refactor(userspace/falco): use new event definitions in app state

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2025-07-04 18:36:48 +00:00 · 2023-02-17 11:21:01 +00:00 · 2023-02-17 11:21:01 +00:00 · e7d76ca722
commit e7d76ca722
parent 6c38ecaf0e
2 changed files with 10 additions and 9 deletions
--- a/userspace/falco/app/actions/helpers_inspector.cpp
+++ b/userspace/falco/app/actions/helpers_inspector.cpp
@ -81,7 +81,7 @@ falco::app::run_result falco::app::actions::open_live_inspector(
 		{
 			falco_logger::log(LOG_INFO, "Opening capture with modern BPF probe.");
 			falco_logger::log(LOG_INFO, "One ring buffer every '" + std::to_string(s.config->m_cpus_for_each_syscall_buffer) +  "' CPUs.");
-			inspector->open_modern_bpf(s.syscall_buffer_bytes_size, s.config->m_cpus_for_each_syscall_buffer, true, s.ppm_sc_of_interest, s.tp_of_interest);
+			inspector->open_modern_bpf(s.syscall_buffer_bytes_size, s.config->m_cpus_for_each_syscall_buffer, true, s.selected_sc_set, s.selected_tp_set);
 		}
 		else if(getenv(FALCO_BPF_ENV_VARIABLE) != NULL) /* BPF engine. */
 		{
@ -99,14 +99,14 @@ falco::app::run_result falco::app::actions::open_live_inspector(
 				bpf_probe_path = full_path;
 			}
 			falco_logger::log(LOG_INFO, "Opening capture with BPF probe. BPF probe path: " + std::string(bpf_probe_path));
-			inspector->open_bpf(bpf_probe_path, s.syscall_buffer_bytes_size, s.ppm_sc_of_interest, s.tp_of_interest);
+			inspector->open_bpf(bpf_probe_path, s.syscall_buffer_bytes_size, s.selected_sc_set, s.selected_tp_set);
 		}
 		else /* Kernel module (default). */
 		{
 			try
 			{
 				falco_logger::log(LOG_INFO, "Opening capture with Kernel module");
-				inspector->open_kmod(s.syscall_buffer_bytes_size, s.ppm_sc_of_interest, s.tp_of_interest);
+				inspector->open_kmod(s.syscall_buffer_bytes_size, s.selected_sc_set, s.selected_tp_set);
 			}
 			catch(sinsp_exception &e)
 			{
@ -116,7 +116,7 @@ falco::app::run_result falco::app::actions::open_live_inspector(
 				{
 					falco_logger::log(LOG_ERR, "Unable to load the driver\n");
 				}
-				inspector->open_kmod(s.syscall_buffer_bytes_size, s.ppm_sc_of_interest, s.tp_of_interest);
+				inspector->open_kmod(s.syscall_buffer_bytes_size, s.selected_sc_set, s.selected_tp_set);
 			}
 		}
 	}
--- a/userspace/falco/app/state.h
+++ b/userspace/falco/app/state.h
@ -63,8 +63,9 @@ struct state
        enabled_sources(),
        source_infos(),
        plugin_configs(),
-        ppm_sc_of_interest(),
-        tp_of_interest(),
+        selected_event_set(),
+        selected_sc_set(),
+        selected_tp_set(),
        syscall_buffer_bytes_size(DEFAULT_DRIVER_BUFFER_BYTES_DIM)
    {
        config = std::make_shared<falco_configuration>();
@ -106,13 +107,13 @@ struct state
    indexed_vector<falco_configuration::plugin_config> plugin_configs;

    // Set of events we want the driver to capture
-    std::unordered_set<uint32_t> ppm_event_info_of_interest;
+    libsinsp::events::set<ppm_event_code> selected_event_set;

    // Set of syscalls we want the driver to capture
-    std::unordered_set<uint32_t> ppm_sc_of_interest;
+    libsinsp::events::set<ppm_sc_code> selected_sc_set;

    // Set of tracepoints we want the driver to capture
-    std::unordered_set<uint32_t> tp_of_interest;
+    libsinsp::events::set<ppm_tp_code> selected_tp_set;

    // Dimension of the syscall buffer in bytes.
    uint64_t syscall_buffer_bytes_size;