trace only relevant events for loaded signatures

[itaysk]

based on the loaded signatures, get the relevant set of "event selectors" and use that to configure tracee-ebpf to trace just the relevant events for the loaded signatures

related: #936 #636

[itaysk]

I think that in the current design (2 processes) we need to add add a pre-step tot the entrypoint like tracee-rules --list-events or something similar, then use this as flags to tracee-ebpf.

[yanivagman]

@itaysk @simar7 can this be closed now that #1045 was merged?

[simar7]

I believe so. Correct me if I'm wrong @itaysk

[itaysk]

I don't think so since signatures can be loaded/unloaded which is currently unhandled

[rafaeldtinoco]

@NDStrahilevitz this is one issue you should keep track of (for the major 'filtering improvement' effort you're handling).

[yanivagman]

Using the new experience, rule events select their dependencies automatically.
modifying selected events at runtime will be handled as part of #636

[itaysk]

@yanivagman AFAIR tracee-rules today already has the capability to load/unload rules

[yanivagman]

@yanivagman AFAIR tracee-rules today already has the capability to load/unload rules

It does. But to work it requires the event dependencies to be chosen at Tracee init time, or otherwise it won't work. This will be fixed as part of #636