github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-20 17:37:43 +00:00
Code Issues Projects Releases Wiki Activity

fix(scripts): falco-driver-loader must infer the OS ID from the host

Browse Source 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
This commit is contained in:
Leonardo Di Donato
2020-04-23 15:00:04 +00:00
committed by poiana
parent 3ec4b5b652
commit 26621ca381
2 changed files with 23 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CMakeLists.txt
View File

@@ -73,7 +73,7 @@ include(GetFalcoVersion)
set(PACKAGE_NAME "falco") set(PACKAGE_NAME "falco")
set(PROBE_NAME "falco") set(PROBE_NAME "falco")
set(PROBE_DEVICE_NAME "falco") set(PROBE_DEVICE_NAME "falco")
set(DRIVERS_REPO "https://bintray.com/falcosecurity/driver") set(DRIVERS_REPO "https://dl.bintray.com/falcosecurity/driver")
if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT) if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
set(CMAKE_INSTALL_PREFIX set(CMAKE_INSTALL_PREFIX
/usr /usr

46
scripts/falco-driver-loader
View File

@@ -105,7 +105,7 @@ get_target_id() {
if [ -f "${HOST_ROOT}/etc/os-release" ]; then if [ -f "${HOST_ROOT}/etc/os-release" ]; then
# freedesktop.org and systemd # freedesktop.org and systemd
# shellcheck source=/dev/null # shellcheck source=/dev/null
source "/etc/os-release" source "${HOST_ROOT}/etc/os-release"
OS_ID=$ID OS_ID=$ID
elif [ -f "${HOST_ROOT}/etc/debian_version" ]; then elif [ -f "${HOST_ROOT}/etc/debian_version" ]; then
# Older Debian # Older Debian
@@ -156,24 +156,24 @@ load_kernel_module() {
exit 1 exit 1
fi fi
echo "* Unloading ${DRIVER_NAME}, if present" echo "* Unloading ${DRIVER_NAME} module, if present"
rmmod "${DRIVER_NAME}" 2>/dev/null rmmod "${DRIVER_NAME}" 2>/dev/null
WAIT_TIME=0 WAIT_TIME=0
KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_") KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
while lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1 && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do while lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1 && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
if rmmod "${DRIVER_NAME}" 2>/dev/null; then if rmmod "${DRIVER_NAME}" 2>/dev/null; then
echo "* Unloading ${DRIVER_NAME} succeeded after ${WAIT_TIME}s" echo "* Unloading ${DRIVER_NAME} module succeeded after ${WAIT_TIME}s"
break break
fi fi
((++WAIT_TIME)) ((++WAIT_TIME))
if (( WAIT_TIME % 5 == 0 )); then if (( WAIT_TIME % 5 == 0 )); then
echo "* ${DRIVER_NAME} still loaded, waited ${WAIT_TIME}s (max wait ${MAX_RMMOD_WAIT}s)" echo "* ${DRIVER_NAME} module still loaded, waited ${WAIT_TIME}s (max wait ${MAX_RMMOD_WAIT}s)"
fi fi
sleep 1 sleep 1
done done
if lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1; then if lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1; then
echo "* ${DRIVER_NAME} seems to still be loaded, hoping the best" echo "* ${DRIVER_NAME} module seems to still be loaded, hoping the best"
exit 0 exit 0
fi fi
@@ -182,13 +182,13 @@ load_kernel_module() {
echo "* Skipping dkms install for UEK host" echo "* Skipping dkms install for UEK host"
else else
if hash dkms &>/dev/null && dkms install -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then if hash dkms &>/dev/null && dkms install -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
echo "* Trying to load a dkms ${DRIVER_NAME}, if present" echo "* Trying to load a dkms ${DRIVER_NAME} module, if present"
if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
echo "${DRIVER_NAME} found and loaded in dkms" echo "${DRIVER_NAME} module found and loaded in dkms"
exit 0 exit 0
elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
echo "${DRIVER_NAME} found and loaded in dkms (xz)" echo "${DRIVER_NAME} module found and loaded in dkms (xz)"
exit 0 exit 0
else else
echo "* Unable to insmod" echo "* Unable to insmod"
@@ -204,21 +204,21 @@ load_kernel_module() {
fi fi
fi fi
echo "* Trying to load a system ${DRIVER_NAME}, if present" echo "* Trying to load a system ${DRIVER_NAME} driver, if present"
if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
echo "${DRIVER_NAME} found and loaded with modprobe" echo "${DRIVER_NAME} module found and loaded with modprobe"
exit 0 exit 0
fi fi
echo "* Trying to find precompiled ${DRIVER_NAME} for ${KERNEL_RELEASE}" echo "* Trying to find a prebuilt ${DRIVER_NAME} module for kernel ${KERNEL_RELEASE}"
get_target_id get_target_id
local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko" local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
if [ -f "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" ]; then if [ -f "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
echo "Found precompiled module at ~/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading module" echo "Found a prebuilt module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}"
exit $? exit $?
fi fi
@@ -226,13 +226,13 @@ load_kernel_module() {
local URL local URL
URL=$(echo "${DRIVERS_REPO}/kernel-module/${DRIVER_VERSION}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g) URL=$(echo "${DRIVERS_REPO}/kernel-module/${DRIVER_VERSION}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
echo "* Trying to download precompiled module from ${URL}" echo "* Trying to download prebuilt module from ${URL}"
if curl --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then if curl --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
echo "Download succeeded, loading module" echo "Download succeeded, loading module"
insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}"
exit $? exit $?
else else
>&2 echo "Download failed, consider compiling your own ${DRIVER_NAME} and loading it or getting in touch with the Falco community" >&2 echo "Download failed, consider compiling your own ${DRIVER_NAME} module and loading it or getting in touch with the Falco community"
exit 1 exit 1
fi fi
} }
@@ -362,7 +362,7 @@ load_bpf_probe() {
customize_kernel_build customize_kernel_build
fi fi
echo "* Trying to compile BPF probe (${BPF_PROBE_FILENAME})" echo "* Trying to compile the eBPF probe (${BPF_PROBE_FILENAME})"
make -C "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf" > /dev/null make -C "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf" > /dev/null
@@ -378,27 +378,25 @@ load_bpf_probe() {
local URL local URL
URL=$(echo "${DRIVERS_REPO}/ebpf-probe/${DRIVER_VERSION}/${BPF_PROBE_FILENAME}" | sed s/+/%2B/g) URL=$(echo "${DRIVERS_REPO}/ebpf-probe/${DRIVER_VERSION}/${BPF_PROBE_FILENAME}" | sed s/+/%2B/g)
echo "* Trying to download precompiled BPF probe from ${URL}" echo "* Trying to download a prebuilt eBPF probe from ${URL}"
curl --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${URL}" curl --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${URL}"
fi fi
if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
if [ ! -f /proc/sys/net/core/bpf_jit_enable ]; then if [ ! -f /proc/sys/net/core/bpf_jit_enable ]; then
echo "**********************************************************" echo "******************************************************************"
echo "** BPF doesn't have JIT enabled, performance might be **" echo "** BPF doesn't have JIT enabled, performance might be degraded. **"
echo "** degraded. Please ensure to run on a kernel with **" echo "** Please ensure to run on a kernel with CONFIG_BPF_JIT on. **"
echo "** CONFIG_BPF_JIT enabled and/or use --net=host if **" echo "******************************************************************"
echo "** running inside a container. **"
echo "**********************************************************"
fi fi
echo "* BPF probe located, it's now possible to start falco" echo "* eBPF probe located, it's now possible to start Falco"
ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${DRIVER_NAME}-bpf.o" ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${DRIVER_NAME}-bpf.o"
exit $? exit $?
else else
echo "* Failure to find a BPF probe" echo "* Failure to find an eBPF probe"
exit 1 exit 1
fi fi
} }