Squash w rule commit

falcosecurity · Sep 14, 2022 · 19483c1 · 19483c1
1 parent 3609328
commit 19483c1
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 9 deletions.
diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp
@@ -357,13 +357,13 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t so
 
 	unique_ptr<struct rule_result> res(new rule_result());
 	res->evt = ev;
-	res->rule = m_rule.name;
-	res->source = m_rule.source;
-	res->format = m_rule.output;
-	res->priority_num = m_rule.priority;
-	res->tags = m_rule.tags;
-	res->exception_fields = m_rule.exception_fields;
-	m_rule_stats_manager.on_event(m_rule);
+	res->rule = source->m_rule.name;
+	res->source = source->m_rule.source;
+	res->format = source->m_rule.output;
+	res->priority_num = source->m_rule.priority;
+	res->tags = source->m_rule.tags;
+	res->exception_fields = source->m_rule.exception_fields;
+	m_rule_stats_manager.on_event(source->m_rule);
 	return res;
 }
 

diff --git a/userspace/engine/falco_engine.h b/userspace/engine/falco_engine.h
@@ -265,8 +265,6 @@ class falco_engine
 	const falco_source* find_source(std::size_t index) const;
 	const falco_source* find_source(const std::string& name) const;
 
-	// Used for the filter_ruleset interface
-	falco_rule m_rule;
 	// To allow the engine to be extremely fast for syscalls (can
 	// be > 1M events/sec), we save the syscall source/source_idx
 	// separately and check it explicitly in process_event()

diff --git a/userspace/engine/falco_source.h b/userspace/engine/falco_source.h
@@ -32,6 +32,10 @@ struct falco_source
 	std::shared_ptr<gen_event_filter_factory> filter_factory;
 	std::shared_ptr<gen_event_formatter_factory> formatter_factory;
 
+	// Used by the filter_ruleset interface. Filled in when a rule
+	// matches an event.
+	mutable falco_rule m_rule;
+
 	inline bool is_field_defined(std::string field) const
 	{
 		auto *chk = filter_factory->new_filtercheck(field.c_str());