diff --git a/cmake/cpack/CMakeCPackOptions.cmake b/cmake/cpack/CMakeCPackOptions.cmake
index 5d50761d..0a9201e1 100644
--- a/cmake/cpack/CMakeCPackOptions.cmake
+++ b/cmake/cpack/CMakeCPackOptions.cmake
@@ -4,8 +4,8 @@ if(CPACK_GENERATOR MATCHES "DEB")
 endif()
 
 if(CPACK_GENERATOR MATCHES "RPM")
- list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d/")
- list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d")
+ list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 
 if(CPACK_GENERATOR MATCHES "TGZ")
diff --git a/cmake/modules/CPackConfig.cmake b/cmake/modules/CPackConfig.cmake
index 9cacedeb..32ad1ca0 100644
--- a/cmake/modules/CPackConfig.cmake
+++ b/cmake/modules/CPackConfig.cmake
@@ -46,8 +46,9 @@ set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
 )
 
 set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
+set(CPACK_RPM_PACKAGE_ARCHITECTURE, "amd64")
 set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses")
+set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses, systemd")
 set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
 set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
 set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
@@ -59,9 +60,7 @@ set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
 /etc
 /usr
 /usr/bin
- /usr/share
- /etc/rc.d
- /etc/rc.d/init.d)
+ /usr/share)
 set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")
 
 include(CPack)
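Review bot: The unit is copied under `/usr/lib/systemd/system`, but nothing adds that directory chain to `CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION`; the second hunk of cmake/modules/CPackConfig.cmake only drops the `/etc/rc.d` entries that served the old init script. Setting that variable replaces CPack's built-in exclusion list (which does cover `/usr/lib`), so unless `/usr/lib`, `/usr/lib/systemd` and `/usr/lib/systemd/system` appear in the part of the list outside the hunk, I expect the generated %files section to claim those system directories and the package to co-own them with the filesystem and systemd packages — `rpm -qlp` on the built package will show it. Suggested entries in place of the removed ones: `/usr/lib`, `/usr/lib/systemd`, `/usr/lib/systemd/system`.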
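Review bot: `set(CPACK_RPM_PACKAGE_ARCHITECTURE, "amd64")` has a stray comma, so it defines a variable literally named `CPACK_RPM_PACKAGE_ARCHITECTURE,` and leaves the real one unset; the line is a no-op as written. Even without the comma the value is wrong for RPM, where the architecture is spelled `x86_64` (`amd64` is the Debian name), and a hard-coded architecture would mislabel packages built on other hosts. Either drop the line — the CPack RPM generator defaults to the build machine's `uname -m` — or write `set(CPACK_RPM_PACKAGE_ARCHITECTURE "x86_64")` and keep it explicitly x86_64-only.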
diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
index 1b5ff731..7367282a 100644
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -26,7 +26,7 @@ configure_file(rpm/postinstall.in rpm/postinstall)
 configure_file(rpm/postuninstall.in rpm/postuninstall)
 configure_file(rpm/preuninstall.in rpm/preuninstall)
 
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco"
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
 DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
 
 configure_file(falco-driver-loader falco-driver-loader @ONLY)
diff --git a/scripts/rpm/falco b/scripts/rpm/falco
deleted file mode 100755
index 05bbc5fe..00000000
--- a/scripts/rpm/falco
+++ /dev/null
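Review bot: `file(COPY ...)` runs once at configure time and, as far as I know, does not register its source as a configure dependency, so edits to scripts/rpm/falco.service after the first configure will not reach the build tree — or the package — until someone re-runs cmake. The surrounding `configure_file` calls get that tracking for free, so the copy would be more consistent and safer as `configure_file(rpm/falco.service rpm/falco.service COPYONLY)`, which also drops the absolute `${PROJECT_SOURCE_DIR}` path. `COPYONLY` disables `@VAR@`/`${VAR}` substitution, so the unit stays byte-for-byte identical.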
@@ -1,127 +0,0 @@
-#!/bin/sh
-
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-#
-# falco syscall monitoring agent
-#
-# chkconfig: 2345 55 45
-# description: Falco syscall monitoring agent
-#
-
-### BEGIN INIT INFO
-# Provides:
-# Required-Start:
-# Required-Stop:
-# Should-Start:
-# Should-Stop:
-# Default-Start:
-# Default-Stop:
-# Short-Description:
-# Description:
-### END INIT INFO
-
-# Source function library.
-. /etc/rc.d/init.d/functions
-
-exec="/usr/bin/falco"
-prog="falco"
-# config=""
-
-[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
-
-lockfile=/var/lock/subsys/$prog
-pidfile="/var/run/falco.pid"
-
-start() {
- [ -x $exec ] || exit 5
- # [ -f $config ] || exit 6
- echo -n $"Starting $prog: "
- daemon $exec --daemon --pidfile=$pidfile
- if [ ! -d /sys/module/falco ]; then
- /sbin/modprobe falco || return $?
- fi
- retval=$?
- echo
- [ $retval -eq 0 ] && touch $lockfile
- return $retval
-}
-
-stop() {
- echo -n $"Stopping $prog: "
- killproc -p $pidfile
- retval=$?
- echo
- /sbin/rmmod falco
- [ $retval -eq 0 ] && rm -f $lockfile
- return $retval
-}
-
-restart() {
- stop
- start
-}
-
-reload() {
- restart
-}
-
-force_reload() {
- restart
-}
-
-rh_status() {
- status -p $pidfile $prog
-}
-
-rh_status_q() {
- rh_status >/dev/null 2>&1
-}
-
-
-case "$1" in
- start)
- rh_status_q && exit 0
- $1
- ;;
- stop)
- rh_status_q || exit 0
- $1
- ;;
- restart)
- $1
- ;;
- reload)
- rh_status_q || exit 7
- $1
- ;;
- force-reload)
- force_reload
- ;;
- status)
- rh_status
- ;;
- condrestart|try-restart)
- rh_status_q || exit 0
- restart
- ;;
- *)
- echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
- exit 2
-esac
-exit $?
diff --git a/scripts/rpm/falco.service b/scripts/rpm/falco.service
new file mode 100644
index 00000000..973d31f9
--- /dev/null
+++ b/scripts/rpm/falco.service
@@ -0,0 +1,30 @@
+[Unit]
+Description=Falco: Container Native Runtime Security
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+#Restart=always
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+PrivateTmp=true
+ProtectHome=read-only
+ProtectSystem=full
+ProtectKernelTunables=true
+RestrictRealtime=true
+#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictAddressFamilies=~AF_PACKET
+SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @privileged
+# FIXME!
+# PANIC: unprotected error in call to Lua API (runtime code generation failed, restricted kernel?)
+# https://www.freelists.org/post/luajit/luajit-crashes-with-grsec-kernel,1
+# MemoryDenyWriteExecute=true
+# PrivateMounts=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts/rpm/postinstall.in b/scripts/rpm/postinstall.in
index 699c27d5..eeaa46ec 100755
--- a/scripts/rpm/postinstall.in
+++ b/scripts/rpm/postinstall.in
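Review bot: The unit drops the driver handling the deleted init script performed — `/sbin/modprobe falco` in `start()` and `/sbin/rmmod falco` in `stop()` — and adds no `ExecStartPre=`/`ExecStopPost=` in its place, so after the upgrade nothing in the service lifecycle loads the kernel module before `ExecStart=`. If the plan is for the unit to do that itself (for example `ExecStartPre=/sbin/modprobe falco`, or the `falco-driver-loader` script that scripts/CMakeLists.txt installs), note that `SystemCallFilter=~... @privileged` applies to every Exec* process of the unit and, as I read systemd's syscall sets, `@privileged` contains `@module` (init_module/finit_module/delete_module) and bpf(2), so the loader or an eBPF probe would be killed with SIGSYS unless those are re-allowed — worth confirming against systemd.exec(5) before shipping. `PrivateTmp=true` is listed twice (lines 13 and 15 of the unit); drop one. `--pidfile=/var/run/falco.pid` is not needed under `Type=simple` and `/var/run` is the legacy alias of `/run`; if the pidfile is kept, `RuntimeDirectory=falco` with `/run/falco/falco.pid` puts it in a systemd-managed directory.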
@@ -29,5 +29,3 @@ else
 echo -e "Module build for the currently running kernel was skipped since the"
 echo -e "kernel source for this kernel does not seem to be installed."
 fi
-
-/sbin/chkconfig --add falco
diff --git a/scripts/rpm/postuninstall.in b/scripts/rpm/postuninstall.in
index 1d0f6809..0792e13c 100755
--- a/scripts/rpm/postuninstall.in
+++ b/scripts/rpm/postuninstall.in
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,7 +14,3 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-
-if [ "$1" -ge "1" ]; then
- /sbin/service falco condrestart > /dev/null 2>&1
-fi
diff --git a/scripts/rpm/preuninstall.in b/scripts/rpm/preuninstall.in
index 3e3362ae..3dc58232 100755
--- a/scripts/rpm/preuninstall.in
+++ b/scripts/rpm/preuninstall.in
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,10 +15,5 @@
 # limitations under the License.
 #
 
-if [ $1 = 0 ]; then
- /sbin/service falco stop > /dev/null 2>&1
- /sbin/chkconfig --del falco
-fi
-
 mod_version="@PROBE_VERSION@"
 dkms remove -m falco -v $mod_version --all --rpm_safe_upgrade
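Review bot: Removing `/sbin/chkconfig --add falco` from postinstall leaves no systemd-side replacement, so the unit dropped into `/usr/lib/systemd/system` is neither known to the running systemd (no `daemon-reload`) nor enabled, whereas the deleted init script was registered for runlevels 2345 — the same gap exists in the preuninstall.in hunk (the running service is no longer stopped on erase, `$1 = 0`) and the postuninstall.in hunk (no `daemon-reload`, no restart on upgrade, `$1 -ge 1`). The usual equivalents of the `%systemd_post`/`%systemd_preun`/`%systemd_postun_with_restart` macros are `systemctl daemon-reload >/dev/null 2>&1 || :` (plus `systemctl preset falco.service` if auto-enabling is intended) in postinstall, `if [ "$1" -eq 0 ]; then systemctl --no-reload disable --now falco.service >/dev/null 2>&1 || :; fi` in preuninstall, and `systemctl daemon-reload` followed by `if [ "$1" -ge 1 ]; then systemctl try-restart falco.service >/dev/null 2>&1 || :; fi` in postuninstall. Without the preuninstall stop, an erase leaves the old falco process running against a deleted binary until the next reboot. The `if`/`else` enclosing the postinstall hunk begins outside it.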