From 46e5821b944f853f9c80d26bbe821459fd8caf50 Mon Sep 17 00:00:00 2001 From: Lorenzo Susini Date: Thu, 10 Aug 2023 10:30:14 +0000 Subject: [PATCH] update(userspace/engine): make rule_matching strategy stateless in falco engine Signed-off-by: Lorenzo Susini --- userspace/engine/falco_engine.cpp | 16 ++++++---------- userspace/engine/falco_engine.h | 12 ++++-------- .../falco/app/actions/init_falco_engine.cpp | 1 - userspace/falco/app/actions/process_events.cpp | 2 +- 4 files changed, 11 insertions(+), 20 deletions(-) diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp index 009a6efd3b2..57622b1dda5 100644 --- a/userspace/engine/falco_engine.cpp +++ b/userspace/engine/falco_engine.cpp @@ -56,7 +56,6 @@ falco_engine::falco_engine(bool seed_rng) m_syscall_source_idx(SIZE_MAX), m_next_ruleset_id(0), m_min_priority(falco_common::PRIORITY_DEBUG), - m_rule_matching(falco_common::FIRST), m_sampling_ratio(1), m_sampling_multiplier(0), m_replace_container_info(false) { @@ -311,11 +310,6 @@ void falco_engine::set_min_priority(falco_common::priority_type priority) m_min_priority = priority; } -void falco_engine::set_rule_matching(falco_common::rule_matching rule_matching) -{ - m_rule_matching = rule_matching; -} - uint16_t falco_engine::find_ruleset_id(const std::string &ruleset) { auto it = m_known_rulesets.lower_bound(ruleset); @@ -359,7 +353,8 @@ std::shared_ptr falco_engine::create_formatter(const std::s return find_source(source)->formatter_factory->create_formatter(output); } -std::unique_ptr> falco_engine::process_event(std::size_t source_idx, gen_event *ev, uint16_t ruleset_id) +std::unique_ptr> falco_engine::process_event(std::size_t source_idx, + gen_event *ev, uint16_t ruleset_id, falco_common::rule_matching strategy) { // note: there are no thread-safety guarantees on the filter_ruleset::run() // method, but the thread-safety assumptions of falco_engine::process_event() @@ -388,7 +383,7 @@ std::unique_ptr> falco_engine::process_ev return nullptr; } - switch (m_rule_matching) + switch (strategy) { case falco_common::rule_matching::ALL: if (source->m_rules.size() > 0) @@ -430,9 +425,10 @@ std::unique_ptr> falco_engine::process_ev return res; } -std::unique_ptr> falco_engine::process_event(std::size_t source_idx, gen_event *ev) +std::unique_ptr> falco_engine::process_event(std::size_t source_idx, + gen_event *ev, falco_common::rule_matching strategy) { - return process_event(source_idx, ev, m_default_ruleset_id); + return process_event(source_idx, ev, m_default_ruleset_id, strategy); } std::size_t falco_engine::add_source(const std::string &source, diff --git a/userspace/engine/falco_engine.h b/userspace/engine/falco_engine.h index f2a9b08c121..36f58221426 100644 --- a/userspace/engine/falco_engine.h +++ b/userspace/engine/falco_engine.h @@ -106,11 +106,6 @@ class falco_engine // Only load rules having this priority or more severe. void set_min_priority(falco_common::priority_type priority); - // Whether or not continuing to evaluate rules for other potential matches - // even if a match already occurred. This option can be set to avoid shadowing - // of rules. - void set_rule_matching(falco_common::rule_matching rule_matching); - // // Return the ruleset id corresponding to this ruleset name, // creating a new one if necessary. If you provide any ruleset @@ -194,14 +189,16 @@ class falco_engine // event source is not thread-safe of its own, so invoking this method // concurrently with the same source_idx would inherently cause data races // and lead to undefined behavior. - std::unique_ptr> process_event(std::size_t source_idx, gen_event *ev, uint16_t ruleset_id); + std::unique_ptr> process_event(std::size_t source_idx, + gen_event *ev, uint16_t ruleset_id, falco_common::rule_matching strategy); // // Wrapper assuming the default ruleset. // // This inherits the same thread-safety guarantees. // - std::unique_ptr> process_event(std::size_t source_idx, gen_event *ev); + std::unique_ptr> process_event(std::size_t source_idx, + gen_event *ev, falco_common::rule_matching strategy); // // Configure the engine to support events with the provided @@ -325,7 +322,6 @@ class falco_engine uint16_t m_next_ruleset_id; std::map m_known_rulesets; falco_common::priority_type m_min_priority; - falco_common::rule_matching m_rule_matching; // // Here's how the sampling ratio and multiplier influence diff --git a/userspace/falco/app/actions/init_falco_engine.cpp b/userspace/falco/app/actions/init_falco_engine.cpp index ac50ce355a2..54b1019239f 100644 --- a/userspace/falco/app/actions/init_falco_engine.cpp +++ b/userspace/falco/app/actions/init_falco_engine.cpp @@ -120,7 +120,6 @@ falco::app::run_result falco::app::actions::init_falco_engine(falco::app::state& configure_output_format(s); s.engine->set_min_priority(s.config->m_min_priority); - s.engine->set_rule_matching(s.config->m_rule_matching); return run_result::ok(); } diff --git a/userspace/falco/app/actions/process_events.cpp b/userspace/falco/app/actions/process_events.cpp index a798b050a85..dc7a56a27ef 100644 --- a/userspace/falco/app/actions/process_events.cpp +++ b/userspace/falco/app/actions/process_events.cpp @@ -330,7 +330,7 @@ static falco::app::run_result do_inspect( // engine, which will match the event against the set // of rules. If a match is found, pass the event to // the outputs. - auto res = s.engine->process_event(source_engine_idx, ev); + auto res = s.engine->process_event(source_engine_idx, ev, s.config->m_rule_matching); if(res != nullptr) { for(auto& rule_res : *res.get())