falcosecurity · poiana · Nov 3, 2021 · Nov 3, 2021
diff --git a/driver/event_table.c b/driver/event_table.c
@@ -284,7 +284,7 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_TRACER_X */{ "tracer", EC_OTHER, EF_NONE, 3, { { "id", PT_INT64, PF_DEC }, { "tags", PT_CHARBUFARRAY, PF_NA }, { "args", PT_CHARBUF_PAIR_ARRAY, PF_NA } } },
 	/* PPME_MESOS_E */{"mesos", EC_INTERNAL, EF_SKIPPARSERESET | EF_MODIFIES_STATE, 1, {{"json", PT_CHARBUF, PF_NA} } },
 	/* PPME_MESOS_X */{"NA4", EC_SYSTEM, EF_UNUSED, 0},
-	/* PPME_CONTAINER_JSON_E */{"container", EC_PROCESS, EF_MODIFIES_STATE | EF_LARGE_PAYLOAD, 1, {{"json", PT_CHARBUF, PF_NA} } },
+	/* PPME_CONTAINER_JSON_E */{"container", EC_PROCESS, EF_MODIFIES_STATE, 1, {{"json", PT_CHARBUF, PF_NA} } },
 	/* PPME_CONTAINER_JSON_X */{"container", EC_PROCESS, EF_UNUSED, 0},
 	/* PPME_SYSCALL_SETSID_E */{"setsid", EC_PROCESS, EF_MODIFIES_STATE, 0},
 	/* PPME_SYSCALL_SETSID_X */{"setsid", EC_PROCESS, EF_MODIFIES_STATE, 1, {{"res", PT_PID, PF_DEC} } },
@@ -335,7 +335,9 @@ const struct ppm_event_info g_event_info[PPM_EVENT_MAX] = {
 	/* PPME_SYSCALL_USERFAULTFD_E */{"userfaultfd", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 0},
 	/* PPME_SYSCALL_USERFAULTFD_X */{"userfaultfd", EC_FILE, EF_CREATES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"flags", PT_FLAGS32, PF_HEX, file_flags} } },
 	/* PPME_PLUGINEVENT_E */{"pluginevent", EC_OTHER, EF_LARGE_PAYLOAD, 2, {{"plugin ID", PT_UINT32, PF_DEC}, {"event_data", PT_BYTEBUF, PF_NA} } },
-	/* PPME_NA1 */{"pluginevent", EC_OTHER, EF_UNUSED, 0}
+	/* PPME_NA1 */{"pluginevent", EC_OTHER, EF_UNUSED, 0},
+	/* PPME_CONTAINER_JSON_2_E */{"container", EC_PROCESS, EF_MODIFIES_STATE | EF_LARGE_PAYLOAD, 1, {{"json", PT_CHARBUF, PF_NA} } },
+	/* PPME_CONTAINER_JSON_2_X */{"container", EC_PROCESS, EF_UNUSED, 0},
 	/* NB: Starting from scap version 1.2, event types will no longer be changed when an event is modified, and the only kind of change permitted for pre-existent events is adding parameters.
 	 *     New event types are allowed only for new syscalls or new internal events.
 	 *     The number of parameters can be used to differentiate between event versions.

diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h
@@ -963,7 +963,9 @@ enum ppm_event_type {
 	PPME_SYSCALL_USERFAULTFD_X = 321,
 	PPME_PLUGINEVENT_E = 322,
 	PPME_PLUGINEVENT_X = 323,
-	PPM_EVENT_MAX = 324
+	PPME_CONTAINER_JSON_2_E = 324,
+	PPME_CONTAINER_JSON_2_X = 325,
+	PPM_EVENT_MAX = 326
 };
 /*@}*/
 

diff --git a/userspace/libsinsp/container.cpp b/userspace/libsinsp/container.cpp
@@ -270,7 +270,7 @@ bool sinsp_container_manager::container_to_sinsp_event(const string& json, sinsp
 	}
 	scapevt->tid = -1;
 	scapevt->len = (uint32_t)totlen;
-	scapevt->type = PPME_CONTAINER_JSON_E;
+	scapevt->type = PPME_CONTAINER_JSON_2_E;
 	scapevt->nparams = 1;
 
 	uint32_t* lens = (uint32_t*)((char *)scapevt + sizeof(struct ppm_evt_hdr));

diff --git a/userspace/libsinsp/filterchecks.cpp b/userspace/libsinsp/filterchecks.cpp
@@ -1238,7 +1238,7 @@ uint8_t* sinsp_filter_check_fd::extract(sinsp_evt *evt, OUT uint32_t* len, bool
 		break;
 	case TYPE_UID:
 		{
-			if(evt->get_type() == PPME_CONTAINER_JSON_E)
+			if(evt->get_type() == PPME_CONTAINER_JSON_E || evt->get_type() == PPME_CONTAINER_JSON_2_E)
 			{
 				return NULL;
 			}

diff --git a/userspace/libsinsp/parsers.cpp b/userspace/libsinsp/parsers.cpp
@@ -433,6 +433,7 @@ void sinsp_parser::process_event(sinsp_evt *evt)
 		parse_container_evt(evt); // deprecated, only here for backwards compatibility
 		break;
 	case PPME_CONTAINER_JSON_E:
+	case PPME_CONTAINER_JSON_2_E:
 		parse_container_json_evt(evt);
 		break;
 	case PPME_CPU_HOTPLUG_E:
@@ -542,7 +543,7 @@ bool sinsp_parser::reset(sinsp_evt *evt)
 	// cleared in init(). So only keep the threadinfo for "live"
 	// containers.
 	//
-	if (m_inspector->is_live() && etype == PPME_CONTAINER_JSON_E && evt->m_tinfo_ref != nullptr)
+	if (m_inspector->is_live() && (etype == PPME_CONTAINER_JSON_E || etype == PPME_CONTAINER_JSON_2_E) && evt->m_tinfo_ref != nullptr)
 	{
 		// this is a synthetic event generated by the container manager
 		// the threadinfo should already be set properly
@@ -604,7 +605,7 @@ bool sinsp_parser::reset(sinsp_evt *evt)
 		query_os = true;
 	}
 
-	if(etype == PPME_CONTAINER_JSON_E)
+	if(etype == PPME_CONTAINER_JSON_E || etype == PPME_CONTAINER_JSON_2_E)
 	{
 		evt->m_tinfo = nullptr;
 		return true;

diff --git a/userspace/libsinsp/sinsp.cpp b/userspace/libsinsp/sinsp.cpp
@@ -345,7 +345,7 @@ void sinsp::init()
 
 			if(res == SCAP_SUCCESS)
 			{
-				if((pevent->type != PPME_CONTAINER_E) && (pevent->type != PPME_CONTAINER_JSON_E))
+				if((pevent->type != PPME_CONTAINER_E) && (pevent->type != PPME_CONTAINER_JSON_E) && (pevent->type != PPME_CONTAINER_JSON_2_E))
 				{
 					break;
 				}
@@ -1196,7 +1196,7 @@ int32_t sinsp::next(OUT sinsp_evt **puevt)
 
 	uint64_t ts = evt->get_ts();
 
-	if(m_firstevent_ts == 0 && evt->m_pevt->type != PPME_CONTAINER_JSON_E)
+	if(m_firstevent_ts == 0 && evt->m_pevt->type != PPME_CONTAINER_JSON_E && evt->m_pevt->type != PPME_CONTAINER_JSON_2_E)
 	{
 		m_firstevent_ts = ts;
 	}