* Properly support syscalls in filter conditions Syscalls have their own numbers but they weren't really handled within falco. This meant that there wasn't a way to handle filters with evt.type=xxx clauses where xxx was a value that didn't have a corresponding event entry (like "madvise", for example), or where a syscall like open could also be done indirectly via syscall(__NR_open, ...). First, add a new top-level global syscalls that maps from a string like "madvise" to all the syscall nums for that id, just as we do for event names/numbers. In the compiler, when traversing the AST for evt.type=XXX or evt.type in (XXX, ...) clauses, also try to match XXX against the global syscalls table, and return any ids in a standalone table. Also throw an error if an XXX doesn't match any event name or syscall name. The syscall numbers are passed as an argument to sinsp_evttype_filter so it can preindex the filters by syscall number. This depends on https://github.com/draios/sysdig/pull/1100 * Add unit test for syscall support This does a madvise, which doesn't have a ppm event type, both directly and indirectly via syscall(__NR_madvise, ...), as well as an open directly + indirectly. The corresponding rules file matches on madvise and open. The test ensures that both opens and both madvises are detected.
/*
Copyright (C) 2016 Draios inc.
This file is part of falco.
falco is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2 as
published by the Free Software Foundation.
falco is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with falco. If not, see <http://www.gnu.org/licenses/>.
*/
#pragma once
#include <cstdint>
#include <set>
#include <string>

#include "sinsp.h"
#include "lua_parser.h"
#include "falco_common.h"
class falco_engine;
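/// Compiles a Falco rules document into sinsp filters by driving a Lua
/// rule compiler that lives in m_ls.
///
/// The static clear_filters/add_filter/enable_rule members have the
/// lua_CFunction shape (int(lua_State*)) and are the callbacks Lua invokes;
/// each forwards to the private member overload of the same name.  The
/// m_lua_* strings are the names of the Lua functions and globals this class
/// talks to; per the commit description, the "syscalls" global maps a syscall
/// name (e.g. "madvise") to all of its syscall numbers, mirroring the
/// "events" table that does the same for ppm event names.
///
/// Non-copyable: the user-declared destructor suggests this object owns
/// m_lua_parser, so an implicitly generated copy would alias it (Rule of
/// Five).  NOTE(review): confirm in falco_rules.cpp that ~falco_rules()
/// releases m_lua_parser.
class falco_rules
{
public:
	/// @param inspector sinsp instance the compiled filters are registered on.
	/// @param engine    the falco_engine this object belongs to; presumably
	///                  not owned here — confirm in the .cpp.
	/// @param ls        Lua state hosting the rule compiler.
	falco_rules(sinsp* inspector, falco_engine *engine, lua_State *ls);
	~falco_rules();

	falco_rules(const falco_rules&) = delete;
	falco_rules& operator=(const falco_rules&) = delete;

	/// Parse @p rules_content and install the resulting filters.
	///
	/// @param rules_content          full text of the rules document.
	/// @param verbose                emit extra diagnostics while loading.
	/// @param all_events             presumably also keeps rules on events
	///                               listed in the ignored_events /
	///                               ignored_syscalls Lua tables — confirm.
	/// @param extra                  text handed to the Lua loader (presumably
	///                               appended to each rule's output — confirm);
	///                               taken by non-const reference, so the
	///                               callee may modify it.
	/// @param replace_container_info presumably substitutes container info in
	///                               rule outputs with @p extra — confirm.
	/// @param min_priority           presumably rules below this priority are
	///                               not loaded — confirm.
	void load_rules(const std::string &rules_content, bool verbose, bool all_events,
			std::string &extra, bool replace_container_info,
			falco_common::priority_type min_priority);

	/// Describe a rule through the Lua function named by m_lua_describe_rule.
	/// @param rule rule name; a nullptr presumably selects all rules — confirm.
	void describe_rule(std::string *rule);

	/// Presumably registers the Lua-callable statics below with @p ls — confirm.
	static void init(lua_State *ls);
	/// Lua entry points (lua_CFunction shape); each forwards to the private
	/// member overload of the same name.
	static int clear_filters(lua_State *ls);
	static int add_filter(lua_State *ls);
	static int enable_rule(lua_State *ls);

private:
	/// Remove every filter previously added.
	void clear_filters();

	/// Register one compiled rule.
	/// @param rule     rule name.
	/// @param evttypes ppm event type numbers the rule's condition matches on.
	/// @param syscalls raw syscall numbers the rule matches on as well, so that
	///                 a syscall with no dedicated ppm event type (e.g. madvise)
	///                 or one reached indirectly via syscall(__NR_xxx, ...) still
	///                 triggers the rule (per the commit description).
	/// @param tags     tags attached to the rule.
	void add_filter(std::string &rule, std::set<uint32_t> &evttypes, std::set<uint32_t> &syscalls, std::set<std::string> &tags);

	/// Enable or disable an already-loaded rule by name.
	void enable_rule(std::string &rule, bool enabled);

	lua_parser* m_lua_parser;   // see the class note on ownership
	sinsp* m_inspector;         // supplied by the caller; presumably not owned
	falco_engine *m_engine;     // supplied by the caller; presumably not owned
	lua_State* m_ls;            // supplied by the caller; presumably not owned

	// Names of the Lua functions and globals this class uses.
	std::string m_lua_load_rules = "load_rules";
	std::string m_lua_ignored_syscalls = "ignored_syscalls";
	std::string m_lua_ignored_events = "ignored_events";
	std::string m_lua_events = "events";
	std::string m_lua_syscalls = "syscalls";
	std::string m_lua_describe_rule = "describe_rule";
};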