fix(userspace/falco): try to insert kernel module driver conditionally

Do it only when not running with userspace instrumentation enabled and
the syscall input source is enabled (!disable_syscall)

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>

userspace/falco/falco.cpp

@@ -158,7 +158,7 @@ static void usage()
 	   "                               This causes every single line emitted by falco to be flushed,\n"
 	   "                               which generates higher CPU usage but is useful when piping those outputs\n"
 	   "                               into another process or into a script.\n"
-	   " -u                            Parse events from userspace.\n"
+	   " -u, --userspace               Parse events from userspace.\n"
 	   "                               To be used in conjunction with the ptrace(2) based driver (pdig).\n"
 	   " -V, --validate <rules_file>   Read the contents of the specified rules(s) file and exit.\n"
 	   "                               Can be specified multiple times to validate multiple files.\n"
@@ -445,7 +445,7 @@ int falco_init(int argc, char **argv)
 	set<string> disable_sources;
 	bool disable_syscall = false;
 	bool disable_k8s_audit = false;
-	bool udig = false;
+	bool userspace = false;
 
 	// Used for writing trace files
 	int duration_seconds = 0;
@@ -485,7 +485,7 @@ int falco_init(int argc, char **argv)
         {"stats-interval", required_argument, 0},
         {"support", no_argument, 0},
         {"unbuffered", no_argument, 0, 'U'},
-	{"udig", no_argument, 0, 'u'},
+        {"userspace", no_argument, 0, 'u'},
         {"validate", required_argument, 0, 'V'},
         {"version", no_argument, 0, 0},
         {"writefile", required_argument, 0, 'w'},
@@ -612,7 +612,7 @@ int falco_init(int argc, char **argv)
 				buffered_cmdline = true;
 				break;
 			case 'u':
-				udig = true;
+				userspace = true;
 				break;
 			case 'v':
 				verbose = true;
@@ -1098,17 +1098,14 @@ int falco_init(int argc, char **argv)
 		}
 		else
 		{
-			open_t open_cb = [&udig](sinsp* inspector)
+			open_t open_cb = [&userspace](sinsp* inspector)
 			{
-				if(udig)
+				if(userspace)
 				{
-				    // open_udig() is the underlying method used in the capture
-				    // code to parse userspace events from the kernel.
+					// open_udig() is the underlying method used in the capture code to parse userspace events from the kernel.
 					//
-				    // In the case of falco we use ptrace(2) for one
-				    // of these userspace implementations. Regardless
-				    // of the implementation, the underlying method
-				    // remains the same.
+					// Falco uses a ptrace(2) based userspace implementation.
+					// Regardless of the implementation, the underlying method remains the same.
 					inspector->open_udig();
 				}
 				else
@@ -1138,6 +1135,10 @@ int falco_init(int argc, char **argv)
 			}
 			catch(sinsp_exception &e)
 			{
+				// If syscall input source is enabled and not through userspace instrumentation
+				if (!disable_syscall && !userspace)
+				{
+					// Try to insert the Falco kernel module
 					if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null"))
 					{
 						falco_logger::log(LOG_ERR, "Unable to load the driver. Exiting.\n");
@@ -1145,6 +1146,7 @@ int falco_init(int argc, char **argv)
 					open_f(inspector);
 				}
 			}
+		}
 
 		// This must be done after the open
 		if(!all_events)
@@ -1161,7 +1163,7 @@ int falco_init(int argc, char **argv)
 		duration = ((double)clock()) / CLOCKS_PER_SEC;
 
 		//
-		// run k8s, if required
+		// Run k8s, if required
 		//
 		if(k8s_api)
 		{
@@ -1200,7 +1202,7 @@ int falco_init(int argc, char **argv)
 		}
 
 		//
-		// run mesos, if required
+		// Run mesos, if required
 		//
 		if(mesos_api)
 		{