This is needed so that rule_loader (which should be renamed in a later pass..) can tag filters with their index.
--[[
   Compile and install digwatch rules.

   This module exports functions that are called from the digwatch C++ side to compile and install a set of rules.
--]]
local compiler = require "compiler"
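--[[
   Walk a filter AST depth-first and replay it through the global `filter` API.

   `filter` is not defined in this file; it is expected to be supplied by the
   host program (NOTE(review): presumably the C++ side named in the module
   header -- confirm).

   Node shapes handled, keyed on node.type:
     BinaryBoolOp  nest, left subtree, bool_op(operator), right subtree, unnest
     UnaryBoolOp   nest, bool_op(operator), argument subtree, unnest
     BinaryRelOp   rel_expr(left.value, operator, right.value)
     UnaryRelOp    rel_expr(argument.value, operator)

   Raises an error for a nil node or any other node type, so a malformed tree
   stops installation instead of producing a partial filter silently.
--]]
local function install_filter(node)
   -- A missing child (or an empty AST) would otherwise fail on node.type with
   -- an "attempt to index" error that does not name this function.
   if node == nil then
      error("Unexpected nil node in install_filter")
   end

   local t = node.type

   if t == "BinaryBoolOp" then
      -- Textual equivalent: "(" left operator right ")"
      filter.nest()
      install_filter(node.left)
      filter.bool_op(node.operator)
      install_filter(node.right)
      filter.unnest()

   elseif t == "UnaryBoolOp" then
      -- Textual equivalent: "(" operator argument ")"
      filter.nest()
      filter.bool_op(node.operator)
      install_filter(node.argument)
      filter.unnest()

   elseif t == "BinaryRelOp" then
      -- Textual equivalent: left.value operator right.value
      filter.rel_expr(node.left.value, node.operator, node.right.value)

   elseif t == "UnaryRelOp" then
      -- Textual equivalent: argument.value operator
      filter.rel_expr(node.argument.value, node.operator)

   else
      -- tostring() keeps the diagnostic intact when node.type is nil or not a
      -- string; plain concatenation would raise its own, unrelated error.
      error("Unexpected type in install_filter: " .. tostring(t))
   end
end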
-- filter.rel_expr("proc.name", "=", "cat")
-- filter.bool_op("and")
-- filter.nest()
-- filter.nest()
-- filter.rel_expr("fd.num", "=", "1")
-- filter.bool_op("or")
-- filter.rel_expr("fd.num", "=", "2")
-- filter.unnest()
-- filter.unnest()
-- Compiler state shared by load_rule and on_done; stays nil until the first load_rule call creates it.
local state
--[[
   Build a fresh compiler state table and hand it back.

   The table carries what has to survive between calls to the line-oriented
   compiler: the macro definitions (macros) and the filter AST accumulated
   from rules (filter_ast, which starts out nil).
--]]
local function init()
   local fresh = { macros = {} }
   -- Spelled out for readers only: assigning nil leaves the key absent.
   fresh.filter_ast = nil
   return fresh
end
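--[[
   Compile one line of a rules file and fold it into the accumulated filter.

   Global on purpose: the module header says these functions are called from
   the C++ side.

   r is handed unchanged to compiler.compile_line together with state.macros.
   A "MacroDef" result adds nothing to the filter and returns early
   (NOTE(review): presumably compile_line records the macro in state.macros
   itself -- confirm in the compiler module). A "Rule" result has its
   filter.value OR-ed onto state.filter_ast. Any other result raises an error.

   The merged tree gains one BinaryBoolOp level per rule on its left spine and
   keeps no record of which rule a sub-filter came from, so a match on the
   combined filter cannot be attributed to a rule from this AST alone.
--]]
function load_rule(r)
   -- State is created lazily on the first call and reused afterwards.
   if state == nil then
      state = init()
   end

   local line_ast = compiler.compile_line(r, state.macros)

   -- compile_line is not visible from here; guard so that a nil result is
   -- reported by name instead of as a bare "attempt to index" error.
   if line_ast == nil then
      error("Unexpected nil result from compile_line in load_rule")
   end

   if line_ast.type == "MacroDef" then
      return
   elseif line_ast.type ~= "Rule" then
      -- tostring() keeps the diagnostic intact when the type field is nil or
      -- not a string; plain concatenation would raise its own error.
      error("Unexpected type in load_rule: " .. tostring(line_ast.type))
   end

   if state.filter_ast == nil then
      -- First rule: its filter becomes the whole tree.
      state.filter_ast = line_ast.filter.value
   else
      -- Later rules: a match on any rule's filter matches the combined filter.
      state.filter_ast = {
         type = "BinaryBoolOp",
         operator = "or",
         left = state.filter_ast,
         right = line_ast.filter.value,
      }
   end
end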
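--[[
   Install the filter accumulated by load_rule.

   Global on purpose: the module header says these functions are called from
   the C++ side (NOTE(review): presumably once, after the last load_rule call
   -- confirm against the caller).

   Raises an error when there is nothing to install, i.e. load_rule was never
   called or every line it saw was a macro definition. Failing loudly keeps an
   empty rule set from passing as a successful install.
--]]
function on_done()
   -- Without this guard the same situations still fail, but with an
   -- "attempt to index a nil value" message that hides the real cause.
   if state == nil or state.filter_ast == nil then
      error("on_done: no rule filter to install (no rules were loaded)")
   end

   install_filter(state.filter_ast)
end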