From 387499546f39dc42396acfb8796f6255d7baa18f Mon Sep 17 00:00:00 2001
From: Leonardo Di Giovanna
Date: Thu, 5 Feb 2026 12:21:22 +0100
Subject: [PATCH] chore!: drop legacy BPF probe
Falco 0.43.0 deprecated the legacy eBPF probe. Drop it as well as any reference to it.
BREAKING CHANGE: drop legacy eBPF probe
Signed-off-by: Leonardo Di Giovanna
---
 .github/workflows/codeql.yaml | 2 +-
 .github/workflows/reusable_build_dev.yaml | 1 -
 .../workflows/reusable_build_packages.yaml | 5 +---
 .github/workflows/staticanalysis.yaml | 2 +-
 CMakeLists.txt | 9 ------
 README.md | 3 +-
 RELEASE.md | 5 ++--
 brand/README.md | 11 ++------
 cmake/cpack/CMakeCPackOptions.cmake | 5 ----
 .../driver-loader-buster/docker-entrypoint.sh | 7 ++---
 docker/driver-loader/docker-entrypoint.sh | 5 ++--
 falco.yaml | 28 ++++++-------------
 scripts/CMakeLists.txt | 7 -----
 scripts/debian/postinst.in | 20 ++-----------
 scripts/debian/postrm.in | 1 -
 scripts/debian/prerm.in | 1 -
 scripts/rpm/postinstall.in | 20 ++-----------
 scripts/rpm/postuninstall.in | 1 -
 scripts/rpm/preuninstall.in | 2 --
 scripts/systemd/falco-bpf.service | 27 ------------------
 .../systemd/falcoctl-artifact-follow.service | 2 +-
 unit_tests/CMakeLists.txt | 3 +-
 unit_tests/README.md | 2 +-
 .../falco/app/actions/test_load_config.cpp | 9 ------
 .../test_configs/engine_kmod_config.yaml | 4 ---
 .../test_configs/engine_modern_config.yaml | 4 ---
 .../falco/app/actions/helpers_inspector.cpp | 8 ------
 .../app/actions/print_kernel_version.cpp | 2 +-
 userspace/falco/app/state.h | 8 ------
 userspace/falco/config_json_schema.h | 22 ---------------
 userspace/falco/configuration.cpp | 21 +-------------
 userspace/falco/configuration.h | 9 +-----
 userspace/falco/event_drops.cpp | 8 ++----
 userspace/falco/falco_metrics.cpp | 3 +-
 userspace/falco/stats_writer.cpp | 6 ++--
 35 files changed, 41 insertions(+), 232 deletions(-)
 delete mode 100644 scripts/systemd/falco-bpf.service
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 29da3aaf..40093ac1 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -63,7 +63,7 @@ jobs: - name: Prepare project run: | - cmake -B build -S . -DBUILD_BPF=On -DBUILD_FALCO_MODERN_BPF=Off -DUSE_BUNDLED_DEPS=Off -DUSE_BUNDLED_NLOHMANN_JSON=On -DUSE_BUNDLED_CXXOPTS=On -DUSE_BUNDLED_CPPHTTPLIB=On + cmake -B build -S . -DBUILD_FALCO_MODERN_BPF=Off -DUSE_BUNDLED_DEPS=Off -DUSE_BUNDLED_NLOHMANN_JSON=On -DUSE_BUNDLED_CXXOPTS=On -DUSE_BUNDLED_CPPHTTPLIB=On - name: Build run: | diff --git a/.github/workflows/reusable_build_dev.yaml b/.github/workflows/reusable_build_dev.yaml index 8f6540dd..fd43dec0 100644 --- a/.github/workflows/reusable_build_dev.yaml +++ b/.github/workflows/reusable_build_dev.yaml @@ -65,7 +65,6 @@ jobs: -DBUILD_FALCO_UNIT_TESTS=On \ -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \ -DBUILD_FALCO_MODERN_BPF=Off \ - -DBUILD_BPF=${{ inputs.minimal == true && 'OFF' || 'ON' }} \ -DBUILD_DRIVER=${{ inputs.minimal == true && 'OFF' || 'ON' }} \ -DMINIMAL_BUILD=${{ inputs.minimal == true && 'ON' || 'OFF' }} \ -DUSE_ASAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \ diff --git a/.github/workflows/reusable_build_packages.yaml b/.github/workflows/reusable_build_packages.yaml index 674ee79e..42157661 100644 --- a/.github/workflows/reusable_build_packages.yaml +++ b/.github/workflows/reusable_build_packages.yaml @@ -97,7 +97,6 @@ jobs: -DFALCO_ETC_DIR=/etc/falco \ -DMODERN_BPF_SKEL_DIR=/tmp \ -DBUILD_DRIVER=Off \ - -DBUILD_BPF=Off \ -DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \ -DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \ -DFALCO_VERSION=${{ inputs.version }} @@ -170,7 +169,6 @@ jobs: -DFALCO_ETC_DIR=/etc/falco \ -DMODERN_BPF_SKEL_DIR=/tmp \ -DBUILD_DRIVER=Off \ - -DBUILD_BPF=Off \ -DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \ -DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \ -DFALCO_VERSION=${{ inputs.version }} 
@@ -219,7 +217,6 @@ jobs: -DFALCO_ETC_DIR=/etc/falco \ -DMODERN_BPF_SKEL_DIR=/tmp \ -DBUILD_DRIVER=Off \ - -DBUILD_BPF=Off \ -DUSE_JEMALLOC=Off \ -DUSE_MIMALLOC=Off \ -DUSE_ASAN=On \ @@ -265,7 +262,7 @@ jobs: cmake -B build -S . \ -DCMAKE_BUILD_TYPE=Release \ -DCPACK_GENERATOR=TGZ \ - -DBUILD_BPF=Off -DBUILD_DRIVER=Off \ + -DBUILD_DRIVER=Off \ -DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \ -DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \ -DUSE_BUNDLED_DEPS=On \ diff --git a/.github/workflows/staticanalysis.yaml b/.github/workflows/staticanalysis.yaml index 3b85a911..83ad2b06 100644 --- a/.github/workflows/staticanalysis.yaml +++ b/.github/workflows/staticanalysis.yaml @@ -24,7 +24,7 @@ jobs: run: | cmake -B build -S . \ -DCMAKE_BUILD_TYPE="release" \ - -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DBUILD_BPF=Off -DBUILD_DRIVER=Off + -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DBUILD_DRIVER=Off cmake --build build -j4 --target cppcheck cmake --build build -j4 --target cppcheck_htmlreport diff --git a/CMakeLists.txt b/CMakeLists.txt index b6783741..dcf15370 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -64,10 +64,6 @@ elseif(EMSCRIPTEN) OFF CACHE BOOL "" FORCE ) - set(BUILD_BPF - OFF - CACHE BOOL "" FORCE - ) set(CPACK_GENERATOR TGZ CACHE BOOL "" FORCE @@ -133,11 +129,6 @@ set(DRIVER_NAME "falco") set(DRIVER_DEVICE_NAME "falco") set(DRIVERS_REPO "https://download.falco.org/driver") -# If no path is provided, try to search the BPF probe in: `home/.falco/falco-bpf.o` This is the same -# fallback that we had in the libraries: `SCAP_PROBE_BPF_FILEPATH`. -set(FALCO_PROBE_BPF_FILEPATH ".${DRIVER_NAME}/${DRIVER_NAME}-bpf.o") -add_definitions(-DFALCO_PROBE_BPF_FILEPATH="${FALCO_PROBE_BPF_FILEPATH}") - if(NOT DEFINED FALCO_COMPONENT_NAME) set(FALCO_COMPONENT_NAME "${CMAKE_PROJECT_NAME}") endif() diff --git a/README.md b/README.md index 5500ecc9..11d211d8 100644 
--- a/README.md
+++ b/README.md
@@ -75,7 +75,6 @@ Here's an example of a `cmake` command that will enable everything you need for
 cmake \
 -DUSE_BUNDLED_DEPS=ON \
 -DBUILD_LIBSCAP_GVISOR=ON \
--DBUILD_BPF=ON \
 -DBUILD_DRIVER=ON \
 -DBUILD_FALCO_MODERN_BPF=ON \
 -DCREATE_TEST_TARGETS=ON \
@@ -113,7 +112,7 @@ Please refer to the [Contributing](https://github.com/falcosecurity/.github/blob 1. The first lines of code at the base of Falco were written some time ago, where Go didn't yet have the same level of maturity and adoption as today. 2. The Falco execution model is sequential and mono-thread due to the statefulness requirements of the tool, and so most of the concurrency-related selling points of the Go runtime would not be leveraged at all. -3. The Falco code deals with very low-level programming in many places (e.g. some headers are shared with the eBPF probe and the Kernel module), and we all know that interfacing Go with C is possible but brings tons of complexity and tradeoffs to the table. +3. The Falco code deals with very low-level programming in many places, and we all know that interfacing Go with C is possible but brings tons of complexity and tradeoffs to the table. 4. As a security tool meant to consume a crazy high throughput of events per second, Falco needs to squeeze performance in all hot paths at runtime and requires deep control on memory allocation, which the Go runtime can't provide (there's also garbage collection involved). 5. Although Go didn't suit the engineering requirements of the core of Falco, we still thought that it could be a good candidate for writing Falco extensions through the plugin system. This is the main reason we gave special attention and high priority to the development of the plugin-sdk-go. 6. Go is not a requirement for having statically-linked binaries. In fact, we provide fully-static Falco builds since few years. The only issue with those is that the plugin system can't be supported with the current dynamic library model we currently have. diff --git a/RELEASE.md b/RELEASE.md index 892bce2e..841e69fa 100644 --- a/RELEASE.md +++ b/RELEASE.md 
@@ -48,11 +48,10 @@ Alternatively Falco binaries or plugins can be downloaded from the Falco Artifac > Note: This section specifically applies to non-modern BPF drivers. -The Falco Project publishes all drivers for each release for popular kernel versions / distros and `x86_64` and `aarch64` architectures to the Falco project's managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - `$(uname -r)`. Pre-compiled drivers are released with a [best effort](https://github.com/falcosecurity/falco/blob/master/proposals/20200818-artifacts-storage.md#notice) notice. This is because gcc (`kmod`) and clang (`bpf`) compilers sometimes fail to build the artifacts for a specific kernel version. More details around driver versioning and driver compatibility are provided in the [Falco Components Versioning](#falco-components-versioning) section. Short preview: If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with. +The Falco Project publishes all drivers for each release for popular kernel versions / distros and `x86_64` and `aarch64` architectures to the Falco project's managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - `$(uname -r)`. Pre-compiled drivers are released with a [best effort](https://github.com/falcosecurity/falco/blob/master/proposals/20200818-artifacts-storage.md#notice) notice. This is because gcc (`kmod`) sometimes fails to build the artifacts for a specific kernel version. 
More details around driver versioning and driver compatibility are provided in the [Falco Components Versioning](#falco-components-versioning) section. Short preview: If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with. - [Falco Artifacts Repo Drivers Root](https://download.falco.org/?prefix=driver/) - - Option 1: Kernel module (`.ko` files) - all under same driver version directory - - Option 2: eBPF (`.o` files) - all under same driver version directory + - Kernel module (`.ko` files) - all under same driver version directory ### Timeline diff --git a/brand/README.md b/brand/README.md index cfd3f883..f55a6a3b 100644 --- a/brand/README.md +++ b/brand/README.md 
@@ -53,15 +53,10 @@ Notice the capitalization of the following terms. This section contains key terms specifically used within the context of The Falco Project. For a more comprehensive list of Falco-related terminology, we invite you to visit the [Glossary](https://falco.org/docs/reference/glossary/) page on our official website. -#### eBPF Probe - -Used to describe the `.o` object that would be dynamically loaded into the kernel as a secure and stable (e)BPF probe. -This is one option used to pass kernel events up to userspace for Falco to consume. - #### Modern eBPF Probe -More robust [eBPF probe](#ebpf-probe), which brings the CO-RE paradigm, better performances, and maintainability. -Unlike the legacy probe, the modern eBPF probe is not shipped as a separate artifact but bundled into the Falco binary itself. +Robust eBPF probe, which brings the CO-RE paradigm, better performances, and maintainability. +The modern eBPF probe is not shipped as a separate artifact but bundled into the Falco binary itself. This is one option used to pass kernel events up to userspace for Falco to consume. #### Kernel Module @@ -71,7 +66,7 @@ This is one option used to pass kernel events up to userspace for Falco to consu #### Driver -The global term for the software that sends events from the kernel. Such as the [eBPF probe](#ebpf-probe), the [Modern eBPF probe](#modern-ebpf-probe), or the [Kernel Module](#kernel-module). +The global term for the software that sends events from the kernel. Such as the [Modern eBPF probe](#modern-ebpf-probe), or the [Kernel Module](#kernel-module). #### Plugin diff --git a/cmake/cpack/CMakeCPackOptions.cmake b/cmake/cpack/CMakeCPackOptions.cmake index 32274eeb..f5669d8f 100644 --- a/cmake/cpack/CMakeCPackOptions.cmake +++ b/cmake/cpack/CMakeCPackOptions.cmake 
@@ -29,11 +29,6 @@ if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM") CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system" ) - list( - APPEND - CPACK_INSTALL_COMMANDS - "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system" - ) list( APPEND CPACK_INSTALL_COMMANDS diff --git a/docker/driver-loader-buster/docker-entrypoint.sh b/docker/driver-loader-buster/docker-entrypoint.sh index 185e4e1f..01032045 100755 --- a/docker/driver-loader-buster/docker-entrypoint.sh +++ b/docker/driver-loader-buster/docker-entrypoint.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash # SPDX-License-Identifier: Apache-2.0 # -# Copyright (C) 2023 The Falco Authors. +# Copyright (C) 2026 The Falco Authors. # # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -27,7 +27,6 @@ print_usage() { echo " auto leverage automatic driver selection logic (default)" echo " modern_ebpf modern eBPF CORE probe" echo " kmod kernel module" - echo " ebpf eBPF probe" echo "" echo "Options:" echo " --help show this help message" @@ -59,7 +58,7 @@ driver= has_opts= while test $# -gt 0; do case "$1" in - auto|kmod|ebpf|modern_ebpf) + auto|kmod|modern_ebpf) if [ -n "$driver" ]; then >&2 echo "Only one driver per invocation" print_usage @@ -120,7 +119,7 @@ if [ "$driver" != "auto" ]; then /usr/bin/falcoctl driver config --type $driver else # Needed because we need to configure Falco to start with correct driver - /usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf + /usr/bin/falcoctl driver config --type modern_ebpf --type kmod fi /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" 
diff --git a/docker/driver-loader/docker-entrypoint.sh b/docker/driver-loader/docker-entrypoint.sh index 5012b087..c964b47b 100755 --- a/docker/driver-loader/docker-entrypoint.sh +++ b/docker/driver-loader/docker-entrypoint.sh @@ -27,7 +27,6 @@ print_usage() { echo " auto leverage automatic driver selection logic (default)" echo " modern_ebpf modern eBPF CORE probe" echo " kmod kernel module" - echo " ebpf eBPF probe" echo "" echo "Options:" echo " --help show this help message" @@ -64,7 +63,7 @@ extra_args= while test $# -gt 0; do case "$1" in - auto|kmod|ebpf|modern_ebpf) + auto|kmod|modern_ebpf) if [ -n "$driver" ]; then >&2 echo "Only one driver per invocation" print_usage @@ -133,7 +132,7 @@ if [ "$driver" != "auto" ]; then /usr/bin/falcoctl driver config --type $driver else # Needed because we need to configure Falco to start with correct driver - /usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf + /usr/bin/falcoctl driver config --type modern_ebpf --type kmod fi /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" $extra_args diff --git a/falco.yaml b/falco.yaml index 369fa43c..071f6e1e 100644 --- a/falco.yaml +++ b/falco.yaml @@ -282,12 +282,10 @@ rules_files: # # -- Falco supports different engines to generate events. # Choose the appropriate engine kind based on your system's configuration and requirements. -# DEPRECATION NOTICE: the Legacy eBPF probe and the gVisor engine are currently deprecated. Consider using other -# engines. +# DEPRECATION NOTICE: the gVisor engine are currently deprecated. Consider using other engines. # # Available engines: # - `kmod`: Kernel Module -# - `ebpf`: Legacy eBPF probe (deprecated) # - `modern_ebpf`: Modern eBPF (CO-RE eBPF probe) # - `gvisor`: gVisor sandbox (deprecated) # - `replay`: Replay a scap trace file 
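Review bot: The rewritten deprecation notice in the falco.yaml hunk at -282,12 reads "the gVisor engine are currently deprecated"; with only one engine left in the sentence the verb should be singular, `# DEPRECATION NOTICE: the gVisor engine is currently deprecated. Consider using other engines.`. Operators read this comment block when choosing `engine.kind`, so the wording is worth getting exact.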
@@ -359,15 +357,14 @@ rules_files: # ################### `cpus_for_each_buffer` (modern_ebpf only) # -# The modern_ebpf driver in Falco utilizes the new BPF ring buffer, which has a -# different memory footprint compared to the current BPF driver that uses the -# perf buffer. The Falco core maintainers have discussed the differences and -# their implications, particularly in Kubernetes environments where limits need -# to be carefully set to avoid interference with the Falco daemonset deployment -# from the OOM killer. Based on guidance received from the kernel mailing list, -# it is recommended to assign multiple CPUs to one buffer instead of allocating -# a buffer for each CPU individually. This helps optimize resource allocation -# and prevent potential issues related to memory usage. +# The modern_ebpf driver in Falco utilizes the new BPF ring buffer. The Falco +# core maintainers have discussed the differences and their implications, +# particularly in Kubernetes environments where limits need to be carefully set +# to avoid interference with the Falco daemonset deployment from the OOM +# killer. Based on guidance received from the kernel mailing list, it is +# recommended to assign multiple CPUs to one buffer instead of allocating a +# buffer for each CPU individually. This helps optimize resource allocation and +# prevent potential issues related to memory usage. # # This is an index that controls how many CPUs you want to assign to a single # syscall buffer (ring buffer). By default, for modern_ebpf every syscall buffer @@ -440,13 +437,6 @@ engine: kmod: buf_size_preset: 4 drop_failed_exit: false - # -- Engine-specific configuration for Legacy eBPF (ebpf) engine. DEPRECATION NOTICE: the Legacy eBPF engine is - # deprecated. - ebpf: - # -- Path to the elf file to load. - probe: ${HOME}/.falco/falco-bpf.o - buf_size_preset: 4 - drop_failed_exit: false # -- Engine-specific configuration for Modern eBPF (modern_ebpf) engine. modern_ebpf: cpus_for_each_buffer: 2 
diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
index 109cbae8..5c12f05c 100644
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -24,10 +24,6 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
 "${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY
 )
- configure_file(
- "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-bpf.service"
- "${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY
- )
 configure_file(
 "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-modern-bpf.service"
 "${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY
@@ -68,9 +64,6 @@ if(NOT WIN32
 if(BUILD_DRIVER)
 list(APPEND FALCOCTL_DRIVER_TYPES_LIST "kmod")
 endif()
- if(BUILD_BPF)
- list(APPEND FALCOCTL_DRIVER_TYPES_LIST "ebpf")
- endif()
 string(REPLACE ";" ", " FALCOCTL_DRIVER_TYPES "${FALCOCTL_DRIVER_TYPES_LIST}")
 configure_file(
 ${CMAKE_CURRENT_SOURCE_DIR}/falcoctl/falcoctl.yaml.in
diff --git a/scripts/debian/postinst.in b/scripts/debian/postinst.in
index 0dd69bd8..2675b9d2 100755
--- a/scripts/debian/postinst.in
+++ b/scripts/debian/postinst.in
@@ -25,12 +25,10 @@ CHOICE=
 # Every time we call this script we want to stat from a clean state.
 echo "[POST-INSTALL] Disable all possible 'falco' services:"
 systemctl --system stop 'falco-kmod.service' || true
-systemctl --system stop 'falco-bpf.service' || true
 systemctl --system stop 'falco-modern-bpf.service' || true
 systemctl --system stop 'falco-custom.service' || true
 systemctl --system stop 'falcoctl-artifact-follow.service' || true
 systemctl --system disable 'falco-kmod.service' || true
-systemctl --system disable 'falco-bpf.service' || true
 systemctl --system disable 'falco-modern-bpf.service' || true
 systemctl --system disable 'falco-custom.service' || true
 systemctl --system disable 'falcoctl-artifact-follow.service' || true
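Review bot: Dropping `falco-bpf.service` from the stop/disable block in scripts/debian/postinst.in (hunk at -25,12) means an upgrade from a package that had that unit enabled no longer clears its enablement links, and the deleted unit declared `Alias=falco.service`. If a stale alias link survives the upgrade, enabling the newly selected unit could fail or leave the host without a running Falco service; this is inferred from the script's own "clean state" comment and the deleted unit file, not verified against systemd behaviour. Consider keeping `systemctl --system stop 'falco-bpf.service' || true` and `systemctl --system disable 'falco-bpf.service' || true` for at least one release, with a comment saying they exist only to clean up after upgrades from packages that shipped the legacy unit. The matching hunk at -24,12 in scripts/rpm/postinstall.in has the same gap.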
@@ -47,11 +45,8 @@ if [ "$1" = "configure" ]; then
 kmod)
 CHOICE=3
 ;;
- ebpf)
- CHOICE=4
- ;;
 modern_ebpf)
- CHOICE=5
+ CHOICE=4
 ;;
 esac
 if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
@@ -60,8 +55,7 @@ if [ "$1" = "configure" ]; then
 1 "Manual configuration (no unit is started)" \
 2 "Automatic selection" \
 3 "Kmod" \
- 4 "eBPF (deprecated)" \
- 5 "Modern eBPF" \
+ 4 "Modern eBPF" \
 2>&1 >/dev/tty)
 fi
 # "auto" case is not managed here since it is already the default, so no CHOICE=2
@@ -73,9 +67,6 @@ if [ "$1" = "configure" ]; then
 chosen_driver="kmod"
 ;;
 4)
- chosen_driver="ebpf"
- ;;
- 5)
 chosen_driver="modern_ebpf"
 ;;
 esac
@@ -83,7 +74,7 @@ if [ "$1" = "configure" ]; then
 echo "[POST-INSTALL] Configure falcoctl '$chosen_driver' driver type:"
 if [ "$chosen_driver" = "auto" ]; then
 # Configure falcoctl to enable all drivers
- falcoctl driver config --type "modern_ebpf" --type "kmod" --type "ebpf"
+ falcoctl driver config --type "modern_ebpf" --type "kmod"
 # Load the actually automatic chosen driver
 chosen_driver=$(falcoctl driver printenv | grep DRIVER= | cut -d'"' -f2)
 else
@@ -124,11 +115,6 @@ case "$chosen_driver" in
 falcoctl driver install --download=false
 chosen_unit="kmod"
 ;;
- "ebpf")
- echo "[POST-INSTALL] Call 'falcoctl driver install for ebpf':"
- falcoctl driver install
- chosen_unit="bpf"
- ;;
 "modern_ebpf")
 chosen_unit="modern-bpf"
 ;;
diff --git a/scripts/debian/postrm.in b/scripts/debian/postrm.in
index ede751a1..1cccd327 100755
--- a/scripts/debian/postrm.in
+++ b/scripts/debian/postrm.in
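Review bot: With the `ebpf)` branch removed from the `case` in the hunk at -47,11, a preseeded driver choice of `ebpf` now matches nothing and leaves `CHOICE` empty, so the script moves on to the dialog or the default path without telling the operator that the requested driver no longer exists. The variable the `case` switches on is outside the hunk, so this assumes it is the operator-supplied driver selection. A retained branch that only reports the removal would make unattended upgrades auditable, for example `ebpf) echo "[POST-INSTALL] The legacy 'ebpf' driver has been removed; using automatic selection" ;;`. The hunk at -46,11 in scripts/rpm/postinstall.in has the same silent fall-through.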
@@ -25,7 +25,6 @@ set -e
 if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
 echo "[POST-REMOVE] Disable all Falco services:"
 systemctl --system disable 'falco-kmod.service' || true
- systemctl --system disable 'falco-bpf.service' || true
 systemctl --system disable 'falco-modern-bpf.service' || true
 systemctl --system disable 'falco-custom.service' || true
 systemctl --system disable 'falcoctl-artifact-follow.service' || true
diff --git a/scripts/debian/prerm.in b/scripts/debian/prerm.in
index 7eca20c7..b55d4b9d 100755
--- a/scripts/debian/prerm.in
+++ b/scripts/debian/prerm.in
@@ -26,7 +26,6 @@ case "$1" in
 remove|upgrade|deconfigure)
 echo "[PRE-REMOVE] Stop all Falco services:"
 systemctl --system stop 'falco-kmod.service' || true
- systemctl --system stop 'falco-bpf.service' || true
 systemctl --system stop 'falco-modern-bpf.service' || true
 systemctl --system stop 'falco-custom.service' || true
 systemctl --system stop 'falcoctl-artifact-follow.service' || true
diff --git a/scripts/rpm/postinstall.in b/scripts/rpm/postinstall.in
index c8b08eeb..039f90d6 100755
--- a/scripts/rpm/postinstall.in
+++ b/scripts/rpm/postinstall.in
@@ -24,12 +24,10 @@ CHOICE=
 # Every time we call this script we want to stat from a clean state.
 echo "[POST-INSTALL] Disable all possible enabled 'falco' service:"
 systemctl --system stop 'falco-kmod.service' || true
-systemctl --system stop 'falco-bpf.service' || true
 systemctl --system stop 'falco-modern-bpf.service' || true
 systemctl --system stop 'falco-custom.service' || true
 systemctl --system stop 'falcoctl-artifact-follow.service' || true
 systemctl --system disable 'falco-kmod.service' || true
-systemctl --system disable 'falco-bpf.service' || true
 systemctl --system disable 'falco-modern-bpf.service' || true
 systemctl --system disable 'falco-custom.service' || true
 systemctl --system disable 'falcoctl-artifact-follow.service' || true
@@ -46,11 +44,8 @@ if [ $1 -ge 1 ]; then
 kmod)
 CHOICE=3
 ;;
- ebpf)
- CHOICE=4
- ;;
 modern_ebpf)
- CHOICE=5
+ CHOICE=4
 ;;
 esac
 if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
@@ -59,8 +54,7 @@ if [ $1 -ge 1 ]; then
 1 "Manual configuration (no unit is started)" \
 2 "Automatic selection" \
 3 "Kmod" \
- 4 "eBPF (deprecated)" \
- 5 "Modern eBPF" \
+ 4 "Modern eBPF" \
 2>&1 >/dev/tty)
 fi
 # "auto" case is not managed here since it is already the default, so no CHOICE=2
@@ -72,9 +66,6 @@ if [ $1 -ge 1 ]; then
 chosen_driver="kmod"
 ;;
 4)
- chosen_driver="ebpf"
- ;;
- 5)
 chosen_driver="modern_ebpf"
 ;;
 esac
@@ -82,7 +73,7 @@ if [ $1 -ge 1 ]; then
 echo "[POST-INSTALL] Configure falcoctl '$chosen_driver' driver type:"
 if [ "$chosen_driver" = "auto" ]; then
 # Configure falcoctl to enable all drivers
- falcoctl driver config --type "modern_ebpf" --type "kmod" --type "ebpf"
+ falcoctl driver config --type "modern_ebpf" --type "kmod"
 # Load the actually automatic chosen driver
 chosen_driver=$(falcoctl driver printenv | grep DRIVER= | cut -d'"' -f2)
 else
@@ -123,11 +114,6 @@ case "$chosen_driver" in
 falcoctl driver install --download=false
 chosen_unit="kmod"
 ;;
- "ebpf")
- echo "[POST-INSTALL] Call 'falcoctl driver install for ebpf':"
- falcoctl driver install
- chosen_unit="bpf"
- ;;
 "modern_ebpf")
 chosen_unit="modern-bpf"
 ;;
diff --git a/scripts/rpm/postuninstall.in b/scripts/rpm/postuninstall.in
index 5bda6553..25c76c5b 100755
--- a/scripts/rpm/postuninstall.in
+++ b/scripts/rpm/postuninstall.in
@@ -21,7 +21,6 @@ set -e
 if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
 echo "[POST-REMOVE] Disable all Falco services:"
 systemctl --system disable 'falco-kmod.service'|| true
- systemctl --system disable 'falco-bpf.service' || true
 systemctl --system disable 'falco-modern-bpf.service' || true
 systemctl --system disable 'falco-custom.service' || true
 systemctl --system disable 'falcoctl-artifact-follow.service' || true
diff --git a/scripts/rpm/preuninstall.in b/scripts/rpm/preuninstall.in
index 3579bc87..04feb139 100755
--- a/scripts/rpm/preuninstall.in
+++ b/scripts/rpm/preuninstall.in
@@ -20,7 +20,6 @@ set -e
 # Currently running falco service uses the driver, so stop it before driver cleanup
 echo "[PRE-REMOVE] Stop all Falco services:"
 systemctl --system stop 'falco-kmod.service' || true
-systemctl --system stop 'falco-bpf.service' || true
 systemctl --system stop 'falco-modern-bpf.service' || true
 systemctl --system stop 'falco-custom.service' || true
 systemctl --system stop 'falcoctl-artifact-follow.service' || true
@@ -36,7 +35,6 @@ falcoctl driver cleanup
 # if preuninstall:
 # `systemd-update-helper remove-system-units `
 %systemd_preun 'falco-kmod.service'
-%systemd_preun 'falco-bpf.service'
 %systemd_preun 'falco-modern-bpf.service'
 %systemd_preun 'falco-custom.service'
 %systemd_preun 'falcoctl-artifact-follow.service'
diff --git a/scripts/systemd/falco-bpf.service b/scripts/systemd/falco-bpf.service
deleted file mode 100644
index 98403e10..00000000
--- a/scripts/systemd/falco-bpf.service
+++ /dev/null
@@ -1,27 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security with ebpf
-Documentation=https://falco.org/docs/
-Before=falcoctl-artifact-follow.service
-Wants=falcoctl-artifact-follow.service
-
-[Service]
-Type=simple
-User=root
-ExecStart=/usr/bin/falco -o engine.kind=ebpf
-ExecReload=kill -1 $MAINPID
-UMask=0077
-TimeoutSec=30
-RestartSec=15s
-Restart=on-failure
-PrivateTmp=true
-NoNewPrivileges=yes
-ProtectHome=read-only
-ProtectSystem=full
-ProtectKernelTunables=true
-RestrictRealtime=true
-RestrictAddressFamilies=~AF_PACKET
-StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target
-Alias=falco.service
\ No newline at end of file
diff --git a/scripts/systemd/falcoctl-artifact-follow.service b/scripts/systemd/falcoctl-artifact-follow.service
index 70981a19..a08e5bdc 100644
--- a/scripts/systemd/falcoctl-artifact-follow.service
+++ b/scripts/systemd/falcoctl-artifact-follow.service @@ -1,7 +1,7 @@ [Unit] Description=Falcoctl Artifact Follow: automatic artifacts update service Documentation=https://falco.org/docs/ -PartOf=falco-bpf.service falco-kmod.service falco-modern-bpf.service falco-custom.service +PartOf=falco-kmod.service falco-modern-bpf.service falco-custom.service [Service] Type=simple diff --git a/unit_tests/CMakeLists.txt b/unit_tests/CMakeLists.txt index b9411801..14e59c60 100644 --- a/unit_tests/CMakeLists.txt +++ b/unit_tests/CMakeLists.txt @@ -25,8 +25,7 @@ FetchContent_Declare( FetchContent_MakeAvailable(googletest) -# Create a libscap_test_var.h file with some variables used by our tests for example the kmod path -# or the bpf path. +# Create a libscap_test_var.h file with some variables used by our tests (e.g: the kmod path). configure_file( ${CMAKE_CURRENT_SOURCE_DIR}/falco_test_var.h.in ${CMAKE_CURRENT_BINARY_DIR}/falco_test_var.h ) diff --git a/unit_tests/README.md b/unit_tests/README.md index 93373d70..8fd28cba 100644 --- a/unit_tests/README.md +++ b/unit_tests/README.md @@ -7,7 +7,7 @@ Under `unit_tests/engine` and `unit_tests/falco` directories, we have different ## Build and Run ```bash -cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DBUILD_FALCO_UNIT_TESTS=On .. +cmake -DMINIMAL_BUILD=On -DBUILD_DRIVER=Off -DBUILD_FALCO_UNIT_TESTS=On .. make falco_unit_tests sudo ./unit_tests/falco_unit_tests ``` diff --git a/unit_tests/falco/app/actions/test_load_config.cpp b/unit_tests/falco/app/actions/test_load_config.cpp index fecfac7f..7cb7ad3e 100644 --- a/unit_tests/falco/app/actions/test_load_config.cpp +++ b/unit_tests/falco/app/actions/test_load_config.cpp 
@@ -31,11 +31,6 @@ TEST(ActionLoadConfig, check_kmod_engine_config) { EXPECT_EQ(s.config->m_kmod.m_buf_size_preset, 2); EXPECT_FALSE(s.config->m_kmod.m_drop_failed_exit); - // Check that all other engine params are empty - EXPECT_TRUE(s.config->m_ebpf.m_probe_path.empty()); - EXPECT_EQ(s.config->m_ebpf.m_buf_size_preset, 0); - EXPECT_FALSE(s.config->m_ebpf.m_drop_failed_exit); - EXPECT_EQ(s.config->m_modern_ebpf.m_cpus_for_each_buffer, 0); EXPECT_EQ(s.config->m_modern_ebpf.m_buf_size_preset, 0); EXPECT_FALSE(s.config->m_modern_ebpf.m_drop_failed_exit); @@ -63,10 +58,6 @@ TEST(ActionLoadConfig, check_modern_engine_config) { EXPECT_EQ(s.config->m_kmod.m_buf_size_preset, 0); EXPECT_FALSE(s.config->m_kmod.m_drop_failed_exit); - EXPECT_TRUE(s.config->m_ebpf.m_probe_path.empty()); - EXPECT_EQ(s.config->m_ebpf.m_buf_size_preset, 0); - EXPECT_FALSE(s.config->m_ebpf.m_drop_failed_exit); - EXPECT_TRUE(s.config->m_replay.m_capture_file.empty()); EXPECT_TRUE(s.config->m_gvisor.m_config.empty()); diff --git a/unit_tests/falco/test_configs/engine_kmod_config.yaml b/unit_tests/falco/test_configs/engine_kmod_config.yaml index aa0e1f9d..77ad9430 100644 --- a/unit_tests/falco/test_configs/engine_kmod_config.yaml +++ b/unit_tests/falco/test_configs/engine_kmod_config.yaml @@ -25,10 +25,6 @@ engine: kmod: buf_size_preset: 2 drop_failed_exit: false - ebpf: - probe: /path/to/probe.o - buf_size_preset: 7 - drop_failed_exit: true modern_ebpf: cpus_for_each_buffer: 2 buf_size_preset: 4 diff --git a/unit_tests/falco/test_configs/engine_modern_config.yaml b/unit_tests/falco/test_configs/engine_modern_config.yaml index 0b8a8f04..4ea2f4f0 100644 --- a/unit_tests/falco/test_configs/engine_modern_config.yaml +++ b/unit_tests/falco/test_configs/engine_modern_config.yaml 
@@ -25,10 +25,6 @@ engine:
 kmod:
 buf_size_preset: 1
 drop_failed_exit: true
- ebpf:
- probe: /path/to/probe.o
- buf_size_preset: 4
- drop_failed_exit: false
 modern_ebpf:
 cpus_for_each_buffer: 1
 # missing `buf_size_preset` should be defaulted
diff --git a/userspace/falco/app/actions/helpers_inspector.cpp b/userspace/falco/app/actions/helpers_inspector.cpp
index 54a78605..1661f462 100644
--- a/userspace/falco/app/actions/helpers_inspector.cpp
+++ b/userspace/falco/app/actions/helpers_inspector.cpp
@@ -116,14 +116,6 @@ falco::app::run_result falco::app::actions::open_live_inspector(falco::app::stat
 s.config->m_modern_ebpf.m_cpus_for_each_buffer,
 true,
 s.selected_sc_set);
- } else if(s.is_ebpf()) /* BPF engine. */
- {
- falco_logger::log(falco_logger::level::INFO,
- "Opening '" + source + "' source with BPF probe. BPF probe path: " +
- s.config->m_ebpf.m_probe_path);
- inspector->open_bpf(s.config->m_ebpf.m_probe_path.c_str(),
- s.syscall_buffer_bytes_size,
- s.selected_sc_set);
 } else /* Kernel module (default). */
 {
 try {
diff --git a/userspace/falco/app/actions/print_kernel_version.cpp b/userspace/falco/app/actions/print_kernel_version.cpp
index 1705a527..d65e3579 100644
--- a/userspace/falco/app/actions/print_kernel_version.cpp
+++ b/userspace/falco/app/actions/print_kernel_version.cpp
@@ -28,7 +28,7 @@ using namespace falco::app::actions;
 falco::app::run_result falco::app::actions::print_kernel_version(const falco::app::state& s) {
 #ifdef __linux__
 // We print this info only when a kernel driver is injected
- bool const is_kernel_driver_injected = s.is_modern_ebpf() || s.is_ebpf() || s.is_kmod();
+ bool const is_kernel_driver_injected = s.is_modern_ebpf() || s.is_kmod();
 if(!is_kernel_driver_injected) {
 return run_result::ok();
 }
diff --git a/userspace/falco/app/state.h b/userspace/falco/app/state.h
index 1b1338bb..1b01bec9 100644
--- a/userspace/falco/app/state.h
@@ -126,8 +126,6 @@ struct state { inline bool is_kmod() const { return config->m_engine_mode == engine_kind_t::KMOD; } - inline bool is_ebpf() const { return config->m_engine_mode == engine_kind_t::EBPF; } - inline bool is_modern_ebpf() const { return config->m_engine_mode == engine_kind_t::MODERN_EBPF; } @@ -144,9 +142,6 @@ struct state { case engine_kind_t::KMOD: drop_failed = config->m_kmod.m_drop_failed_exit; break; - case engine_kind_t::EBPF: - drop_failed = config->m_ebpf.m_drop_failed_exit; - break; case engine_kind_t::MODERN_EBPF: drop_failed = config->m_modern_ebpf.m_drop_failed_exit; break; @@ -163,9 +158,6 @@ struct state { case engine_kind_t::KMOD: index = config->m_kmod.m_buf_size_preset; break; - case engine_kind_t::EBPF: - index = config->m_ebpf.m_buf_size_preset; - break; case engine_kind_t::MODERN_EBPF: index = config->m_modern_ebpf.m_buf_size_preset; break; diff --git a/userspace/falco/config_json_schema.h b/userspace/falco/config_json_schema.h index 882b9222..946d6f5d 100644 --- a/userspace/falco/config_json_schema.h +++ b/userspace/falco/config_json_schema.h @@ -367,9 +367,6 @@ const char config_schema_string[] = LONG_STRING_CONST( "kmod": { "$ref": "#/definitions/Kmod" }, - "ebpf": { - "$ref": "#/definitions/Ebpf" - }, "modern_ebpf": { "$ref": "#/definitions/ModernEbpf" }, @@ -385,25 +382,6 @@ const char config_schema_string[] = LONG_STRING_CONST( ], "title": "Engine" }, - "Ebpf": { - "type": "object", - "additionalProperties": false, - "properties": { - "probe": { - "type": "string" - }, - "buf_size_preset": { - "type": "integer" - }, - "drop_failed_exit": { - "type": "boolean" - } - }, - "required": [ - "probe" - ], - "title": "Ebpf" - }, "Gvisor": { "type": "object", "additionalProperties": false, diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp index 02b7a6b6..21a6b7a7 100644 --- a/userspace/falco/configuration.cpp +++ b/userspace/falco/configuration.cpp 
@@ -27,9 +27,6 @@ limitations under the License. #include #ifndef _WIN32 #include -#else -// Used in the ebpf probe path. -#define PATH_MAX 260 #endif #include "falco_utils.h" @@ -239,7 +236,6 @@ void falco_configuration::load_engine_config(const std::string &config_name) { // Set driver mode if not already set. const std::unordered_map engine_mode_lut = { {"kmod", engine_kind_t::KMOD}, - {"ebpf", engine_kind_t::EBPF}, {"modern_ebpf", engine_kind_t::MODERN_EBPF}, {"replay", engine_kind_t::REPLAY}, {"gvisor", engine_kind_t::GVISOR}, @@ -254,7 +250,7 @@ void falco_configuration::load_engine_config(const std::string &config_name) { driver_mode_str + "' is not a valid kind."); } - if(m_engine_mode == engine_kind_t::EBPF || m_engine_mode == engine_kind_t::GVISOR) { + if(m_engine_mode == engine_kind_t::GVISOR) { falco_logger::log(falco_logger::level::WARNING, "Using deprecated engine '" + driver_mode_str + "'. Please consider switching to another engine."); @@ -267,21 +263,6 @@ void falco_configuration::load_engine_config(const std::string &config_name) { m_kmod.m_drop_failed_exit = m_config.get_scalar("engine.kmod.drop_failed_exit", DEFAULT_DROP_FAILED_EXIT); break; - case engine_kind_t::EBPF: { - // default value for `m_probe_path` should be `$HOME/FALCO_PROBE_BPF_FILEPATH` - char full_path[PATH_MAX]; - const char *home = std::getenv("HOME"); - if(!home) { - throw std::logic_error("Cannot get the env variable 'HOME'"); - } - snprintf(full_path, PATH_MAX, "%s/%s", home, FALCO_PROBE_BPF_FILEPATH); - m_ebpf.m_probe_path = - m_config.get_scalar("engine.ebpf.probe", std::string(full_path)); - m_ebpf.m_buf_size_preset = m_config.get_scalar("engine.ebpf.buf_size_preset", - DEFAULT_BUF_SIZE_PRESET); - m_ebpf.m_drop_failed_exit = - m_config.get_scalar("engine.ebpf.drop_failed_exit", DEFAULT_DROP_FAILED_EXIT); - } break; case engine_kind_t::MODERN_EBPF: m_modern_ebpf.m_cpus_for_each_buffer = m_config.get_scalar("engine.modern_ebpf.cpus_for_each_buffer", 
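Review bot: A configuration that still says `engine.kind: ebpf` now falls into the generic "is not a valid kind" error visible in the context of the `@@ -254,7 +250,7` hunk, because the preceding hunk drops `ebpf` from `engine_mode_lut`. For a runtime detection sensor this appears to mean the process fails at config load after an upgrade, and the host stays unmonitored until someone works out why, so the message should name the removal and the replacement. A dedicated branch ahead of the generic error would do it, for example `if(driver_mode_str == "ebpf") { throw std::logic_error("engine.kind 'ebpf' (legacy eBPF probe) has been removed; use 'modern_ebpf' or 'kmod'."); }`; the existing throw starts above the hunk, so match whatever exception type it uses. A unit test that loads a config with `kind: ebpf` and expects this failure would pin the behaviour, since this commit only removes the old assertions.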
diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h index 10238ccd..f4839ff7 100644 --- a/userspace/falco/configuration.h +++ b/userspace/falco/configuration.h @@ -40,7 +40,7 @@ limitations under the License. // Falco only metric #define METRICS_V2_JEMALLOC_STATS 1 << 31 -enum class engine_kind_t : uint8_t { KMOD, EBPF, MODERN_EBPF, REPLAY, GVISOR, NODRIVER }; +enum class engine_kind_t : uint8_t { KMOD, MODERN_EBPF, REPLAY, GVISOR, NODRIVER }; enum class capture_mode_t : uint8_t { RULES, ALL_RULES }; @@ -66,12 +66,6 @@ public: bool m_drop_failed_exit; }; - struct ebpf_config { - std::string m_probe_path; - int16_t m_buf_size_preset; - bool m_drop_failed_exit; - }; - struct modern_ebpf_config { uint16_t m_cpus_for_each_buffer; int16_t m_buf_size_preset; @@ -220,7 +214,6 @@ public: // Falco engine engine_kind_t m_engine_mode = engine_kind_t::KMOD; kmod_config m_kmod = {}; - ebpf_config m_ebpf = {}; modern_ebpf_config m_modern_ebpf = {}; replay_config m_replay = {}; gvisor_config m_gvisor = {}; diff --git a/userspace/falco/event_drops.cpp b/userspace/falco/event_drops.cpp index 65408700..04d11e11 100644 --- a/userspace/falco/event_drops.cpp +++ b/userspace/falco/event_drops.cpp @@ -109,11 +109,9 @@ bool syscall_evt_drop_mgr::process_event(std::shared_ptr inspector, sinsp if(m_bucket.claim(1, evt->get_ts())) { m_num_actions++; - return perform_actions( - evt->get_ts(), - delta, - inspector->check_current_engine(BPF_ENGINE) || - inspector->check_current_engine(MODERN_BPF_ENGINE)); + return perform_actions(evt->get_ts(), + delta, + inspector->check_current_engine(MODERN_BPF_ENGINE)); } else { falco_logger::log( falco_logger::level::DEBUG, diff --git a/userspace/falco/falco_metrics.cpp b/userspace/falco/falco_metrics.cpp index 926fc07a..e73f2d27 100644 --- a/userspace/falco/falco_metrics.cpp +++ b/userspace/falco/falco_metrics.cpp 
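Review bot: Dropping `EBPF` from `engine_kind_t` in the `@@ -40,7 +40,7` hunk renumbers every enumerator after `KMOD`, so `MODERN_EBPF` moves from 2 to 1 and `NODRIVER` from 5 to 4. Nothing visible in this patch exports the underlying `uint8_t`, but if any log field, metric or persisted state carries it, consumers would silently read a different engine after the upgrade. A comment on the enum would settle this for future removals, e.g. `// Underlying values are internal only; never log, export or persist them.`, or give the enumerators explicit values if they are exposed anywhere.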
@@ -258,8 +258,7 @@ std::string falco_metrics::sources_to_text_prometheus( const falco::app::state& state, libs::metrics::prometheus_metrics_converter& prometheus_metrics_converter, std::vector& additional_wrapper_metrics) { - static const char* all_driver_engines[] = {BPF_ENGINE, - KMOD_ENGINE, + static const char* all_driver_engines[] = {KMOD_ENGINE, MODERN_BPF_ENGINE, SOURCE_PLUGIN_ENGINE, NODRIVER_ENGINE, diff --git a/userspace/falco/stats_writer.cpp b/userspace/falco/stats_writer.cpp index 7edf1e06..452712df 100644 --- a/userspace/falco/stats_writer.cpp +++ b/userspace/falco/stats_writer.cpp @@ -335,8 +335,7 @@ void stats_writer::collector::get_metrics_output_fields_wrapper( uint64_t num_evts, uint64_t now, double stats_snapshot_time_delta_sec) { - static const char* all_driver_engines[] = {BPF_ENGINE, - KMOD_ENGINE, + static const char* all_driver_engines[] = {KMOD_ENGINE, MODERN_BPF_ENGINE, SOURCE_PLUGIN_ENGINE, NODRIVER_ENGINE, @@ -620,8 +619,7 @@ void stats_writer::collector::collect(const std::shared_ptr& inspector, // Note: ENGINE_FLAG_BPF_STATS_ENABLED check has been moved to libs, that is, when // libbpf stats is not enabled in the kernel settings we won't collect them even if the // end user enabled the libbpf stats option - if(!(inspector->check_current_engine(BPF_ENGINE) || - inspector->check_current_engine(MODERN_BPF_ENGINE))) { + if(!inspector->check_current_engine(MODERN_BPF_ENGINE)) { flags &= ~METRICS_V2_LIBBPF_STATS; } // Note: src is static for live captures
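Review bot: The `all_driver_engines` list is edited identically in `falco_metrics::sources_to_text_prometheus` and in `stats_writer::collector::get_metrics_output_fields_wrapper` (the `@@ -335,8 +335,7` hunk), so the two copies have to be kept in step by hand. If they drift, one output path could stop reporting the active engine while the other still does, which is an easy monitoring blind spot to miss; this is inferred, since the loops that consume the arrays are outside these hunks. Consider a single shared definition in a common header that both functions use, with a comment such as `// Single source of truth for engines reported by Prometheus and stats output.`. Both function bodies and the tail of each initializer list continue outside the hunks.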