fix(userspace/engine): forcefully set PPME_PLUGINEVENT_E event type for "plugin" source events.

This workaround an issue in libs, targeting Falco 0.31.0.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>

userspace/engine/falco_engine.cpp

@@ -420,7 +420,7 @@ void falco_engine::add_filter(std::shared_ptr<gen_event_filter> filter,
 		throw falco_exception(err);
 	}
 
-	it->second->add(rule, tags, filter);
+	it->second->add(source, rule, tags, filter);
 }
 
 bool falco_engine::is_source_valid(const std::string &source)

userspace/engine/rules.cpp

@@ -145,11 +145,19 @@ int falco_rules::add_filter(lua_State *ls)
 		lua_pop(ls, 1);
 	}
 
-	size_t num_evttypes = lp->filter()->evttypes().size();
+	// todo(jasondellaluce,leogr,fededp): temp workaround, remove when fixed in libs
+	size_t num_evttypes = 1; // assume plugin
+	if(source == "syscall" || source == "k8s_audit")
+	{
+		num_evttypes = lp->filter()->evttypes().size();
+	}
 
-	try {
+	try
+	{
 		rules->add_filter(lp->filter(), rule, source, tags);
-	} catch (exception &e) {
+	}
+	catch (exception &e)
+	{
 		std::string errstr = string("Could not add rule to falco engine: ") + e.what();
 		lua_pushstring(ls, errstr.c_str());
 		lua_error(ls);

userspace/engine/ruleset.cpp

@@ -66,7 +66,7 @@ void falco_ruleset::ruleset_filters::remove_wrapper_from_list(filter_wrapper_lis
 
 void falco_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_wrapper> wrap)
 {
-	std::set<uint16_t> fevttypes = wrap->filter->evttypes();
+	std::set<uint16_t> fevttypes = wrap->evttypes();
 
 	if(fevttypes.empty())
 	{
@@ -91,7 +91,7 @@ void falco_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_wrapper>
 
 void falco_ruleset::ruleset_filters::remove_filter(std::shared_ptr<filter_wrapper> wrap)
 {
-	std::set<uint16_t> fevttypes = wrap->filter->evttypes();
+	std::set<uint16_t> fevttypes = wrap->evttypes();
 
 	if(fevttypes.empty())
 	{
@@ -147,16 +147,18 @@ void falco_ruleset::ruleset_filters::evttypes_for_ruleset(std::set<uint16_t> &ev
 
 	for(auto &wrap : m_filters)
 	{
-		auto fevttypes = wrap->filter->evttypes();
+		auto fevttypes = wrap->evttypes();
 		evttypes.insert(fevttypes.begin(), fevttypes.end());
 	}
 }
 
-void falco_ruleset::add(string &name,
+void falco_ruleset::add(string &source,
+			string &name,
 			set<string> &tags,
 			std::shared_ptr<gen_event_filter> filter)
 {
 	std::shared_ptr<filter_wrapper> wrap(new filter_wrapper());
+	wrap->source = source;
 	wrap->name = name;
 	wrap->tags = tags;
 	wrap->filter = filter;

userspace/engine/ruleset.h

@@ -34,7 +34,8 @@ public:
 	falco_ruleset();
 	virtual ~falco_ruleset();
 
-	void add(std::string &name,
+	void add(string &source,
+		 std::string &name,
 		 std::set<std::string> &tags,
 		 std::shared_ptr<gen_event_filter> filter);
 
@@ -73,9 +74,21 @@ private:
 
 	class filter_wrapper {
 	public:
+		std::string source;
 		std::string name;
 		std::set<std::string> tags;
 		std::shared_ptr<gen_event_filter> filter;
+		std::set<uint16_t> evttypes()
+		{
+			// todo(jasondellaluce,leogr): temp workarond, remove when fixed in libs
+			if(source == "syscall" || source == "k8s_audit")
+			{
+				return filter->evttypes();
+			}
+			// else assume plugins
+			return {ppm_event_type::PPME_PLUGINEVENT_E};
+			// workaround end
+		}
 	};
 
 	typedef std::list<std::shared_ptr<filter_wrapper>> filter_wrapper_list;