Add falco_consider variants for event/syscall ids

Add the ability to test a given event id/syscall id to see if it should be considered by falco, and use those in sinsp_evt::falco_consider().
draios · Apr 23, 2018 · f09e7ad · f09e7ad
1 parent a97e0a1
commit f09e7ad
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 15 deletions.
diff --git a/userspace/libsinsp/event.cpp b/userspace/libsinsp/event.cpp
@@ -2477,9 +2477,6 @@ scap_dump_flags sinsp_evt::get_dump_flags(OUT bool* should_drop)
 
 bool sinsp_evt::falco_consider()
 {
-	enum ppm_event_flags flags;
-	ppm_event_flags skip_flags = (ppm_event_flags) (EF_SKIPPARSERESET | EF_UNUSED | EF_OLD_VERSION | EF_DROP_FALCO);
-
 	uint16_t etype = get_type();
 
 	if(etype == PPME_GENERIC_E || etype == PPME_GENERIC_X)
@@ -2488,17 +2485,8 @@ bool sinsp_evt::falco_consider()
 		ASSERT(parinfo->m_len == sizeof(uint16_t));
 		uint16_t scid = *(uint16_t *)parinfo->m_val;
 
-		flags = g_infotables.m_syscall_info_table[scid].flags;
-	}
-	else
-	{
-		flags = get_info_flags();
-	}
-
-	if (flags & skip_flags)
-	{
-		return false;
+		return sinsp::falco_consider_syscallid(scid);
 	}
 
-	return true;
+	return sinsp::falco_consider_evtnum(etype);
 }
diff --git a/userspace/libsinsp/sinsp.cpp b/userspace/libsinsp/sinsp.cpp
@@ -45,7 +45,6 @@ along with sysdig.  If not, see <http://www.gnu.org/licenses/>.
 #include "analyzer.h"
 #endif
 
-extern sinsp_evttables g_infotables;
 #ifdef HAS_CHISELS
 extern vector<chiseldir_info>* g_chisel_dirs;
 #endif

diff --git a/userspace/libsinsp/sinsp.h b/userspace/libsinsp/sinsp.h
@@ -829,8 +829,27 @@ class SINSP_PUBLIC sinsp
 		return scap_get_wmi_handle(m_h);
 	}
 #endif
+
+	static inline bool falco_consider_evtnum(uint16_t etype)
+	{
+		enum ppm_event_flags flags = g_infotables.m_event_info[etype].flags;
+
+		return ! (flags & sinsp::falco_skip_flags());
+	}
+
+	static inline bool falco_consider_syscallid(uint16_t scid)
+	{
+		enum ppm_event_flags flags = g_infotables.m_syscall_info_table[scid].flags;
+
+		return ! (flags & sinsp::falco_skip_flags());
+	}
+
 VISIBILITY_PRIVATE
 
+        static inline ppm_event_flags falco_skip_flags()
+        {
+		return (ppm_event_flags) (EF_SKIPPARSERESET | EF_UNUSED | EF_OLD_VERSION | EF_DROP_FALCO);
+        }
 // Doxygen doesn't understand VISIBILITY_PRIVATE
 #ifdef _DOXYGEN
 private:

diff --git a/userspace/libsinsp/utils.h b/userspace/libsinsp/utils.h
@@ -37,6 +37,8 @@ typedef struct ipv4serverinfo ipv4serverinfo;
 typedef struct ipv6serverinfo ipv6serverinfo;
 class filter_check_info;
 
+extern sinsp_evttables g_infotables;
+
 ///////////////////////////////////////////////////////////////////////////////
 // Initializer class.
 // An instance of this class is created when the library is loaded.