From 19ffadc763d35cda9bd711ab3f9f0ebe347baa09 Mon Sep 17 00:00:00 2001
From: Jason Dellaluce <jasondellaluce@gmail.com>
Date: Fri, 24 Feb 2023 14:43:43 +0000
Subject: [PATCH] update(userspace/engine): support searching ppm_sc events in
 rulesets

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
---
 userspace/engine/evttype_index_ruleset.cpp | 62 ++++++++++++++++------
 userspace/engine/evttype_index_ruleset.h   | 15 ++++--
 userspace/engine/falco_engine.cpp          | 10 ++++
 userspace/engine/falco_engine.h            | 19 +++++++
 userspace/engine/filter_ruleset.h          | 20 +++++++
 5 files changed, 106 insertions(+), 20 deletions(-)

diff --git a/userspace/engine/evttype_index_ruleset.cpp b/userspace/engine/evttype_index_ruleset.cpp
index d79e408c..4189b4b6 100644
--- a/userspace/engine/evttype_index_ruleset.cpp
+++ b/userspace/engine/evttype_index_ruleset.cpp
@@ -65,14 +65,14 @@ void evttype_index_ruleset::ruleset_filters::remove_wrapper_from_list(filter_wra
 
 void evttype_index_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_wrapper> wrap)
 {
-	if(wrap->evttypes.empty())
+	if(wrap->event_codes.empty())
 	{
 		// Should run for all event types
 		add_wrapper_to_list(m_filter_all_event_types, wrap);
 	}
 	else
 	{
-		for(auto &etype : wrap->evttypes)
+		for(auto &etype : wrap->event_codes)
 		{
 			if(m_filter_by_event_type.size() <= etype)
 			{
@@ -88,13 +88,13 @@ void evttype_index_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_w
 
 void evttype_index_ruleset::ruleset_filters::remove_filter(std::shared_ptr<filter_wrapper> wrap)
 {
-	if(wrap->evttypes.empty())
+	if(wrap->event_codes.empty())
 	{
 		remove_wrapper_from_list(m_filter_all_event_types, wrap);
 	}
 	else
 	{
-		for(auto &etype : wrap->evttypes)
+		for(auto &etype : wrap->event_codes)
 		{
 			if( etype < m_filter_by_event_type.size() )
 			{
@@ -138,17 +138,24 @@ bool evttype_index_ruleset::ruleset_filters::run(gen_event *evt, falco_rule& mat
 	return false;
 }
 
-void evttype_index_ruleset::ruleset_filters::evttypes_for_ruleset(std::set<uint16_t> &evttypes)
+libsinsp::events::set<ppm_sc_code> evttype_index_ruleset::ruleset_filters::sc_codes()
 {
-	evttypes.clear();
-
+	libsinsp::events::set<ppm_sc_code> res;
 	for(auto &wrap : m_filters)
 	{
-		for (const auto& e : wrap->evttypes)
-		{
-			evttypes.insert((uint16_t) e);
-		}
+		res.insert(wrap->sc_codes.begin(), wrap->sc_codes.end());
 	}
+	return res;
+}
+
+libsinsp::events::set<ppm_event_code> evttype_index_ruleset::ruleset_filters::event_codes()
+{
+	libsinsp::events::set<ppm_event_code> res;
+	for(auto &wrap : m_filters)
+	{
+		res.insert(wrap->event_codes.begin(), wrap->event_codes.end());
+	}
+	return res;
 }
 
 void evttype_index_ruleset::add(
@@ -163,11 +170,15 @@ void evttype_index_ruleset::add(
 		wrap->filter = filter;
 		if(rule.source == falco_common::syscall_source)
 		{
-			wrap->evttypes = libsinsp::filter::ast::ppm_event_codes(condition.get());
+			wrap->sc_codes = libsinsp::filter::ast::ppm_sc_codes(condition.get());
+			// todo(jasondellaluce): once libsinsp has its fixes, optimize this
+			// by using libsinsp::events::ppm_set_to_event_set(wrap->sc_codes)
+			wrap->event_codes = libsinsp::filter::ast::ppm_event_codes(condition.get());
 		}
 		else
 		{
-			wrap->evttypes = { ppm_event_code::PPME_PLUGINEVENT_E };
+			wrap->sc_codes = { };
+			wrap->event_codes = { ppm_event_code::PPME_PLUGINEVENT_E };
 		}
 		m_filters.insert(wrap);
 	}
@@ -300,10 +311,27 @@ bool evttype_index_ruleset::run(gen_event *evt, falco_rule& match, uint16_t rule
 
 void evttype_index_ruleset::enabled_evttypes(std::set<uint16_t> &evttypes, uint16_t ruleset_id)
 {
-	if(m_rulesets.size() < (size_t)ruleset_id + 1)
+	evttypes.clear();
+	for (const auto& e : enabled_event_codes(ruleset_id))
 	{
-		return;
+		evttypes.insert((uint16_t) e);
 	}
-
-	return m_rulesets[ruleset_id]->evttypes_for_ruleset(evttypes);
+}
+
+libsinsp::events::set<ppm_sc_code> evttype_index_ruleset::enabled_sc_codes(uint16_t ruleset)
+{
+	if(m_rulesets.size() < (size_t)ruleset + 1)
+	{
+		return {};
+	}
+	return m_rulesets[ruleset]->sc_codes();
+}
+	
+libsinsp::events::set<ppm_event_code> evttype_index_ruleset::enabled_event_codes(uint16_t ruleset)
+{
+	if(m_rulesets.size() < (size_t)ruleset + 1)
+	{
+		return {};
+	}
+	return m_rulesets[ruleset]->event_codes();
 }
diff --git a/userspace/engine/evttype_index_ruleset.h b/userspace/engine/evttype_index_ruleset.h
index 3dba1351..a4680bc0 100644
--- a/userspace/engine/evttype_index_ruleset.h
+++ b/userspace/engine/evttype_index_ruleset.h
@@ -70,11 +70,17 @@ public:
 		const std::set<std::string> &tags,
 		uint16_t rulset_id) override;
 
-	// evttypes for a ruleset
+	// note(jasondellaluce): this is deprecated, must use the new
+	// typing-improved `enabled_event_codes` and `enabled_sc_codes` instead
+	// todo(jasondellaluce): remove this in future code refactors
 	void enabled_evttypes(
 		std::set<uint16_t> &evttypes,
 		uint16_t ruleset) override;
 
+	libsinsp::events::set<ppm_sc_code> enabled_sc_codes(uint16_t ruleset) override;
+
+	libsinsp::events::set<ppm_event_code> enabled_event_codes(uint16_t ruleset) override;
+
 private:
 
 	// Helper used by enable()/disable()
@@ -93,7 +99,8 @@ private:
 	struct filter_wrapper
 	{
 		falco_rule rule;
-		libsinsp::events::set<ppm_event_code> evttypes;
+		libsinsp::events::set<ppm_sc_code> sc_codes;
+		libsinsp::events::set<ppm_event_code> event_codes;
 		std::shared_ptr<gen_event_filter> filter;
 	};
 
@@ -113,7 +120,9 @@ private:
 
 		bool run(gen_event *evt, falco_rule& match);
 
-		void evttypes_for_ruleset(std::set<uint16_t> &evttypes);
+		libsinsp::events::set<ppm_sc_code> sc_codes();
+
+		libsinsp::events::set<ppm_event_code> event_codes();
 
 	private:
 		void add_wrapper_to_list(filter_wrapper_list &wrappers, std::shared_ptr<filter_wrapper> wrap);
diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp
index 0dc62c06..343e92ed 100644
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@@ -327,6 +327,16 @@ void falco_engine::evttypes_for_ruleset(std::string &source, std::set<uint16_t>
 	find_source(source)->ruleset->enabled_evttypes(evttypes, find_ruleset_id(ruleset));
 }
 
+libsinsp::events::set<ppm_sc_code> falco_engine::sc_codes_for_ruleset(const std::string &source, const std::string &ruleset)
+{
+	return find_source(source)->ruleset->enabled_sc_codes(find_ruleset_id(ruleset));
+}
+	
+libsinsp::events::set<ppm_event_code> falco_engine::event_codes_for_ruleset(const std::string &source, const std::string &ruleset)
+{
+	return find_source(source)->ruleset->enabled_event_codes(find_ruleset_id(ruleset));
+}
+
 std::shared_ptr<gen_event_formatter> falco_engine::create_formatter(const std::string &source,
 								    const std::string &output) const
 {
diff --git a/userspace/engine/falco_engine.h b/userspace/engine/falco_engine.h
index f188968b..4ea3a43a 100644
--- a/userspace/engine/falco_engine.h
+++ b/userspace/engine/falco_engine.h
@@ -222,11 +222,30 @@ public:
 	//
 	// Given an event source and ruleset, fill in a bitset
 	// containing the event types for which this ruleset can run.
+	// note(jasondellaluce): this is deprecated, must use the new
+	// typing-improved `enabled_event_codes` and `enabled_sc_codes` instead
+	// todo(jasondellaluce): remove this in future code refactors
 	//
 	void evttypes_for_ruleset(std::string &source,
 				  std::set<uint16_t> &evttypes,
 				  const std::string &ruleset = s_default_ruleset);
 
+	//
+	// Given an event source and ruleset, return the set of ppm_sc_codes
+	// for which this ruleset can run and match events.
+	//
+	libsinsp::events::set<ppm_sc_code> sc_codes_for_ruleset(
+				  const std::string &source,
+				  const std::string &ruleset = s_default_ruleset);
+	
+	//
+	// Given an event source and ruleset, return the set of ppm_event_codes
+	// for which this ruleset can run and match events.
+	//
+	libsinsp::events::set<ppm_event_code> event_codes_for_ruleset(
+				  const std::string &source,
+				  const std::string &ruleset = s_default_ruleset);
+
 	//
 	// Given a source and output string, return an
 	// gen_event_formatter that can format output strings for an
diff --git a/userspace/engine/filter_ruleset.h b/userspace/engine/filter_ruleset.h
index c50632e7..9520f0ce 100644
--- a/userspace/engine/filter_ruleset.h
+++ b/userspace/engine/filter_ruleset.h
@@ -21,6 +21,7 @@ limitations under the License.
 #include <filter.h>
 #include <event.h>
 #include <gen_filter.h>
+#include <events/sinsp_events.h>
 
 /*!
 	\brief Manages a set of rulesets. A ruleset is a set of
@@ -83,10 +84,29 @@ public:
 		\brief Returns the union of the evttypes of all the rules enabled
 		in a given ruleset
 		\param ruleset_id The id of the ruleset to be used
+		\deprecated Must use the new typing-improved `enabled_event_codes`
+		and `enabled_sc_codes` instead
+		\note todo(jasondellaluce): remove this in future refactors
 	*/
 	virtual void enabled_evttypes(
 		std::set<uint16_t> &evttypes,
 		uint16_t ruleset) = 0;
+	
+	/*!
+		\brief Returns the all the ppm_sc_codes matching the rules
+		enabled in a given ruleset.
+		\param ruleset_id The id of the ruleset to be used
+	*/
+	virtual libsinsp::events::set<ppm_sc_code> enabled_sc_codes(
+		uint16_t ruleset) = 0;
+	
+	/*!
+		\brief Returns the all the ppm_event_codes matching the rules
+		enabled in a given ruleset.
+		\param ruleset_id The id of the ruleset to be used
+	*/
+	virtual libsinsp::events::set<ppm_event_code> enabled_event_codes(
+		uint16_t ruleset) = 0;
 
 	/*!
 		\brief Find those rules matching the provided substring and enable