From 5947f9ae627c8948952ec5c005e275e75e61a558 Mon Sep 17 00:00:00 2001
From: Gianmatteo Palmieri <mail@gian.im>
Date: Thu, 24 Aug 2023 15:02:12 +0000
Subject: [PATCH] new(libsinsp): set is_open_create to true if temp file is
 created

Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Gianmatteo Palmieri <mail@gian.im>
---
 userspace/libsinsp/filterchecks.cpp | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/userspace/libsinsp/filterchecks.cpp b/userspace/libsinsp/filterchecks.cpp
index c2a70eb833..2f07fb1611 100644
--- a/userspace/libsinsp/filterchecks.cpp
+++ b/userspace/libsinsp/filterchecks.cpp
@@ -5925,10 +5925,26 @@ uint8_t* sinsp_filter_check_event::extract(sinsp_evt *evt, OUT uint32_t* len, bo
 					m_u32val = 1;
 				}
 
-				if(m_field_id == TYPE_ISOPEN_CREATE &&
-				   flags & PPM_O_F_CREATED)
+				if(m_field_id == TYPE_ISOPEN_CREATE)
 				{
-					m_u32val = 1;
+					// If PPM_O_F_CREATED is set the file is created 
+					if(flags & PPM_O_F_CREATED)
+					{
+						m_u32val = 1;
+					}
+
+					// If PPM_O_TMPFILE is set and syscall is successful the file is created
+					if(flags & PPM_O_TMPFILE)
+					{
+						parinfo = evt->get_param(0);
+						ASSERT(parinfo->m_len == sizeof(int64_t));
+						int64_t retval = *(int64_t *)parinfo->m_val;
+
+						if(retval >= 0)
+						{
+							m_u32val = 1;
+						}
+					}
 				}
 
 				/* `open_by_handle_at` exit event has no `mode` parameter. */