Add ability to run on all events. #107

Merged
merged 1 commit into from
Aug 5, 2016
14 changes: 11 additions & 3 deletions userspace/falco/falco.cpp
Expand Up @@ -56,6 +56,7 @@ static void usage()
" -L Show the name and description of all rules and exit.\n"
" -l <rule> Show the name and description of the rule with name <rule> and exit.\n"
" -v Verbose output.\n"
" -A Monitor all events, including those with EF_DROP_FALCO flag.\n"
"\n"
);
}
Expand Down Expand Up @@ -255,6 +256,7 @@ int falco_init(int argc, char **argv)
bool describe_all_rules = false;
string describe_rule = "";
bool verbose = false;
bool all_events = false;

static struct option long_options[] =
{
Expand All @@ -274,7 +276,7 @@ int falco_init(int argc, char **argv)
// Parse the args
//
while((op = getopt_long(argc, argv,
"c:ho:e:r:dp:Ll:v",
"c:ho:e:r:dp:Ll:vA",
long_options, &long_index)) != -1)
{
switch(op)
Expand Down Expand Up @@ -306,6 +308,9 @@ int falco_init(int argc, char **argv)
case 'v':
verbose = true;
break;
case 'A':
all_events = true;
break;
case 'l':
describe_rule = optarg;
break;
Expand Down Expand Up @@ -402,8 +407,11 @@ int falco_init(int argc, char **argv)
falco_rules::init(ls);


inspector->set_drop_event_flags(EF_DROP_FALCO);
rules->load_rules(config.m_rules_filename, verbose);
if(!all_events)
{
inspector->set_drop_event_flags(EF_DROP_FALCO);
}
rules->load_rules(config.m_rules_filename, verbose, all_events);
falco_logger::log(LOG_INFO, "Parsed rules from file " + config.m_rules_filename + "\n");

if (describe_all_rules)
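Review bot: The new `-A` usage line at the top of the hunk says what the flag does but not what it costs: skipping `inspector->set_drop_event_flags(EF_DROP_FALCO)` means every event now reaches the rule engine, which for a security monitor matters because the higher event rate raises CPU load and, presumably, the likelihood of the capture path dropping events under pressure — exactly when a detector is least able to afford gaps. Suggest `" -A Monitor all events, including those with EF_DROP_FALCO flag. This increases event volume and CPU usage; use only when rules need the otherwise-ignored syscalls.\n"`. A one-line comment above the `if(!all_events)` block, e.g. `// Dropping EF_DROP_FALCO events and rejecting rules that reference them go together; -A disables both`, would tie the inspector change to the `all_events` argument passed to `rules->load_rules` on the next line. falco_init both starts and ends outside the hunk.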
13 changes: 11 additions & 2 deletions userspace/falco/lua/compiler.lua
Expand Up @@ -2,12 +2,17 @@ local parser = require("parser")
local compiler = {}

compiler.verbose = false
compiler.all_events = false

function compiler.set_verbose(verbose)
compiler.verbose = verbose
parser.set_verbose(verbose)
end

function compiler.set_all_events(all_events)
compiler.all_events = all_events
end

function map(f, arr)
local res = {}
for i,v in ipairs(arr) do
Expand Down Expand Up @@ -274,7 +279,9 @@ function compiler.compile_macro(line, list_defs)

-- Traverse the ast looking for events/syscalls in the ignored
-- syscalls table. If any are found, return an error.
check_for_ignored_syscalls_events(ast, 'macro', line)
if not compiler.all_events then
check_for_ignored_syscalls_events(ast, 'macro', line)
end

return ast
end
Expand All @@ -297,7 +304,9 @@ function compiler.compile_filter(name, source, macro_defs, list_defs)

-- Traverse the ast looking for events/syscalls in the ignored
-- syscalls table. If any are found, return an error.
check_for_ignored_syscalls_events(ast, 'rule', source)
if not compiler.all_events then
check_for_ignored_syscalls_events(ast, 'rule', source)
end

if (ast.type == "Rule") then
-- Line is a filter, so expand macro references
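Review bot: The comment above each new `if not compiler.all_events then` guard still reads `If any are found, return an error.` with no mention that the check is now skipped entirely when all_events is set, so the comment contradicts the code path directly beneath it. Suggest, in both compile_macro and compile_filter: `-- Unless all_events is set (in which case these events are really delivered), traverse the ast looking for events/syscalls in the ignored syscalls table and return an error if any are found.` The duplicated guard could also live inside check_for_ignored_syscalls_events itself so future callers cannot forget it, and `compiler.set_all_events` could store `not not all_events` so the field is always a boolean rather than whatever the caller handed in (rule_loader forwards its argument unchanged). compile_macro begins before the hunk; compile_filter begins before it and continues past it.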
3 changes: 2 additions & 1 deletion userspace/falco/lua/rule_loader.lua
Expand Up @@ -117,9 +117,10 @@ end
-- to a rule.
local state = {macros={}, lists={}, filter_ast=nil, rules_by_name={}, n_rules=0, rules_by_idx={}}

function load_rules(filename, rules_mgr, verbose)
function load_rules(filename, rules_mgr, verbose, all_events)

compiler.set_verbose(verbose)
compiler.set_all_events(all_events)

local f = assert(io.open(filename, "r"))
local s = f:read("*all")
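Review bot: `load_rules` gains a fourth parameter but carries no comment describing it, and `all_events` is forwarded to `compiler.set_all_events` as-is, so any caller still using the three-argument form sets the compiler flag to nil. That works today only because the compiler tests `not compiler.all_events`; it is worth stating the contract above the signature: `-- all_events: when true, rules may reference syscalls Falco normally ignores (EF_DROP_FALCO); nil/false keeps the default check`. The function continues past the hunk.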
5 changes: 3 additions & 2 deletions userspace/falco/rules.cpp
Expand Up @@ -88,7 +88,7 @@ void falco_rules::load_compiler(string lua_main_filename)
}
}

void falco_rules::load_rules(string rules_filename, bool verbose)
void falco_rules::load_rules(string rules_filename, bool verbose, bool all_events)
{
lua_getglobal(m_ls, m_lua_load_rules.c_str());
if(lua_isfunction(m_ls, -1))
Expand Down Expand Up @@ -161,7 +161,8 @@ void falco_rules::load_rules(string rules_filename, bool verbose)
lua_pushstring(m_ls, rules_filename.c_str());
lua_pushlightuserdata(m_ls, this);
lua_pushboolean(m_ls, (verbose ? 1 : 0));
if(lua_pcall(m_ls, 3, 0, 0) != 0)
lua_pushboolean(m_ls, (all_events ? 1 : 0));
if(lua_pcall(m_ls, 4, 0, 0) != 0)
{
const char* lerr = lua_tostring(m_ls, -1);
string err = "Error loading rules:" + string(lerr);
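Review bot: The count in `lua_pcall(m_ls, 4, 0, 0)` now matches the four pushes, but the new `all_events` parameter on `falco_rules::load_rules` has no documentation on the C++ side, and its meaning is only discoverable by reading the Lua compiler. Suggest a comment above the definition: `// all_events: forwarded to the Lua rule loader; when true, the loader no longer rejects rules that reference syscalls Falco normally drops (EF_DROP_FALCO), so the caller must also stop dropping them on the inspector`. The push sequence and the error branch are only partly visible; the function continues past the hunk.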
2 changes: 1 addition & 1 deletion userspace/falco/rules.h
Expand Up @@ -10,7 +10,7 @@ class falco_rules
public:
falco_rules(sinsp* inspector, lua_State *ls, string lua_main_filename);
~falco_rules();
void load_rules(string rules_filename, bool verbose);
void load_rules(string rules_filename, bool verbose, bool all_events);
void describe_rule(string *rule);
sinsp_filter* get_filter();
