fix(userspace/engine): actually make m_filter_all_event_types useful by properly using it as fallback when no filter event types is provided #1875

Merged (2 commits) on Jan 27, 2022

@FedeDP FedeDP commented Jan 27, 2022

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

If contributing rules or changes to rules, please make sure to also uncomment one of the following line:

/kind rule-update

/kind rule-create

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area rules

/area tests

/area proposals

What this PR does / why we need it:

Experimenting together with @jasondellaluce and @leogr a possible solution for falcosecurity/plugins#57

The issue was that `m_filter_all_event_types` was actually unused: for syscalls event source, we always have a `m_filter_by_event_type` value for the filter, even if `evt.type` is missing in the condition: in fact when it is missing, a default set of "all events" is used.

For k8s audit logs the bug is not appearing because its filter check provides a default evttypes() impl that basically means "force-use any event type", even when negated.

Plugins filter checks instead are returning `PPME_PLUGINEVENT_E` as the only possible event associated; but, when the rule condition gets negated, there is no other set of event types possible and thus the filter check gets added to `m_filter_all_event_types`.

Unfortunately, the old check in `ruleset_filters::run`:

```cpp
if(evt->get_type() >= m_filter_by_event_type.size())
{
	return false;
}
```

prevented it from actually running the filterchecks stored in `m_filter_all_event_types`, de facto making it useless.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Edit by @leogr: we also bumped the json plugin version to include a fix for falcosecurity/plugins#56

Does this PR introduce a user-facing change?:

NONE
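
The dispatch problem described in this PR, as an added example that is not part of the PR or of Falco's code: a simplified model in which a negated plugin rule lands in the catch-all list and is never evaluated by the old check, so the rule silently never fires. The type names, `kPluginEvent`, and the body of both `run_*` functions beyond the quoted bounds check are assumptions.

```cpp
#include <cstdint>
#include <functional>
#include <vector>

// Simplified stand-ins, not Falco's classes; names are hypothetical.
struct Event { uint16_t type; int value; };
using Filter = std::function<bool(const Event&)>;
constexpr uint16_t kPluginEvent = 322;  // constructed stand-in for PPME_PLUGINEVENT_E

struct RulesetFilters {
    std::vector<std::vector<Filter>> by_event_type;  // models m_filter_by_event_type
    std::vector<Filter> all_event_types;             // models m_filter_all_event_types

    // A filter with no event-type set goes to the catch-all list.
    void add(const Filter& f, const std::vector<uint16_t>& types) {
        if (types.empty()) { all_event_types.push_back(f); return; }
        for (uint16_t t : types) {
            if (t >= by_event_type.size()) by_event_type.resize(t + 1);
            by_event_type[t].push_back(f);
        }
    }

    static bool any(const std::vector<Filter>& fs, const Event& e) {
        for (const auto& f : fs) if (f(e)) return true;
        return false;
    }

    // Old check from the PR text: returns before the catch-all list is consulted.
    bool run_old(const Event& e) const {
        if (e.type >= by_event_type.size()) return false;
        return any(by_event_type[e.type], e) || any(all_event_types, e);
    }

    // Fallback form: the bounds check only guards the indexed lookup.
    bool run_fixed(const Event& e) const {
        if (e.type < by_event_type.size() && any(by_event_type[e.type], e)) return true;
        return any(all_event_types, e);
    }
};

// Constructed scenario: a negated plugin rule ("not value = 1") has no event types.
RulesetFilters negated_plugin_ruleset() {
    RulesetFilters rs;
    rs.add([](const Event& e) { return e.value != 1; }, {});
    return rs;
}

int main() {
    RulesetFilters rs = negated_plugin_ruleset();
    Event e{kPluginEvent, 0};
    return (!rs.run_old(e) && rs.run_fixed(e)) ? 0 : 1;
}
```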

…by properly using it as fallback when no filter event types is provided.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

leogr commented Jan 27, 2022

Closing and reopening to trigger the CI
/close

poiana commented Jan 27, 2022

@leogr: Closed this PR.

In response to this:

Closing and reopening to trigger the CI
/close

@poiana poiana closed this Jan 27, 2022

leogr commented Jan 27, 2022

/reopen

@poiana poiana reopened this Jan 27, 2022
poiana commented Jan 27, 2022

@leogr: Reopened this PR.

In response to this:

/reopen


leogr commented Jan 27, 2022

/milestone 0.31.1

poiana commented Jan 27, 2022

@leogr: The provided milestone is not valid for this repository. Milestones in this repository: [0.31.0, 0.32.0, 1.0.0]

Use /milestone clear to clear the milestone.

In response to this:

/milestone 0.31.1

@FedeDP FedeDP changed the title wip: fix(userspace/engine): actually make m_filter_all_event_types useful by properly using it as fallback when no filter event types is provided fix(userspace/engine): actually make m_filter_all_event_types useful by properly using it as fallback when no filter event types is provided Jan 27, 2022
@jasondellaluce jasondellaluce mentioned this pull request Jan 27, 2022
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

leogr commented Jan 27, 2022

/milestone 0.31.0

@poiana poiana added this to the 0.31.0 milestone Jan 27, 2022
@leogr leogr left a comment

/approve

poiana commented Jan 27, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, leogr

poiana commented Jan 27, 2022

LGTM label has been added.

Git tree hash: f5626f16540d311539964ef38bc9e4b2e7514046

@poiana poiana merged commit ce3598f into falcosecurity:master Jan 27, 2022
@FedeDP FedeDP deleted the fix_ruleset_filters_run branch January 27, 2022 16:22