diff --git a/userspace/falco/app/actions/configure_interesting_sets.cpp b/userspace/falco/app/actions/configure_interesting_sets.cpp
index b2c7d181..6d661b9c 100644
--- a/userspace/falco/app/actions/configure_interesting_sets.cpp
+++ b/userspace/falco/app/actions/configure_interesting_sets.cpp
@@ -112,6 +112,19 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set
m_base_syscalls_repair && user_positive_sc_set.empty()) + { + /* If `base_syscalls.repair` is specified, but `base_syscalls.custom_set` is empty we are replacing + * the default `sinsp_state_sc_set()` enforcement with the alternative `sinsp_repair_state_sc_set`. + * This approach only activates additional syscalls Falco needs beyond the + * syscalls defined in each Falco rule that are absolutely necessary based + * on the current rules configuration. */ + + // returned set already has rules_sc_set merged + s.selected_sc_set = libsinsp::events::sinsp_repair_state_sc_set(rules_sc_set); + } + if (!user_negative_sc_set.empty()) { /* Remove negative base_syscalls events. */ @@ -131,19 +144,6 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set
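Review bot: The comment inside the added `if` still says the branch applies when `base_syscalls.custom_set` is empty, but the condition now tests `user_positive_sc_set.empty()`, which presumably also holds when the custom set contains only negated entries. Reword the opening to something like `/* If base_syscalls.repair is set and base_syscalls.custom_set has no positive entries (negations may still be present), we replace ... */` so the comment matches the new condition. Because the negative removal now runs after `sinsp_repair_state_sc_set(rules_sc_set)`, a negation can drop a syscall that the repair set selected for state tracking, which could leave the libsinsp state that rules rely on incomplete and reduce detection coverage. A warning that lists any negated syscalls that were part of the repaired set would make that loss of visibility explicit to operators. The body of `select_event_set` starts and ends outside the hunk, so whether the removal block already reports this cannot be confirmed from here.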
m_base_syscalls_repair && s.config->m_base_syscalls_custom_set.empty()) - { - /* If `base_syscalls.repair` is specified, but `base_syscalls.custom_set` is empty we are replacing - * the default `sinsp_state_sc_set()` enforcement with the alternative `sinsp_repair_state_sc_set`. - * This approach only activates additional syscalls Falco needs beyond the - * syscalls defined in each Falco rule that are absolutely necessary based - * on the current rules configuration. */ - - // returned set already has rules_sc_set merged - s.selected_sc_set = libsinsp::events::sinsp_repair_state_sc_set(rules_sc_set); - } - /* Derive the diff between the additional syscalls added via libsinsp state enforcement and the syscalls from each Falco rule. We avoid printing this in case the user specified a custom set of base syscalls */