More rule error/warnings handling cleanups

More exceptions handling cleanups.
Update tests to add error counts
2026-03-28 07:32:26 +00:00 · 2020-10-02 16:56:22 -07:00 · 2020-10-02 16:56:03 -07:00 · 2020-10-02 16:54:55 -07:00 · 2020-10-02 16:52:44 -07:00 · 2020-10-02 16:51:43 -07:00
42 changed files with 696 additions and 1258 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -306,33 +306,6 @@ jobs:
      - run:
          name: Execute driver-loader integration tests
          command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
-  # Code quality
-  "quality/static-analysis":
-    docker:
-      - image: falcosecurity/falco-builder:latest
-        environment:
-          BUILD_TYPE: "release"
-    steps:
-      - run:
-          name: Install cppcheck
-          command: |
-            yum update -y
-            yum install epel-release -y
-            yum install cppcheck cppcheck-htmlreport -y
-      - checkout:
-          path: /source/falco
-      - run:
-          name: Prepare project
-          command: /usr/bin/entrypoint cmake
-      - run:
-          name: cppcheck
-          command: /usr/bin/entrypoint cppcheck
-      - run:
-          name: cppcheck html report
-          command: /usr/bin/entrypoint cppcheck_htmlreport
-      - store_artifacts:
-          path: /build/release/static-analysis-reports
-          destination: /static-analysis-reports
  # Sign rpm packages
  "rpm/sign":
    docker:
@@ -573,7 +546,6 @@ workflows:
          requires:
            - "publish/packages-dev"
            - "tests/driver-loader/integration"
-      - "quality/static-analysis"
  release:
    jobs:
      - "build/musl":
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,51 +1,6 @@
 # Change Log

-## v0.26.1
-
-Released on 2020-10-01
-
-### Major Changes
-
-* new: CLI flag `--alternate-lua-dir` to load Lua files from arbitrary paths [[#1419](https://github.com/falcosecurity/falco/pull/1419)] - [@admiral0](https://github.com/admiral0)
-
-
-### Rule Changes
-
-* rule(Delete or rename shell history): fix warnings/FPs + container teardown [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
-* rule(Write below root): ensure proc_name_exists too [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
-
-
-## v0.26.0
-
-Released on 2020-24-09
-
-### Major Changes
-
-* new: address several sources of FPs, primarily from GKE environments. [[#1372](https://github.com/falcosecurity/falco/pull/1372)] - [@mstemm](https://github.com/mstemm)
-* new: driver updated to 2aa88dcf6243982697811df4c1b484bcbe9488a2 [[#1410](https://github.com/falcosecurity/falco/pull/1410)] - [@leogr](https://github.com/leogr)
-* new(scripts/falco-driver-loader): detect and try to build the Falco kernel module driver using different GCC versions available in the current environment. [[#1408](https://github.com/falcosecurity/falco/pull/1408)] - [@fntlnz](https://github.com/fntlnz)
-* new: tgz (tarball) containing the statically-linked (musl) binary of Falco is now automatically built and published on bintray [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)
-
-
-### Minor Changes
-
-* update: bump Falco engine version to 7 [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
-* update: the required_engine_version is now on by default [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
-* update: falcosecurity/falco-no-driver image now uses the statically-linked Falco [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)
-* docs(proposals): artifacts storage [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)
-* docs(proposals): artifacts cleanup [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)
-
-
-### Rule Changes
-
-* rule(macro inbound_outbound): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
-* rule(macro redis_writing_conf): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
-* rule(macro run_by_foreman): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
-* rule(macro consider_packet_socket_communication): enable "Packet socket created in container" rule by default. [[#1402](https://github.com/falcosecurity/falco/pull/1402)] - [@rung](https://github.com/rung)
-* rule(Delete or rename shell history): skip docker overlay filesystems when considering bash history [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
-* rule(Disallowed K8s User): quote colons in user names [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
-* rule(macro falco_sensitive_mount_containers): Adds a trailing slash to avoid repo naming issues [[#1394](https://github.com/falcosecurity/falco/pull/1394)] - [@bgeesaman](https://github.com/bgeesaman)
-* rule: adds user.loginuid to the default Falco rules that also contain user.name [[#1369](https://github.com/falcosecurity/falco/pull/1369)] - [@csschwe](https://github.com/csschwe)
+This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).

 ## v0.25.0

--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -57,7 +57,7 @@ if(MINIMAL_BUILD)
 endif()

 if(MUSL_OPTIMIZED_BUILD)
-  set(MUSL_FLAGS "-static -Os")
+  set(MUSL_FLAGS "-static -Os -D__NEED_struct_timespec -D__NEED_time_t")
 endif()

 set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
@@ -254,9 +254,6 @@ add_subdirectory(docker)
 # Clang format
 # add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)

-# Static analysis
-include(static-analysis)
-
 # Shared build variables
 set(FALCO_SINSP_LIBRARY sinsp)
 set(FALCO_SHARE_DIR share/falco)
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -4,16 +4,14 @@ Our release process is mostly automated, but we still need some manual steps to

 Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.

-A release happens every two months ([as per community discussion](https://github.com/falcosecurity/community/blob/master/meeting-notes/2020-09-30.md#agenda)), and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
+Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.

 Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.

 ## Pre-Release Checklist

-Before cutting a release we need to do some homework in the Falco repository. This should take 5 minutes using the GitHub UI.
-
 ### 1. Release notes
- Find the LAST release (-1) and use `YYYY-MM-DD` as the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
+- Let `YYYY-MM-DD` the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
 - Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
    - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
    - If the PR has no milestone, assign it to the milestone currently undergoing release
@@ -30,15 +28,14 @@ Before cutting a release we need to do some homework in the Falco repository. Th
    - If any, manually correct it then open an issue to automate version number bumping later
    - Versions table in the `README.md` update itself automatically
 - Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
-    - If you review timeout errors with `rn2md` try to generate an GitHub Oauth access token and use `-t`
- Add the latest changes on top the previous `CHANGELOG.md`
+- Add the lastest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
 - Await PR approval
- Close the completed milestone as soon as the PR is merged
+- Close the completed milestone as soon PR is merged

 ## Release

-Now assume `x.y.z` is the new version.
+Let `x.y.z` the new version.

 ### 1. Create a tag

@@ -61,29 +58,15 @@ Now assume `x.y.z` is the new version.
 - Use `x.y.z` both as tag version and release title
 - Use the following template to fill the release description:
    ```
-    <!-- Substitute x.y.z with the current release version -->
-
-    | Packages | Download                                                                                                                                               |
-    | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
-    | rpm      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/rpm/falco-x.y.z-x86_64.rpm)        |
-    | deb      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/deb/stable/falco-x.y.z-x86_64.deb) |
-    | tgz      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/bin/x86_64/falco-x.y.z-x86_64.deb) |
-
-    | Images                                                          |
-    | --------------------------------------------------------------- |
-    | `docker pull docker.io/falcosecurity/falco:_tag_`               |
-    | `docker pull docker.io/falcosecurity/falco-driver-loader:_tag_` |
-    | `docker pull docker.io/falcosecurity/falco-no-driver:_tag_`     |
-
    <!-- Copy the relevant part of the changelog here -->

    ### Statistics

-    | Merged PRs      | Number |
-    | --------------- | ------ |
-    | Not user-facing | x      |
-    | Release note    | x      |
-    | Total           | x      |
+    | Merged PRs        | Number  |
+    |-------------------|---------|
+    | Not user-facing   | x       |
+    | Release note      | x       |
+    | Total             | x       |

    <!-- Calculate stats and fill the above table -->
    ```
--- a/brand/README.md
+++ b/brand/README.md
@@ -15,21 +15,6 @@ There are 3 logos available for use in this directory. Use the primary logo unle

 The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project.

-### Colors
-
-| Name      | PMS  | RGB         |
-|-----------|------|-------------|
-| Teal      | 3125 |   0 174 199 |
-| Cool Gray |   11 |  83  86  90 |
-| Black     |      |   0   0   0 |
-| Blue-Gray | 7700 |  22 92 125  |
-| Gold      | 1375 | 255 158  27 |
-| Orange    |  171 | 255  92  57 |
-| Emerald   | 3278 |   0 155 119 |
-| Green     |  360 | 108 194  74 |
-
-The primary colors are those in the first two rows.
-
 ### Slogan

 > Cloud Native Runtime Security
--- a/cmake/modules/static-analysis.cmake
+++ b/cmake/modules/static-analysis.cmake
@@ -1,42 +0,0 @@
-# create the reports folder
-file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports)
-file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck)
-
-# cppcheck
-find_program(CPPCHECK cppcheck)
-find_program(CPPCHECK_HTMLREPORT cppcheck-htmlreport)
-
-if(NOT CPPCHECK)
-  message(STATUS "cppcheck command not found, static code analysis using cppcheck will not be available.")
-else()
-  message(STATUS "cppcheck found at: ${CPPCHECK}")
-  # we are aware that cppcheck can be run
-  # along with the software compilation in a single step
-  # using the CMAKE_CXX_CPPCHECK variables.
-  # However, for practical needs we want to keep the
-  # two things separated and have a specific target for it.
-  # Our cppcheck target reads the compilation database produced by CMake
-  set(CMAKE_EXPORT_COMPILE_COMMANDS On)
-  add_custom_target(
-      cppcheck
-      COMMAND ${CPPCHECK}
-      "--enable=all"
-      "--force"
-      "--inconclusive"
-      "--inline-suppr" # allows to specify suppressions directly in source code
-      "--project=${CMAKE_CURRENT_BINARY_DIR}/compile_commands.json" # use the compilation database as source
-      "--quiet"
-      "--xml" # we want to generate a report
-      "--output-file=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck/cppcheck.xml" # generate the report under the reports folder in the build folder
-      "-i${CMAKE_CURRENT_BINARY_DIR}"# exclude the build folder
-  )
-endif() # CPPCHECK
-
-if(NOT CPPCHECK_HTMLREPORT)
-  message(STATUS "cppcheck-htmlreport command not found, will not be able to produce html reports for cppcheck results")
-else()
-  message(STATUS "cppcheck-htmlreport found at: ${CPPCHECK_HTMLREPORT}")
-  add_custom_target(
-    cppcheck_htmlreport
-    COMMAND ${CPPCHECK_HTMLREPORT} --title=${CMAKE_PROJECT_NAME} --report-dir=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck --file=static-analysis-reports/cppcheck/cppcheck.xml)
-endif() # CPPCHECK_HTMLREPORT
--- a/cmake/modules/sysdig.cmake
+++ b/cmake/modules/sysdig.cmake
@@ -29,8 +29,8 @@ file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 # default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
 # -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "2aa88dcf6243982697811df4c1b484bcbe9488a2")
-  set(SYSDIG_CHECKSUM "SHA256=a737077543a6f3473ab306b424bcf7385d788149829ed1538252661b0f20d0f6")
+  set(SYSDIG_VERSION "73554b9c48b06612eb50494ee6fa5b779c57edc0") # todo(leogr): set the correct version and checksum before merging
+  set(SYSDIG_CHECKSUM "SHA256=c1c73498a834533dea61c979786a4ac3866743c17829d81aef209ddaa1b31538")
 endif()
 set(PROBE_VERSION "${SYSDIG_VERSION}")

--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -49,7 +49,7 @@
    "kubernetes-admin",
    vertical_pod_autoscaler_users,
    cluster-autoscaler,
-    "system:addon-manager"
+    system:addon-manager
    ]

 - rule: Disallowed K8s User
--- a/test/falco_tests_exceptions.yaml
+++ b/test/falco_tests_exceptions.yaml
@@ -33,7 +33,21 @@ trace_files: !mux
        priority: error
      ---
    validate_rules_file:
-      - rules/exceptions/item_no_fields.yaml
+      - rules/exceptions/rule_item_no_fields.yaml
+    trace_file: trace_files/cat_write.scap
+
+  exception_no_values:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Exception item ex1: must have values property with a list of values
+      ---
+      - exception: My Rule
+        items:
+          - name: ex1
+      ---
+    validate_rules_file:
+      - rules/exceptions/exception_item_no_values.yaml
    trace_file: trace_files/cat_write.scap

  rule_exception_no_name:
@@ -51,23 +65,39 @@ trace_files: !mux
        priority: error
      ---
    validate_rules_file:
-      - rules/exceptions/item_no_name.yaml
+      - rules/exceptions/rule_item_no_name.yaml
    trace_file: trace_files/cat_write.scap

-  rule_exception_append_no_name:
+  exception_no_name:
    exit_status: 1
    stdout_is: |+
      1 errors:
-      Rule exception item must have name property
+      Exception item must have name property
      ---
-      - rule: My Rule
-        exceptions:
+      - exception: My Rule
+        items:
          - values:
              - [nginx, /tmp/foo]
+      ---
+    validate_rules_file:
+      - rules/exceptions/exception_item_no_name.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Can not append exceptions to existing rule, only conditions
+      ---
+      - rule: My Rule
+        condition: and proc.name=apache
+        exceptions:
+          - name: ex2
+            fields: [proc.name, fd.filename]
        append: true
      ---
    validate_rules_file:
-      - rules/exceptions/append_item_no_name.yaml
+      - rules/exceptions/rule_append_exception.yaml
    trace_file: trace_files/cat_write.scap

  rule_exception_unknown_fields:
@@ -86,7 +116,7 @@ trace_files: !mux
        priority: error
      ---
    validate_rules_file:
-      - rules/exceptions/item_unknown_fields.yaml
+      - rules/exceptions/rule_item_unknown_fields.yaml
    trace_file: trace_files/cat_write.scap

  rule_exception_comps_fields_len_mismatch:
@@ -106,7 +136,7 @@ trace_files: !mux
        priority: error
      ---
    validate_rules_file:
-      - rules/exceptions/item_comps_fields_len_mismatch.yaml
+      - rules/exceptions/rule_item_comps_fields_len_mismatch.yaml
    trace_file: trace_files/cat_write.scap

  rule_exception_unknown_comp:
@@ -126,63 +156,32 @@ trace_files: !mux
        priority: error
      ---
    validate_rules_file:
-      - rules/exceptions/item_unknown_comp.yaml
+      - rules/exceptions/rule_item_unknown_comp.yaml
    trace_file: trace_files/cat_write.scap

-  rule_exception_fields_values_len_mismatch:
+  exception_fields_values_len_mismatch:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Exception item ex1: fields and values lists must have equal length
      ---
-      - rule: My Rule
-        desc: Some desc
-        condition: evt.type=open and proc.name=cat
-        output: Some output
-        exceptions:
-          - name: ex1
-            fields: [proc.name, fd.filename]
-            values:
-              - [nginx]
-        priority: error
-      ---
-    validate_rules_file:
-      - rules/exceptions/item_fields_values_len_mismatch.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_append_fields_values_len_mismatch:
-    exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Exception item ex1: fields and values lists must have equal length
-      ---
-      - rule: My Rule
-        desc: Some desc
-        condition: evt.type=open and proc.name=cat
-        output: Some output
-        exceptions:
-          - name: ex1
-            fields: [proc.name, fd.filename]
-        priority: error
-
-      - rule: My Rule
-        exceptions:
+      - exception: My Rule
+        items:
          - name: ex1
            values:
              - [nginx]
-        append: true
      ---
    validate_rules_file:
-      - rules/exceptions/append_item_fields_values_len_mismatch.yaml
+      - rules/exceptions/exception_item_fields_values_len_mismatch.yaml
    trace_file: trace_files/cat_write.scap

-  rule_exception_append_item_not_in_rule:
+  exception_item_not_in_rule:
    exit_status: 0
    stderr_contains: |+
      1 warnings:
-      Rule My Rule with append=true: no set of fields matching name ex2
+      Exception My Rule: no set of fields matching name ex2
    validate_rules_file:
-      - rules/exceptions/append_item_not_in_rule.yaml
+      - rules/exceptions/exception_item_not_in_rule.yaml
    trace_file: trace_files/cat_write.scap

  rule_without_exception:
@@ -208,13 +207,6 @@ trace_files: !mux
      - rules/exceptions/rule_exception_one_value.yaml
    trace_file: trace_files/cat_write.scap

-  rule_exception_append_one_value:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_append_one_value.yaml
-    trace_file: trace_files/cat_write.scap
-
  rule_exception_second_value:
    detect: False
    detect_level: WARNING
@@ -222,13 +214,6 @@ trace_files: !mux
      - rules/exceptions/rule_exception_second_value.yaml
    trace_file: trace_files/cat_write.scap

-  rule_exception_append_second_value:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_append_second_value.yaml
-    trace_file: trace_files/cat_write.scap
-
  rule_exception_second_item:
    detect: False
    detect_level: WARNING
@@ -236,13 +221,6 @@ trace_files: !mux
      - rules/exceptions/rule_exception_second_item.yaml
    trace_file: trace_files/cat_write.scap

-  rule_exception_append_second_item:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_append_second_item.yaml
-    trace_file: trace_files/cat_write.scap
-
  rule_exception_third_item:
    detect: False
    detect_level: WARNING
@@ -250,13 +228,6 @@ trace_files: !mux
      - rules/exceptions/rule_exception_third_item.yaml
    trace_file: trace_files/cat_write.scap

-  rule_exception_append_third_item:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_append_third_item.yaml
-    trace_file: trace_files/cat_write.scap
-
  rule_exception_quoted:
    detect: False
    detect_level: WARNING
@@ -264,11 +235,18 @@ trace_files: !mux
      - rules/exceptions/rule_exception_quoted.yaml
    trace_file: trace_files/cat_write.scap

-  rule_exception_append_multiple_values:
+  rule_exception_append_values:
    detect: False
    detect_level: WARNING
    rules_file:
-      - rules/exceptions/rule_exception_append_multiple.yaml
+      - rules/exceptions/rule_exception_append.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_values_before:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_values_before.yaml
    trace_file: trace_files/cat_write.scap

  rule_exception_comp:
@@ -278,46 +256,4 @@ trace_files: !mux
      - rules/exceptions/rule_exception_comp.yaml
    trace_file: trace_files/cat_write.scap

-  rule_exception_append_comp:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_append_comp.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_values_listref:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_values_listref.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_values_listref_noparens:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_values_listref_noparens.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_values_list:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_values_list.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_single_field:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_single_field.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_single_field_append:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_single_field_append.yaml
-    trace_file: trace_files/cat_write.scap
-

--- a/test/rules/exceptions/exception_item_fields_values_len_mismatch.yaml
+++ b/test/rules/exceptions/exception_item_fields_values_len_mismatch.yaml
@@ -23,9 +23,8 @@
      fields: [proc.name, fd.filename]
  priority: error

- rule: My Rule
-  exceptions:
+- exception: My Rule
+  items:
    - name: ex1
      values:
        - [nginx]
-  append: true
--- a/test/rules/exceptions/exception_item_no_name.yaml
+++ b/test/rules/exceptions/exception_item_no_name.yaml
@@ -23,8 +23,7 @@
      fields: [proc.name, fd.filename]
  priority: error

- rule: My Rule
-  exceptions:
+- exception: My Rule
+  items:
    - values:
        - [nginx, /tmp/foo]
-  append: true
--- a/test/rules/exceptions/item_fields_values_len_mismatch.yaml
+++ b/test/rules/exceptions/item_fields_values_len_mismatch.yaml
@@ -21,6 +21,8 @@
  exceptions:
    - name: ex1
      fields: [proc.name, fd.filename]
-      values:
-        - [nginx]
  priority: error
+
+- exception: My Rule
+  items:
+    - name: ex1
--- a/test/rules/exceptions/exception_item_not_in_rule.yaml
+++ b/test/rules/exceptions/exception_item_not_in_rule.yaml
@@ -23,9 +23,8 @@
      fields: [proc.name, fd.filename]
  priority: error

- rule: My Rule
-  exceptions:
+- exception: My Rule
+  items:
    - name: ex2
      values:
        - [apache, /tmp]
-  append: true
--- a/test/rules/exceptions/rule_append_exception.yaml
+++ b/test/rules/exceptions/rule_append_exception.yaml
@@ -0,0 +1,31 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: My Rule
+  desc: Some desc
+  condition: evt.type=open and proc.name=cat
+  output: Some output
+  exceptions:
+    - name: ex1
+      fields: [proc.name, fd.filename]
+  priority: error
+
+- rule: My Rule
+  condition: and proc.name=apache
+  exceptions:
+    - name: ex2
+      fields: [proc.name, fd.filename]
+  append: true
--- a/test/rules/exceptions/rule_exception_append_multiple.yaml
+++ b/test/rules/exceptions/rule_exception_append_multiple.yaml
@@ -27,16 +27,14 @@
      fields: [proc.name, proc.cmdline, proc.pname]
  priority: WARNING

- rule: Open From Cat
-  exceptions:
+- exception: Open From Cat
+  items:
    - name: proc_name
      values:
        - [not-cat]
-  append: true

- rule: Open From Cat
-  exceptions:
+- exception: Open From Cat
+  items:
    - name: proc_name
      values:
        - [cat]
-  append: true
--- a/test/rules/exceptions/rule_exception_append_comp.yaml
+++ b/test/rules/exceptions/rule_exception_append_comp.yaml
@@ -1,38 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_name
-      fields: [proc.name]
-    - name: proc_name_contains
-      fields: [proc.name]
-      comps: [contains]
-    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
-    - name: proc_name_cmdline_pname
-      fields: [proc.name, proc.cmdline, proc.pname]
-  priority: WARNING
-
- rule: Open From Cat
-  exceptions:
-    - name: proc_name_contains
-      values:
-        - [cat]
-  append: true
--- a/test/rules/exceptions/rule_exception_append_second_item.yaml
+++ b/test/rules/exceptions/rule_exception_append_second_item.yaml
@@ -1,41 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_name
-      fields: [proc.name]
-    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
-    - name: proc_name_cmdline_pname
-      fields: [proc.name, proc.cmdline, proc.pname]
-  priority: WARNING
-
- rule: Open From Cat
-  exceptions:
-    - name: proc_name
-      values:
-        - [not-cat]
-    - name: proc_name_cmdline
-      values:
-        - [cat, "cat /dev/null"]
-    - name: proc_name_cmdline_pname
-      values:
-        - [not-cat, "cat /dev/null", bash]
-  append: true
--- a/test/rules/exceptions/rule_exception_append_second_value.yaml
+++ b/test/rules/exceptions/rule_exception_append_second_value.yaml
@@ -1,36 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_name
-      fields: [proc.name]
-    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
-    - name: proc_name_cmdline_pname
-      fields: [proc.name, proc.cmdline, proc.pname]
-  priority: WARNING
-
- rule: Open From Cat
-  exceptions:
-    - name: proc_name_cmdline
-      values:
-        - [not-cat, not-cat]
-        - [cat, "cat /dev/null"]
-  append: true
--- a/test/rules/exceptions/rule_exception_append_third_item.yaml
+++ b/test/rules/exceptions/rule_exception_append_third_item.yaml
@@ -1,41 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_name
-      fields: [proc.name]
-    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
-    - name: proc_name_cmdline_pname
-      fields: [proc.name, proc.cmdline, proc.pname]
-  priority: WARNING
-
- rule: Open From Cat
-  exceptions:
-    - name: proc_name
-      values:
-        - [not-cat]
-    - name: proc_name_cmdline
-      values:
-        - [not-cat, "cat /dev/null"]
-    - name: proc_name_cmdline_pname
-      values:
-        - [cat, "cat /dev/null", bash]
-  append: true
--- a/test/rules/exceptions/rule_exception_comp.yaml
+++ b/test/rules/exceptions/rule_exception_comp.yaml
@@ -24,11 +24,14 @@
    - name: proc_name_contains
      fields: [proc.name]
      comps: [contains]
-      values:
-        - [cat]
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
    - name: proc_name_cmdline_pname
      fields: [proc.name, proc.cmdline, proc.pname]
  priority: WARNING

+- exception: Open From Cat
+  items:
+    - name: proc_name_contains
+      values:
+        - [cat]
--- a/test/rules/exceptions/rule_exception_one_value.yaml
+++ b/test/rules/exceptions/rule_exception_one_value.yaml
@@ -21,10 +21,14 @@
  exceptions:
    - name: proc_name
      fields: [proc.name]
-      values:
-        - [cat]
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
    - name: proc_name_cmdline_pname
      fields: [proc.name, proc.cmdline, proc.pname]
  priority: WARNING
+
+- exception: Open From Cat
+  items:
+    - name: proc_name
+      values:
+        - [cat]
--- a/test/rules/exceptions/rule_exception_quoted.yaml
+++ b/test/rules/exceptions/rule_exception_quoted.yaml
@@ -27,10 +27,9 @@
      fields: [proc.name, proc.cmdline, proc.pname]
  priority: WARNING

- rule: Open From Cat
-  exceptions:
+- exception: Open From Cat
+  items:
    - name: proc_name_cmdline
      values:
        - [not-cat, not-cat]
        - [cat, '"cat /dev/null"']
-  append: true
--- a/test/rules/exceptions/rule_exception_second_item.yaml
+++ b/test/rules/exceptions/rule_exception_second_item.yaml
@@ -21,14 +21,20 @@
  exceptions:
    - name: proc_name
      fields: [proc.name]
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+    - name: proc_name_cmdline_pname
+      fields: [proc.name, proc.cmdline, proc.pname]
+  priority: WARNING
+
+- exception: Open From Cat
+  items:
+    - name: proc_name
      values:
        - [not-cat]
    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
      values:
        - [cat, "cat /dev/null"]
    - name: proc_name_cmdline_pname
-      fields: [proc.name, proc.cmdline, proc.pname]
      values:
        - [not-cat, "cat /dev/null", bash]
-  priority: WARNING
--- a/test/rules/exceptions/rule_exception_second_value.yaml
+++ b/test/rules/exceptions/rule_exception_second_value.yaml
@@ -23,10 +23,13 @@
      fields: [proc.name]
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
-      values:
-        - [not-cat, not-cat]
-        - [cat, "cat /dev/null"]
    - name: proc_name_cmdline_pname
      fields: [proc.name, proc.cmdline, proc.pname]
  priority: WARNING

+- exception: Open From Cat
+  items:
+    - name: proc_name_cmdline
+      values:
+        - [not-cat, not-cat]
+        - [cat, "cat /dev/null"]
--- a/test/rules/exceptions/rule_exception_single_field.yaml
+++ b/test/rules/exceptions/rule_exception_single_field.yaml
@@ -1,30 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_cmdline
-      fields: proc.cmdline
-      comps: in
-      values:
-        - cat /dev/zero
-        - "cat /dev/null"
-  priority: WARNING
-
--- a/test/rules/exceptions/rule_exception_single_field_append.yaml
+++ b/test/rules/exceptions/rule_exception_single_field_append.yaml
@@ -1,37 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_cmdline
-      fields: proc.cmdline
-      comps: in
-      values:
-        - cat /dev/zero
-  priority: WARNING
-
- rule: Open From Cat
-  exceptions:
-    - name: proc_cmdline
-      values:
-        - "cat /dev/null"
-  append: true
-
-
--- a/test/rules/exceptions/rule_exception_third_item.yaml
+++ b/test/rules/exceptions/rule_exception_third_item.yaml
@@ -21,14 +21,20 @@
  exceptions:
    - name: proc_name
      fields: [proc.name]
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+    - name: proc_name_cmdline_pname
+      fields: [proc.name, proc.cmdline, proc.pname]
+  priority: WARNING
+
+- exception: Open From Cat
+  items:
+    - name: proc_name
      values:
        - [not-cat]
    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
      values:
        - [not-cat, "cat /dev/null"]
    - name: proc_name_cmdline_pname
-      fields: [proc.name, proc.cmdline, proc.pname]
      values:
        - [cat, "cat /dev/null", bash]
-  priority: WARNING
--- a/test/rules/exceptions/rule_exception_append_one_value.yaml
+++ b/test/rules/exceptions/rule_exception_append_one_value.yaml
@@ -14,6 +14,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+
+- exception: Open From Cat
+  items:
+    - name: proc_name
+      values:
+        - [cat]
+
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
@@ -21,17 +28,9 @@
  exceptions:
    - name: proc_name
      fields: [proc.name]
-      values:
-        - [cat]
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
    - name: proc_name_cmdline_pname
      fields: [proc.name, proc.cmdline, proc.pname]
  priority: WARNING

- rule: Open From Cat
-  exceptions:
-    - name: proc_name
-      values:
-        - [cat]
-  append: true
--- a/test/rules/exceptions/rule_exception_values_list.yaml
+++ b/test/rules/exceptions/rule_exception_values_list.yaml
@@ -1,29 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
-      comps: [=, in]
-      values:
-        - [cat, [cat /dev/zero, "cat /dev/null"]]
-  priority: WARNING
-
--- a/test/rules/exceptions/rule_exception_values_listref.yaml
+++ b/test/rules/exceptions/rule_exception_values_listref.yaml
@@ -1,32 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
- list: cat_cmdlines
-  items: [cat /dev/zero, "cat /dev/null"]
-
- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
-      comps: [=, in]
-      values:
-        - [cat, (cat_cmdlines)]
-  priority: WARNING
-
--- a/test/rules/exceptions/rule_exception_values_listref_noparens.yaml
+++ b/test/rules/exceptions/rule_exception_values_listref_noparens.yaml
@@ -1,32 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
- list: cat_cmdlines
-  items: [cat /dev/zero, "cat /dev/null"]
-
- rule: Open From Cat
-  desc: A process named cat does an open
-  condition: evt.type=open and proc.name=cat
-  output: "An open was seen (command=%proc.cmdline)"
-  exceptions:
-    - name: proc_name_cmdline
-      fields: [proc.name, proc.cmdline]
-      comps: [=, in]
-      values:
-        - [cat, cat_cmdlines]
-  priority: WARNING
-
--- a/test/rules/exceptions/rule_item_comps_fields_len_mismatch.yaml
+++ b/test/rules/exceptions/rule_item_comps_fields_len_mismatch.yaml
--- a/test/rules/exceptions/rule_item_no_fields.yaml
+++ b/test/rules/exceptions/rule_item_no_fields.yaml
--- a/test/rules/exceptions/rule_item_no_name.yaml
+++ b/test/rules/exceptions/rule_item_no_name.yaml
--- a/test/rules/exceptions/rule_item_unknown_comp.yaml
+++ b/test/rules/exceptions/rule_item_unknown_comp.yaml
--- a/test/rules/exceptions/rule_item_unknown_fields.yaml
+++ b/test/rules/exceptions/rule_item_unknown_fields.yaml
--- a/userspace/engine/falco_engine_version.h
+++ b/userspace/engine/falco_engine_version.h
@@ -16,7 +16,7 @@ limitations under the License.

 // The version of rules/filter fields/etc supported by this falco
 // engine.
-#define FALCO_ENGINE_VERSION (8)
+#define FALCO_ENGINE_VERSION (7)

 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of falco. It's used
--- a/userspace/engine/lua/rule_loader.lua
+++ b/userspace/engine/lua/rule_loader.lua
@@ -145,17 +145,12 @@ defined_comp_operators = {
   ["pmatch"] = 1
 }

-defined_list_comp_operators = {
-   ["in"] = 1,
-   ["intersects"] = 1,
-   ["pmatch"] = 1
-}
-
 -- Note that the rules_by_name and rules_by_idx refer to the same rule
 -- object. The by_name index is used for things like describing rules,
 -- and the by_idx index is used to map the relational node index back
 -- to a rule.
 local state = {macros={}, lists={}, filter_ast=nil, rules_by_name={},
+	       exceptions_by_name={},
 	       skipped_rules_by_name={}, macros_by_name={}, lists_by_name={},
 	       n_rules=0, rules_by_idx={}, ordered_rule_names={}, ordered_macro_names={}, ordered_list_names={}}

@@ -278,22 +273,6 @@ function get_lines(rules_lines, row, num_lines)
   return ret
 end

-function quote_item(item)
-   if string.sub(item, 1, 1) ~= "'" and string.sub(item, 1, 1) ~= '"' then
-      item = "\""..item.."\""
-   end
-
-   return item
-end
-
-function paren_item(item)
-   if string.sub(item, 1, 1) ~= "(" then
-      item = "("..item..")"
-   end
-
-   return item
-end
-
 function build_error(rules_lines, row, num_lines, err)
   local ret = err.."\n---\n"..get_lines(rules_lines, row, num_lines).."---"

@@ -305,58 +284,6 @@ function build_error_with_context(ctx, err)
   return {ret}
 end

-function validate_exception_item_multi_fields(eitem, context)
-
-   local name = eitem['name']
-   local fields = eitem['fields']
-   local values = eitem['values']
-   local comps = eitem['comps']
-
-   if comps == nil then
-      comps = {}
-      for c=1,#fields do
-	 table.insert(comps, "=")
-      end
-      eitem['comps'] = comps
-   else
-      if #fields ~= #comps then
-	 return false, build_error_with_context(context, "Rule exception item "..name..": fields and comps lists must have equal length"), warnings
-      end
-   end
-   for k, fname in ipairs(fields) do
-      if defined_noarg_filters[fname] == nil then
-	 return false, build_error_with_context(context, "Rule exception item "..name..": field name "..fname.." is not a supported filter field"), warnings
-      end
-   end
-   for k, comp in ipairs(comps) do
-      if defined_comp_operators[comp] == nil then
-	 return false, build_error_with_context(context, "Rule exception item "..name..": comparison operator "..comp.." is not a supported comparison operator"), warnings
-      end
-   end
-end
-
-function validate_exception_item_single_field(eitem, context)
-
-   local name = eitem['name']
-   local fields = eitem['fields']
-   local values = eitem['values']
-   local comps = eitem['comps']
-
-   if comps == nil then
-      eitem['comps'] = "in"
-   else
-      if type(fields) ~= "string" or type(comps) ~= "string" then
-	 return false, build_error_with_context(context, "Rule exception item "..name..": fields and comps must both be strings"), warnings
-      end
-   end
-   if defined_noarg_filters[fields] == nil then
-      return false, build_error_with_context(context, "Rule exception item "..name..": field name "..fields.." is not a supported filter field"), warnings
-   end
-   if defined_comp_operators[comps] == nil then
-      return false, build_error_with_context(context, "Rule exception item "..name..": comparison operator "..comps.." is not a supported comparison operator"), warnings
-   end
-end
-
 function load_rules_doc(rules_mgr, doc, load_state)

   local warnings = {}
@@ -488,6 +415,46 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    v['exceptions'] = {}
 	 end

+	 -- Validate the contents of the rule exception
+	 if next(v['exceptions']) ~= nil then
+
+	    for i, eitem in ipairs(v['exceptions']) do
+	       local name = eitem['name']
+	       local fields = eitem['fields']
+	       local comps = eitem['comps']
+
+	       if name == nil then
+		  return false, build_error_with_context(v['context'], "Rule exception item must have name property"), warnings
+	       end
+
+	       if fields == nil then
+		  return false, build_error_with_context(v['context'], "Rule exception item "..name..": must have fields property with a list of fields"), warnings
+	       end
+
+	       if comps == nil then
+		  comps = {}
+		  for c=1,#fields do
+		     table.insert(comps, "=")
+		  end
+		  eitem['comps'] = comps
+	       else
+		  if #fields ~= #comps then
+		     return false, build_error_with_context(v['context'], "Rule exception item "..name..": fields and comps lists must have equal length"), warnings
+		  end
+	       end
+	       for j, fname in ipairs(fields) do
+		  if defined_noarg_filters[fname] == nil then
+		     return false, build_error_with_context(v['context'], "Rule exception item "..name..": field name "..fname.." is not a supported filter field"), warnings
+		  end
+	       end
+	       for j, comp in ipairs(comps) do
+		  if defined_comp_operators[comp] == nil then
+		     return false, build_error_with_context(v['context'], "Rule exception item "..name..": comparison operator "..comp.." is not a supported comparison operator"), warnings
+		  end
+	       end
+	    end
+	 end
+
 	 -- Possibly append to the condition field of an existing rule
 	 append = false

@@ -495,47 +462,13 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    append = v['append']
 	 end

-	 -- Validate the contents of the rule exception
-	 if next(v['exceptions']) ~= nil then
-
-	    -- This validation only applies if append=false. append=true validation is handled below
-	    if append == false then
-
-	       for _, eitem in ipairs(v['exceptions']) do
-
-		  if eitem['name'] == nil then
-		     return false, build_error_with_context(v['context'], "Rule exception item must have name property"), warnings
-		  end
-
-		  if eitem['fields'] == nil then
-		     return false, build_error_with_context(v['context'], "Rule exception item "..eitem['name']..": must have fields property with a list of fields"), warnings
-		  end
-
-		  if eitem['values'] == nil then
-		     -- An empty values array is okay
-		     eitem['values'] = {}
-		  end
-
-		  -- Different handling if the fields property is a single item vs a list
-		  local valid, err
-		  if type(eitem['fields']) == "table" then
-		     valid, err = validate_exception_item_multi_fields(eitem, v['context'])
-		  else
-		     valid, err = validate_exception_item_single_field(eitem, v['context'])
-		  end
-
-		  if valid == false then
-		     return valid, err
-		  end
-	       end
-	    end
-	 end
-
 	 if append then

-	    -- For append rules, either condition or exceptions must be specified
-	    if (v['condition'] == nil and v['exceptions'] == nil) then
-	       return false, build_error_with_context(v['context'], "Rule must have exceptions or condition property"), warnings
+	    -- For append rules, all you need is the condition
+	    for j, field in ipairs({'condition'}) do
+	       if (v[field] == nil) then
+		  return false, build_error_with_context(v['context'], "Rule must have property "..field), warnings
+	       end
 	    end

 	    if state.rules_by_name[v['rule']] == nil then
@@ -544,51 +477,12 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	       end
 	    else

-	       if next(v['exceptions']) ~= nil then
-
-		  for _, eitem in ipairs(v['exceptions']) do
-		     local name = eitem['name']
-		     local fields = eitem['fields']
-		     local comps = eitem['comps']
-
-		     if name == nil then
-			return false, build_error_with_context(v['context'], "Rule exception item must have name property"), warnings
-		     end
-
-		     -- You can't append exception fields or comps to a rule
-		     if fields ~= nil then
-			return false, build_error_with_context(v['context'], "Can not append exception fields to existing rule, only values"), warnings
-		     end
-
-		     if comps ~= nil then
-			return false, build_error_with_context(v['context'], "Can not append exception comps to existing rule, only values"), warnings
-		     end
-
-		     -- You can append values. They are added to the
-		     -- corresponding name, if it exists. If no
-		     -- exception with that name exists, add a
-		     -- warning.
-		     if eitem['values'] ~= nil then
-			local found=false
-			for _, reitem in ipairs(state.rules_by_name[v['rule']]['exceptions']) do
-			   if reitem['name'] == eitem['name'] then
-			      found=true
-			      for _, values in ipairs(eitem['values']) do
-				 reitem['values'][#reitem['values'] + 1] = values
-			      end
-			   end
-			end
-
-			if found == false then
-			   warnings[#warnings + 1] = "Rule "..v['rule'].." with append=true: no set of fields matching name "..eitem['name']
-			end
-		     end
-		  end
+	       -- You can't append exceptions to a rule
+	       if v['exceptions'] ~= nil then
+		  return false, build_error_with_context(v['context'], "Can not append exceptions to existing rule, only conditions"), warnings
 	       end

-	       if v['condition'] ~= nil then
-		  state.rules_by_name[v['rule']]['condition'] = state.rules_by_name[v['rule']]['condition'] .. " " .. v['condition']
-	       end
+	       state.rules_by_name[v['rule']]['condition'] = state.rules_by_name[v['rule']]['condition'] .. " " .. v['condition']

 	    -- Add the current object to the context of the base rule
 	       state.rules_by_name[v['rule']]['context'] = state.rules_by_name[v['rule']]['context'].."\n"..v['context']
@@ -626,6 +520,21 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	       state.skipped_rules_by_name[v['rule']] = v
 	    end
 	 end
+      elseif (v['exception']) then
+
+	 for i, eitem in ipairs(v['items']) do
+	    local name = eitem['name']
+	    local fields = eitem['values']
+
+	    if name == nil then
+	       return false, build_error_with_context(v['context'], "Exception item must have name property"), warnings
+	    end
+
+	    if fields == nil then
+	       return false, build_error_with_context(v['context'], "Exception item "..name..": must have values property with a list of values"), warnings
+	    end
+	 end
+	 state.exceptions_by_name[v['exception']] = v
      else
 	 local context = v['context']

@@ -637,11 +546,11 @@ function load_rules_doc(rules_mgr, doc, load_state)
   return true, {}, warnings
 end

-- cond and not ((proc.name=apk and fd.directory=/usr/lib/alpine) or (proc.name=npm and fd.directory=/usr/node/bin) or ...)
-function build_exception_condition_string_multi_fields(eitem)
+-- cond and not ((proc.name=apk and fd.directory=/usr/lib/alpine) or (proc.name=npm and fd.directory=/usr/node/bin) or (con
+function build_exception_condition_string(eitem, rexitems)

-   local fields = eitem['fields']
-   local comps = eitem['comps']
+   local fields = rexitems[eitem['name']]['fields']
+   local comps = rexitems[eitem['name']]['comps']

   local icond = ""

@@ -661,30 +570,13 @@ function build_exception_condition_string_multi_fields(eitem)
 	 if k > 1 then
 	    icond=icond.." and "
 	 end
+	 -- Quote the value if not already quoted
 	 local ival = values[k]
-	 local istr = ""
-
-	 -- If ival is a table, express it as (titem1, titem2, etc)
-	 if type(ival) == "table" then
-	    istr = "("
-	    for _, item in ipairs(ival) do
-	       if istr ~= "(" then
-		  istr = istr..", "
-	       end
-	       istr = istr..quote_item(item)
-	    end
-	    istr = istr..")"
-	 else
-	    -- If the corresponding operator is one that works on lists, possibly add surrounding parentheses.
-	    if defined_list_comp_operators[comps[k]] then
-	       istr = paren_item(ival)
-	    else
-	       -- Quote the value if not already quoted
-	       istr = quote_item(ival)
-	    end
+	 if string.sub(values[k], 1, 1) ~= "'" and string.sub(values[k], 1, 1) ~= '"' then
+	    ival = "\""..ival.."\""
 	 end

-	 icond = icond..fields[k].." "..comps[k].." "..istr
+	 icond = icond..fields[k].." "..comps[k]..ival
      end

      icond=icond..")"
@@ -694,27 +586,6 @@ function build_exception_condition_string_multi_fields(eitem)

 end

-function build_exception_condition_string_single_field(eitem)
-
-   local icond = ""
-
-   for i, value in ipairs(eitem['values']) do
-
-      if icond == "" then
-	 icond = "("..eitem['fields'].." "..eitem['comps'].." ("
-      else
-	 icond = icond..", "
-      end
-
-      icond = icond..quote_item(value)
-   end
-
-   icond = icond.."))"
-
-   return icond, nil
-
-end
-
 -- Returns:
 -- - Load Result: bool
 -- - required engine version. will be nil when load result is false
@@ -798,6 +669,52 @@ function load_rules(sinsp_lua_parser,
   -- in which they appeared in the file(s).
   reset_rules(rules_mgr)

+   -- Turn exceptions into condition strings and add them to each
+   -- rule's condition
+   for ename, exc in pairs(state.exceptions_by_name) do
+
+      if state.rules_by_name[ename] == nil then
+	 warnings[#warnings + 1] = "No rule matching exception name "..exc['exception']
+      else
+
+	 local rexitems = {}
+
+	 -- Create a map from item name to object, speeds up matching
+	 for i, iobj in ipairs(state.rules_by_name[ename].exceptions) do
+	    rexitems[iobj['name']] = iobj
+	 end
+	 -- Usep the exception items, combined with any exceptions in
+	 -- the rules, to build condition strings to append to the
+	 -- rule's condition.
+	 local econd = ""
+
+	 for i, eitem in ipairs(exc['items']) do
+
+	    if rexitems[eitem['name']] == nil then
+	       warnings[#warnings + 1] = "Exception "..ename..": no set of fields matching name "..eitem['name']
+	    else
+	       icond, err = build_exception_condition_string(eitem, rexitems)
+
+	       if err ~= nil then
+		  return false, nil, build_error_with_context(exc['context'], err), warnings
+	       end
+
+	       if econd == "" then
+		  econd = econd.." and not ("..icond
+	       else
+		  econd = econd.." or "..icond
+	       end
+	    end
+	 end
+
+	 if econd ~= "" then
+	    econd=econd..")"
+
+	    state.rules_by_name[ename]['condition'] = "("..state.rules_by_name[ename]['condition']..") "..econd
+	 end
+      end
+   end
+
   for i, name in ipairs(state.ordered_list_names) do

      local v = state.lists_by_name[name]
@@ -810,7 +727,7 @@ function load_rules(sinsp_lua_parser,
      -- the items and expand any references to the items in the list
      for i, item in ipairs(v['items']) do
 	 if (state.lists[item] == nil) then
-	    items[#items+1] = quote_item(item)
+	    items[#items+1] = item
 	 else
 	    for i, exp_item in ipairs(state.lists[item].items) do
 	       items[#items+1] = exp_item
@@ -844,38 +761,6 @@ function load_rules(sinsp_lua_parser,

      local v = state.rules_by_name[name]

-      local econd = ""
-
-      -- Turn exceptions into condition strings and add them to each
-      -- rule's condition
-      for _, eitem in ipairs(v['exceptions']) do
-
-	 local icond, err
-	 if type(eitem['fields']) == "table" then
-	    icond, err = build_exception_condition_string_multi_fields(eitem)
-	 else
-	    icond, err = build_exception_condition_string_single_field(eitem)
-	 end
-
-	 if err ~= nil then
-	    return false, nil, build_error_with_context(v['context'], err), warnings
-	 end
-
-	 if icond ~= "" then
-	    if econd == "" then
-	       econd = econd.." and not ("..icond
-	    else
-	       econd = econd.." or "..icond
-	    end
-	 end
-      end
-
-      if econd ~= "" then
-	 econd=econd..")"
-
-	 state.rules_by_name[name]['condition'] = "("..state.rules_by_name[name]['condition']..") "..econd
-      end
-
      warn_evttypes = true
      if v['warn_evttypes'] ~= nil then
 	 warn_evttypes = v['warn_evttypes']
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -86,7 +86,6 @@ static void usage()
 	   " -h, --help                    Print this page\n"
 	   " -c                            Configuration file (default " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ")\n"
 	   " -A                            Monitor all events, including those with EF_DROP_SIMPLE_CONS flag.\n"
-	   " --alternate-lua-dir <path>    Specify an alternate path for loading Falco lua files\n"
 	   " -b, --print-base64            Print data buffers in base64.\n"
 	   "                               This is useful for encoding binary data that needs to be used over media designed to.\n"
 	   " --cri <path>                  Path to CRI socket for container metadata.\n"
@@ -479,38 +478,37 @@ int falco_init(int argc, char **argv)
 #endif

 	static struct option long_options[] =
-		{
-			{"alternate-lua-dir", required_argument, 0},
-			{"cri", required_argument, 0},
-			{"daemon", no_argument, 0, 'd'},
-			{"disable-cri-async", no_argument, 0, 0},
-			{"disable-source", required_argument, 0},
-			{"help", no_argument, 0, 'h'},
-			{"ignored-events", no_argument, 0, 'i'},
-			{"k8s-api-cert", required_argument, 0, 'K'},
-			{"k8s-api", required_argument, 0, 'k'},
-			{"list", optional_argument, 0},
-			{"mesos-api", required_argument, 0, 'm'},
-			{"option", required_argument, 0, 'o'},
-			{"pidfile", required_argument, 0, 'P'},
-			{"print-base64", no_argument, 0, 'b'},
-			{"print", required_argument, 0, 'p'},
-			{"snaplen", required_argument, 0, 'S'},
-			{"stats-interval", required_argument, 0},
-			{"support", no_argument, 0},
-			{"unbuffered", no_argument, 0, 'U'},
-			{"userspace", no_argument, 0, 'u'},
-			{"validate", required_argument, 0, 'V'},
-			{"version", no_argument, 0, 0},
-			{"writefile", required_argument, 0, 'w'},
-			{0, 0, 0, 0}};
+	{
+		{"cri", required_argument, 0},
+        {"daemon", no_argument, 0, 'd'},
+        {"disable-cri-async", no_argument, 0, 0},
+        {"disable-source", required_argument, 0},
+        {"help", no_argument, 0, 'h'},
+        {"ignored-events", no_argument, 0, 'i'},
+        {"k8s-api-cert", required_argument, 0, 'K'},
+        {"k8s-api", required_argument, 0, 'k'},
+        {"list", optional_argument, 0},
+        {"mesos-api", required_argument, 0, 'm'},
+        {"option", required_argument, 0, 'o'},
+        {"pidfile", required_argument, 0, 'P'},
+        {"print-base64", no_argument, 0, 'b'},
+        {"print", required_argument, 0, 'p'},
+        {"snaplen", required_argument, 0, 'S'},
+        {"stats-interval", required_argument, 0},
+        {"support", no_argument, 0},
+        {"unbuffered", no_argument, 0, 'U'},
+        {"userspace", no_argument, 0, 'u'},
+        {"validate", required_argument, 0, 'V'},
+        {"version", no_argument, 0, 0},
+        {"writefile", required_argument, 0, 'w'},
+		{0, 0, 0, 0}
+	};

 	try
 	{
 		set<string> disabled_rule_substrings;
 		string substring;
 		string all_rules = "";
-		string alternate_lua_dir = FALCO_ENGINE_SOURCE_LUA_DIR;
 		set<string> disabled_rule_tags;
 		set<string> enabled_rule_tags;

@@ -688,16 +686,6 @@ int falco_init(int argc, char **argv)
 						disable_sources.insert(optarg);
 					}
 				}
-				else if (string(long_options[long_index].name)== "alternate-lua-dir")
-				{
-					if(optarg != NULL)
-					{
-						alternate_lua_dir = optarg;
-						if (alternate_lua_dir.back() != '/') {
-							alternate_lua_dir += '/';
-						}
-					}
-				}
 				break;

 			default:
@@ -733,7 +721,7 @@ int falco_init(int argc, char **argv)
 			return EXIT_SUCCESS;
 		}

-		engine = new falco_engine(true, alternate_lua_dir);
+		engine = new falco_engine();
 		engine->set_inspector(inspector);
 		engine->set_extra(output_format, replace_container_info);

@@ -985,8 +973,7 @@ int falco_init(int argc, char **argv)
 			      config.m_notifications_rate, config.m_notifications_max_burst,
 			      config.m_buffered_outputs,
 			      config.m_time_format_iso_8601,
-			      hostname,
-			      alternate_lua_dir);
+			      hostname);

 		if(!all_events)
 		{
--- a/userspace/falco/falco_outputs.cpp
+++ b/userspace/falco/falco_outputs.cpp
@@ -78,8 +78,7 @@ falco_outputs::~falco_outputs()
 void falco_outputs::init(bool json_output,
 			 bool json_include_output_property,
 			 uint32_t rate, uint32_t max_burst, bool buffered,
-			 bool time_format_iso_8601, string hostname,
-			 const string& alternate_lua_dir)
+			 bool time_format_iso_8601, string hostname)
 {
 	// The engine must have been given an inspector by now.
 	if(!m_inspector)
@@ -89,7 +88,7 @@ void falco_outputs::init(bool json_output,

 	m_json_output = json_output;

-	falco_common::init(m_lua_main_filename.c_str(), alternate_lua_dir.c_str());
+	falco_common::init(m_lua_main_filename.c_str(), FALCO_SOURCE_LUA_DIR);

 	// Note that falco_formats is added to both the lua state used
 	// by the falco engine as well as the separate lua state used
--- a/userspace/falco/falco_outputs.h
+++ b/userspace/falco/falco_outputs.h
@@ -54,8 +54,7 @@ public:
 	void init(bool json_output,
 		  bool json_include_output_property,
 		  uint32_t rate, uint32_t max_burst, bool buffered,
-		  bool time_format_iso_8601, std::string hostname,
-		  const std::string& alternate_lua_dir);
+		  bool time_format_iso_8601, std::string hostname);

 	void add_output(output_config oc);
Author	SHA1	Message	Date
Mark Stemm	bc570c58df	More rule error/warnings handling cleanups	2020-10-02 16:56:22 -07:00
Mark Stemm	68018d3a69	More exceptions handling cleanups.	2020-10-02 16:56:03 -07:00
Mark Stemm	defde05c90	Update tests to add error counts When validating, the output has a summary of error/warning counts, so update tests appropriately.	2020-10-02 16:54:55 -07:00
Mark Stemm	21ed93aa53	Don't look for event counts with -V/validate When running falco with -V/valdiate <rules file>, you won't get any event counts. All prior tests didn't get this far as they also resulted in rules parsing errors. However, validating can now result in warnings only. This won't exit but won't print event counts either. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-10-02 16:52:44 -07:00
Mark Stemm	2eb286fd02	Automated tests for exceptions Handle various positive and negative cases. Should handle every error and warning path when reading exceptions objects or rule exception fields, and various positive cases of using exceptions to prevent alerts. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-10-02 16:51:43 -07:00
Mark Stemm	ab5a39c994	Cleanups Handle new layout for exceptions, etc.	2020-10-02 10:37:18 -07:00
Mark Stemm	c4cc1d7996	Restructure exceptions Rule exception is an object now with fields and optional comps.	2020-10-01 17:05:27 -07:00
Mark Stemm	b9671f936d	Ensure that exception fields are valid When parsing the exception attribute of a rule, ensure that the fields are actually defined ones for the event source.	2020-09-23 09:23:46 -07:00
Mark Stemm	0ffd1e9c5c	WIP: most of exceptions parsing support Support top level exception objects and exceptions field for rules: - Save exceptions in state.exceptions_by_name along with a context. - When parsing rules, error if a rule has append=true but also defines exceptions--exceptions can only be defined in the original rule. - After loading all rules and exceptions, iterate through the exception values, finding the matching field names (field1, field2, ...), then iterating over the list of field values (val1a, val1b, ...), (val2a, val2b, ...), building up a string of the form: and not ((field1=val1a and field2=val1b and ...) or (field1=val2a and field2=val2b and ...)... )" This string is appended to the rule's condition. Remaining work is: - More ad-hoc testing - Unit tests - Verifying that field names are valid when loading rules. - Converting existing rules as much as possible to use exceptions. - (Maybe) support operators other than = when definining exception fields?	2020-09-17 18:21:00 -07:00
Mark Stemm	81cdab21be	Allow unknown top level obs as warnings When parsing a rules file, if a top level object is not one of the known types rule, macro, list, required_engine_version, instead of failing parsing, add a warning instead. This adds some forwards-compatibility to rules files. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-09-17 16:18:31 -07:00
Mark Stemm	60052bffcb	Pass back warnings when loading rules Add the notion of warnings when loading rules, which are printed if verbose is true: - load_rules now returns a tuple (success, required engine version, error array, warnings array) instead of (true, required engine version) or (false, error string) - build_error/build_error_with_context now returns an array instead of string value. - warnings are combined across calls to load_rules_doc - Current warnings include: - a rule that contains an unknown filter - a macro not referred to by any rule - a list not referred to by any rule/macro/list Any errors/warnings are concatenated into the exception if success was false. Any errors/warnings will be printed if verbose is true. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-09-17 16:02:42 -07:00