(v['context'], "List " ..v['list'].. " has 'append' key but no list by that name already exists"), warnings
+	       return false, build_error_with_context(v['context'], "List " ..v['list'].. " has 'append' key but no list by that name already exists")
 	    end
 
 	    for j, elem in ipairs(v['items']) do
@@ -395,7 +373,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
       elseif (v['rule']) then
 
 	 if (v['rule'] == nil or type(v['rule']) == "table") then
-	    return false, build_error_with_context(v['context'], "Rule name is empty"), warnings
+	    return false, build_error_with_context(v['context'], "Rule name is empty")
 	 end
 
 	 -- By default, if a rule's condition refers to an unknown
@@ -408,53 +386,6 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    v['source'] = "syscall"
 	 end
 
-	 -- Add an empty exceptions property to the rule if not
-	 -- defined, but add a warning about defining one
-	 if v['exceptions'] == nil then
-	    warnings[#warnings + 1] = "Rule "..v['rule']..": consider adding an exceptions property to define supported exceptions fields"
-	    v['exceptions'] = {}
-	 end
-
-	 -- Validate the contents of the rule exception
-	 if next(v['exceptions']) ~= nil then
-
-	    for i, eitem in ipairs(v['exceptions']) do
-	       local name = eitem['name']
-	       local fields = eitem['fields']
-	       local comps = eitem['comps']
-
-	       if name == nil then
-		  return false, build_error_with_context(v['context'], "Rule exception item must have name property"), warnings
-	       end
-
-	       if fields == nil then
-		  return false, build_error_with_context(v['context'], "Rule exception item "..name..": must have fields property with a list of fields"), warnings
-	       end
-
-	       if comps == nil then
-		  comps = {}
-		  for c=1,#fields do
-		     table.insert(comps, "=")
-		  end
-		  eitem['comps'] = comps
-	       else
-		  if #fields ~= #comps then
-		     return false, build_error_with_context(v['context'], "Rule exception item "..name..": fields and comps lists must have equal length"), warnings
-		  end
-	       end
-	       for j, fname in ipairs(fields) do
-		  if defined_noarg_filters[fname] == nil then
-		     return false, build_error_with_context(v['context'], "Rule exception item "..name..": field name "..fname.." is not a supported filter field"), warnings
-		  end
-	       end
-	       for j, comp in ipairs(comps) do
-		  if defined_comp_operators[comp] == nil then
-		     return false, build_error_with_context(v['context'], "Rule exception item "..name..": comparison operator "..comp.." is not a supported comparison operator"), warnings
-		  end
-	       end
-	    end
-	 end
-
 	 -- Possibly append to the condition field of an existing rule
 	 append = false
 
@@ -467,21 +398,15 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    -- For append rules, all you need is the condition
 	    for j, field in ipairs({'condition'}) do
 	       if (v[field] == nil) then
-		  return false, build_error_with_context(v['context'], "Rule must have property "..field), warnings
+		  return false, build_error_with_context(v['context'], "Rule must have property "..field)
 	       end
 	    end
 
 	    if state.rules_by_name[v['rule']] == nil then
 	       if state.skipped_rules_by_name[v['rule']] == nil then
-		  return false, build_error_with_context(v['context'], "Rule " ..v['rule'].. " has 'append' key but no rule by that name already exists"), warnings
+		  return false, build_error_with_context(v['context'], "Rule " ..v['rule'].. " has 'append' key but no rule by that name already exists")
 	       end
 	    else
-
-	       -- You can't append exceptions to a rule
-	       if v['exceptions'] ~= nil then
-		  return false, build_error_with_context(v['context'], "Can not append exceptions to existing rule, only conditions"), warnings
-	       end
-
 	       state.rules_by_name[v['rule']]['condition'] = state.rules_by_name[v['rule']]['condition'] .. " " .. v['condition']
 
 	    -- Add the current object to the context of the base rule
@@ -492,7 +417,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 
 	    for j, field in ipairs({'condition', 'output', 'desc', 'priority'}) do
 	       if (v[field] == nil) then
-		  return false, build_error_with_context(v['context'], "Rule must have property "..field), warnings
+		  return false, build_error_with_context(v['context'], "Rule must have property "..field)
 	       end
 	    end
 
@@ -520,77 +445,17 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	       state.skipped_rules_by_name[v['rule']] = v
 	    end
 	 end
-      elseif (v['exception']) then
-
-	 for i, eitem in ipairs(v['items']) do
-	    local name = eitem['name']
-	    local fields = eitem['values']
-
-	    if name == nil then
-	       return false, build_error_with_context(v['context'], "Exception item must have name property"), warnings
-	    end
-
-	    if fields == nil then
-	       return false, build_error_with_context(v['context'], "Exception item "..name..": must have values property with a list of values"), warnings
-	    end
-	 end
-	 state.exceptions_by_name[v['exception']] = v
       else
+	 -- Remove the context from the table, so the table is exactly what was parsed
 	 local context = v['context']
-
-	 arr = build_error_with_context(context, "Unknown top level object: "..table.tostring(v))
-	 warnings[#warnings + 1] = arr[1]
+	 v['context'] = nil
+	 return false, build_error_with_context(context, "Unknown rule object: "..table.tostring(v))
       end
    end
 
-   return true, {}, warnings
+   return true, ""
 end
 
--- cond and not ((proc.name=apk and fd.directory=/usr/lib/alpine) or (proc.name=npm and fd.directory=/usr/node/bin) or (con
-function build_exception_condition_string(eitem, rexitems)
-
-   local fields = rexitems[eitem['name']]['fields']
-   local comps = rexitems[eitem['name']]['comps']
-
-   local icond = ""
-
-   for i, values in ipairs(eitem['values']) do
-
-      if #fields ~= #values then
-	 return nil, "Exception item "..eitem['name']..": fields and values lists must have equal length"
-      end
-
-      if icond ~= "" then
-	 icond=icond.." or "
-      end
-
-      icond=icond.."("
-
-      for k=1,#fields do
-	 if k > 1 then
-	    icond=icond.." and "
-	 end
-	 -- Quote the value if not already quoted
-	 local ival = values[k]
-	 if string.sub(values[k], 1, 1) ~= "'" and string.sub(values[k], 1, 1) ~= '"' then
-	    ival = "\""..ival.."\""
-	 end
-
-	 icond = icond..fields[k].." "..comps[k]..ival
-      end
-
-      icond=icond..")"
-   end
-
-   return icond, nil
-
-end
-
--- Returns:
--- - Load Result: bool
--- - required engine version. will be nil when load result is false
--- - List of Errors
--- - List of Warnings
 function load_rules(sinsp_lua_parser,
 		    json_lua_parser,
 		    rules_content,
@@ -601,8 +466,6 @@ function load_rules(sinsp_lua_parser,
 		    replace_container_info,
 		    min_priority)
 
-   local warnings = {}
-
    local load_state = {lines={}, indices={}, cur_item_idx=0, min_priority=min_priority, required_engine_version=0}
 
    load_state.lines, load_state.indices = split_lines(rules_content)
@@ -624,42 +487,36 @@ function load_rules(sinsp_lua_parser,
       row = tonumber(row)
       col = tonumber(col)
 
-      return false, nil, build_error(load_state.lines, row, 3, docs), warnings
+      return false, build_error(load_state.lines, row, 3, docs)
    end
 
    if docs == nil then
       -- An empty rules file is acceptable
-      return true, load_state.required_engine_version, {}, warnings
+      return true, load_state.required_engine_version
    end
 
    if type(docs) ~= "table" then
-      return false, nil, build_error(load_state.lines, 1, 1, "Rules content is not yaml"), warnings
+      return false, build_error(load_state.lines, 1, 1, "Rules content is not yaml")
    end
 
    for docidx, doc in ipairs(docs) do
 
       if type(doc) ~= "table" then
-	 return false, nil, build_error(load_state.lines, 1, 1, "Rules content is not yaml"), warnings
+	 return false, build_error(load_state.lines, 1, 1, "Rules content is not yaml")
       end
 
       -- Look for non-numeric indices--implies that document is not array
       -- of objects.
       for key, val in pairs(doc) do
 	 if type(key) ~= "number" then
-	    return false, nil, build_error(load_state.lines, 1, 1, "Rules content is not yaml array of objects"), warnings
+	    return false, build_error(load_state.lines, 1, 1, "Rules content is not yaml array of objects")
 	 end
       end
 
-      res, errors, doc_warnings = load_rules_doc(rules_mgr, doc, load_state)
-
-      if (doc_warnings ~= nil) then
-	 for idx, warning in pairs(doc_warnings) do
-	    table.insert(warnings, warning)
-	 end
-      end
+      res, errstr = load_rules_doc(rules_mgr, doc, load_state)
 
       if not res then
-	 return res, nil, errors, warnings
+	 return res, errstr
       end
    end
 
@@ -669,52 +526,6 @@ function load_rules(sinsp_lua_parser,
    -- in which they appeared in the file(s).
    reset_rules(rules_mgr)
 
-   -- Turn exceptions into condition strings and add them to each
-   -- rule's condition
-   for ename, exc in pairs(state.exceptions_by_name) do
-
-      if state.rules_by_name[ename] == nil then
-	 warnings[#warnings + 1] = "No rule matching exception name "..exc['exception']
-      else
-
-	 local rexitems = {}
-
-	 -- Create a map from item name to object, speeds up matching
-	 for i, iobj in ipairs(state.rules_by_name[ename].exceptions) do
-	    rexitems[iobj['name']] = iobj
-	 end
-	 -- Usep the exception items, combined with any exceptions in
-	 -- the rules, to build condition strings to append to the
-	 -- rule's condition.
-	 local econd = ""
-
-	 for i, eitem in ipairs(exc['items']) do
-
-	    if rexitems[eitem['name']] == nil then
-	       warnings[#warnings + 1] = "Exception "..ename..": no set of fields matching name "..eitem['name']
-	    else
-	       icond, err = build_exception_condition_string(eitem, rexitems)
-
-	       if err ~= nil then
-		  return false, nil, build_error_with_context(exc['context'], err), warnings
-	       end
-
-	       if econd == "" then
-		  econd = econd.." and not ("..icond
-	       else
-		  econd = econd.." or "..icond
-	       end
-	    end
-	 end
-
-	 if econd ~= "" then
-	    econd=econd..")"
-
-	    state.rules_by_name[ename]['condition'] = "("..state.rules_by_name[ename]['condition']..") "..econd
-	 end
-      end
-   end
-
    for i, name in ipairs(state.ordered_list_names) do
 
       local v = state.lists_by_name[name]
@@ -745,7 +556,7 @@ function load_rules(sinsp_lua_parser,
       local status, ast = compiler.compile_macro(v['condition'], state.macros, state.lists)
 
       if status == false then
-	 return false, nil, build_error_with_context(v['context'], ast), warnings
+	 return false, build_error_with_context(v['context'], ast)
       end
 
       if v['source'] == "syscall" then
@@ -770,7 +581,7 @@ function load_rules(sinsp_lua_parser,
 								  state.macros, state.lists)
 
       if status == false then
-	 return false, nil, build_error_with_context(v['context'], filter_ast), warnings
+	 return false, build_error_with_context(v['context'], filter_ast)
       end
 
       local evtttypes = {}
@@ -820,10 +631,12 @@ function load_rules(sinsp_lua_parser,
 	 end
 
 	 if not found then
-	    msg = "rule \""..v['rule'].."\" contains unknown filter "..filter
-	    warnings[#warnings + 1] = msg
-
-	    if not v['skip-if-unknown-filter'] then
+	    if v['skip-if-unknown-filter'] then
+	       if verbose then
+		  print("Skipping rule \""..v['rule'].."\" that contains unknown filter "..filter)
+	       end
+	       goto next_rule
+	    else
 	       error("Rule \""..v['rule'].."\" contains unknown filter "..filter)
 	    end
 	 end
@@ -906,30 +719,30 @@ function load_rules(sinsp_lua_parser,
 	 formatter = formats.formatter(v['source'], v['output'])
 	 formats.free_formatter(v['source'], formatter)
       else
-	 return false, nil, build_error_with_context(v['context'], "Unexpected type in load_rule: "..filter_ast.type), warnings
+	 return false, build_error_with_context(v['context'], "Unexpected type in load_rule: "..filter_ast.type)
       end
 
       ::next_rule::
    end
 
-   -- Print info on any dangling lists or macros that were not used anywhere
-   for name, macro in pairs(state.macros) do
-      if macro.used == false then
-	 msg = "macro "..name.." not refered to by any rule/macro"
-	 warnings[#warnings + 1] = msg
+   if verbose then
+      -- Print info on any dangling lists or macros that were not used anywhere
+      for name, macro in pairs(state.macros) do
+	 if macro.used == false then
+	    print("Warning: macro "..name.." not refered to by any rule/macro")
+	 end
       end
-   end
 
-   for name, list in pairs(state.lists) do
-      if list.used == false then
-	 msg = "list "..name.." not refered to by any rule/macro/list"
-	 warnings[#warnings + 1] = msg
+      for name, list in pairs(state.lists) do
+	 if list.used == false then
+	    print("Warning: list "..name.." not refered to by any rule/macro/list")
+	 end
       end
    end
 
    io.flush()
 
-   return true, load_state.required_engine_version, {}, warnings
+   return true, load_state.required_engine_version
 end
 
 local rule_fmt = "%-50s %s"

userspace/engine/rules.cpp

@@ -14,9 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-#include <sstream>
-
 #include "rules.h"
+#include "logger.h"
 
 extern "C" {
 #include "lua.h"
@@ -220,31 +219,6 @@ int falco_rules::engine_version(lua_State *ls)
 	return 1;
 }
 
-static std::list<std::string> get_lua_table_values(lua_State *ls, int idx)
-{
-	std::list<std::string> ret;
-
-	if (lua_isnil(ls, idx)) {
-		return ret;
-	}
-
-	lua_pushnil(ls);  /* first key */
-	while (lua_next(ls, idx-1) != 0) {
-                // key is at index -2, value is at index
-                // -1. We want the values.
-		if (! lua_isstring(ls, -1)) {
-			std::string err = "Non-string value in table of strings";
-			throw falco_exception(err);
-		}
-		ret.push_back(string(lua_tostring(ls, -1)));
-
-		// Remove value, keep key for next iteration
-		lua_pop(ls, 1);
-	}
-
-	return ret;
-}
-
 void falco_rules::load_rules(const string &rules_content,
 			     bool verbose, bool all_events,
 			     string &extra, bool replace_container_info,
@@ -450,7 +424,7 @@ void falco_rules::load_rules(const string &rules_content,
 		lua_pushstring(m_ls, extra.c_str());
 		lua_pushboolean(m_ls, (replace_container_info ? 1 : 0));
 		lua_pushnumber(m_ls, min_priority);
-		if(lua_pcall(m_ls, 9, 4, 0) != 0)
+		if(lua_pcall(m_ls, 9, 2, 0) != 0)
 		{
 			const char* lerr = lua_tostring(m_ls, -1);
 
@@ -459,49 +433,20 @@ void falco_rules::load_rules(const string &rules_content,
 			throw falco_exception(err);
 		}
 
-		// Returns:
-		// Load result: bool
-		// required engine version: will be nil when load result is false
-		// array of errors
-		// array of warnings
-		bool successful = lua_toboolean(m_ls, -4);
-		required_engine_version = lua_tonumber(m_ls, -3);
-		std::list<std::string> errors = get_lua_table_values(m_ls, -2);
-		std::list<std::string> warnings = get_lua_table_values(m_ls, -1);
+		// Either returns (true, required_engine_version), or (false, error string)
+		bool successful = lua_toboolean(m_ls, -2);
 
-		// Concatenate errors/warnings
-		std::ostringstream os;
-		if (errors.size() > 0)
+		if(successful)
 		{
-			os << errors.size() << " errors:" << std::endl;
-			for(auto err : errors)
-			{
-				os << err << std::endl;
-			}
+			required_engine_version = lua_tonumber(m_ls, -1);
 		}
-
-		if (warnings.size() > 0)
+		else
 		{
-			os << warnings.size() << " warnings:" << std::endl;
-			for(auto warn : warnings)
-			{
-				os << warn << std::endl;
-			}
+			std::string err = lua_tostring(m_ls, -1);
+			throw falco_exception(err);
 		}
 
-		if(!successful)
-		{
-			throw falco_exception(os.str());
-		}
-
-		if (verbose && os.str() != "") {
-			// We don't really have a logging callback
-			// from the falco engine, but this would be a
-			// good place to use it.
-			fprintf(stderr, "When reading rules content: %s", os.str().c_str());
-		}
-
-		lua_pop(m_ls, 4);
+		lua_pop(m_ls, 2);
 
 	} else {
 		throw falco_exception("No function " + m_lua_load_rules + " found in lua rule module");

userspace/falco/falco.cpp

@@ -804,7 +804,7 @@ int falco_init(int argc, char **argv)
 				}
 				catch(falco_exception &e)
 				{
-					printf("%s%s", prefix.c_str(), e.what());
+					printf("%s%s\n", prefix.c_str(), e.what());
 					throw;
 				}
 				printf("%sOk\n", prefix.c_str());
@@ -861,15 +861,7 @@ int falco_init(int argc, char **argv)
 			falco_logger::log(LOG_INFO, "Loading rules from file " + filename + ":\n");
 			uint64_t required_engine_version;
 
-			try {
-				engine->load_rules_file(filename, verbose, all_events, required_engine_version);
-			}
-			catch(falco_exception &e)
-			{
-				std::string prefix = "Could not load rules file " + filename + ": ";
-
-				throw falco_exception(prefix + e.what());
-			}
+			engine->load_rules_file(filename, verbose, all_events, required_engine_version);
 			required_engine_versions[filename] = required_engine_version;
 		}
 
@@ -1179,8 +1171,8 @@ int falco_init(int argc, char **argv)
 						falco_logger::log(LOG_ERR, "Unable to load the driver.\n");
 					}
 					open_f(inspector);
-				}
-				else
+				} 
+				else 
 				{
 					rethrow_exception(current_exception());
 				}
@@ -1289,7 +1281,7 @@ int falco_init(int argc, char **argv)
 
 		if(!trace_filename.empty() && !trace_is_scap)
 		{
-#ifndef MINIMAL_BUILD
+#ifndef MINIMAL_BUILD			
 			read_k8s_audit_trace_file(engine,
 						  outputs,
 						  trace_filename);