Skip to content

fix(libsinsp/filter): support syscall.type in event code search #2331

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 8, 2025
Merged

fix(libsinsp/filter): support syscall.type in event code search #2331

merged 1 commit into from
Apr 8, 2025

Conversation

jasondellaluce
Copy link
Contributor

What type of PR is this?

/kind bug

Any specific area of the project related to this PR?

/area libsinsp

Does this PR require a change in the driver versions?

What this PR does / why we need it:

When searching for evt.type comparisons in rules condition filters, we never considered thesyscall.type. This is essentially wrong, as that field extract the same exact sets of values as evt.type, except for the fact that it returns NULL in case the event is not produced from a syscall. That means that it's extractable value set is a subset of the one of evt.type, thus meaning that it should be considered in the same way.

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

fix(libsinsp/filter): support syscall.type in event code search

@jasondellaluce
fix(libsinsp/filter): support syscall.type in event code search
cd63bab 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
@poiana poiana requested review from gnosek and hbrueckner March 31, 2025 14:51
@github-actions GitHub Actions
Copy link

Perf diff from master - unit tests

     4.84%     +0.70%  [.] sinsp_evt::get_type
    36.51%     -0.54%  [.] sinsp_thread_manager::create_thread_dependencies
     1.94%     -0.40%  [.] sinsp_thread_manager::get_thread_ref
     0.90%     -0.38%  [.] libsinsp::events::is_unknown_event
     0.83%     -0.31%  [.] sinsp_evt::get_syscall_return_value
     5.90%     +0.29%  [.] sinsp::next
     5.81%     +0.24%  [.] sinsp_parser::reset
     3.68%     +0.22%  [.] next_event_from_file
     0.47%     -0.21%  [.] sinsp_evt::is_filtered_out
     1.11%     -0.20%  [.] sinsp_evt_filter::sinsp_evt_filter

Heap diff from master - unit tests

peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Heap diff from master - scap file

peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Benchmarks diff from master

Comparing gbench_data.json to /root/actions-runner/_work/libs/libs/build/gbench_data.json
Benchmark                                                         Time             CPU      Time Old      Time New       CPU Old       CPU New
----------------------------------------------------------------------------------------------------------------------------------------------
BM_sinsp_split_mean                                            +0.0027         +0.0027           148           149           148           149
BM_sinsp_split_median                                          +0.0034         +0.0034           148           149           148           149
BM_sinsp_split_stddev                                          -0.1152         -0.1152             1             1             1             1
BM_sinsp_split_cv                                              -0.1176         -0.1176             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_mean                  -0.0547         -0.0547            61            57            61            57
BM_sinsp_concatenate_paths_relative_path_median                -0.0727         -0.0727            61            56            61            56
BM_sinsp_concatenate_paths_relative_path_stddev                +8.1219         +8.1244             0             2             0             2
BM_sinsp_concatenate_paths_relative_path_cv                    +8.6498         +8.6526             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_mean                     +0.0052         +0.0052            25            25            25            25
BM_sinsp_concatenate_paths_empty_path_median                   +0.0031         +0.0030            25            25            25            25
BM_sinsp_concatenate_paths_empty_path_stddev                   +0.7777         +0.7776             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_cv                       +0.7684         +0.7684             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_mean                  +0.0225         +0.0225            63            65            63            65
BM_sinsp_concatenate_paths_absolute_path_median                +0.0341         +0.0341            62            65            62            65
BM_sinsp_concatenate_paths_absolute_path_stddev                -0.7099         -0.7098             2             0             2             0
BM_sinsp_concatenate_paths_absolute_path_cv                    -0.7162         -0.7162             0             0             0             0

@codecov Codecov
Copy link

codecov bot commented Mar 31, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.18%. Comparing base (7f01ec8) to head (cd63bab).
Report is 3 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #2331   +/-   ##
=======================================
  Coverage   77.18%   77.18%           
=======================================
  Files         227      227           
  Lines       30192    30193    +1     
  Branches     4611     4611           
=======================================
+ Hits        23304    23305    +1     
  Misses       6888     6888
Flag Coverage Δ
libsinsp 77.18% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

FedeDP
FedeDP approved these changes Apr 1, 2025
View reviewed changes
Copy link
Contributor

@FedeDP FedeDP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana poiana added the lgtm label Apr 1, 2025
@poiana
Copy link
Contributor

poiana commented Apr 1, 2025

LGTM label has been added.

Git tree hash: 25904dadd60f41f986df4d458cb37bbf5674df42

@FedeDP
Copy link
Contributor

FedeDP commented Apr 1, 2025

/milestone 0.21.0

@poiana poiana added this to the 0.21.0 milestone Apr 1, 2025
@poiana
Copy link
Contributor

poiana commented Apr 1, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, jasondellaluce

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [FedeDP,jasondellaluce]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-project-automation github-project-automation bot moved this from Todo to In progress in Falco Roadmap Apr 8, 2025
@poiana poiana merged commit b424690 into master Apr 8, 2025
47 checks passed
@poiana poiana deleted the fix/event-search-syscall-type branch April 8, 2025 14:32
@github-project-automation github-project-automation bot moved this from In progress to Done in Falco Roadmap Apr 8, 2025
@bevanjkay bevanjkay mentioned this pull request May 20, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leogr leogr leogr approved these changes

@FedeDP FedeDP FedeDP approved these changes

@gnosek gnosek Awaiting requested review from gnosek

@hbrueckner hbrueckner Awaiting requested review from hbrueckner

Assignees

@leogr leogr

@FedeDP FedeDP

Labels
approved area/libsinsp dco-signoff: yes kind/bug Something isn't working lgtm release-note size/XS
Projects
Falco Roadmap
Archived in project
Milestone
0.21.0
Development

Successfully merging this pull request may close these issues.
4 participants
@jasondellaluce @poiana @FedeDP @leogr