fix(userspace/falco): properly account for plugin with CAP_PARSING wh…

…en computing interesting sc set. Signed-off-by: Federico Di Pierro <[email protected]>
falcosecurity · Sep 19, 2024 · 8c01a24 · 8c01a24
1 parent ad13cb6
commit 8c01a24
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 6 deletions.
diff --git a/userspace/falco/app/actions/configure_interesting_sets.cpp b/userspace/falco/app/actions/configure_interesting_sets.cpp
@@ -18,6 +18,7 @@ limitations under the License.
 #include "actions.h"
 #include "helpers.h"
 #include "../app.h"
+#include <libsinsp/plugin_manager.h>
 
 using namespace falco::app;
 using namespace falco::app::actions;
@@ -73,6 +74,25 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
 			+ ") syscalls in rules: " + concat_set_in_order(rules_names) + "\n");
 	}
 
+	/* Load PPM event codes needed by plugins with parsing capability */
+	libsinsp::events::set<ppm_event_code> plugin_ev_codes;
+	for (const auto &p : s.offline_inspector->get_plugin_manager()->plugins())
+	{
+		if(!(p->caps() & CAP_PARSING))
+		{
+			continue;
+		}
+		plugin_ev_codes.merge(p->parse_event_codes());
+	}
+	const auto plugin_sc_set = libsinsp::events::event_set_to_sc_set(plugin_ev_codes);
+	const auto plugin_names = libsinsp::events::sc_set_to_event_names(plugin_sc_set);
+	if (!plugin_sc_set.empty())
+	{
+		falco_logger::log(falco_logger::level::DEBUG, "(" + std::to_string(plugin_names.size())
+		                                                      + ") syscalls required by plugins: " + concat_set_in_order(plugin_names) + "\n");
+	}
+
+
 	/* DEFAULT OPTION:
 	* Current `sinsp_state_sc_set()` approach includes multiple steps:
 	* (1) Enforce all positive syscalls from each Falco rule
@@ -113,7 +133,7 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
 
 	// selected events are the union of the rules events set and the
 	// base events set (either the default or the user-defined one)
-	s.selected_sc_set = rules_sc_set.merge(base_sc_set);
+	s.selected_sc_set = rules_sc_set.merge(base_sc_set).merge(plugin_sc_set);
 
 	/* REPLACE DEFAULT STATE, nothing else. Need to override s.selected_sc_set and have a separate logic block. */
 	if (s.config->m_base_syscalls_repair && user_positive_sc_set.empty())

diff --git a/userspace/falco/app/actions/init_inspectors.cpp b/userspace/falco/app/actions/init_inspectors.cpp
@@ -163,11 +163,6 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 	std::unordered_set<std::string> used_plugins;
 	const auto& all_plugins = s.offline_inspector->get_plugin_manager()->plugins();
 
-	if((s.config->m_metrics_flags & METRICS_V2_STATE_COUNTERS))
-	{
-
-	}
-
 	for (const auto &src : s.loaded_sources)
 	{
 		auto src_info = s.source_infos.at(src);