Support enabled flag for rules.

If a rule has a enabled attribute, and if the value is false, call the engine's enable_rule() method to disable the rule. Like add_filter, there's a static method which takes the object as the first argument and a non-static method that calls the engine. This fixes #72.
falcosecurity · Sep 3, 2016 · f974922 · f974922
1 parent 08c3bef
commit f974922
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 0 deletions.
diff --git a/userspace/engine/lua/rule_loader.lua b/userspace/engine/lua/rule_loader.lua
@@ -188,6 +188,15 @@ function load_rules(rules_content, rules_mgr, verbose, all_events)
 	    else
 	       state.filter_ast = { type = "BinaryBoolOp", operator = "or", left = state.filter_ast, right = filter_ast.filter.value }
 	    end
+
+	    -- Enable/disable the rule
+	    if (v['enabled'] == nil) then
+	       v['enabled'] = true
+	    end
+
+	    if (v['enabled'] == false) then
+	       falco_rules.enable_rule(rules_mgr, v['rule'], 0)
+	    end
 	 else
 	    error ("Unexpected type in load_rule: "..filter_ast.type)
 	 end

diff --git a/userspace/engine/rules.cpp b/userspace/engine/rules.cpp
@@ -11,6 +11,7 @@ extern "C" {
 const static struct luaL_reg ll_falco_rules [] =
 {
 	{"add_filter", &falco_rules::add_filter},
+	{"enable_rule", &falco_rules::enable_rule},
 	{NULL,NULL}
 };
 
@@ -65,6 +66,30 @@ void falco_rules::add_filter(string &rule, list<uint32_t> &evttypes)
 	m_engine->add_evttype_filter(rule, evttypes, filter);
 }
 
+int falco_rules::enable_rule(lua_State *ls)
+{
+	if (! lua_islightuserdata(ls, -3) ||
+	    ! lua_isstring(ls, -2) ||
+	    ! lua_isnumber(ls, -1))
+	{
+		throw falco_exception("Invalid arguments passed to enable_rule()\n");
+	}
+
+	falco_rules *rules = (falco_rules *) lua_topointer(ls, -3);
+	const char *rulec = lua_tostring(ls, -2);
+	std::string rule = rulec;
+	bool enabled = (lua_tonumber(ls, -1) ? true : false);
+
+	rules->enable_rule(rule, enabled);
+
+	return 0;
+}
+
+void falco_rules::enable_rule(string &rule, bool enabled)
+{
+	m_engine->enable_rule(rule, enabled);
+}
+
 void falco_rules::load_rules(const string &rules_content, bool verbose, bool all_events)
 {
 	lua_getglobal(m_ls, m_lua_load_rules.c_str());

diff --git a/userspace/engine/rules.h b/userspace/engine/rules.h
@@ -18,9 +18,11 @@ class falco_rules
 
 	static void init(lua_State *ls);
 	static int add_filter(lua_State *ls);
+	static int enable_rule(lua_State *ls);
 
  private:
 	void add_filter(string &rule, list<uint32_t> &evttypes);
+	void enable_rule(string &rule, bool enabled);
 
 	lua_parser* m_lua_parser;
 	sinsp* m_inspector;