From a4218a4b4fd453111dc7f168bf3093239f8fa2ac Mon Sep 17 00:00:00 2001
From: Jason Dellaluce
Date: Tue, 11 Oct 2022 14:41:13 +0000
Subject: [PATCH] fix(userspace/falco): print right list in ignored events warning
Signed-off-by: Jason Dellaluce
---
 .../falco/app_actions/load_rules_files.cpp | 44 +++----------------
 1 file changed, 7 insertions(+), 37 deletions(-)
diff --git a/userspace/falco/app_actions/load_rules_files.cpp b/userspace/falco/app_actions/load_rules_files.cpp
index fc704865..837b2cba 100644
--- a/userspace/falco/app_actions/load_rules_files.cpp
+++ b/userspace/falco/app_actions/load_rules_files.cpp
@@ -17,6 +17,8 @@ limitations under the License.
 #include "application.h"
 #include
+#include
+
 using namespace falco::app;
 bool application::check_rules_plugin_requirements(std::string& err)
@@ -43,52 +45,20 @@ void application::check_for_ignored_events()
 /* Get the events we consider interesting from the application state `ppm_sc` codes. */
 std::unique_ptr inspector(new sinsp());
- auto interesting_events = inspector->get_event_set_from_ppm_sc_set(m_state->ppm_sc_of_interest);
- std::unordered_set ignored_events;
+ std::unordered_set events(rule_events.begin(), rule_events.end());
- for(const auto& it : rule_events)
+ auto event_names = inspector->get_events_names(events);
+ for (const auto& n : inspector->get_events_names(m_state->ppm_event_info_of_interest))
 {
- /* If we have the old version of the event we will have also the recent one
- * so we can avoid analyzing the presence of old events.
- */
- if(sinsp::is_old_version_event(it))
- {
- continue;
- }
-
- /* Here we are interested only in syscall events the internal events are not
- * altered without the `-A` flag.
- *
- * TODO: We could consider also the tracepoint events here but right now we don't have
- * the support from the libraries.
- */
- if(!sinsp::is_syscall_event(it))
- {
- continue;
- }
-
- /* If the event is not generated by the running system we don't print
- * any warning right now.
- */
- if(!sinsp::is_generable_event(it))
- {
- continue;
- }
-
- /* If the event is not in this set it is not considered by Falco. */
- if(interesting_events.find(it) == interesting_events.end())
- {
- ignored_events.insert(it);
- }
+ event_names.erase(n);
 }
- if(ignored_events.empty())
+ if(event_names.empty())
 {
 return;
 }
 /* Get the names of the ignored events and print them. */
- auto event_names = inspector->get_events_names(ignored_events);
 std::cerr << std::endl << "Rules match ignored syscall: warning (ignored-evttype):" << std::endl;
 std::cerr << "Loaded rules match the following events:" << std::endl;
 for(const auto& it : event_names)