update(userspace/engine): add event codes to json output

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
falcosecurity · May 16, 2023 · b9c8ac1 · b9c8ac1
1 parent 93aef41
commit b9c8ac1
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 1 deletion.
diff --git a/unit_tests/engine/test_filter_details_resolver.cpp b/unit_tests/engine/test_filter_details_resolver.cpp
@@ -0,0 +1,19 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless ASSERT_EQd by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <gtest/gtest.h>
+#include <engine/filter_details_resolver.h>
+
diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp
@@ -601,6 +601,13 @@ Json::Value falco_engine::get_json_rule_details(const falco_rule& r, filter_deta
 	}
 	output["lists"] = lists;
 
+	Json::Value events = Json::arrayValue;
+	for(const auto &e : rule_info->evttypes)
+	{
+		events.append(e);
+	}
+	output["eventCodes"] = events;
+
 	details.reset();
 
 	return output;

diff --git a/userspace/engine/rule_loader.h b/userspace/engine/rule_loader.h
@@ -456,6 +456,7 @@ namespace rule_loader
 		std::set<std::string> tags;
 		std::vector<rule_exception_info> exceptions;
 		falco_common::priority_type priority;
+		libsinsp::events::set<ppm_event_code> evttypes;
 		bool enabled;
 		bool warn_evttypes;
 		bool skip_if_unknown_filter;

diff --git a/userspace/engine/rule_loader_compiler.cpp b/userspace/engine/rule_loader_compiler.cpp
@@ -386,7 +386,11 @@ void rule_loader::compiler::compile_rule_infos(
 	std::string err, condition;
 	std::set<falco::load_result::load_result::warning_code> warn_codes;
 	filter_warning_resolver warn_resolver;
-	for (auto &r : col.rules())
+
+	// note: cast away the const qualifier in the for loop
+	// this is needed because we want to store information about evttypes
+	// used by any rules, which might come in handy when describing rules.
+	for (auto &r : const_cast<indexed_vector<rule_info>&>(col.rules()))
 	{
 		// skip the rule if below the minimum priority
 		if (r.priority > cfg.min_priority)
@@ -507,6 +511,7 @@ void rule_loader::compiler::compile_rule_infos(
 					"Rule matches too many evt.type values. This has a significant performance penalty.",
 					r.ctx);
 			}
+			r.evttypes = evttypes;
 		}
 	}
 }