Rule order is not preserved between rules that have an event type and those that don't #354
Comments
Previously, catchall filters were always matched against an event first, followed by any filters specificially linked to that event's type. This didn't preserve the order of filters as they appeared in the file, though. Instead, assign a filter order for each filter and walk the catchall and evttype-specific filters in order, trying to match each against the event. This fixes falcosecurity/falco#354.
Test the fix for #354. A rules file has a event-specific rule first and a catchall rule second. Without the changes in draios/sysdig#1103, the first rule does not match the event.
|
What's the goal of this fix? Is there a reason why falco must match the rules in the order in which they appear in the file? PS - I cannot find the test rules file |
Test the fix for #354. A rules file has a event-specific rule first and a catchall rule second. Without the changes in draios/sysdig#1103, the first rule does not match the event.
|
I think generally preserving rule order is useful as you can ensure that earlier rules will match an event first. I ran into this bug when I had a rules file that first checked filesystem paths related to an open, and later checked system calls. I wanted the filesystem paths rule to take precedence over the system calls rule, so I put it earlier in the file. However, because the system calls rule wasn't specifically tied to any particular system call (its condition was something like When I tried to open a file below a disallowed path, the system call rule triggered instead of the filesystem rule. Thanks about |
|
Oh ok now I got it, it's a rule precedence issue. |
Previously, catchall filters were always matched against an event first, followed by any filters specificially linked to that event's type. This didn't preserve the order of filters as they appeared in the file, though. Instead, assign a filter order for each filter and walk the catchall and evttype-specific filters in order, trying to match each against the event. This fixes falcosecurity/falco#354.
* Only check whole rule names when matching counts Tweak the regex so a rule my_great_rule doesn't pick up event counts for a rule "great_rule: nnn". * Add ability to skip evttype warnings for rules A new attribute warn_evttypes, if present, suppresses printing warnings related to a rule not matching any event type. Useful if you have a rule where not including an event type is intentional. * Add test for preserving rule order Test the fix for #354. A rules file has a event-specific rule first and a catchall rule second. Without the changes in draios/sysdig#1103, the first rule does not match the event.
It's possible to have rules that don't explicitly name an event type, or have conditions that make it difficult to map to a specific set of event types. These rules run for all event types. This compares to most rules that name an event type, which are stored in a list of rules indexed by event type.
There isn't anything that preserves rule order between the two collections, so it's possible that a rule that appears later in a rules file and runs for all event types will be considered before a rule that appears earlier in a rules file runs for a specific event type.
Here's an example:
In this case,
related_to_tmpwill run first even though it appears second in the file.The fix is to keep track of overall rule order and preserve it when comparing rules in the two collections.
The text was updated successfully, but these errors were encountered: