falcosecurity · poiana · Sep 16, 2022 · Sep 14, 2022 · Sep 13, 2022
diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp
@@ -41,7 +41,9 @@ using namespace std;
 using namespace falco;
 
 falco_engine::falco_engine(bool seed_rng)
-	: m_next_ruleset_id(0),
+	: m_syscall_source(NULL),
+	  m_syscall_source_idx(SIZE_MAX),
+	  m_next_ruleset_id(0),
 	  m_min_priority(falco_common::PRIORITY_DEBUG),
 	  m_sampling_ratio(1), m_sampling_multiplier(0),
 	  m_replace_container_info(false)
@@ -331,27 +333,37 @@ std::shared_ptr<gen_event_formatter> falco_engine::create_formatter(const std::s
 
 unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t source_idx, gen_event *ev, uint16_t ruleset_id)
 {
-	falco_rule rule;
-
 	// note: there are no thread-safety guarantees on the filter_ruleset::run()
 	// method, but the thread-safety assumptions of falco_engine::process_event()
 	// imply that concurrent invokers use different and non-switchable values of
 	// source_idx, which means that at any time each filter_ruleset will only
 	// be accessed by a single thread.
-	if(should_drop_evt() || !find_source(source_idx)->ruleset->run(ev, rule, ruleset_id))
+
+	const falco_source *source;
+
+	if(source_idx == m_syscall_source_idx)
+	{
+		source = m_syscall_source;
+	}
+	else
+	{
+		source = find_source(source_idx);
+	}
+
+	if(should_drop_evt() || !source || !source->ruleset->run(ev, source->m_rule, ruleset_id))
 	{
 		return unique_ptr<struct rule_result>();
 	}
 
 	unique_ptr<struct rule_result> res(new rule_result());
 	res->evt = ev;
-	res->rule = rule.name;
-	res->source = rule.source;
-	res->format = rule.output;
-	res->priority_num = rule.priority;
-	res->tags = rule.tags;
-	res->exception_fields = rule.exception_fields;
-	m_rule_stats_manager.on_event(rule);
+	res->rule = source->m_rule.name;
+	res->source = source->m_rule.source;
+	res->format = source->m_rule.output;
+	res->priority_num = source->m_rule.priority;
+	res->tags = source->m_rule.tags;
+	res->exception_fields = source->m_rule.exception_fields;
+	m_rule_stats_manager.on_event(source->m_rule);
 	return res;
 }
 
@@ -367,7 +379,15 @@ std::size_t falco_engine::add_source(const std::string &source,
 	// evttype_index_ruleset is the default ruleset implementation
 	std::shared_ptr<filter_ruleset_factory> ruleset_factory(
 		new evttype_index_ruleset_factory(filter_factory));
-	return add_source(source, filter_factory, formatter_factory, ruleset_factory);
+	size_t idx = add_source(source, filter_factory, formatter_factory, ruleset_factory);
+
+	if(source == falco_common::syscall_source)
+	{
+		m_syscall_source_idx = idx;
+		m_syscall_source = find_source(m_syscall_source_idx);
+	}
+
+	return idx;
 }
 
 std::size_t falco_engine::add_source(const std::string &source,

diff --git a/userspace/engine/falco_engine.h b/userspace/engine/falco_engine.h
@@ -22,6 +22,7 @@ limitations under the License.
 
 #pragma once
 
+#include <atomic>
 #include <string>
 #include <memory>
 #include <set>
@@ -171,7 +172,7 @@ class falco_engine
 	// configured the engine. In particular, invoking this with a source_idx
 	// not previosly-returned by a call to add_source() would cause a
 	// falco_exception to be thrown.
-	// 
+	//
 	// This method is thread-safe only with the assumption that every invoker
 	// uses a different source_idx. Moreover, each invoker must not switch
 	// source_idx in subsequent invocations of this method.
@@ -264,6 +265,12 @@ class falco_engine
 	const falco_source* find_source(std::size_t index) const;
 	const falco_source* find_source(const std::string& name) const;
 
+	// To allow the engine to be extremely fast for syscalls (can
+	// be > 1M events/sec), we save the syscall source/source_idx
+	// separately and check it explicitly in process_event()
+	const falco_source* m_syscall_source;
+	std::atomic<size_t> m_syscall_source_idx;
+
 	//
 	// Determine whether the given event should be matched at all
 	// against the set of rules, given the current sampling

diff --git a/userspace/engine/falco_source.h b/userspace/engine/falco_source.h
@@ -32,6 +32,10 @@ struct falco_source
 	std::shared_ptr<gen_event_filter_factory> filter_factory;
 	std::shared_ptr<gen_event_formatter_factory> formatter_factory;
 
+	// Used by the filter_ruleset interface. Filled in when a rule
+	// matches an event.
+	mutable falco_rule m_rule;
+
 	inline bool is_field_defined(std::string field) const
 	{
 		auto *chk = filter_factory->new_filtercheck(field.c_str());