bump libs

Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>

cmake/modules/driver.cmake

@@ -26,8 +26,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "9ec78ad55ff558f3381941111b6bf313e043b4b0")
-    set(DRIVER_CHECKSUM "SHA256=333a0aec05653ade6ff0dbdd057a8fe84abe32c07a22626288c2028b1ebc7d2e")
+    set(DRIVER_VERSION "f61834a221aeaca1794af9c87dd2870a42aa6fc8")
+    set(DRIVER_CHECKSUM "SHA256=b8e8e20adee2bf9023955461d635e603bd6e03546a0ea5f24e885e5336ff69ad")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/falcosecurity-libs.cmake

@@ -27,8 +27,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "9ec78ad55ff558f3381941111b6bf313e043b4b0")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=333a0aec05653ade6ff0dbdd057a8fe84abe32c07a22626288c2028b1ebc7d2e")
+    set(FALCOSECURITY_LIBS_VERSION "f61834a221aeaca1794af9c87dd2870a42aa6fc8")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=b8e8e20adee2bf9023955461d635e603bd6e03546a0ea5f24e885e5336ff69ad")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

tests/engine/test_filter_evttype_resolver.cpp

@@ -73,13 +73,15 @@ TEST_CASE("Should find event types from filter", "[rule_loader]")
 	set<uint16_t> not_close;
 	set<uint16_t> all_events;
 	set<uint16_t> no_events;
+
     for(uint32_t i = 2; i < PPM_EVENT_MAX; i++)
     {
         // Skip events that are unused.
-        if(g_infotables.m_event_info[i].flags & EF_UNUSED)
+        if(sinsp::is_unused_event(i))
         {
             continue;
         }
+
         all_events.insert(i);
         if(openat_only.find(i) == openat_only.end())
         {

userspace/engine/filter_evttype_resolver.cpp

@@ -19,8 +19,6 @@ limitations under the License.
 
 using namespace libsinsp::filter;
 
-extern sinsp_evttables g_infotables;
-
 static bool is_evttype_operator(const std::string& op)
 {
 	return op == "==" || op == "=" || op == "!=" || op == "in";
@@ -32,7 +30,6 @@ size_t falco_event_types::get_ppm_event_max()
 	return PPM_EVENT_MAX;
 }
 
-
 void filter_evttype_resolver::visitor::inversion(falco_event_types& types)
 {
 	falco_event_types all_types;
@@ -47,12 +44,12 @@ void filter_evttype_resolver::visitor::evttypes(const std::string& evtname, falc
 {
 	// Fill in from 2 to PPM_EVENT_MAX-1. 0 and 1 are excluded as
 	// those are PPM_GENERIC_E/PPME_GENERIC_X
-	const struct ppm_event_info* etable = g_infotables.m_event_info;
+	static sinsp s_inspector;
+	const auto etable = s_inspector.get_event_info_tables()->m_event_info;
 	for(uint16_t i = 2; i < PPM_EVENT_MAX; i++)
 	{
 		// Skip unused events or events not matching the requested evtname
-		if(!(etable[i].flags & EF_UNUSED)
-			&& (evtname.empty() || std::string(etable[i].name) == evtname))
+		if(!sinsp::is_unused_event(i) && (evtname.empty() || std::string(etable[i].name) == evtname))
 		{
 			out.insert(i);
 		}

userspace/falco/app_actions/configure_interesting_sets.cpp

@@ -33,6 +33,24 @@ void application::configure_interesting_sets()
 	 * plus syscalls for Falco default rules.
 	 */
 	m_state->ppm_sc_of_interest = inspector->enforce_simple_ppm_sc_set();
+	m_state->ppm_event_info_of_interest = inspector->get_event_set_from_ppm_sc_set(m_state->ppm_sc_of_interest);
+
+	/* Fill-up the set of event infos of interest */
+	for (uint32_t ev = 2; ev < PPM_EVENT_MAX; ev++)
+	{
+		if (!sinsp::is_old_version_event(ev)
+				&& !sinsp::is_unused_event(ev)
+				&& !sinsp::is_unknown_event(ev))
+		{
+			/* So far we only covered syscalls, so we add other kinds of
+			interesting events. In this case, we are also interested in
+			metaevents and in the procexit tracepoint event. */
+			if (sinsp::is_metaevent(ev) || ev == PPME_PROCEXIT_1_E)
+			{
+				m_state->ppm_event_info_of_interest.insert(ev);
+			}
+		}
+	}
 
 	/* In this case we get the tracepoints for the `libsinsp` state and we remove
 	 * the `sched_switch` tracepoint since it is highly noisy and not so useful

userspace/falco/app_actions/load_rules_files.cpp

@@ -17,6 +17,8 @@ limitations under the License.
 #include "application.h"
 #include <plugin_manager.h>
 
+#include <unordered_set>
+
 using namespace falco::app;
 
 bool application::check_rules_plugin_requirements(std::string& err)
@@ -43,59 +45,29 @@ void application::check_for_ignored_events()
 
 	/* Get the events we consider interesting from the application state `ppm_sc` codes. */
 	std::unique_ptr<sinsp> inspector(new sinsp());
-	auto interesting_events = inspector->get_event_set_from_ppm_sc_set(m_state->ppm_sc_of_interest);
-	std::unordered_set<uint32_t> ignored_events;
+	std::unordered_set<uint32_t> events(rule_events.begin(), rule_events.end());
 
-	for(const auto& it : rule_events)
+	auto event_names = inspector->get_events_names(events);
+	for (const auto& n : inspector->get_events_names(m_state->ppm_event_info_of_interest))
 	{
-		/* If we have the old version of the event we will have also the recent one
-		 * so we can avoid analyzing the presence of old events.
-		 */
-		if(sinsp::is_old_version_event(it))
-		{
-			continue;
-		}
-
-		/* Here we are interested only in syscall events the internal events are not
-		 * altered without the `-A` flag.
-		 *
-		 * TODO: We could consider also the tracepoint events here but right now we don't have
-		 * the support from the libraries.
-		 */
-		if(!sinsp::is_syscall_event(it))
-		{
-			continue;
-		}
-
-		/* If the event is not generated by the running system we don't print
-		 * any warning right now.
-		 */
-		if(!sinsp::is_generable_event(it))
-		{
-			continue;
-		}
-
-		/* If the event is not in this set it is not considered by Falco. */
-		if(interesting_events.find(it) == interesting_events.end())
-		{
-			ignored_events.insert(it);
-		}
+		event_names.erase(n);
 	}
 
-	if(ignored_events.empty())
+	if(event_names.empty())
 	{
 		return;
 	}
 
 	/* Get the names of the ignored events and print them. */
-	auto event_names = inspector->get_events_names(ignored_events);
-	std::cerr << std::endl << "Rules match ignored syscall: warning (ignored-evttype):" << std::endl;
-	std::cerr << "Loaded rules match the following events:" << std::endl;
+	std::cerr << "Rules match ignored syscall: warning (ignored-evttype):" << std::endl;
+	std::cerr << "Loaded rules match the following events: ";
+	bool first = true;
 	for(const auto& it : event_names)
 	{
-		std::cerr << "\t- " << it.c_str() << std::endl;
+		std::cerr << (first ? "" : ", ") << it.c_str();
+		first = false;
 	}
-	std::cerr << "But these events are not returned unless running falco with -A" << std::endl << std::endl;
+	std::cerr << std::endl << "But these events are not returned unless running falco with -A" << std::endl;
 }
 
 application::run_result application::load_rules_files()

userspace/falco/app_actions/print_ignored_events.cpp

@@ -39,25 +39,26 @@ application::run_result application::print_ignored_events()
 	configure_interesting_sets();
 
 	/* Search for all the ignored syscalls. */
-	std::unique_ptr<sinsp> inspector(new sinsp());
-	std::unordered_set<uint32_t> all_ppm_sc = inspector->get_all_ppm_sc();
-	std::unordered_set<uint32_t> ignored_ppm_sc;
-
-	for(const auto& it : all_ppm_sc)
+	std::unordered_set<uint32_t> all_events;
+	for (uint32_t j = 0; j < PPM_EVENT_MAX; j++)
 	{
-		/* If the syscall is not in this set we ignore it. */
-		if(m_state->ppm_sc_of_interest.find(it) == m_state->ppm_sc_of_interest.end())
+		if (!sinsp::is_old_version_event(j)
+				&& !sinsp::is_unused_event(j)
+				&& !sinsp::is_unknown_event(j))
 		{
-			ignored_ppm_sc.insert(it);
+			all_events.insert(j);
 		}
 	}
 
-	/* Obtain the ignored events names from the ignored syscalls. */
-	auto ignored_events = inspector->get_event_set_from_ppm_sc_set(ignored_ppm_sc);
-	auto event_names = inspector->get_events_names(ignored_events);
+	std::unique_ptr<sinsp> inspector(new sinsp());
+	auto ignored_event_names = inspector->get_events_names(all_events);
+	for (const auto &n : inspector->get_events_names(m_state->ppm_event_info_of_interest))
+	{
+		ignored_event_names.erase(n);
+	}
 
 	std::cout << "Ignored Event(s):" << std::endl;
-	for(const auto& it : event_names)
+	for(const auto& it : ignored_event_names)
 	{
 		std::cout << "- " << it.c_str() << std::endl;
 	}

userspace/falco/application.h

@@ -115,6 +115,9 @@ private:
 
 		std::string cmdline;
 
+		// Set of events we want the driver to capture
+		std::unordered_set<uint32_t> ppm_event_info_of_interest;
+
 		// Set of syscalls we want the driver to capture
 		std::unordered_set<uint32_t> ppm_sc_of_interest;