refactor(userspace): align falco to gen-event class family deprecation

cmake/modules/driver.cmake

@@ -34,8 +34,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "9cd289cb27efb94ad47c4598f976253151dd3f62")
-    set(DRIVER_CHECKSUM "SHA256=b380f5bc1e0e2f21d82023ff361ac60bea3e4de336e3ec94b98618b5c58290a2")
+    set(DRIVER_VERSION "93a04bb92f85142edbfb47120cbaafb45d9ba5d8")
+    set(DRIVER_CHECKSUM "SHA256=8df88170cfcdd617366ef470bca9ac29be22cff36cafdac74a288697d5c860ab")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/falcosecurity-libs.cmake

@@ -35,8 +35,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "9cd289cb27efb94ad47c4598f976253151dd3f62")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=b380f5bc1e0e2f21d82023ff361ac60bea3e4de336e3ec94b98618b5c58290a2")
+    set(FALCOSECURITY_LIBS_VERSION "93a04bb92f85142edbfb47120cbaafb45d9ba5d8")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=8df88170cfcdd617366ef470bca9ac29be22cff36cafdac74a288697d5c860ab")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

unit_tests/engine/test_add_source.cpp

@@ -31,7 +31,7 @@ namespace
 class test_ruleset_factory : public evttype_index_ruleset_factory
 {
 public:
-	test_ruleset_factory(std::shared_ptr<gen_event_filter_factory> factory):
+	test_ruleset_factory(std::shared_ptr<sinsp_filter_factory> factory):
 		evttype_index_ruleset_factory(factory)
 	{
 		ruleset = evttype_index_ruleset_factory::new_ruleset();
@@ -54,9 +54,9 @@ TEST(AddSource, basic)
 	sinsp inspector;
 	sinsp_filter_check_list filterchecks;
 
-	auto filter_factory = std::shared_ptr<gen_event_filter_factory>(
+	auto filter_factory = std::shared_ptr<sinsp_filter_factory>(
 		new sinsp_filter_factory(&inspector, filterchecks));
-	auto formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
+	auto formatter_factory = std::shared_ptr<sinsp_evt_formatter_factory>(
 		new sinsp_evt_formatter_factory(&inspector, filterchecks));
 	test_ruleset_factory *test_factory = new test_ruleset_factory(filter_factory);
 	auto ruleset_factory = std::shared_ptr<filter_ruleset_factory>(test_factory);

unit_tests/engine/test_alt_rule_loader.cpp

@@ -124,7 +124,7 @@ class test_reader : public rule_loader::reader
 class test_ruleset : public evttype_index_ruleset
 {
 public:
-	test_ruleset(std::shared_ptr<gen_event_filter_factory> factory):
+	test_ruleset(std::shared_ptr<sinsp_filter_factory> factory):
 		evttype_index_ruleset(factory){};
 	virtual ~test_ruleset() = default;
 
@@ -154,7 +154,7 @@ class test_ruleset : public evttype_index_ruleset
 class test_ruleset_factory : public filter_ruleset_factory
 {
 public:
-	test_ruleset_factory(std::shared_ptr<gen_event_filter_factory> factory):
+	test_ruleset_factory(std::shared_ptr<sinsp_filter_factory> factory):
 		m_filter_factory(factory)
 	{
 	}
@@ -167,7 +167,7 @@ class test_ruleset_factory : public filter_ruleset_factory
 		return ret;
 	}
 
-	std::shared_ptr<gen_event_filter_factory> m_filter_factory;
+	std::shared_ptr<sinsp_filter_factory> m_filter_factory;
 };
 }; // namespace
 
@@ -235,9 +235,9 @@ static std::shared_ptr<rule_loader::configuration> create_configuration(sinsp& i
 									sinsp_filter_check_list& filterchecks,
 									indexed_vector<falco_source>& sources)
 {
-	auto filter_factory = std::shared_ptr<gen_event_filter_factory>(
+	auto filter_factory = std::shared_ptr<sinsp_filter_factory>(
 		new sinsp_filter_factory(&inspector, filterchecks));
-	auto formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
+	auto formatter_factory = std::shared_ptr<sinsp_evt_formatter_factory>(
 		new sinsp_evt_formatter_factory(&inspector, filterchecks));
 	auto ruleset_factory = std::shared_ptr<filter_ruleset_factory>(
 		new evttype_index_ruleset_factory(filter_factory));
@@ -330,9 +330,9 @@ TEST(engine_loader_alt_loader, falco_engine_alternate_loader)
 	sinsp inspector;
 	sinsp_filter_check_list filterchecks;
 
-	auto filter_factory = std::shared_ptr<gen_event_filter_factory>(
+	auto filter_factory = std::shared_ptr<sinsp_filter_factory>(
 		new sinsp_filter_factory(&inspector, filterchecks));
-	auto formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
+	auto formatter_factory = std::shared_ptr<sinsp_evt_formatter_factory>(
 		new sinsp_evt_formatter_factory(&inspector, filterchecks));
 	auto ruleset_factory = std::shared_ptr<filter_ruleset_factory>(
 		new test_ruleset_factory(filter_factory));

unit_tests/engine/test_enable_rule.cpp

@@ -56,9 +56,9 @@ static void load_rules(falco_engine& engine, sinsp& inspector, sinsp_filter_chec
 {
 	std::unique_ptr<falco::load_result> res;
 
-	auto filter_factory = std::shared_ptr<gen_event_filter_factory>(
+	auto filter_factory = std::shared_ptr<sinsp_filter_factory>(
 		new sinsp_filter_factory(&inspector, filterchecks));
-	auto formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
+	auto formatter_factory = std::shared_ptr<sinsp_evt_formatter_factory>(
 		new sinsp_evt_formatter_factory(&inspector, filterchecks));
 
 	engine.add_source("syscall", filter_factory, formatter_factory);

unit_tests/engine/test_rule_loader.cpp

@@ -15,9 +15,9 @@ class engine_loader_test : public ::testing::Test {
 		// create a falco engine ready to load the ruleset
 		m_inspector.reset(new sinsp());
 		m_engine.reset(new falco_engine());
-		m_filter_factory = std::shared_ptr<gen_event_filter_factory>(
+		m_filter_factory = std::shared_ptr<sinsp_filter_factory>(
 			new sinsp_filter_factory(m_inspector.get(), m_filterlist));
-		m_formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
+		m_formatter_factory = std::shared_ptr<sinsp_evt_formatter_factory>(
 			new sinsp_evt_formatter_factory(m_inspector.get(), m_filterlist));
 		m_engine->add_source(m_sample_source, m_filter_factory, m_formatter_factory);
 	}
@@ -107,8 +107,8 @@ class engine_loader_test : public ::testing::Test {
 	std::string m_sample_ruleset;
 	std::string m_sample_source;
 	sinsp_filter_check_list m_filterlist;
-	std::shared_ptr<gen_event_filter_factory> m_filter_factory;
-	std::shared_ptr<gen_event_formatter_factory> m_formatter_factory;
+	std::shared_ptr<sinsp_filter_factory> m_filter_factory;
+	std::shared_ptr<sinsp_evt_formatter_factory> m_formatter_factory;
 	std::unique_ptr<falco_engine> m_engine;
 	std::unique_ptr<falco::load_result> m_load_result;
 	std::string m_load_result_string;

unit_tests/engine/test_rulesets.cpp

@@ -23,31 +23,31 @@ limitations under the License.
 #define RULESET_2 2
 
 /* Helpers methods */
-static std::shared_ptr<gen_event_filter_factory> create_factory(filter_check_list& list)
+static std::shared_ptr<sinsp_filter_factory> create_factory(filter_check_list& list)
 {
-	std::shared_ptr<gen_event_filter_factory> ret(new sinsp_filter_factory(NULL, list));
+	std::shared_ptr<sinsp_filter_factory> ret(new sinsp_filter_factory(NULL, list));
 	return ret;
 }
 
-static std::shared_ptr<filter_ruleset> create_ruleset(std::shared_ptr<gen_event_filter_factory> f)
+static std::shared_ptr<filter_ruleset> create_ruleset(std::shared_ptr<sinsp_filter_factory> f)
 {
 	std::shared_ptr<filter_ruleset> ret(new evttype_index_ruleset(f));
 	return ret;
 }
 
-static std::shared_ptr<libsinsp::filter::ast::expr> create_ast(std::shared_ptr<gen_event_filter_factory> f)
+static std::shared_ptr<libsinsp::filter::ast::expr> create_ast(std::shared_ptr<sinsp_filter_factory> f)
 {
 	libsinsp::filter::parser parser("evt.type=open");
 	std::shared_ptr<libsinsp::filter::ast::expr> ret(parser.parse());
 	return ret;
 }
 
-static std::shared_ptr<gen_event_filter> create_filter(
-	std::shared_ptr<gen_event_filter_factory> f,
+static std::shared_ptr<sinsp_filter> create_filter(
+	std::shared_ptr<sinsp_filter_factory> f,
 	std::shared_ptr<libsinsp::filter::ast::expr> ast)
 {
 	sinsp_filter_compiler compiler(f, ast.get());
-	std::shared_ptr<gen_event_filter> filter(compiler.compile());
+	std::shared_ptr<sinsp_filter> filter(compiler.compile());
 	return filter;
 }
 

unit_tests/falco/app/actions/test_configure_interesting_sets.cpp

@@ -79,9 +79,9 @@ static std::shared_ptr<falco_engine> mock_engine_from_filters(const strset_t& fi
 	// create a falco engine and load the ruleset
 	sinsp_filter_check_list filterlist;
 	std::shared_ptr<falco_engine> res(new falco_engine());
-	auto filter_factory = std::shared_ptr<gen_event_filter_factory>(
+	auto filter_factory = std::shared_ptr<sinsp_filter_factory>(
 			new sinsp_filter_factory(nullptr, filterlist));
-	auto formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
+	auto formatter_factory = std::shared_ptr<sinsp_evt_formatter_factory>(
 			new sinsp_evt_formatter_factory(nullptr, filterlist));
 	res->add_source(s_sample_source, filter_factory, formatter_factory);
 	res->load_rules(dummy_rules, "dummy_rules.yaml");

userspace/engine/evttype_index_ruleset.cpp

@@ -20,7 +20,7 @@ limitations under the License.
 #include <algorithm>
 
 evttype_index_ruleset::evttype_index_ruleset(
-	std::shared_ptr<gen_event_filter_factory> f): m_filter_factory(f)
+	std::shared_ptr<sinsp_filter_factory> f): m_filter_factory(f)
 {
 }
 
@@ -111,7 +111,7 @@ uint64_t evttype_index_ruleset::ruleset_filters::num_filters()
 	return m_filters.size();
 }
 
-bool evttype_index_ruleset::ruleset_filters::run(gen_event *evt, falco_rule& match)
+bool evttype_index_ruleset::ruleset_filters::run(sinsp_evt *evt, falco_rule& match)
 {
     if(evt->get_type() < m_filter_by_event_type.size())
     {
@@ -138,7 +138,7 @@ bool evttype_index_ruleset::ruleset_filters::run(gen_event *evt, falco_rule& mat
 	return false;
 }
 
-bool evttype_index_ruleset::ruleset_filters::run(gen_event *evt, std::vector<falco_rule>& matches)
+bool evttype_index_ruleset::ruleset_filters::run(sinsp_evt *evt, std::vector<falco_rule>& matches)
 {
 	bool match_found = false;
 
@@ -194,7 +194,7 @@ libsinsp::events::set<ppm_event_code> evttype_index_ruleset::ruleset_filters::ev
 
 void evttype_index_ruleset::add(
 		const falco_rule& rule,
-		std::shared_ptr<gen_event_filter> filter,
+		std::shared_ptr<sinsp_filter> filter,
 		std::shared_ptr<libsinsp::filter::ast::expr> condition)
 {
 	try
@@ -332,7 +332,7 @@ uint64_t evttype_index_ruleset::enabled_count(uint16_t ruleset_id)
 	return m_rulesets[ruleset_id]->num_filters();
 }
 
-bool evttype_index_ruleset::run(gen_event *evt, falco_rule& match, uint16_t ruleset_id)
+bool evttype_index_ruleset::run(sinsp_evt *evt, falco_rule& match, uint16_t ruleset_id)
 {
 	if(m_rulesets.size() < (size_t)ruleset_id + 1)
 	{
@@ -342,7 +342,7 @@ bool evttype_index_ruleset::run(gen_event *evt, falco_rule& match, uint16_t rule
 	return m_rulesets[ruleset_id]->run(evt, match);
 }
 
-bool evttype_index_ruleset::run(gen_event *evt, std::vector<falco_rule>& matches, uint16_t ruleset_id)
+bool evttype_index_ruleset::run(sinsp_evt *evt, std::vector<falco_rule>& matches, uint16_t ruleset_id)
 {
 	if(m_rulesets.size() < (size_t)ruleset_id + 1)
 	{

userspace/engine/evttype_index_ruleset.h

@@ -27,7 +27,6 @@ limitations under the License.
 #include <libsinsp/sinsp.h>
 #include <libsinsp/filter.h>
 #include <libsinsp/event.h>
-#include <libsinsp/gen_filter.h>
 
 /*!
 	\brief A filter_ruleset that indexes enabled rules by event type,
@@ -36,18 +35,18 @@ limitations under the License.
 class evttype_index_ruleset: public filter_ruleset
 {
 public:
-	evttype_index_ruleset(std::shared_ptr<gen_event_filter_factory> factory);
+	evttype_index_ruleset(std::shared_ptr<sinsp_filter_factory> factory);
 	virtual ~evttype_index_ruleset();
 
 	void add(
 		const falco_rule& rule,
-		std::shared_ptr<gen_event_filter> filter,
+		std::shared_ptr<sinsp_filter> filter,
 		std::shared_ptr<libsinsp::filter::ast::expr> condition) override;
 
 	void clear() override;
 
-	bool run(gen_event *evt, falco_rule& match, uint16_t ruleset_id) override;
-	bool run(gen_event *evt, std::vector<falco_rule>&matches, uint16_t ruleset_id) override;
+	bool run(sinsp_evt *evt, falco_rule& match, uint16_t ruleset_id) override;
+	bool run(sinsp_evt *evt, std::vector<falco_rule>&matches, uint16_t ruleset_id) override;
 
 	uint64_t enabled_count(uint16_t ruleset_id) override;
 
@@ -102,7 +101,7 @@ class evttype_index_ruleset: public filter_ruleset
 		falco_rule rule;
 		libsinsp::events::set<ppm_sc_code> sc_codes;
 		libsinsp::events::set<ppm_event_code> event_codes;
-		std::shared_ptr<gen_event_filter> filter;
+		std::shared_ptr<sinsp_filter> filter;
 	};
 
 	typedef std::list<std::shared_ptr<filter_wrapper>> filter_wrapper_list;
@@ -121,11 +120,11 @@ class evttype_index_ruleset: public filter_ruleset
 
 		// Evaluate an event against the ruleset and return the first rule
 		// that matched.
-		bool run(gen_event *evt, falco_rule& match);
+		bool run(sinsp_evt *evt, falco_rule& match);
 
 		//  Evaluate an event against the ruleset and return all the 
 		//	matching rules. 
-		bool run(gen_event *evt, std::vector<falco_rule>& matches);
+		bool run(sinsp_evt *evt, std::vector<falco_rule>& matches);
 
 		libsinsp::events::set<ppm_sc_code> sc_codes();
 
@@ -152,15 +151,15 @@ class evttype_index_ruleset: public filter_ruleset
 	// All filters added. The set of enabled filters is held in m_rulesets
 	std::set<std::shared_ptr<filter_wrapper>> m_filters;
 
-	std::shared_ptr<gen_event_filter_factory> m_filter_factory;
+	std::shared_ptr<sinsp_filter_factory> m_filter_factory;
 	std::vector<std::string> m_ruleset_names;
 };
 
 class evttype_index_ruleset_factory: public filter_ruleset_factory
 {
 public:
 	inline evttype_index_ruleset_factory(
-		std::shared_ptr<gen_event_filter_factory> factory
+		std::shared_ptr<sinsp_filter_factory> factory
 	): m_filter_factory(factory) { }
 
 	inline std::shared_ptr<filter_ruleset> new_ruleset() override
@@ -171,5 +170,5 @@ class evttype_index_ruleset_factory: public filter_ruleset_factory
 	}
 
 private:
-	std::shared_ptr<gen_event_filter_factory> m_filter_factory;
+	std::shared_ptr<sinsp_filter_factory> m_filter_factory;
 };

userspace/engine/falco_engine.cpp

@@ -115,7 +115,7 @@ std::shared_ptr<rule_loader::compiler> falco_engine::get_rule_compiler()
 
 // Return a key that uniquely represents a field class.
 // For now, we assume name + shortdesc is unique.
-static std::string fieldclass_key(const gen_event_filter_factory::filter_fieldclass_info &fld_info)
+static std::string fieldclass_key(const sinsp_filter_factory::filter_fieldclass_info &fld_info)
 {
 	return fld_info.name + fld_info.shortdesc;
 }
@@ -372,14 +372,14 @@ libsinsp::events::set<ppm_event_code> falco_engine::event_codes_for_ruleset(cons
 	return find_source(source)->ruleset->enabled_event_codes(find_ruleset_id(ruleset));
 }
 
-std::shared_ptr<gen_event_formatter> falco_engine::create_formatter(const std::string &source,
+std::shared_ptr<sinsp_evt_formatter> falco_engine::create_formatter(const std::string &source,
 								    const std::string &output) const
 {
 	return find_source(source)->formatter_factory->create_formatter(output);
 }
 
 std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_event(std::size_t source_idx,
-	gen_event *ev, uint16_t ruleset_id, falco_common::rule_matching strategy)
+	sinsp_evt *ev, uint16_t ruleset_id, falco_common::rule_matching strategy)
 {
 	// note: there are no thread-safety guarantees on the filter_ruleset::run()
 	// method, but the thread-safety assumptions of falco_engine::process_event()
@@ -437,14 +437,14 @@ std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_ev
 }
 
 std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_event(std::size_t source_idx,
-	gen_event *ev, falco_common::rule_matching strategy)
+	sinsp_evt *ev, falco_common::rule_matching strategy)
 {
 	return process_event(source_idx, ev, m_default_ruleset_id, strategy);
 }
 
 std::size_t falco_engine::add_source(const std::string &source,
-				     std::shared_ptr<gen_event_filter_factory> filter_factory,
-				     std::shared_ptr<gen_event_formatter_factory> formatter_factory)
+				     std::shared_ptr<sinsp_filter_factory> filter_factory,
+				     std::shared_ptr<sinsp_evt_formatter_factory> formatter_factory)
 {
 	// evttype_index_ruleset is the default ruleset implementation
 	std::shared_ptr<filter_ruleset_factory> ruleset_factory(
@@ -460,8 +460,8 @@ std::size_t falco_engine::add_source(const std::string &source,
 }
 
 std::size_t falco_engine::add_source(const std::string &source,
-	std::shared_ptr<gen_event_filter_factory> filter_factory,
-	std::shared_ptr<gen_event_formatter_factory> formatter_factory,
+	std::shared_ptr<sinsp_filter_factory> filter_factory,
+	std::shared_ptr<sinsp_evt_formatter_factory> formatter_factory,
 	std::shared_ptr<filter_ruleset_factory> ruleset_factory)
 {
 	falco_source src;
@@ -892,22 +892,22 @@ bool falco_engine::is_source_valid(const std::string &source) const
 	return m_sources.at(source) != nullptr;
 }
 
-std::shared_ptr<gen_event_filter_factory> falco_engine::filter_factory_for_source(const std::string& source)
+std::shared_ptr<sinsp_filter_factory> falco_engine::filter_factory_for_source(const std::string& source)
 {
 	return find_source(source)->filter_factory;
 }
 
-std::shared_ptr<gen_event_filter_factory> falco_engine::filter_factory_for_source(std::size_t source_idx)
+std::shared_ptr<sinsp_filter_factory> falco_engine::filter_factory_for_source(std::size_t source_idx)
 {
 	return find_source(source_idx)->filter_factory;
 }
 
-std::shared_ptr<gen_event_formatter_factory> falco_engine::formatter_factory_for_source(const std::string& source)
+std::shared_ptr<sinsp_evt_formatter_factory> falco_engine::formatter_factory_for_source(const std::string& source)
 {
 	return find_source(source)->formatter_factory;
 }
 
-std::shared_ptr<gen_event_formatter_factory> falco_engine::formatter_factory_for_source(std::size_t source_idx)
+std::shared_ptr<sinsp_evt_formatter_factory> falco_engine::formatter_factory_for_source(std::size_t source_idx)
 {
 	return find_source(source_idx)->formatter_factory;
 }