fix(userspace/libsinsp): fix plugin and meta events edge cases

Signed-off-by: Jason Dellaluce <[email protected]>
falcosecurity · May 25, 2023 · d5a74ae · d5a74ae
1 parent cffb62c
commit d5a74ae
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 6 deletions.
diff --git a/userspace/libsinsp/filterchecks.cpp b/userspace/libsinsp/filterchecks.cpp
@@ -1312,7 +1312,15 @@ uint8_t* sinsp_filter_check_fd::extract(sinsp_evt *evt, OUT uint32_t* len, bool
 		break;
 	case TYPE_UID:
 		{
-			if(evt->get_type() == PPME_CONTAINER_JSON_E || evt->get_type() == PPME_CONTAINER_JSON_2_E)
+			// note: we need to skip events that have no thread info
+			if(evt->get_type() == PPME_CONTAINER_JSON_E ||
+				evt->get_type() == PPME_CONTAINER_JSON_2_E ||
+				evt->get_type() == PPME_USER_ADDED_E ||
+				evt->get_type() == PPME_USER_DELETED_E ||
+				evt->get_type() == PPME_GROUP_ADDED_E ||
+				evt->get_type() == PPME_GROUP_DELETED_E ||
+				evt->get_type() == PPME_PLUGINEVENT_E ||
+				evt->get_type() == PPME_ASYNCEVENT_E)
 			{
 				return NULL;
 			}

diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp
@@ -706,12 +706,15 @@ bool sinsp_parser::reset(sinsp_evt *evt)
 		query_os = true;
 	}
 
+	// todo(jasondellaluce): should we do this for all meta-events in general? (mesos and k8s too?)
 	if(etype == PPME_CONTAINER_JSON_E ||
 	   etype == PPME_CONTAINER_JSON_2_E ||
 	   etype == PPME_USER_ADDED_E ||
 	   etype == PPME_USER_DELETED_E ||
 	   etype == PPME_GROUP_ADDED_E ||
-	   etype == PPME_GROUP_DELETED_E)
+	   etype == PPME_GROUP_DELETED_E ||
+	   etype == PPME_PLUGINEVENT_E ||
+	   etype == PPME_ASYNCEVENT_E)
 	{
 		evt->m_tinfo = nullptr;
 		return true;

diff --git a/userspace/libsinsp/sinsp.cpp b/userspace/libsinsp/sinsp.cpp
@@ -1319,8 +1319,7 @@ int32_t sinsp::next(OUT sinsp_evt **puevt)
 	uint64_t ts = evt->get_ts();
 
 	if(m_firstevent_ts == 0 &&
-	   evt->m_pevt->type != PPME_CONTAINER_JSON_E && evt->m_pevt->type != PPME_CONTAINER_JSON_2_E &&
-	   evt->m_pevt->type != PPME_USER_ADDED_E && evt->m_pevt->type != PPME_GROUP_ADDED_E)
+		!libsinsp::events::is_metaevent((ppm_event_code) evt->get_type()))
 	{
 		m_firstevent_ts = ts;
 	}

diff --git a/userspace/libsinsp/test/public_sinsp_API/ppm_sc_codes.cpp b/userspace/libsinsp/test/public_sinsp_API/ppm_sc_codes.cpp
@@ -172,14 +172,14 @@ const libsinsp::events::set<ppm_event_code> expected_sinsp_state_event_set = {
 	PPME_DROP_E,
 	PPME_DROP_X,
 	PPME_SCAPEVENT_E,
-	PPME_CONTAINER_E, // <<<- test are failing because we are not covering old meta events versions. do we want meta events in this set, we have no a PPM_SC associated (?)
+	PPME_CONTAINER_E,
 	PPME_PROCINFO_E,
 	PPME_CPU_HOTPLUG_E,
 	PPME_K8S_E,
 	PPME_TRACER_E,
 	PPME_TRACER_X,
 	PPME_MESOS_E,
-	PPME_CONTAINER_JSON_E, // <<<- test are failing because we are not covering old meta events versions
+	PPME_CONTAINER_JSON_E,
 	PPME_NOTIFICATION_E,
 	PPME_INFRASTRUCTURE_EVENT_E,
 	PPME_CONTAINER_JSON_2_E,