github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-06 08:43:40 +00:00
Code Issues Projects Releases Wiki Activity

feature(falco_service): add a service unit to inject the kmod

Browse Source 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
This commit is contained in:
Andrea Terzolo 2022-10-10 12:51:03 +00:00 committed by poiana
parent 48ce85f4da
commit 7da3041cb3
6 changed files with 46 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmake/cpack/CMakeCPackOptions.cmake
View File

@ -1,11 +1,13 @@
if(CPACK_GENERATOR MATCHES "DEB") if(CPACK_GENERATOR MATCHES "DEB")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
endif() endif()
if(CPACK_GENERATOR MATCHES "RPM") if(CPACK_GENERATOR MATCHES "RPM")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
endif() endif()
if(CPACK_GENERATOR MATCHES "TGZ") if(CPACK_GENERATOR MATCHES "TGZ")

6
scripts/CMakeLists.txt
View File

@ -22,6 +22,9 @@ configure_file(debian/prerm.in debian/prerm)
file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service" file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian") DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco_inject_kmod.service"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
configure_file(rpm/postinstall.in rpm/postinstall) configure_file(rpm/postinstall.in rpm/postinstall)
configure_file(rpm/postuninstall.in rpm/postuninstall) configure_file(rpm/postuninstall.in rpm/postuninstall)
configure_file(rpm/preuninstall.in rpm/preuninstall) configure_file(rpm/preuninstall.in rpm/preuninstall)
@ -29,6 +32,9 @@ configure_file(rpm/preuninstall.in rpm/preuninstall)
file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service" file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm") DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco_inject_kmod.service"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
configure_file(falco-driver-loader falco-driver-loader @ONLY) configure_file(falco-driver-loader falco-driver-loader @ONLY)
if(CMAKE_SYSTEM_NAME MATCHES "Linux") if(CMAKE_SYSTEM_NAME MATCHES "Linux")

5
scripts/debian/falco.service
View File

@ -1,11 +1,12 @@
[Unit] [Unit]
Description=Falco: Container Native Runtime Security Description=Falco: Container Native Runtime Security
Documentation=https://falco.org/docs/ Documentation=https://falco.org/docs/
After=falco_inject_kmod.service
Requires=falco_inject_kmod.service
[Service] [Service]
Type=simple Type=simple
User=root User=root
ExecStartPre=/sbin/modprobe falco
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
ExecStopPost=/sbin/rmmod falco ExecStopPost=/sbin/rmmod falco
UMask=0077 UMask=0077
@ -17,7 +18,7 @@ NoNewPrivileges=yes
ProtectHome=read-only ProtectHome=read-only
ProtectSystem=full ProtectSystem=full
ProtectKernelTunables=true ProtectKernelTunables=true
ReadWritePaths=/sys/module ReadWritePaths=/sys/module/falco
RestrictRealtime=true RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET RestrictAddressFamilies=~AF_PACKET

16
scripts/debian/falco_inject_kmod.service Normal file
View File

@ -0,0 +1,16 @@
[Unit]
Description=Falco: Container Native Runtime Security
Documentation=https://falco.org/docs/
Before=falco.service
Wants=falco.service
[Service]
Type=oneshot
User=root
ExecStart=/sbin/modprobe falco
Restart=on-failure
TimeoutSec=30s
RestartSec=15s
[Install]
WantedBy=multi-user.target

5
scripts/rpm/falco.service
View File

@ -1,11 +1,12 @@
[Unit] [Unit]
Description=Falco: Container Native Runtime Security Description=Falco: Container Native Runtime Security
Documentation=https://falco.org/docs/ Documentation=https://falco.org/docs/
After=falco_inject_kmod.service
Requires=falco_inject_kmod.service
[Service] [Service]
Type=simple Type=simple
User=root User=root
ExecStartPre=/sbin/modprobe falco
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
ExecStopPost=/sbin/rmmod falco ExecStopPost=/sbin/rmmod falco
UMask=0077 UMask=0077
@ -17,7 +18,7 @@ NoNewPrivileges=yes
ProtectHome=read-only ProtectHome=read-only
ProtectSystem=full ProtectSystem=full
ProtectKernelTunables=true ProtectKernelTunables=true
ReadWritePaths=/sys/module ReadWritePaths=/sys/module/falco
RestrictRealtime=true RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET RestrictAddressFamilies=~AF_PACKET
StandardOutput=null StandardOutput=null

16
scripts/rpm/falco_inject_kmod.service Normal file
View File

@ -0,0 +1,16 @@
[Unit]
Description=Falco: Container Native Runtime Security
Documentation=https://falco.org/docs/
Before=falco.service
Wants=falco.service
[Service]
Type=oneshot
User=root
ExecStart=/sbin/modprobe falco
Restart=on-failure
TimeoutSec=30s
RestartSec=15s
[Install]
WantedBy=multi-user.target