Process falco_engine events outside of inspector.

Handle falco_engine events entirely outside of the inspector. falco_engine now contains an sinsp_evttype_filter object containing the set of eventtype filters. Instead of calling m_inspector->add_evttype_filter() to add a filter created by the compiler, call falco_engine::add_evttype_filter() instead. This means that the inspector runs with a NULL filter and all events are returned from do_inspect. falco_engine::process_event now matches the event against all rules and returns NULL if no rule matched, details on the matching rule otherwise. This depends on draios/sysdig#633.
falcosecurity · Jul 20, 2016 · 9b9cafb · 9b9cafb
1 parent efb899e
commit 9b9cafb
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 33 deletions.
diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp
@@ -110,9 +110,17 @@ void do_inspect(falco_engine *engine,
 			continue;
 		}
 
-		falco_engine::rule_result *res = engine->handle_event(ev);
-		outputs->handle_event(res->evt, res->rule, res->priority, res->format);
-		delete(res);
+		// As the inspector has no filter at its level, all
+		// events are returned here. Pass them to the falco
+		// engine, which will match the event against the set
+		// of rules. If a match is found, pass the event to
+		// the outputs.
+		falco_engine::rule_result *res = engine->process_event(ev);
+		if(res)
+		{
+			outputs->handle_event(res->evt, res->rule, res->priority, res->format);
+			delete(res);
+		}
 	}
 }
 

diff --git a/userspace/falco/falco_engine.cpp b/userspace/falco/falco_engine.cpp
@@ -24,7 +24,12 @@ using namespace std;
 //  - DONE come up with a falco_engine logging mechanism separate from falco_logger
 //  - DONE don't read a rules file, instead be handed rules content
 //  - DONE Better document main methods.
-//  - lua_close is being called multiple times--change lua_parser.cpp to not own lua state and try to close it. Currently falco_rules is leaking.
+//  - DONE lua_close is being called multiple times--change lua_parser.cpp to not own lua state and try to close it. Currently falco_rules is leaking.
+//  - DONE Break out evttype filters within sysdig into standalone class sinsp_evttype_filter.
+//  - DONE Include a sinsp_evttype_filter object within falco_engine and
+//         add filters to it instead of inspector. Add
+//         falco_engine::process_evt() method and try calling it from
+//         outside the inspector entirely.
 //  - create falco_engine library, link with it in falco.
 
 falco_engine::falco_engine()
@@ -54,7 +59,7 @@ void falco_engine::load_rules(string &rules_content, bool verbose)
 	falco_common::init(m_lua_main_filename);
 	falco_rules::init(m_ls);
 
-	m_rules = new falco_rules(m_inspector, m_ls);
+	m_rules = new falco_rules(m_inspector, this, m_ls);
 	m_rules->load_rules(rules_content, verbose);
 }
 
@@ -76,8 +81,13 @@ void falco_engine::load_rules_file(string &rules_filename, bool verbose)
 	load_rules(rules_content, verbose);
 }
 
-falco_engine::rule_result *falco_engine::handle_event(sinsp_evt *ev)
+falco_engine::rule_result *falco_engine::process_event(sinsp_evt *ev)
 {
+	if(!m_evttype_filter.run(ev))
+	{
+		return NULL;
+	}
+
 	struct rule_result *res = new rule_result();
 
 	lua_getglobal(m_ls, lua_on_event.c_str());
@@ -107,6 +117,11 @@ falco_engine::rule_result *falco_engine::handle_event(sinsp_evt *ev)
 	return res;
 }
 
+void falco_engine::describe_rule(string *rule)
+{
+	return m_rules->describe_rule(rule);
+}
+
 // Print statistics on the the rules that triggered
 void falco_engine::print_stats()
 {
@@ -128,7 +143,10 @@ void falco_engine::print_stats()
 
 }
 
-void falco_engine::describe_rule(string *rule)
+void falco_engine::add_evttype_filter(list<uint32_t> &evttypes,
+				      sinsp_filter* filter)
 {
-	return m_rules->describe_rule(rule);
+	m_evttype_filter.add(evttypes, filter);
 }
+
+
diff --git a/userspace/falco/falco_engine.h b/userspace/falco/falco_engine.h
@@ -3,6 +3,7 @@
 #include <string>
 
 #include "sinsp.h"
+#include "filter.h"
 
 #include "rules.h"
 
@@ -35,13 +36,12 @@ class falco_engine : public falco_common
 	};
 
 	//
-	// After loading rules and after matching events against the
-	// rules, ev is an event that matched some rule. Call
-	// handle_event to get details on the exact tule that matched
-	// the event.
+	// Given an event, check it against the set of rules in the
+	// engine and if a matching rule is found, return details on
+	// the rule that matched. If no rule matched, returns NULL.
 	//
 	// the reutrned rule_result is allocated and must be delete()d.
-	rule_result *handle_event(sinsp_evt *ev);
+	rule_result *process_event(sinsp_evt *ev);
 
 	//
 	// Print details on the given rule. If rule is NULL, print
@@ -50,20 +50,21 @@ class falco_engine : public falco_common
 	void describe_rule(std::string *rule);
 
 	//
-	// Get the filter associated with the current ruleset.
+	// Print statistics on how many events matched each rule.
 	//
-	sinsp_filter *get_filter()
-	{
-		return m_rules->get_filter();
-	}
+	void print_stats();
 
 	//
-	// Print statistics on how many events matched each rule.
+	// Add a filter, which is related to the specified list of
+	// event types, to the engine.
 	//
-	void print_stats();
+	void add_evttype_filter(list<uint32_t> &evttypes,
+				sinsp_filter* filter);
 
 private:
 	falco_rules *m_rules;
+        sinsp_evttype_filter m_evttype_filter;
+
 	std::string m_lua_main_filename = "rule_loader.lua";
 };
 
diff --git a/userspace/falco/rules.cpp b/userspace/falco/rules.cpp
@@ -14,11 +14,9 @@ const static struct luaL_reg ll_falco_rules [] =
 	{NULL,NULL}
 };
 
-falco_rules::falco_rules(sinsp* inspector, lua_State *ls)
+falco_rules::falco_rules(sinsp* inspector, falco_engine *engine, lua_State *ls)
+	: m_inspector(inspector), m_engine(engine), m_ls(ls)
 {
-        m_inspector = inspector;
-	m_ls = ls;
-
 	m_lua_parser = new lua_parser(inspector, m_ls);
 }
 
@@ -58,10 +56,10 @@ void falco_rules::add_filter(list<uint32_t> &evttypes)
 {
 	// While the current rule was being parsed, a sinsp_filter
 	// object was being populated by lua_parser. Grab that filter
-	// and pass it to the inspector.
+	// and pass it to the engine.
 	sinsp_filter *filter = m_lua_parser->get_filter(true);
 
-	m_inspector->add_evttype_filter(evttypes, filter);
+	m_engine->add_evttype_filter(evttypes, filter);
 }
 
 void falco_rules::load_rules(string &rules_content, bool verbose)
@@ -172,11 +170,6 @@ void falco_rules::describe_rule(std::string *rule)
 }
 
 
-sinsp_filter* falco_rules::get_filter()
-{
-	return m_lua_parser->get_filter();
-}
-
 falco_rules::~falco_rules()
 {
 	delete m_lua_parser;

diff --git a/userspace/falco/rules.h b/userspace/falco/rules.h
@@ -3,16 +3,18 @@
 #include <list>
 
 #include "sinsp.h"
+
 #include "lua_parser.h"
 
+class falco_engine;
+
 class falco_rules
 {
  public:
-	falco_rules(sinsp* inspector, lua_State *ls);
+	falco_rules(sinsp* inspector, falco_engine *engine, lua_State *ls);
 	~falco_rules();
 	void load_rules(string &rules_content, bool verbose);
 	void describe_rule(string *rule);
-	sinsp_filter* get_filter();
 
 	static void init(lua_State *ls);
 	static int add_filter(lua_State *ls);
@@ -22,6 +24,7 @@ class falco_rules
 
 	lua_parser* m_lua_parser;
 	sinsp* m_inspector;
+	falco_engine *m_engine;
 	lua_State* m_ls;
 
 	string m_lua_load_rules = "load_rules";