diff --git a/userspace/falco/app/actions/print_ignored_events.cpp b/userspace/falco/app/actions/print_ignored_events.cpp index 83b26eed..831ddfe3 100644 --- a/userspace/falco/app/actions/print_ignored_events.cpp +++ b/userspace/falco/app/actions/print_ignored_events.cpp @@ -16,44 +16,26 @@ limitations under the License. #include "actions.h" #include "helpers.h" +#include "falco_utils.h" using namespace falco::app; using namespace falco::app::actions; +using namespace falco::utils; + -/// TODO: probably in the next future would be more meaningful to print the ignored syscalls rather than -/// the ignored events, or maybe change the name of the events since right now they are almost the same of -/// the syscalls. falco::app::run_result falco::app::actions::print_ignored_events(falco::app::state& s) { - /* If the option is true we print the events ignored with Falco `-A`, otherwise - * we return immediately. - */ + if(!s.options.print_ignored_events) { return run_result::ok(); } - /* Search for all the ignored syscalls. */ - std::unordered_set all_events; - for (uint32_t j = 0; j < PPM_EVENT_MAX; j++) - { - if (!sinsp::is_old_version_event(j) - && !sinsp::is_unused_event(j) - && !sinsp::is_unknown_event(j)) - { - all_events.insert(j); - } - } - std::unique_ptr inspector(new sinsp()); - auto ignored_event_names = inspector->get_events_names(all_events); - for (const auto &n : inspector->get_events_names(s.ppm_event_info_of_interest)) - { - ignored_event_names.erase(n); - } + std::unordered_set io_ppm_sc_set = enforce_io_ppm_sc_set(); - std::cout << "Ignored Event(s):" << std::endl; - for(const auto& it : ignored_event_names) + std::cout << "Ignored I/O syscall(s):" << std::endl; + for(const auto& it : inspector->get_syscalls_names(io_ppm_sc_set)) { std::cout << "- " << it.c_str() << std::endl; }