update: improve support and tests for live-capture event selection #2432

Merged
merged 15 commits into from
Mar 9, 2023
4 changes: 2 additions & 2 deletions cmake/modules/driver.cmake
Expand Up @@ -26,8 +26,8 @@ else()
# In case you want to test against another driver version (or branch, or commit) just pass the variable -
# ie., `cmake -DDRIVER_VERSION=dev ..`
if(NOT DRIVER_VERSION)
set(DRIVER_VERSION "e1d0fd9b043f1c7dfd91c9d030c11cfe2c062931")
set(DRIVER_CHECKSUM "SHA256=17ae38a730e9022bdf26d22e54db0c4cdc40fce1bdc9de9cd885d0f325c5a13f")
set(DRIVER_VERSION "f0468f32d8d730d0e70d8e103d57f97d74dd374f")
set(DRIVER_CHECKSUM "SHA256=7006bbd9819e75bc5c2232b937a35db1446e87cdd8d2ad5f6d419f45b745282e")
endif()

# cd /path/to/build && cmake /path/to/source
4 changes: 2 additions & 2 deletions cmake/modules/falcosecurity-libs.cmake
Expand Up @@ -27,8 +27,8 @@ else()
# In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
# ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
if(NOT FALCOSECURITY_LIBS_VERSION)
set(FALCOSECURITY_LIBS_VERSION "e1d0fd9b043f1c7dfd91c9d030c11cfe2c062931")
set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=17ae38a730e9022bdf26d22e54db0c4cdc40fce1bdc9de9cd885d0f325c5a13f")
set(FALCOSECURITY_LIBS_VERSION "f0468f32d8d730d0e70d8e103d57f97d74dd374f")
set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=7006bbd9819e75bc5c2232b937a35db1446e87cdd8d2ad5f6d419f45b745282e")
endif()

# cd /path/to/build && cmake /path/to/source
410 changes: 305 additions & 105 deletions unit_tests/falco/app/actions/test_configure_interesting_sets.cpp

Large diffs are not rendered by default.

58 changes: 43 additions & 15 deletions userspace/engine/evttype_index_ruleset.cpp
Expand Up @@ -65,14 +65,14 @@ void evttype_index_ruleset::ruleset_filters::remove_wrapper_from_list(filter_wra

void evttype_index_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_wrapper> wrap)
{
if(wrap->evttypes.empty())
if(wrap->event_codes.empty())
{
// Should run for all event types
add_wrapper_to_list(m_filter_all_event_types, wrap);
}
else
{
for(auto &etype : wrap->evttypes)
for(auto &etype : wrap->event_codes)
{
if(m_filter_by_event_type.size() <= etype)
{
Expand All @@ -88,13 +88,13 @@ void evttype_index_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_w

void evttype_index_ruleset::ruleset_filters::remove_filter(std::shared_ptr<filter_wrapper> wrap)
{
if(wrap->evttypes.empty())
if(wrap->event_codes.empty())
{
remove_wrapper_from_list(m_filter_all_event_types, wrap);
}
else
{
for(auto &etype : wrap->evttypes)
for(auto &etype : wrap->event_codes)
{
if( etype < m_filter_by_event_type.size() )
{
Expand Down Expand Up @@ -138,17 +138,24 @@ bool evttype_index_ruleset::ruleset_filters::run(gen_event *evt, falco_rule& mat
return false;
}

void evttype_index_ruleset::ruleset_filters::evttypes_for_ruleset(std::set<uint16_t> &evttypes)
libsinsp::events::set<ppm_sc_code> evttype_index_ruleset::ruleset_filters::sc_codes()
{
evttypes.clear();
libsinsp::events::set<ppm_sc_code> res;
for(auto &wrap : m_filters)
{
res.insert(wrap->sc_codes.begin(), wrap->sc_codes.end());
}
return res;
}

libsinsp::events::set<ppm_event_code> evttype_index_ruleset::ruleset_filters::event_codes()
{
libsinsp::events::set<ppm_event_code> res;
for(auto &wrap : m_filters)
{
for (const auto& e : wrap->evttypes)
{
evttypes.insert((uint16_t) e);
}
res.insert(wrap->event_codes.begin(), wrap->event_codes.end());
}
return res;
}

void evttype_index_ruleset::add(
Expand All @@ -163,11 +170,15 @@ void evttype_index_ruleset::add(
wrap->filter = filter;
if(rule.source == falco_common::syscall_source)
{
wrap->evttypes = libsinsp::filter::ast::ppm_event_codes(condition.get());
wrap->sc_codes = libsinsp::filter::ast::ppm_sc_codes(condition.get());
Please see some more libs fixes in falcosecurity/libs@338bff0 that aim to make sure we handle the tough corner cases and special snowflakes. This is probably a perfect reflection of why we were going back and forth between first resolving the evt.type string names to event codes vs syscall codes ... meaning we need a combination of the two approaches after all.

// todo(jasondellaluce): once libsinsp has its fixes, optimize this
// by using libsinsp::events::ppm_set_to_event_set(wrap->sc_codes)
wrap->event_codes = libsinsp::filter::ast::ppm_event_codes(condition.get());
}
else
{
wrap->evttypes = { ppm_event_code::PPME_PLUGINEVENT_E };
wrap->sc_codes = { };
wrap->event_codes = { ppm_event_code::PPME_PLUGINEVENT_E };
}
m_filters.insert(wrap);
}
Expand Down Expand Up @@ -300,10 +311,27 @@ bool evttype_index_ruleset::run(gen_event *evt, falco_rule& match, uint16_t rule

void evttype_index_ruleset::enabled_evttypes(std::set<uint16_t> &evttypes, uint16_t ruleset_id)
{
if(m_rulesets.size() < (size_t)ruleset_id + 1)
evttypes.clear();
for (const auto& e : enabled_event_codes(ruleset_id))
{
return;
evttypes.insert((uint16_t) e);
}
}

return m_rulesets[ruleset_id]->evttypes_for_ruleset(evttypes);
libsinsp::events::set<ppm_sc_code> evttype_index_ruleset::enabled_sc_codes(uint16_t ruleset)
{
if(m_rulesets.size() < (size_t)ruleset + 1)
{
return {};
}
return m_rulesets[ruleset]->sc_codes();
}

libsinsp::events::set<ppm_event_code> evttype_index_ruleset::enabled_event_codes(uint16_t ruleset)
{
if(m_rulesets.size() < (size_t)ruleset + 1)
{
return {};
}
return m_rulesets[ruleset]->event_codes();
}
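Review bot: `enabled_sc_codes` and `enabled_event_codes` return an empty set for a ruleset id beyond `m_rulesets.size()`, which a caller cannot tell apart from a ruleset whose rules select no events; since these sets now feed live-capture event selection, a wrong id would silently select nothing instead of failing. A comment on both early returns would make that choice explicit, e.g. `// unknown ruleset id: treated like a ruleset with no enabled rules; callers cannot distinguish the two`. The bounds test could also drop the C-style cast in both functions, `if(ruleset >= m_rulesets.size())`. `ruleset_filters::sc_codes()` and `ruleset_filters::event_codes()` only read `m_filters` and could be declared `const`, which would require the matching change in the header.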
15 changes: 12 additions & 3 deletions userspace/engine/evttype_index_ruleset.h
Expand Up @@ -70,11 +70,17 @@ class evttype_index_ruleset: public filter_ruleset
const std::set<std::string> &tags,
uint16_t rulset_id) override;

// evttypes for a ruleset
// note(jasondellaluce): this is deprecated, must use the new
// typing-improved `enabled_event_codes` and `enabled_sc_codes` instead
// todo(jasondellaluce): remove this in future code refactors
void enabled_evttypes(
std::set<uint16_t> &evttypes,
uint16_t ruleset) override;

libsinsp::events::set<ppm_sc_code> enabled_sc_codes(uint16_t ruleset) override;

libsinsp::events::set<ppm_event_code> enabled_event_codes(uint16_t ruleset) override;

private:

// Helper used by enable()/disable()
Expand All @@ -93,7 +99,8 @@ class evttype_index_ruleset: public filter_ruleset
struct filter_wrapper
{
falco_rule rule;
libsinsp::events::set<ppm_event_code> evttypes;
libsinsp::events::set<ppm_sc_code> sc_codes;
libsinsp::events::set<ppm_event_code> event_codes;
std::shared_ptr<gen_event_filter> filter;
};

Expand All @@ -113,7 +120,9 @@ class evttype_index_ruleset: public filter_ruleset

bool run(gen_event *evt, falco_rule& match);

void evttypes_for_ruleset(std::set<uint16_t> &evttypes);
libsinsp::events::set<ppm_sc_code> sc_codes();

libsinsp::events::set<ppm_event_code> event_codes();

private:
void add_wrapper_to_list(filter_wrapper_list &wrappers, std::shared_ptr<filter_wrapper> wrap);
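Review bot: The new `sc_codes()` and `event_codes()` declarations on `ruleset_filters` are non-const even though their definitions in this PR only read `m_filters` to build the result, so they cannot be called through a const reference; declare them `libsinsp::events::set<ppm_sc_code> sc_codes() const;` and `libsinsp::events::set<ppm_event_code> event_codes() const;` and add `const` to the definitions in evttype_index_ruleset.cpp. The overriding `enabled_sc_codes`/`enabled_event_codes` must stay non-const because `filter_ruleset` declares them that way. The `filter_wrapper` struct would also benefit from a one-line comment on each new member, e.g. `// syscall codes the condition refers to; empty for plugin sources` on `sc_codes` and `// event codes the filter is indexed under in ruleset_filters` on `event_codes`.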
10 changes: 10 additions & 0 deletions userspace/engine/falco_engine.cpp
Expand Up @@ -327,6 +327,16 @@ void falco_engine::evttypes_for_ruleset(std::string &source, std::set<uint16_t>
find_source(source)->ruleset->enabled_evttypes(evttypes, find_ruleset_id(ruleset));
}

libsinsp::events::set<ppm_sc_code> falco_engine::sc_codes_for_ruleset(const std::string &source, const std::string &ruleset)
{
return find_source(source)->ruleset->enabled_sc_codes(find_ruleset_id(ruleset));
}

libsinsp::events::set<ppm_event_code> falco_engine::event_codes_for_ruleset(const std::string &source, const std::string &ruleset)
{
return find_source(source)->ruleset->enabled_event_codes(find_ruleset_id(ruleset));
}

std::shared_ptr<gen_event_formatter> falco_engine::create_formatter(const std::string &source,
const std::string &output) const
{
19 changes: 19 additions & 0 deletions userspace/engine/falco_engine.h
Expand Up @@ -222,11 +222,30 @@ class falco_engine
//
// Given an event source and ruleset, fill in a bitset
// containing the event types for which this ruleset can run.
// note(jasondellaluce): this is deprecated, must use the new
// typing-improved `enabled_event_codes` and `enabled_sc_codes` instead
// todo(jasondellaluce): remove this in future code refactors
//
void evttypes_for_ruleset(std::string &source,
std::set<uint16_t> &evttypes,
const std::string &ruleset = s_default_ruleset);

//
// Given an event source and ruleset, return the set of ppm_sc_codes
// for which this ruleset can run and match events.
//
libsinsp::events::set<ppm_sc_code> sc_codes_for_ruleset(
const std::string &source,
const std::string &ruleset = s_default_ruleset);

//
// Given an event source and ruleset, return the set of ppm_event_codes
// for which this ruleset can run and match events.
//
libsinsp::events::set<ppm_event_code> event_codes_for_ruleset(
const std::string &source,
const std::string &ruleset = s_default_ruleset);

//
// Given a source and output string, return an
// gen_event_formatter that can format output strings for an
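Review bot: The deprecation note added to `evttypes_for_ruleset` directs callers to `enabled_event_codes` and `enabled_sc_codes`, but the members this class gains in the same hunk are `event_codes_for_ruleset` and `sc_codes_for_ruleset`; the `enabled_*` names belong to `filter_ruleset`, not `falco_engine`. The comment should name `event_codes_for_ruleset` and `sc_codes_for_ruleset` instead. The two new header comments could also state what happens for a source or ruleset name that is not registered, which depends on `find_source`/`find_ruleset_id` and is not visible in this diff.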
20 changes: 20 additions & 0 deletions userspace/engine/filter_ruleset.h
Expand Up @@ -21,6 +21,7 @@ limitations under the License.
#include <filter.h>
#include <event.h>
#include <gen_filter.h>
#include <events/sinsp_events.h>

/*!
\brief Manages a set of rulesets. A ruleset is a set of
Expand Down Expand Up @@ -83,10 +84,29 @@ class filter_ruleset
\brief Returns the union of the evttypes of all the rules enabled
in a given ruleset
\param ruleset_id The id of the ruleset to be used
\deprecated Must use the new typing-improved `enabled_event_codes`
and `enabled_sc_codes` instead
\note todo(jasondellaluce): remove this in future refactors
*/
virtual void enabled_evttypes(
std::set<uint16_t> &evttypes,
uint16_t ruleset) = 0;

/*!
\brief Returns the all the ppm_sc_codes matching the rules
enabled in a given ruleset.
\param ruleset_id The id of the ruleset to be used
*/
virtual libsinsp::events::set<ppm_sc_code> enabled_sc_codes(
uint16_t ruleset) = 0;

/*!
\brief Returns the all the ppm_event_codes matching the rules
enabled in a given ruleset.
\param ruleset_id The id of the ruleset to be used
*/
virtual libsinsp::events::set<ppm_event_code> enabled_event_codes(
uint16_t ruleset) = 0;

/*!
\brief Find those rules matching the provided substring and enable
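Review bot: The `\param ruleset_id` lines on the new `enabled_sc_codes` and `enabled_event_codes` document a parameter that does not exist; both functions take `ruleset`, so the line should read `\param ruleset The id of the ruleset to be used`. Both briefs also carry a duplicated article (`Returns the all the ...`). Neither brief states what an implementation must return for a ruleset id that does not exist; the `evttype_index_ruleset` implementation in this PR returns an empty set, and the interface should say whether that is the contract, since callers use these sets to decide which syscalls a live capture collects.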
2 changes: 1 addition & 1 deletion userspace/falco/CMakeLists.txt
Expand Up @@ -19,7 +19,7 @@ set(
app/options.cpp
app/actions/helpers_generic.cpp
app/actions/helpers_inspector.cpp
app/actions/helpers_interesting_sets.cpp
app/actions/configure_interesting_sets.cpp
app/actions/create_signal_handlers.cpp
app/actions/daemonize.cpp
app/actions/init_falco_engine.cpp