@@ -18,6 +18,7 @@ limitations under the License.
1818#include " actions.h"
1919#include " helpers.h"
2020#include " ../app.h"
21+ #include < libsinsp/plugin_manager.h>
2122
2223using namespace falco ::app;
2324using namespace falco ::app::actions;
@@ -73,6 +74,25 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
7374 + " ) syscalls in rules: " concat_set_in_order (rules_names) + " \n "
7475 }
7576
77+ /* Load PPM event codes needed by plugins with parsing capability */
78+ libsinsp::events::set<ppm_event_code> plugin_ev_codes;
79+ for (const auto &p : s.offline_inspector ->get_plugin_manager ()->plugins ())
80+ {
81+ if (!(p->caps () & CAP_PARSING))
82+ {
83+ continue ;
84+ }
85+ plugin_ev_codes.merge (p->parse_event_codes ());
86+ }
87+ const auto plugin_sc_set = libsinsp::events::event_set_to_sc_set (plugin_ev_codes);
88+ const auto plugin_names = libsinsp::events::sc_set_to_event_names (plugin_sc_set);
89+ if (!plugin_sc_set.empty ())
90+ {
91+ falco_logger::log (falco_logger::level::DEBUG, " (" std::to_string (plugin_names.size ())
92+ + " ) syscalls required by plugins: " concat_set_in_order (plugin_names) + " \n "
93+ }
94+
95+
7696 /* DEFAULT OPTION:
7797 * Current `sinsp_state_sc_set()` approach includes multiple steps:
7898 * (1) Enforce all positive syscalls from each Falco rule
@@ -113,7 +133,7 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
113133
114134 // selected events are the union of the rules events set and the
115135 // base events set (either the default or the user-defined one)
116- s.selected_sc_set = rules_sc_set.merge (base_sc_set);
136+ s.selected_sc_set = rules_sc_set.merge (base_sc_set). merge (plugin_sc_set) ;
117137
118138 /* REPLACE DEFAULT STATE, nothing else. Need to override s.selected_sc_set and have a separate logic block. */
119139 if (s.config ->m_base_syscalls_repair && user_positive_sc_set.empty ())
0 commit comments