From 802b9f7b69af665593dfa99431c6b9d7abf5c94f Mon Sep 17 00:00:00 2001
From: Lorenzo Fontana
Date: Tue, 18 Feb 2020 10:35:18 +0100
Subject: [PATCH] fix: probe environment set to FALCO_BPF_PROBE also at load time
Signed-off-by: Lorenzo Fontana
---
 cmake/modules/sysdig-repo/CMakeLists.txt | 3 ++-
 cmake/modules/sysdig-repo/patch/libscap.patch | 22 +++++++++++++++++++
 .../falco-daemonset-configmap-slim.yaml | 2 +-
 .../falco-daemonset-configmap.yaml | 2 +-
 scripts/falco-probe-loader | 4 ++--
 5 files changed, 28 insertions(+), 5 deletions(-)
 create mode 100644 cmake/modules/sysdig-repo/patch/libscap.patch
diff --git a/cmake/modules/sysdig-repo/CMakeLists.txt b/cmake/modules/sysdig-repo/CMakeLists.txt
index f7328e85..370869c3 100644
--- a/cmake/modules/sysdig-repo/CMakeLists.txt
+++ b/cmake/modules/sysdig-repo/CMakeLists.txt
@@ -32,4 +32,5 @@ ExternalProject_Add(
 CONFIGURE_COMMAND ""
 BUILD_COMMAND ""
 INSTALL_COMMAND ""
- TEST_COMMAND "")
+ TEST_COMMAND ""
+ PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch)
diff --git a/cmake/modules/sysdig-repo/patch/libscap.patch b/cmake/modules/sysdig-repo/patch/libscap.patch
new file mode 100644
index 00000000..70ff3fb8
--- /dev/null
+++ b/cmake/modules/sysdig-repo/patch/libscap.patch
@@ -0,0 +1,22 @@
+diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
+index 59b04e0a..bdc311cb 100644
+--- a/userspace/libscap/scap.c
++++ b/userspace/libscap/scap.c
+@@ -52,7 +52,7 @@ limitations under the License.
+ //#define NDEBUG
+ #include
+
+-static const char *SYSDIG_BPF_PROBE_ENV = "SYSDIG_BPF_PROBE";
++static const char *SYSDIG_BPF_PROBE_ENV = "FALCO_BPF_PROBE";
+
+ //
+ // Probe version string size
+@@ -171,7 +171,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
+ return NULL;
+ }
+
+- snprintf(buf, sizeof(buf), "%s/.sysdig/%s-bpf.o", home, PROBE_NAME);
++ snprintf(buf, sizeof(buf), "%s/.falco/%s-bpf.o", home, PROBE_NAME);
+ bpf_probe = buf;
+ }
+ }
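Review bot: The `PATCH_COMMAND` added at the end of `ExternalProject_Add` in cmake/modules/sysdig-repo/CMakeLists.txt applies libscap.patch with a bare `patch -p1 -i …`, and nothing makes the step safe to repeat. A re-run against an already patched source tree can fail or stop at a prompt asking whether to reverse the patch. The line also has no comment saying that the vendored library is modified at build time, which matters when auditing what actually ships. I would add `# Local patch: libscap reads FALCO_BPF_PROBE instead of SYSDIG_BPF_PROBE; remove once upstream is configurable` above it. The patch's hunk offsets depend on the sysdig revision that is fetched, and that pin sits in the part of `ExternalProject_Add` outside this hunk, so confirm that a failed apply stops the build rather than leaving an unpatched libscap.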
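Review bot: After this rename the old variable names are ignored without any warning. The patched `SYSDIG_BPF_PROBE_ENV` in libscap.patch holds only `"FALCO_BPF_PROBE"`, and the last hunk of scripts/falco-probe-loader tests only `[ -v FALCO_BPF_PROBE ]`. A deployment that still exports `SYSDIG_BPF_PROBE` or `BPF_PROBE` would presumably fall through to the kernel-module path, and on hosts where a module cannot be loaded the sensor may not start, leaving the node unmonitored. The code that reads the variable lies outside these hunks, so this is inferred from the visible lines. A one-line deprecation warning in the loader would cover it, for example `if [ -v BPF_PROBE ] && [ ! -v FALCO_BPF_PROBE ]; then >&2 echo "BPF_PROBE is deprecated, use FALCO_BPF_PROBE"; fi`.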
diff --git a/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml
index d0d5145c..c90f9676 100644
--- a/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml
+++ b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml
@@ -39,7 +39,7 @@ spec:
 # Leave blank for the default probe location, or set to the path
 # of a precompiled probe.
 # env:
-# - name: BPF_PROBE
+# - name: FALCO_BPF_PROBE
 # value: ""
 args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
 volumeMounts:
diff --git a/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
index 9b17c815..680c2a77 100644
--- a/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
+++ b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
@@ -23,7 +23,7 @@ spec:
 # Leave blank for the default probe location, or set to the path
 # of a precompiled probe.
 # env:
-# - name: BPF_PROBE
+# - name: FALCO_BPF_PROBE
 # value: ""
 args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
 volumeMounts:
diff --git a/scripts/falco-probe-loader b/scripts/falco-probe-loader
index f2f03ac3..70cca7a0 100755
--- a/scripts/falco-probe-loader
+++ b/scripts/falco-probe-loader
@@ -350,7 +350,7 @@ load_bpf_probe() {
 echo "**********************************************************"
 fi
- echo "* BPF probe located, it's now possible to start sysdig"
+ echo "* BPF probe located, it's now possible to start falco"
 ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${BPF_PROBE_NAME}.o"
 exit $?
@@ -402,7 +402,7 @@ if ! hash curl > /dev/null 2>&1; then
 exit 1
 fi
-if [ -v BPF_PROBE ] || [ "${1}" = "bpf" ]; then
+if [ -v FALCO_BPF_PROBE ] || [ "${1}" = "bpf" ]; then
 load_bpf_probe
 else
 load_kernel_probe