From 78f56190b409908d6696239d70686041b7549317 Mon Sep 17 00:00:00 2001
From: Federico Di Pierro <nierro92@gmail.com>
Date: Thu, 19 Sep 2024 10:14:47 +0200
Subject: [PATCH] fix(userspace/falco): properly account for plugin with
 CAP_PARSING when computing interesting sc set.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
---
 .../actions/configure_interesting_sets.cpp    | 25 +++++++++++++++++--
 .../falco/app/actions/init_inspectors.cpp     |  5 ----
 2 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/userspace/falco/app/actions/configure_interesting_sets.cpp b/userspace/falco/app/actions/configure_interesting_sets.cpp
index 9f7e60306c2..463db87ac93 100644
--- a/userspace/falco/app/actions/configure_interesting_sets.cpp
+++ b/userspace/falco/app/actions/configure_interesting_sets.cpp
@@ -18,6 +18,7 @@ limitations under the License.
 #include "actions.h"
 #include "helpers.h"
 #include "../app.h"
+#include <libsinsp/plugin_manager.h>
 
 using namespace falco::app;
 using namespace falco::app::actions;
@@ -73,6 +74,25 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
 			+ ") syscalls in rules: " + concat_set_in_order(rules_names) + "\n");
 	}
 
+	/* Load PPM event codes needed by plugins with parsing capability */
+	libsinsp::events::set<ppm_event_code> plugin_ev_codes;
+	for (const auto &p : s.offline_inspector->get_plugin_manager()->plugins())
+	{
+		if(!(p->caps() & CAP_PARSING))
+		{
+			continue;
+		}
+		plugin_ev_codes.merge(p->parse_event_codes());
+	}
+	const auto plugin_sc_set = libsinsp::events::event_set_to_sc_set(plugin_ev_codes);
+	const auto plugin_names = libsinsp::events::sc_set_to_event_names(plugin_sc_set);
+	if (!plugin_sc_set.empty())
+	{
+		falco_logger::log(falco_logger::level::DEBUG, "(" + std::to_string(plugin_names.size())
+		                                                      + ") syscalls required by plugins: " + concat_set_in_order(plugin_names) + "\n");
+	}
+
+
 	/* DEFAULT OPTION:
 	* Current `sinsp_state_sc_set()` approach includes multiple steps:
 	* (1) Enforce all positive syscalls from each Falco rule
@@ -111,9 +131,10 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
 			+ concat_set_in_order(invalid_positive_sc_set_names));
 	}
 
-	// selected events are the union of the rules events set and the
+	// selected events are the union of the rules events set plus
+	// the parsing capability plugins events set and the
 	// base events set (either the default or the user-defined one)
-	s.selected_sc_set = rules_sc_set.merge(base_sc_set);
+	s.selected_sc_set = rules_sc_set.merge(plugin_sc_set).merge(base_sc_set);
 
 	/* REPLACE DEFAULT STATE, nothing else. Need to override s.selected_sc_set and have a separate logic block. */
 	if (s.config->m_base_syscalls_repair && user_positive_sc_set.empty())
diff --git a/userspace/falco/app/actions/init_inspectors.cpp b/userspace/falco/app/actions/init_inspectors.cpp
index 4da21f5c987..4a5c2c49df0 100644
--- a/userspace/falco/app/actions/init_inspectors.cpp
+++ b/userspace/falco/app/actions/init_inspectors.cpp
@@ -163,11 +163,6 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 	std::unordered_set<std::string> used_plugins;
 	const auto& all_plugins = s.offline_inspector->get_plugin_manager()->plugins();
 
-	if((s.config->m_metrics_flags & METRICS_V2_STATE_COUNTERS))
-	{
-
-	}
-
 	for (const auto &src : s.loaded_sources)
 	{
 		auto src_info = s.source_infos.at(src);