github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-02-21 14:13:27 +00:00
Code Issues Projects Releases Wiki Activity

chore!: drop legacy BPF probe

Browse Source 
Falco 0.43.0 deprecated the legacy eBPF probe. Drop it as well as any
reference to it.

BREAKING CHANGE: drop legacy eBPF probe

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
This commit is contained in:
Leonardo Di Giovanna
2026-02-05 12:21:22 +01:00
committed by poiana
parent ae9c2fbbc3
commit 387499546f
35 changed files with 41 additions and 232 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/codeql.yaml vendored
View File

@@ -63,7 +63,7 @@ jobs:
- name: Prepare project
run: |
cmake -B build -S . -DBUILD_BPF=On -DBUILD_FALCO_MODERN_BPF=Off -DUSE_BUNDLED_DEPS=Off -DUSE_BUNDLED_NLOHMANN_JSON=On -DUSE_BUNDLED_CXXOPTS=On -DUSE_BUNDLED_CPPHTTPLIB=On
cmake -B build -S . -DBUILD_FALCO_MODERN_BPF=Off -DUSE_BUNDLED_DEPS=Off -DUSE_BUNDLED_NLOHMANN_JSON=On -DUSE_BUNDLED_CXXOPTS=On -DUSE_BUNDLED_CPPHTTPLIB=On
- name: Build
run: |

1
.github/workflows/reusable_build_dev.yaml vendored
View File

@@ -65,7 +65,6 @@ jobs:
-DBUILD_FALCO_UNIT_TESTS=On \
-DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
-DBUILD_FALCO_MODERN_BPF=Off \
-DBUILD_BPF=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
-DBUILD_DRIVER=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
-DMINIMAL_BUILD=${{ inputs.minimal == true && 'ON' || 'OFF' }} \
-DUSE_ASAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \

5
.github/workflows/reusable_build_packages.yaml vendored
View File

@@ -97,7 +97,6 @@ jobs:
-DFALCO_ETC_DIR=/etc/falco \
-DMODERN_BPF_SKEL_DIR=/tmp \
-DBUILD_DRIVER=Off \
-DBUILD_BPF=Off \
-DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
-DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
-DFALCO_VERSION=${{ inputs.version }}
@@ -170,7 +169,6 @@ jobs:
-DFALCO_ETC_DIR=/etc/falco \
-DMODERN_BPF_SKEL_DIR=/tmp \
-DBUILD_DRIVER=Off \
-DBUILD_BPF=Off \
-DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
-DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
-DFALCO_VERSION=${{ inputs.version }}
@@ -219,7 +217,6 @@ jobs:
-DFALCO_ETC_DIR=/etc/falco \
-DMODERN_BPF_SKEL_DIR=/tmp \
-DBUILD_DRIVER=Off \
-DBUILD_BPF=Off \
-DUSE_JEMALLOC=Off \
-DUSE_MIMALLOC=Off \
-DUSE_ASAN=On \
@@ -265,7 +262,7 @@ jobs:
cmake -B build -S . \
-DCMAKE_BUILD_TYPE=Release \
-DCPACK_GENERATOR=TGZ \
-DBUILD_BPF=Off -DBUILD_DRIVER=Off \
-DBUILD_DRIVER=Off \
-DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
-DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
-DUSE_BUNDLED_DEPS=On \

2
.github/workflows/staticanalysis.yaml vendored
View File

@@ -24,7 +24,7 @@ jobs:
run: |
cmake -B build -S . \
-DCMAKE_BUILD_TYPE="release" \
-DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DBUILD_BPF=Off -DBUILD_DRIVER=Off
-DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DBUILD_DRIVER=Off
cmake --build build -j4 --target cppcheck
cmake --build build -j4 --target cppcheck_htmlreport

9
CMakeLists.txt
View File

@@ -64,10 +64,6 @@ elseif(EMSCRIPTEN)
OFF
CACHE BOOL "" FORCE
)
set(BUILD_BPF
OFF
CACHE BOOL "" FORCE
)
set(CPACK_GENERATOR
TGZ
CACHE BOOL "" FORCE
@@ -133,11 +129,6 @@ set(DRIVER_NAME "falco")
set(DRIVER_DEVICE_NAME "falco")
set(DRIVERS_REPO "https://download.falco.org/driver")
# If no path is provided, try to search the BPF probe in: `home/.falco/falco-bpf.o` This is the same
# fallback that we had in the libraries: `SCAP_PROBE_BPF_FILEPATH`.
set(FALCO_PROBE_BPF_FILEPATH ".${DRIVER_NAME}/${DRIVER_NAME}-bpf.o")
add_definitions(-DFALCO_PROBE_BPF_FILEPATH="${FALCO_PROBE_BPF_FILEPATH}")
if(NOT DEFINED FALCO_COMPONENT_NAME)
set(FALCO_COMPONENT_NAME "${CMAKE_PROJECT_NAME}")
endif()

3
README.md
View File

@@ -75,7 +75,6 @@ Here's an example of a `cmake` command that will enable everything you need for
cmake \
-DUSE_BUNDLED_DEPS=ON \
-DBUILD_LIBSCAP_GVISOR=ON \
-DBUILD_BPF=ON \
-DBUILD_DRIVER=ON \
-DBUILD_FALCO_MODERN_BPF=ON \
-DCREATE_TEST_TARGETS=ON \
@@ -113,7 +112,7 @@ Please refer to the [Contributing](https://github.com/falcosecurity/.github/blob
1. The first lines of code at the base of Falco were written some time ago, where Go didn't yet have the same level of maturity and adoption as today.
2. The Falco execution model is sequential and mono-thread due to the statefulness requirements of the tool, and so most of the concurrency-related selling points of the Go runtime would not be leveraged at all.
3. The Falco code deals with very low-level programming in many places (e.g. some headers are shared with the eBPF probe and the Kernel module), and we all know that interfacing Go with C is possible but brings tons of complexity and tradeoffs to the table.
3. The Falco code deals with very low-level programming in many places, and we all know that interfacing Go with C is possible but brings tons of complexity and tradeoffs to the table.
4. As a security tool meant to consume a crazy high throughput of events per second, Falco needs to squeeze performance in all hot paths at runtime and requires deep control on memory allocation, which the Go runtime can't provide (there's also garbage collection involved).
5. Although Go didn't suit the engineering requirements of the core of Falco, we still thought that it could be a good candidate for writing Falco extensions through the plugin system. This is the main reason we gave special attention and high priority to the development of the plugin-sdk-go.
6. Go is not a requirement for having statically-linked binaries. In fact, we provide fully-static Falco builds since few years. The only issue with those is that the plugin system can't be supported with the current dynamic library model we currently have.

5
RELEASE.md
View File

@@ -48,11 +48,10 @@ Alternatively Falco binaries or plugins can be downloaded from the Falco Artifac
> Note: This section specifically applies to non-modern BPF drivers.
The Falco Project publishes all drivers for each release for popular kernel versions / distros and `x86_64` and `aarch64` architectures to the Falco project's managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - `$(uname -r)`. Pre-compiled drivers are released with a [best effort](https://github.com/falcosecurity/falco/blob/master/proposals/20200818-artifacts-storage.md#notice) notice. This is because gcc (`kmod`) and clang (`bpf`) compilers sometimes fail to build the artifacts for a specific kernel version. More details around driver versioning and driver compatibility are provided in the [Falco Components Versioning](#falco-components-versioning) section. Short preview: If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with.
The Falco Project publishes all drivers for each release for popular kernel versions / distros and `x86_64` and `aarch64` architectures to the Falco project's managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - `$(uname -r)`. Pre-compiled drivers are released with a [best effort](https://github.com/falcosecurity/falco/blob/master/proposals/20200818-artifacts-storage.md#notice) notice. This is because gcc (`kmod`) sometimes fails to build the artifacts for a specific kernel version. More details around driver versioning and driver compatibility are provided in the [Falco Components Versioning](#falco-components-versioning) section. Short preview: If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with.
- [Falco Artifacts Repo Drivers Root](https://download.falco.org/?prefix=driver/)
- Option 1: Kernel module (`.ko` files) - all under same driver version directory
- Option 2: eBPF (`.o` files) - all under same driver version directory
- Kernel module (`.ko` files) - all under same driver version directory
### Timeline

11
brand/README.md
View File

@@ -53,15 +53,10 @@ Notice the capitalization of the following terms.
This section contains key terms specifically used within the context of The Falco Project. For a more comprehensive list of Falco-related terminology, we invite you to visit the [Glossary](https://falco.org/docs/reference/glossary/) page on our official website.
#### eBPF Probe
Used to describe the `.o` object that would be dynamically loaded into the kernel as a secure and stable (e)BPF probe.
This is one option used to pass kernel events up to userspace for Falco to consume.
#### Modern eBPF Probe
More robust [eBPF probe](#ebpf-probe), which brings the CO-RE paradigm, better performances, and maintainability.
Unlike the legacy probe, the modern eBPF probe is not shipped as a separate artifact but bundled into the Falco binary itself.
Robust eBPF probe, which brings the CO-RE paradigm, better performances, and maintainability.
The modern eBPF probe is not shipped as a separate artifact but bundled into the Falco binary itself.
This is one option used to pass kernel events up to userspace for Falco to consume.
#### Kernel Module
@@ -71,7 +66,7 @@ This is one option used to pass kernel events up to userspace for Falco to consu
#### Driver
The global term for the software that sends events from the kernel. Such as the [eBPF probe](#ebpf-probe), the [Modern eBPF probe](#modern-ebpf-probe), or the [Kernel Module](#kernel-module).
The global term for the software that sends events from the kernel. Such as the [Modern eBPF probe](#modern-ebpf-probe), or the [Kernel Module](#kernel-module).
#### Plugin

5
cmake/cpack/CMakeCPackOptions.cmake
View File

@@ -29,11 +29,6 @@ if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
CPACK_INSTALL_COMMANDS
"cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
)
list(
APPEND
CPACK_INSTALL_COMMANDS
"cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
)
list(
APPEND
CPACK_INSTALL_COMMANDS

7
docker/driver-loader-buster/docker-entrypoint.sh
View File

@@ -1,7 +1,7 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 The Falco Authors.
# Copyright (C) 2026 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -27,7 +27,6 @@ print_usage() {
echo " auto leverage automatic driver selection logic (default)"
echo " modern_ebpf modern eBPF CORE probe"
echo " kmod kernel module"
echo " ebpf eBPF probe"
echo ""
echo "Options:"
echo " --help show this help message"
@@ -59,7 +58,7 @@ driver=
has_opts=
while test $# -gt 0; do
case "$1" in
auto|kmod|ebpf|modern_ebpf)
auto|kmod|modern_ebpf)
if [ -n "$driver" ]; then
>&2 echo "Only one driver per invocation"
print_usage
@@ -120,7 +119,7 @@ if [ "$driver" != "auto" ]; then
/usr/bin/falcoctl driver config --type $driver
else
# Needed because we need to configure Falco to start with correct driver
/usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf
/usr/bin/falcoctl driver config --type modern_ebpf --type kmod
fi
/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS"

5
docker/driver-loader/docker-entrypoint.sh
View File

@@ -27,7 +27,6 @@ print_usage() {
echo " auto leverage automatic driver selection logic (default)"
echo " modern_ebpf modern eBPF CORE probe"
echo " kmod kernel module"
echo " ebpf eBPF probe"
echo ""
echo "Options:"
echo " --help show this help message"
@@ -64,7 +63,7 @@ extra_args=
while test $# -gt 0; do
case "$1" in
auto|kmod|ebpf|modern_ebpf)
auto|kmod|modern_ebpf)
if [ -n "$driver" ]; then
>&2 echo "Only one driver per invocation"
print_usage
@@ -133,7 +132,7 @@ if [ "$driver" != "auto" ]; then
/usr/bin/falcoctl driver config --type $driver
else
# Needed because we need to configure Falco to start with correct driver
/usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf
/usr/bin/falcoctl driver config --type modern_ebpf --type kmod
fi
/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" $extra_args

28
falco.yaml
View File

@@ -282,12 +282,10 @@ rules_files:
#
# -- Falco supports different engines to generate events.
# Choose the appropriate engine kind based on your system's configuration and requirements.
# DEPRECATION NOTICE: the Legacy eBPF probe and the gVisor engine are currently deprecated. Consider using other
# engines.
# DEPRECATION NOTICE: the gVisor engine are currently deprecated. Consider using other engines.
#
# Available engines:
# - `kmod`: Kernel Module
# - `ebpf`: Legacy eBPF probe (deprecated)
# - `modern_ebpf`: Modern eBPF (CO-RE eBPF probe)
# - `gvisor`: gVisor sandbox (deprecated)
# - `replay`: Replay a scap trace file
@@ -359,15 +357,14 @@ rules_files:
#
################### `cpus_for_each_buffer` (modern_ebpf only)
#
# The modern_ebpf driver in Falco utilizes the new BPF ring buffer, which has a
# different memory footprint compared to the current BPF driver that uses the
# perf buffer. The Falco core maintainers have discussed the differences and
# their implications, particularly in Kubernetes environments where limits need
# to be carefully set to avoid interference with the Falco daemonset deployment
# from the OOM killer. Based on guidance received from the kernel mailing list,
# it is recommended to assign multiple CPUs to one buffer instead of allocating
# a buffer for each CPU individually. This helps optimize resource allocation
# and prevent potential issues related to memory usage.
# The modern_ebpf driver in Falco utilizes the new BPF ring buffer. The Falco
# core maintainers have discussed the differences and their implications,
# particularly in Kubernetes environments where limits need to be carefully set
# to avoid interference with the Falco daemonset deployment from the OOM
# killer. Based on guidance received from the kernel mailing list, it is
# recommended to assign multiple CPUs to one buffer instead of allocating a
# buffer for each CPU individually. This helps optimize resource allocation and
# prevent potential issues related to memory usage.
#
# This is an index that controls how many CPUs you want to assign to a single
# syscall buffer (ring buffer). By default, for modern_ebpf every syscall buffer
@@ -440,13 +437,6 @@ engine:
kmod:
buf_size_preset: 4
drop_failed_exit: false
# -- Engine-specific configuration for Legacy eBPF (ebpf) engine. DEPRECATION NOTICE: the Legacy eBPF engine is
# deprecated.
ebpf:
# -- Path to the elf file to load.
probe: ${HOME}/.falco/falco-bpf.o
buf_size_preset: 4
drop_failed_exit: false
# -- Engine-specific configuration for Modern eBPF (modern_ebpf) engine.
modern_ebpf:
cpus_for_each_buffer: 2

7
scripts/CMakeLists.txt
View File

@@ -24,10 +24,6 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
"${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY
)
configure_file(
"${PROJECT_SOURCE_DIR}/scripts/systemd/falco-bpf.service"
"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY
)
configure_file(
"${PROJECT_SOURCE_DIR}/scripts/systemd/falco-modern-bpf.service"
"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY
@@ -68,9 +64,6 @@ if(NOT WIN32
if(BUILD_DRIVER)
list(APPEND FALCOCTL_DRIVER_TYPES_LIST "kmod")
endif()
if(BUILD_BPF)
list(APPEND FALCOCTL_DRIVER_TYPES_LIST "ebpf")
endif()
string(REPLACE ";" ", " FALCOCTL_DRIVER_TYPES "${FALCOCTL_DRIVER_TYPES_LIST}")
configure_file(
${CMAKE_CURRENT_SOURCE_DIR}/falcoctl/falcoctl.yaml.in

20
scripts/debian/postinst.in
View File

@@ -25,12 +25,10 @@ CHOICE=
# Every time we call this script we want to stat from a clean state.
echo "[POST-INSTALL] Disable all possible 'falco' services:"
systemctl --system stop 'falco-kmod.service' || true
systemctl --system stop 'falco-bpf.service' || true
systemctl --system stop 'falco-modern-bpf.service' || true
systemctl --system stop 'falco-custom.service' || true
systemctl --system stop 'falcoctl-artifact-follow.service' || true
systemctl --system disable 'falco-kmod.service' || true
systemctl --system disable 'falco-bpf.service' || true
systemctl --system disable 'falco-modern-bpf.service' || true
systemctl --system disable 'falco-custom.service' || true
systemctl --system disable 'falcoctl-artifact-follow.service' || true
@@ -47,11 +45,8 @@ if [ "$1" = "configure" ]; then
kmod)
CHOICE=3
;;
ebpf)
CHOICE=4
;;
modern_ebpf)
CHOICE=5
CHOICE=4
;;
esac
if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
@@ -60,8 +55,7 @@ if [ "$1" = "configure" ]; then
1 "Manual configuration (no unit is started)" \
2 "Automatic selection" \
3 "Kmod" \
4 "eBPF (deprecated)" \
5 "Modern eBPF" \
4 "Modern eBPF" \
2>&1 >/dev/tty)
fi
# "auto" case is not managed here since it is already the default, so no CHOICE=2
@@ -73,9 +67,6 @@ if [ "$1" = "configure" ]; then
chosen_driver="kmod"
;;
4)
chosen_driver="ebpf"
;;
5)
chosen_driver="modern_ebpf"
;;
esac
@@ -83,7 +74,7 @@ if [ "$1" = "configure" ]; then
echo "[POST-INSTALL] Configure falcoctl '$chosen_driver' driver type:"
if [ "$chosen_driver" = "auto" ]; then
# Configure falcoctl to enable all drivers
falcoctl driver config --type "modern_ebpf" --type "kmod" --type "ebpf"
falcoctl driver config --type "modern_ebpf" --type "kmod"
# Load the actually automatic chosen driver
chosen_driver=$(falcoctl driver printenv | grep DRIVER= | cut -d'"' -f2)
else
@@ -124,11 +115,6 @@ case "$chosen_driver" in
falcoctl driver install --download=false
chosen_unit="kmod"
;;
"ebpf")
echo "[POST-INSTALL] Call 'falcoctl driver install for ebpf':"
falcoctl driver install
chosen_unit="bpf"
;;
"modern_ebpf")
chosen_unit="modern-bpf"
;;

1
scripts/debian/postrm.in
View File

@@ -25,7 +25,6 @@ set -e
if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
echo "[POST-REMOVE] Disable all Falco services:"
systemctl --system disable 'falco-kmod.service' || true
systemctl --system disable 'falco-bpf.service' || true
systemctl --system disable 'falco-modern-bpf.service' || true
systemctl --system disable 'falco-custom.service' || true
systemctl --system disable 'falcoctl-artifact-follow.service' || true

1
scripts/debian/prerm.in
View File

@@ -26,7 +26,6 @@ case "$1" in
remove|upgrade|deconfigure)
echo "[PRE-REMOVE] Stop all Falco services:"
systemctl --system stop 'falco-kmod.service' || true
systemctl --system stop 'falco-bpf.service' || true
systemctl --system stop 'falco-modern-bpf.service' || true
systemctl --system stop 'falco-custom.service' || true
systemctl --system stop 'falcoctl-artifact-follow.service' || true

20
scripts/rpm/postinstall.in
View File

@@ -24,12 +24,10 @@ CHOICE=
# Every time we call this script we want to stat from a clean state.
echo "[POST-INSTALL] Disable all possible enabled 'falco' service:"
systemctl --system stop 'falco-kmod.service' || true
systemctl --system stop 'falco-bpf.service' || true
systemctl --system stop 'falco-modern-bpf.service' || true
systemctl --system stop 'falco-custom.service' || true
systemctl --system stop 'falcoctl-artifact-follow.service' || true
systemctl --system disable 'falco-kmod.service' || true
systemctl --system disable 'falco-bpf.service' || true
systemctl --system disable 'falco-modern-bpf.service' || true
systemctl --system disable 'falco-custom.service' || true
systemctl --system disable 'falcoctl-artifact-follow.service' || true
@@ -46,11 +44,8 @@ if [ $1 -ge 1 ]; then
kmod)
CHOICE=3
;;
ebpf)
CHOICE=4
;;
modern_ebpf)
CHOICE=5
CHOICE=4
;;
esac
if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
@@ -59,8 +54,7 @@ if [ $1 -ge 1 ]; then
1 "Manual configuration (no unit is started)" \
2 "Automatic selection" \
3 "Kmod" \
4 "eBPF (deprecated)" \
5 "Modern eBPF" \
4 "Modern eBPF" \
2>&1 >/dev/tty)
fi
# "auto" case is not managed here since it is already the default, so no CHOICE=2
@@ -72,9 +66,6 @@ if [ $1 -ge 1 ]; then
chosen_driver="kmod"
;;
4)
chosen_driver="ebpf"
;;
5)
chosen_driver="modern_ebpf"
;;
esac
@@ -82,7 +73,7 @@ if [ $1 -ge 1 ]; then
echo "[POST-INSTALL] Configure falcoctl '$chosen_driver' driver type:"
if [ "$chosen_driver" = "auto" ]; then
# Configure falcoctl to enable all drivers
falcoctl driver config --type "modern_ebpf" --type "kmod" --type "ebpf"
falcoctl driver config --type "modern_ebpf" --type "kmod"
# Load the actually automatic chosen driver
chosen_driver=$(falcoctl driver printenv | grep DRIVER= | cut -d'"' -f2)
else
@@ -123,11 +114,6 @@ case "$chosen_driver" in
falcoctl driver install --download=false
chosen_unit="kmod"
;;
"ebpf")
echo "[POST-INSTALL] Call 'falcoctl driver install for ebpf':"
falcoctl driver install
chosen_unit="bpf"
;;
"modern_ebpf")
chosen_unit="modern-bpf"
;;

1
scripts/rpm/postuninstall.in
View File

@@ -21,7 +21,6 @@ set -e
if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
echo "[POST-REMOVE] Disable all Falco services:"
systemctl --system disable 'falco-kmod.service'|| true
systemctl --system disable 'falco-bpf.service' || true
systemctl --system disable 'falco-modern-bpf.service' || true
systemctl --system disable 'falco-custom.service' || true
systemctl --system disable 'falcoctl-artifact-follow.service' || true

2
scripts/rpm/preuninstall.in
View File

@@ -20,7 +20,6 @@ set -e
# Currently running falco service uses the driver, so stop it before driver cleanup
echo "[PRE-REMOVE] Stop all Falco services:"
systemctl --system stop 'falco-kmod.service' || true
systemctl --system stop 'falco-bpf.service' || true
systemctl --system stop 'falco-modern-bpf.service' || true
systemctl --system stop 'falco-custom.service' || true
systemctl --system stop 'falcoctl-artifact-follow.service' || true
@@ -36,7 +35,6 @@ falcoctl driver cleanup
# if preuninstall:
# `systemd-update-helper remove-system-units <service>`
%systemd_preun 'falco-kmod.service'
%systemd_preun 'falco-bpf.service'
%systemd_preun 'falco-modern-bpf.service'
%systemd_preun 'falco-custom.service'
%systemd_preun 'falcoctl-artifact-follow.service'

27
scripts/systemd/falco-bpf.service
View File

@@ -1,27 +0,0 @@
[Unit]
Description=Falco: Container Native Runtime Security with ebpf
Documentation=https://falco.org/docs/
Before=falcoctl-artifact-follow.service
Wants=falcoctl-artifact-follow.service
[Service]
Type=simple
User=root
ExecStart=/usr/bin/falco -o engine.kind=ebpf
ExecReload=kill -1 $MAINPID
UMask=0077
TimeoutSec=30
RestartSec=15s
Restart=on-failure
PrivateTmp=true
NoNewPrivileges=yes
ProtectHome=read-only
ProtectSystem=full
ProtectKernelTunables=true
RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET
StandardOutput=null
[Install]
WantedBy=multi-user.target
Alias=falco.service

2
scripts/systemd/falcoctl-artifact-follow.service
View File

@@ -1,7 +1,7 @@
[Unit]
Description=Falcoctl Artifact Follow: automatic artifacts update service
Documentation=https://falco.org/docs/
PartOf=falco-bpf.service falco-kmod.service falco-modern-bpf.service falco-custom.service
PartOf=falco-kmod.service falco-modern-bpf.service falco-custom.service
[Service]
Type=simple

3
unit_tests/CMakeLists.txt
View File

@@ -25,8 +25,7 @@ FetchContent_Declare(
FetchContent_MakeAvailable(googletest)
# Create a libscap_test_var.h file with some variables used by our tests for example the kmod path
# or the bpf path.
# Create a libscap_test_var.h file with some variables used by our tests (e.g: the kmod path).
configure_file(
${CMAKE_CURRENT_SOURCE_DIR}/falco_test_var.h.in ${CMAKE_CURRENT_BINARY_DIR}/falco_test_var.h
)

2
unit_tests/README.md
View File

@@ -7,7 +7,7 @@ Under `unit_tests/engine` and `unit_tests/falco` directories, we have different
## Build and Run
```bash
cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DBUILD_FALCO_UNIT_TESTS=On ..
cmake -DMINIMAL_BUILD=On -DBUILD_DRIVER=Off -DBUILD_FALCO_UNIT_TESTS=On ..
make falco_unit_tests
sudo ./unit_tests/falco_unit_tests
```

9
unit_tests/falco/app/actions/test_load_config.cpp
View File

@@ -31,11 +31,6 @@ TEST(ActionLoadConfig, check_kmod_engine_config) {
EXPECT_EQ(s.config->m_kmod.m_buf_size_preset, 2);
EXPECT_FALSE(s.config->m_kmod.m_drop_failed_exit);
// Check that all other engine params are empty
EXPECT_TRUE(s.config->m_ebpf.m_probe_path.empty());
EXPECT_EQ(s.config->m_ebpf.m_buf_size_preset, 0);
EXPECT_FALSE(s.config->m_ebpf.m_drop_failed_exit);
EXPECT_EQ(s.config->m_modern_ebpf.m_cpus_for_each_buffer, 0);
EXPECT_EQ(s.config->m_modern_ebpf.m_buf_size_preset, 0);
EXPECT_FALSE(s.config->m_modern_ebpf.m_drop_failed_exit);
@@ -63,10 +58,6 @@ TEST(ActionLoadConfig, check_modern_engine_config) {
EXPECT_EQ(s.config->m_kmod.m_buf_size_preset, 0);
EXPECT_FALSE(s.config->m_kmod.m_drop_failed_exit);
EXPECT_TRUE(s.config->m_ebpf.m_probe_path.empty());
EXPECT_EQ(s.config->m_ebpf.m_buf_size_preset, 0);
EXPECT_FALSE(s.config->m_ebpf.m_drop_failed_exit);
EXPECT_TRUE(s.config->m_replay.m_capture_file.empty());
EXPECT_TRUE(s.config->m_gvisor.m_config.empty());

4
unit_tests/falco/test_configs/engine_kmod_config.yaml
View File

@@ -25,10 +25,6 @@ engine:
kmod:
buf_size_preset: 2
drop_failed_exit: false
ebpf:
probe: /path/to/probe.o
buf_size_preset: 7
drop_failed_exit: true
modern_ebpf:
cpus_for_each_buffer: 2
buf_size_preset: 4

4
unit_tests/falco/test_configs/engine_modern_config.yaml
View File

@@ -25,10 +25,6 @@ engine:
kmod:
buf_size_preset: 1
drop_failed_exit: true
ebpf:
probe: /path/to/probe.o
buf_size_preset: 4
drop_failed_exit: false
modern_ebpf:
cpus_for_each_buffer: 1
# missing `buf_size_preset` should be defaulted

8
userspace/falco/app/actions/helpers_inspector.cpp
View File

@@ -116,14 +116,6 @@ falco::app::run_result falco::app::actions::open_live_inspector(falco::app::stat
s.config->m_modern_ebpf.m_cpus_for_each_buffer,
true,
s.selected_sc_set);
} else if(s.is_ebpf()) /* BPF engine. */
{
falco_logger::log(falco_logger::level::INFO,
"Opening '" + source + "' source with BPF probe. BPF probe path: " +
s.config->m_ebpf.m_probe_path);
inspector->open_bpf(s.config->m_ebpf.m_probe_path.c_str(),
s.syscall_buffer_bytes_size,
s.selected_sc_set);
} else /* Kernel module (default). */
{
try {

2
userspace/falco/app/actions/print_kernel_version.cpp
View File

@@ -28,7 +28,7 @@ using namespace falco::app::actions;
falco::app::run_result falco::app::actions::print_kernel_version(const falco::app::state& s) {
#ifdef __linux__
// We print this info only when a kernel driver is injected
bool const is_kernel_driver_injected = s.is_modern_ebpf() || s.is_ebpf() || s.is_kmod();
bool const is_kernel_driver_injected = s.is_modern_ebpf() || s.is_kmod();
if(!is_kernel_driver_injected) {
return run_result::ok();
}

8
userspace/falco/app/state.h
View File

@@ -126,8 +126,6 @@ struct state {
inline bool is_kmod() const { return config->m_engine_mode == engine_kind_t::KMOD; }
inline bool is_ebpf() const { return config->m_engine_mode == engine_kind_t::EBPF; }
inline bool is_modern_ebpf() const {
return config->m_engine_mode == engine_kind_t::MODERN_EBPF;
}
@@ -144,9 +142,6 @@ struct state {
case engine_kind_t::KMOD:
drop_failed = config->m_kmod.m_drop_failed_exit;
break;
case engine_kind_t::EBPF:
drop_failed = config->m_ebpf.m_drop_failed_exit;
break;
case engine_kind_t::MODERN_EBPF:
drop_failed = config->m_modern_ebpf.m_drop_failed_exit;
break;
@@ -163,9 +158,6 @@ struct state {
case engine_kind_t::KMOD:
index = config->m_kmod.m_buf_size_preset;
break;
case engine_kind_t::EBPF:
index = config->m_ebpf.m_buf_size_preset;
break;
case engine_kind_t::MODERN_EBPF:
index = config->m_modern_ebpf.m_buf_size_preset;
break;

22
userspace/falco/config_json_schema.h
View File

@@ -367,9 +367,6 @@ const char config_schema_string[] = LONG_STRING_CONST(
"kmod": {
"$ref": "#/definitions/Kmod"
},
"ebpf": {
"$ref": "#/definitions/Ebpf"
},
"modern_ebpf": {
"$ref": "#/definitions/ModernEbpf"
},
@@ -385,25 +382,6 @@ const char config_schema_string[] = LONG_STRING_CONST(
],
"title": "Engine"
},
"Ebpf": {
"type": "object",
"additionalProperties": false,
"properties": {
"probe": {
"type": "string"
},
"buf_size_preset": {
"type": "integer"
},
"drop_failed_exit": {
"type": "boolean"
}
},
"required": [
"probe"
],
"title": "Ebpf"
},
"Gvisor": {
"type": "object",
"additionalProperties": false,

21
userspace/falco/configuration.cpp
View File

@@ -27,9 +27,6 @@ limitations under the License.
#include <sys/stat.h>
#ifndef _WIN32
#include <unistd.h>
#else
// Used in the ebpf probe path.
#define PATH_MAX 260
#endif
#include "falco_utils.h"
@@ -239,7 +236,6 @@ void falco_configuration::load_engine_config(const std::string &config_name) {
// Set driver mode if not already set.
const std::unordered_map<std::string, engine_kind_t> engine_mode_lut = {
{"kmod", engine_kind_t::KMOD},
{"ebpf", engine_kind_t::EBPF},
{"modern_ebpf", engine_kind_t::MODERN_EBPF},
{"replay", engine_kind_t::REPLAY},
{"gvisor", engine_kind_t::GVISOR},
@@ -254,7 +250,7 @@ void falco_configuration::load_engine_config(const std::string &config_name) {
driver_mode_str + "' is not a valid kind.");
}
if(m_engine_mode == engine_kind_t::EBPF || m_engine_mode == engine_kind_t::GVISOR) {
if(m_engine_mode == engine_kind_t::GVISOR) {
falco_logger::log(falco_logger::level::WARNING,
"Using deprecated engine '" + driver_mode_str +
"'. Please consider switching to another engine.");
@@ -267,21 +263,6 @@ void falco_configuration::load_engine_config(const std::string &config_name) {
m_kmod.m_drop_failed_exit =
m_config.get_scalar<bool>("engine.kmod.drop_failed_exit", DEFAULT_DROP_FAILED_EXIT);
break;
case engine_kind_t::EBPF: {
// default value for `m_probe_path` should be `$HOME/FALCO_PROBE_BPF_FILEPATH`
char full_path[PATH_MAX];
const char *home = std::getenv("HOME");
if(!home) {
throw std::logic_error("Cannot get the env variable 'HOME'");
}
snprintf(full_path, PATH_MAX, "%s/%s", home, FALCO_PROBE_BPF_FILEPATH);
m_ebpf.m_probe_path =
m_config.get_scalar<std::string>("engine.ebpf.probe", std::string(full_path));
m_ebpf.m_buf_size_preset = m_config.get_scalar<int16_t>("engine.ebpf.buf_size_preset",
DEFAULT_BUF_SIZE_PRESET);
m_ebpf.m_drop_failed_exit =
m_config.get_scalar<bool>("engine.ebpf.drop_failed_exit", DEFAULT_DROP_FAILED_EXIT);
} break;
case engine_kind_t::MODERN_EBPF:
m_modern_ebpf.m_cpus_for_each_buffer =
m_config.get_scalar<uint16_t>("engine.modern_ebpf.cpus_for_each_buffer",

9
userspace/falco/configuration.h
View File

@@ -40,7 +40,7 @@ limitations under the License.
// Falco only metric
#define METRICS_V2_JEMALLOC_STATS 1 << 31
enum class engine_kind_t : uint8_t { KMOD, EBPF, MODERN_EBPF, REPLAY, GVISOR, NODRIVER };
enum class engine_kind_t : uint8_t { KMOD, MODERN_EBPF, REPLAY, GVISOR, NODRIVER };
enum class capture_mode_t : uint8_t { RULES, ALL_RULES };
@@ -66,12 +66,6 @@ public:
bool m_drop_failed_exit;
};
struct ebpf_config {
std::string m_probe_path;
int16_t m_buf_size_preset;
bool m_drop_failed_exit;
};
struct modern_ebpf_config {
uint16_t m_cpus_for_each_buffer;
int16_t m_buf_size_preset;
@@ -220,7 +214,6 @@ public:
// Falco engine
engine_kind_t m_engine_mode = engine_kind_t::KMOD;
kmod_config m_kmod = {};
ebpf_config m_ebpf = {};
modern_ebpf_config m_modern_ebpf = {};
replay_config m_replay = {};
gvisor_config m_gvisor = {};

8
userspace/falco/event_drops.cpp
View File

@@ -109,11 +109,9 @@ bool syscall_evt_drop_mgr::process_event(std::shared_ptr<sinsp> inspector, sinsp
if(m_bucket.claim(1, evt->get_ts())) {
m_num_actions++;
return perform_actions(
evt->get_ts(),
delta,
inspector->check_current_engine(BPF_ENGINE) ||
inspector->check_current_engine(MODERN_BPF_ENGINE));
return perform_actions(evt->get_ts(),
delta,
inspector->check_current_engine(MODERN_BPF_ENGINE));
} else {
falco_logger::log(
falco_logger::level::DEBUG,

3
userspace/falco/falco_metrics.cpp
View File

@@ -258,8 +258,7 @@ std::string falco_metrics::sources_to_text_prometheus(
const falco::app::state& state,
libs::metrics::prometheus_metrics_converter& prometheus_metrics_converter,
std::vector<metrics_v2>& additional_wrapper_metrics) {
static const char* all_driver_engines[] = {BPF_ENGINE,
KMOD_ENGINE,
static const char* all_driver_engines[] = {KMOD_ENGINE,
MODERN_BPF_ENGINE,
SOURCE_PLUGIN_ENGINE,
NODRIVER_ENGINE,

6
userspace/falco/stats_writer.cpp
View File

@@ -335,8 +335,7 @@ void stats_writer::collector::get_metrics_output_fields_wrapper(
uint64_t num_evts,
uint64_t now,
double stats_snapshot_time_delta_sec) {
static const char* all_driver_engines[] = {BPF_ENGINE,
KMOD_ENGINE,
static const char* all_driver_engines[] = {KMOD_ENGINE,
MODERN_BPF_ENGINE,
SOURCE_PLUGIN_ENGINE,
NODRIVER_ENGINE,
@@ -620,8 +619,7 @@ void stats_writer::collector::collect(const std::shared_ptr<sinsp>& inspector,
// Note: ENGINE_FLAG_BPF_STATS_ENABLED check has been moved to libs, that is, when
// libbpf stats is not enabled in the kernel settings we won't collect them even if the
// end user enabled the libbpf stats option
if(!(inspector->check_current_engine(BPF_ENGINE) ||
inspector->check_current_engine(MODERN_BPF_ENGINE))) {
if(!inspector->check_current_engine(MODERN_BPF_ENGINE)) {
flags &= ~METRICS_V2_LIBBPF_STATS;
}
// Note: src is static for live captures