mirror of
https://github.com/falcosecurity/falco.git
synced 2026-01-15 14:55:42 +00:00
Update rules loader to be more general purpose by using factories and the general purpose engine:

- A lua callback create_lua_parser creates a lua_parser with a filter object of the right type. The lua parser can then iterate the AST and populate the filter object.
- Like the falco engine, the rules loader is configured with a list of factories, and add_filter is now general purpose, taking a source.

Given the fix in https://github.com/falcosecurity/libs/pull/72, there isn't any need to pass down the entire set of sinsp event types/syscalls and validate that all filter event types are valid. That job is now handled by the sinsp filter parsing code. add_filter now returns the number of event types used by the new filter, and if that number is excessive the lua code will return a warning.

Format handling is mostly not handled by the rules loader any more. As a convenience, there's a new lua callback is_format_valid which takes a source and output string and uses the right formatter factory to create a formatter. As long as that doesn't throw an exception, the format is valid.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>