chore(scripts): added support for falco@plugin.target.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-08-31 06:10:45 +00:00 · 2022-10-24 17:24:56 +02:00
parent b04bb2e32e
commit 91fe2e9e24
9 changed files with 38 additions and 3 deletions
--- a/scripts/debian/postinst.in
+++ b/scripts/debian/postinst.in
@@ -39,7 +39,7 @@ case "$1" in
                      chosen_driver="ebpf"
                      ;;
                  3)
-                      chosen_driver=
+                      chosen_driver="plugin"
                      ;;
              esac
          else
@@ -65,6 +65,7 @@ if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-decon
        # This will only remove masks created by d-s-h on package removal.
        deb-systemd-helper unmask "falco@kmod.target" >/dev/null || true
        deb-systemd-helper unmask "falco@ebpf.target" >/dev/null || true
+        deb-systemd-helper unmask "falco@plugin.target" >/dev/null || true

        # was-enabled defaults to true, so new installations run enable.
        if [ -n "$chosen_driver" ]; then
--- a/scripts/debian/postrm.in
+++ b/scripts/debian/postrm.in
@@ -29,6 +29,7 @@ if [ "$1" = "remove" ]; then
        if [ -x "/usr/bin/deb-systemd-helper" ]; then
                deb-systemd-helper mask 'falco@kmod.target' >/dev/null || true
                deb-systemd-helper mask 'falco@ebpf.target' >/dev/null || true
+                deb-systemd-helper mask "falco@plugin.target" >/dev/null || true
        fi
 fi

@@ -38,5 +39,7 @@ if [ "$1" = "purge" ]; then
                deb-systemd-helper unmask 'falco@kmod.target' >/dev/null || true
                deb-systemd-helper purge 'falco@ebpf.target' >/dev/null || true
                deb-systemd-helper unmask 'falco@ebpf.target' >/dev/null || true
+                deb-systemd-helper purge 'falco@plugin.target' >/dev/null || true
+                deb-systemd-helper unmask 'falco@plugin.target' >/dev/null || true
        fi
 fi
--- a/scripts/debian/prerm.in
+++ b/scripts/debian/prerm.in
@@ -24,6 +24,7 @@ set -e
 if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
        deb-systemd-invoke stop 'falco@kmod.target' >/dev/null || true
        deb-systemd-invoke stop 'falco@ebpf.target' >/dev/null || true
+        deb-systemd-invoke stop 'falco@plugin.target' >/dev/null || true
 fi

 case "$1" in
--- a/scripts/rpm/postinstall.in
+++ b/scripts/rpm/postinstall.in
@@ -38,7 +38,7 @@ case "$1" in
                      chosen_driver="ebpf"
                      ;;
                  3)
-                      chosen_driver=
+                      chosen_driver="plugin"
                      ;;
              esac
          else
@@ -71,6 +71,7 @@ if [ $1 -eq 1 ]; then
        # This will only remove masks created on package removal.
        /usr/bin/systemctl --system unmask "falco@kmod.target" >/dev/null || true
        /usr/bin/systemctl --system unmask "falco@ebpf.target" >/dev/null || true
+        /usr/bin/systemctl --system unmask "falco@plugin.target" >/dev/null || true

        if [ -n "$chosen_driver" ]; then
            # enable falco on installation
--- a/scripts/rpm/postuninstall.in
+++ b/scripts/rpm/postuninstall.in
@@ -22,6 +22,7 @@ if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then
        /usr/bin/systemctl --system daemon-reload >/dev/null || true
        /usr/bin/systemctl --system mask 'falco@kmod.target' >/dev/null || true
        /usr/bin/systemctl --system mask 'falco@ebpf.target' >/dev/null || true
+        /usr/bin/systemctl --system mask 'falco@plugin.target' >/dev/null || true
 fi

 # validate rpm macros by `rpm -qp --scripts <rpm>`
@@ -33,3 +34,4 @@ fi
 #   `systemd-update-helper mark-restart-system-units <service>`
 %systemd_postun_with_restart 'falco@kmod.target'
 %systemd_postun_with_restart 'falco@ebpf.target'
+%systemd_postun_with_restart 'falco@plugin.target'
--- a/scripts/rpm/preuninstall.in
+++ b/scripts/rpm/preuninstall.in
@@ -22,6 +22,7 @@ if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
        # stop falco service before uninstall
        /usr/bin/systemctl --system stop 'falco@kmod.target' >/dev/null || true
        /usr/bin/systemctl --system stop 'falco@ebpf.target' >/dev/null || true
+        /usr/bin/systemctl --system stop 'falco@plugin.target' >/dev/null || true
 fi

 /usr/bin/falco-driver-loader --clean
@@ -34,4 +35,5 @@ fi
 # if preuninstall:
 #  `systemd-update-helper remove-system-units <service>`
 %systemd_preun 'falco@kmod.target'
-%systemd_preun 'falco@ebpf.target'
+%systemd_preun 'falco@ebpf.target'
+%systemd_preun 'falco@plugin.target'
--- a/scripts/systemd/falco-ebpf.service
+++ b/scripts/systemd/falco-ebpf.service
@@ -3,6 +3,7 @@ Description=Falco: Container Native Runtime Security with ebpf
 Documentation=https://falco.org/docs/
 PartOf=falco@ebpf.target
 Conflicts=falco-kmod.service
+Conflicts=falco-plugin.service

 [Service]
 Type=simple
--- a/scripts/systemd/falco-kmod.service
+++ b/scripts/systemd/falco-kmod.service
@@ -5,6 +5,7 @@ After=falco-kmod-inject.service
 Requires=falco-kmod-inject.service
 PartOf=falco@kmod.target
 Conflicts=falco-ebpf.service
+Conflicts=falco-plugin.service

 [Service]
 Type=simple
--- a/scripts/systemd/falco-plugin.service
+++ b/scripts/systemd/falco-plugin.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Falco: Container Native Runtime Security with plugin
+Documentation=https://falco.org/docs/
+PartOf=falco@plugin.target
+Conflicts=falco-kmod.service
+Conflicts=falco-ebpf.service
+
+[Service]
+Type=simple
+User=%u
+ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+ProtectHome=read-only
+ProtectSystem=full
+ProtectKernelTunables=true
+RestrictRealtime=true
+RestrictAddressFamilies=~AF_PACKET
+StandardOutput=null