feature(falco_service): add a service unit to inject the kmod

Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
2025-09-01 14:47:00 +00:00 · 2022-10-10 12:51:03 +00:00
parent 48ce85f4da
commit 7da3041cb3
6 changed files with 46 additions and 4 deletions
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -22,6 +22,9 @@ configure_file(debian/prerm.in debian/prerm)
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")

+file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco_inject_kmod.service"
+	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
+
 configure_file(rpm/postinstall.in rpm/postinstall)
 configure_file(rpm/postuninstall.in rpm/postuninstall)
 configure_file(rpm/preuninstall.in rpm/preuninstall)
@@ -29,6 +32,9 @@ configure_file(rpm/preuninstall.in rpm/preuninstall)
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")

+file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco_inject_kmod.service"
+	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
+
 configure_file(falco-driver-loader falco-driver-loader @ONLY)

 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
--- a/scripts/debian/falco.service
+++ b/scripts/debian/falco.service
@@ -1,11 +1,12 @@
 [Unit]
 Description=Falco: Container Native Runtime Security
 Documentation=https://falco.org/docs/
+After=falco_inject_kmod.service
+Requires=falco_inject_kmod.service

 [Service]
 Type=simple
 User=root
-ExecStartPre=/sbin/modprobe falco
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
 ExecStopPost=/sbin/rmmod falco
 UMask=0077
@@ -17,7 +18,7 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
-ReadWritePaths=/sys/module
+ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET

--- a/scripts/debian/falco_inject_kmod.service
+++ b/scripts/debian/falco_inject_kmod.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Falco: Container Native Runtime Security
+Documentation=https://falco.org/docs/
+Before=falco.service
+Wants=falco.service
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/sbin/modprobe falco
+Restart=on-failure
+TimeoutSec=30s
+RestartSec=15s
+
+[Install]
+WantedBy=multi-user.target
--- a/scripts/rpm/falco.service
+++ b/scripts/rpm/falco.service
@@ -1,11 +1,12 @@
 [Unit]
 Description=Falco: Container Native Runtime Security
 Documentation=https://falco.org/docs/
+After=falco_inject_kmod.service
+Requires=falco_inject_kmod.service

 [Service]
 Type=simple
 User=root
-ExecStartPre=/sbin/modprobe falco
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
 ExecStopPost=/sbin/rmmod falco
 UMask=0077
@@ -17,7 +18,7 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
-ReadWritePaths=/sys/module
+ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null
--- a/scripts/rpm/falco_inject_kmod.service
+++ b/scripts/rpm/falco_inject_kmod.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Falco: Container Native Runtime Security
+Documentation=https://falco.org/docs/
+Before=falco.service
+Wants=falco.service
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/sbin/modprobe falco
+Restart=on-failure
+TimeoutSec=30s
+RestartSec=15s
+
+[Install]
+WantedBy=multi-user.target