Add enabled flag

test/falco_tests.yaml.in

@@ -113,6 +113,12 @@ trace_files: !mux
       - "open.*"
     trace_file: trace_files/cat_write.scap
 
+  disabled_rules_using_enabled_flag:
+    detect: False
+    rules_file:
+      - rules/single_rule_enabled_flag.yaml
+    trace_file: trace_files/cat_write.scap
+
   file_output:
     detect: True
     detect_level: WARNING

test/rules/single_rule_enabled_flag.yaml

@@ -0,0 +1,9 @@
+- macro: is_cat
+  condition: proc.name=cat
+
+- rule: open_from_cat
+  desc: A process named cat does an open
+  condition: evt.type=open and is_cat
+  output: "An open was seen (command=%proc.cmdline)"
+  priority: WARNING
+  enabled: false

userspace/engine/lua/rule_loader.lua

@@ -188,6 +188,15 @@ function load_rules(rules_content, rules_mgr, verbose, all_events)
 	    else
 	       state.filter_ast = { type = "BinaryBoolOp", operator = "or", left = state.filter_ast, right = filter_ast.filter.value }
 	    end
+
+	    -- Enable/disable the rule
+	    if (v['enabled'] == nil) then
+	       v['enabled'] = true
+	    end
+
+	    if (v['enabled'] == false) then
+	       falco_rules.enable_rule(rules_mgr, v['rule'], 0)
+	    end
 	 else
 	    error ("Unexpected type in load_rule: "..filter_ast.type)
 	 end

userspace/engine/rules.cpp

@@ -11,6 +11,7 @@ extern "C" {
 const static struct luaL_reg ll_falco_rules [] =
 {
 	{"add_filter", &falco_rules::add_filter},
+	{"enable_rule", &falco_rules::enable_rule},
 	{NULL,NULL}
 };
 
@@ -65,6 +66,30 @@ void falco_rules::add_filter(string &rule, list<uint32_t> &evttypes)
 	m_engine->add_evttype_filter(rule, evttypes, filter);
 }
 
+int falco_rules::enable_rule(lua_State *ls)
+{
+	if (! lua_islightuserdata(ls, -3) ||
+	    ! lua_isstring(ls, -2) ||
+	    ! lua_isnumber(ls, -1))
+	{
+		throw falco_exception("Invalid arguments passed to enable_rule()\n");
+	}
+
+	falco_rules *rules = (falco_rules *) lua_topointer(ls, -3);
+	const char *rulec = lua_tostring(ls, -2);
+	std::string rule = rulec;
+	bool enabled = (lua_tonumber(ls, -1) ? true : false);
+
+	rules->enable_rule(rule, enabled);
+
+	return 0;
+}
+
+void falco_rules::enable_rule(string &rule, bool enabled)
+{
+	m_engine->enable_rule(rule, enabled);
+}
+
 void falco_rules::load_rules(const string &rules_content, bool verbose, bool all_events)
 {
 	lua_getglobal(m_ls, m_lua_load_rules.c_str());

userspace/engine/rules.h

@@ -18,9 +18,11 @@ class falco_rules
 
 	static void init(lua_State *ls);
 	static int add_filter(lua_State *ls);
+	static int enable_rule(lua_State *ls);
 
  private:
 	void add_filter(string &rule, list<uint32_t> &evttypes);
+	void enable_rule(string &rule, bool enabled);
 
 	lua_parser* m_lua_parser;
 	sinsp* m_inspector;