Handle both ignored events and syscalls.

Henri pointed out that events may also be flagged as ignored. So
populate a second table with the set of ignored events, rename
check_for_ignored_syscalls to check_for_ignored_syscalls_events, and
separately check each table based on whether the LHS of the expression
is evt.type or syscall.type.

userspace/falco/lua/compiler.lua

@@ -111,12 +111,19 @@ function get_macros(ast, set)
    return set
 end
 
-function check_for_ignored_syscalls(ast, filter_type, source)
+function check_for_ignored_syscalls_events(ast, filter_type, source)
 
-   function check_value(val)
+   function check_syscall(val)
       if ignored_syscalls[val] then
 	 error("Ignored syscall \""..val.."\" in "..filter_type..": "..source)
       end
+
+   end
+
+   function check_event(val)
+      if ignored_events[val] then
+	 error("Ignored event \""..val.."\" in "..filter_type..": "..source)
+      end
    end
 
    function cb(node)
@@ -127,12 +134,20 @@ function check_for_ignored_syscalls(ast, filter_type, source)
 	    if node.operator == "in" then
 	       for i, v in ipairs(node.right.elements) do
 		  if v.type == "BareString" then
-		     check_value(v.value)
+		     if node.left.value == "evt.type" then
+			check_event(v.value)
+		     else
+			check_syscall(v.value)
+		     end
 		  end
 	       end
 	    else
 	       if node.right.type == "BareString" then
-		  check_value(node.right.value)
+		  if node.left.value == "evt.type" then
+		     check_event(node.right.value)
+		  else
+		     check_syscall(node.right.value)
+		  end
 	       end
 	    end
       end
@@ -151,7 +166,7 @@ function compiler.compile_macro(line)
 
    -- Traverse the ast looking for events/syscalls in the ignored
    -- syscalls table. If any are found, return an error.
-   check_for_ignored_syscalls(ast, 'macro', line)
+   check_for_ignored_syscalls_events(ast, 'macro', line)
 
    return ast
 end
@@ -169,7 +184,7 @@ function compiler.compile_filter(source, macro_defs)
 
    -- Traverse the ast looking for events/syscalls in the ignored
    -- syscalls table. If any are found, return an error.
-   check_for_ignored_syscalls(ast, 'rule', source)
+   check_for_ignored_syscalls_events(ast, 'rule', source)
 
    if (ast.type == "Rule") then
       -- Line is a filter, so expand macro references

userspace/falco/rules.cpp

@@ -45,12 +45,28 @@ void falco_rules::load_rules(string rules_filename)
 	lua_getglobal(m_ls, m_lua_load_rules.c_str());
 	if(lua_isfunction(m_ls, -1))
 	{
-		// Create a table containing the syscalls that are ignored by
+		// Create a table containing the syscalls/events that
-		// the kernel module. Return an error if any rule references
+		// are ignored by the kernel module. load_rules will
-		// one of these syscalls.
+		// return an error if any rule references one of these
+		// syscalls/events.
 		sinsp_evttables* einfo = m_inspector->get_event_info_tables();
 		const struct ppm_event_info* etable = einfo->m_event_info;
 		const struct ppm_syscall_desc* stable = einfo->m_syscall_info_table;
+
+		lua_newtable(m_ls);
+
+		for(uint32_t j = 0; j < PPM_EVENT_MAX; j++)
+		{
+			if(etable[j].flags & EF_DROP_FALCO)
+			{
+				lua_pushstring(m_ls, etable[j].name);
+				lua_pushnumber(m_ls, 1);
+				lua_settable(m_ls, -3);
+			}
+		}
+
+		lua_setglobal(m_ls, m_lua_ignored_events.c_str());
+
 		lua_newtable(m_ls);
 
 		for(uint32_t j = 0; j < PPM_SC_MAX; j++)

userspace/falco/rules.h

@@ -20,5 +20,6 @@ class falco_rules
 
 	string m_lua_load_rules = "load_rules";
 	string m_lua_ignored_syscalls = "ignored_syscalls";
+	string m_lua_ignored_events = "ignored_events";
 	string m_lua_on_event = "on_event";
 };