update(userspace/engine): make rule_matching strategy stateless in fa…

…lco engine Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
falcosecurity · Aug 10, 2023 · 46e5821 · 46e5821
1 parent 6e50d2a
commit 46e5821
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 20 deletions.
diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp
@@ -56,7 +56,6 @@ falco_engine::falco_engine(bool seed_rng)
 	  m_syscall_source_idx(SIZE_MAX),
 	  m_next_ruleset_id(0),
 	  m_min_priority(falco_common::PRIORITY_DEBUG),
-	  m_rule_matching(falco_common::FIRST),
 	  m_sampling_ratio(1), m_sampling_multiplier(0),
 	  m_replace_container_info(false)
 {
@@ -311,11 +310,6 @@ void falco_engine::set_min_priority(falco_common::priority_type priority)
 	m_min_priority = priority;
 }
 
-void falco_engine::set_rule_matching(falco_common::rule_matching rule_matching)
-{
-	m_rule_matching = rule_matching;
-}
-
 uint16_t falco_engine::find_ruleset_id(const std::string &ruleset)
 {
 	auto it = m_known_rulesets.lower_bound(ruleset);
@@ -359,7 +353,8 @@ std::shared_ptr<gen_event_formatter> falco_engine::create_formatter(const std::s
 	return find_source(source)->formatter_factory->create_formatter(output);
 }
 
-std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_event(std::size_t source_idx, gen_event *ev, uint16_t ruleset_id)
+std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_event(std::size_t source_idx,
+	gen_event *ev, uint16_t ruleset_id, falco_common::rule_matching strategy)
 {
 	// note: there are no thread-safety guarantees on the filter_ruleset::run()
 	// method, but the thread-safety assumptions of falco_engine::process_event()
@@ -388,7 +383,7 @@ std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_ev
 		return nullptr;
 	}
 
-	switch (m_rule_matching)
+	switch (strategy)
 	{
 	case falco_common::rule_matching::ALL:
 		if (source->m_rules.size() > 0)
@@ -430,9 +425,10 @@ std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_ev
 	return res;
 }
 
-std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_event(std::size_t source_idx, gen_event *ev)
+std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_event(std::size_t source_idx,
+	gen_event *ev, falco_common::rule_matching strategy)
 {
-	return process_event(source_idx, ev, m_default_ruleset_id);
+	return process_event(source_idx, ev, m_default_ruleset_id, strategy);
 }
 
 std::size_t falco_engine::add_source(const std::string &source,

diff --git a/userspace/engine/falco_engine.h b/userspace/engine/falco_engine.h
@@ -106,11 +106,6 @@ class falco_engine
 	// Only load rules having this priority or more severe.
 	void set_min_priority(falco_common::priority_type priority);
 
-	// Whether or not continuing to evaluate rules for other potential matches 
-	// even if a match already occurred. This option can be set to avoid shadowing
-	// of rules.
-	void set_rule_matching(falco_common::rule_matching rule_matching);
-
 	//
 	// Return the ruleset id corresponding to this ruleset name,
 	// creating a new one if necessary. If you provide any ruleset
@@ -194,14 +189,16 @@ class falco_engine
 	// event source is not thread-safe of its own, so invoking this method
 	// concurrently with the same source_idx would inherently cause data races
 	// and lead to undefined behavior.
-	std::unique_ptr<std::vector<rule_result>> process_event(std::size_t source_idx, gen_event *ev, uint16_t ruleset_id);
+	std::unique_ptr<std::vector<rule_result>> process_event(std::size_t source_idx,
+		gen_event *ev, uint16_t ruleset_id, falco_common::rule_matching strategy);
 
 	//
 	// Wrapper assuming the default ruleset.
 	//
 	// This inherits the same thread-safety guarantees.
 	//
-	std::unique_ptr<std::vector<rule_result>> process_event(std::size_t source_idx, gen_event *ev);
+	std::unique_ptr<std::vector<rule_result>> process_event(std::size_t source_idx,
+		gen_event *ev, falco_common::rule_matching strategy);
 
 	//
 	// Configure the engine to support events with the provided
@@ -325,7 +322,6 @@ class falco_engine
 	uint16_t m_next_ruleset_id;
 	std::map<std::string, uint16_t> m_known_rulesets;
 	falco_common::priority_type m_min_priority;
-	falco_common::rule_matching m_rule_matching;
 
 	//
 	// Here's how the sampling ratio and multiplier influence

diff --git a/userspace/falco/app/actions/init_falco_engine.cpp b/userspace/falco/app/actions/init_falco_engine.cpp
@@ -120,7 +120,6 @@ falco::app::run_result falco::app::actions::init_falco_engine(falco::app::state&
 
 	configure_output_format(s);
 	s.engine->set_min_priority(s.config->m_min_priority);
-	s.engine->set_rule_matching(s.config->m_rule_matching);
 
 	return run_result::ok();
 }
diff --git a/userspace/falco/app/actions/process_events.cpp b/userspace/falco/app/actions/process_events.cpp
@@ -330,7 +330,7 @@ static falco::app::run_result do_inspect(
 		// engine, which will match the event against the set
 		// of rules. If a match is found, pass the event to
 		// the outputs.
-		auto res = s.engine->process_event(source_engine_idx, ev);
+		auto res = s.engine->process_event(source_engine_idx, ev, s.config->m_rule_matching);
 		if(res != nullptr)
 		{
 			for(auto& rule_res : *res.get())