in rule/rule.go [44:94]
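// Build converts a Rule into its WireFormat representation.
//
// A *SyscallRule is applied to a fresh ruleData in this order: list, action,
// filters, syscalls, keys. A *FileWatchRule is delegated to addFileWatch.
// Any other rule type is rejected with an error.
//
// A filter whose Type is neither ValueFilterType nor InterFieldFilterType is
// rejected instead of being skipped. Silently dropping a filter would build a
// rule that differs from what the caller specified (typically one that
// matches more broadly), with no indication that anything was lost.
func Build(rule Rule) (WireFormat, error) {
	// NOTE(review): allSyscalls starts out true; presumably addSyscall
	// narrows it when explicit syscalls are listed. Confirm against ruleData.
	data := &ruleData{allSyscalls: true}
	var err error

	switch v := rule.(type) {
	case *SyscallRule:
		// A typed nil pointer matches this case; fail cleanly instead of
		// panicking on the field accesses below.
		if v == nil {
			return nil, fmt.Errorf("nil rule of type %T", v)
		}
		if err = data.setList(v.List); err != nil {
			return nil, err
		}
		if err = data.setAction(v.Action); err != nil {
			return nil, err
		}
		for _, filter := range v.Filters {
			switch filter.Type {
			case ValueFilterType:
				if err = addFilter(data, filter.LHS, filter.Comparator, filter.RHS); err != nil {
					return nil, fmt.Errorf("failed to add filter '%v': %w", filter, err)
				}
			case InterFieldFilterType:
				if err = addInterFieldComparator(data, filter.LHS, filter.Comparator, filter.RHS); err != nil {
					return nil, fmt.Errorf("failed to add interfield comparison '%v': %w", filter, err)
				}
			default:
				// Fail closed: an unrecognized (or zero-valued) filter type
				// must not be dropped from the rule without notice.
				return nil, fmt.Errorf("unknown filter type %v in filter '%v'", filter.Type, filter)
			}
		}
		for _, syscall := range v.Syscalls {
			if err = addSyscall(data, syscall); err != nil {
				return nil, fmt.Errorf("failed to add syscall '%v': %w", syscall, err)
			}
		}
		if err = addKeys(data, v.Keys); err != nil {
			return nil, err
		}
	case *FileWatchRule:
		if err = addFileWatch(data, v); err != nil {
			return nil, err
		}
	default:
		// A nil interface value also lands here and is reported as <nil>.
		return nil, fmt.Errorf("unknown rule type: %T", v)
	}

	ard, err := data.toAuditRuleData()
	if err != nil {
		return nil, err
	}
	return ard.toWireFormat(), nil
}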