update(userspace/engine): adapt engine classes to new libsinsp event definitions

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2025-08-10 02:28:03 +00:00 · 2023-02-17 11:17:37 +00:00 · 2023-02-17 11:17:37 +00:00 · 6c38ecaf0e
commit 6c38ecaf0e
parent 34ea7a8245
4 changed files with 10 additions and 11 deletions
--- a/userspace/engine/evttype_index_ruleset.cpp
+++ b/userspace/engine/evttype_index_ruleset.cpp
@ -15,7 +15,6 @@ limitations under the License.
 */
 #include "evttype_index_ruleset.h"
 #include "filter_evttype_resolver.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 #include <algorithm>
@ -145,7 +144,10 @@ void evttype_index_ruleset::ruleset_filters::evttypes_for_ruleset(std::set<uint1
 	for(auto &wrap : m_filters)
 	{
-		evttypes.insert(wrap->evttypes.begin(), wrap->evttypes.end());
+		for (const auto& e : wrap->evttypes)
 		{
 			evttypes.insert((uint16_t) e);
 		}
 	}
 }
@ -161,12 +163,11 @@ void evttype_index_ruleset::add(
 		wrap->filter = filter;
 		if(rule.source == falco_common::syscall_source)
 		{
-			filter_evttype_resolver resolver;
+			wrap->evttypes = libsinsp::filter::ast::ppm_event_codes(condition.get());
 			resolver.evttypes(condition, wrap->evttypes);
 		}
 		else
 		{
-			wrap->evttypes = { ppm_event_type::PPME_PLUGINEVENT_E };
+			wrap->evttypes = { ppm_event_code::PPME_PLUGINEVENT_E };
 		}
 		m_filters.insert(wrap);
 	}
--- a/userspace/engine/evttype_index_ruleset.h
+++ b/userspace/engine/evttype_index_ruleset.h
@ -93,7 +93,7 @@ private:
 	struct filter_wrapper
 	{
 		falco_rule rule;
-		std::set<uint16_t> evttypes;
+		libsinsp::events::set<ppm_event_code> evttypes;
 		std::shared_ptr<gen_event_filter> filter;
 	};
--- a/userspace/engine/json_evt.h
+++ b/userspace/engine/json_evt.h
@ -48,7 +48,7 @@ public:
 	inline uint16_t get_type() const
 	{
 		// All k8s audit events have the single tag "1". - see falco_engine::process_k8s_audit_event
-		return ppm_event_type::PPME_PLUGINEVENT_E;
+		return ppm_event_code::PPME_PLUGINEVENT_E;
 	}
 protected:
--- a/userspace/engine/rule_loader_compiler.cpp
+++ b/userspace/engine/rule_loader_compiler.cpp
@ -21,7 +21,6 @@ limitations under the License.
 #include "rule_loader_compiler.h"
 #include "filter_macro_resolver.h"
 #include "filter_evttype_resolver.h"
 #include "filter_warning_resolver.h"
 #define MAX_VISIBILITY		((uint32_t) -1)
@ -496,11 +495,10 @@ void rule_loader::compiler::compile_rule_infos(
 		}
 		// populate set of event types and emit an special warning
-		std::set<uint16_t> evttypes = { ppm_event_type::PPME_PLUGINEVENT_E };
+		libsinsp::events::set<ppm_event_code> evttypes = { ppm_event_code::PPME_PLUGINEVENT_E };
 		if(rule.source == falco_common::syscall_source)
 		{
-			evttypes.clear();
+			evttypes = libsinsp::filter::ast::ppm_event_codes(ast.get());
 			filter_evttype_resolver().evttypes(ast, evttypes);
 			if ((evttypes.empty() || evttypes.size() > 100)
 			    && r.warn_evttypes)
 			{