[LIBS PLUGINS] Expose libs syscalls PPME_ events enum over a new plugin API

[incertum]

Motivation

Currently, plugins need to redefine syscalls event types (of type falcosecurity::event_type) resulting in needing to redefine an enum. This approach risks discrepancies between libs' native PPME_ enum and the enum used by the plugins. For example the current k8smeta plugin follows this practice of redefinition. On the other hand the open PR falcosecurity/plugins#419 for the anomalydetection plugin employs a workaround via importing the libs enum.

Feature

When the event source is syscall, a new plugin API should be introduced to allow the importing of syscall libs' PPME_ events enum, making them accessible. This enables us to switch the plugin's evt.get_type() within the parse_event plugin logic while reusing the PPME_ codes from libs, such as PPME_SYSCALL_EXECVEAT_X and PPME_SYSCALL_EXECVE_19_X, for example ...

[jasondellaluce]

@incertum IMO this could be potentially part of the plugins SDKs, as the libs already expose this information. Ideally, we would isolate the "event schema" module and make it importable from outside. Not sure if adding extra layers on top of the current plugin API is the optimal solution, will think about it.

[incertum]

@incertum IMO this could be potentially part of the plugins SDKs, as the libs already expose this information. Ideally, we would isolate the "event schema" module and make it importable from outside. Not sure if adding extra layers on top of the current plugin API is the optimal solution, will think about it.

Thanks @jasondellaluce either way would work. Looking forward to having the enum easily available. Thanks.

[jasondellaluce]

@incertum FYI this is tracked here for the plugin SDK C++: falcosecurity/plugin-sdk-cpp#33