diff --git a/scripts/debian/postinst.in b/scripts/debian/postinst.in
index 0efd2fe2..f11318ba 100755
--- a/scripts/debian/postinst.in
+++ b/scripts/debian/postinst.in
@@ -39,7 +39,7 @@ case "$1" in
 chosen_driver="ebpf"
 ;;
 3)
- chosen_driver=
+ chosen_driver="plugin"
 ;;
 esac
 else
@@ -65,6 +65,7 @@ if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-decon
 # This will only remove masks created by d-s-h on package removal.
 deb-systemd-helper unmask "falco@kmod.target" >/dev/null || true
 deb-systemd-helper unmask "falco@ebpf.target" >/dev/null || true
+ deb-systemd-helper unmask "falco@plugin.target" >/dev/null || true

 # was-enabled defaults to true, so new installations run enable.
 if [ -n "$chosen_driver" ]; then
diff --git a/scripts/debian/postrm.in b/scripts/debian/postrm.in
index ca4b3677..170ea927 100755
--- a/scripts/debian/postrm.in
+++ b/scripts/debian/postrm.in
@@ -29,6 +29,7 @@ if [ "$1" = "remove" ]; then
 if [ -x "/usr/bin/deb-systemd-helper" ]; then
 deb-systemd-helper mask 'falco@kmod.target' >/dev/null || true
 deb-systemd-helper mask 'falco@ebpf.target' >/dev/null || true
+ deb-systemd-helper mask "falco@plugin.target" >/dev/null || true
 fi
 fi

@@ -38,5 +39,7 @@ if [ "$1" = "purge" ]; then
 deb-systemd-helper unmask 'falco@kmod.target' >/dev/null || true
 deb-systemd-helper purge 'falco@ebpf.target' >/dev/null || true
 deb-systemd-helper unmask 'falco@ebpf.target' >/dev/null || true
+ deb-systemd-helper purge 'falco@plugin.target' >/dev/null || true
+ deb-systemd-helper unmask 'falco@plugin.target' >/dev/null || true
 fi
 fi
diff --git a/scripts/debian/prerm.in b/scripts/debian/prerm.in
index e9f7b9fd..a86c966c 100755
--- a/scripts/debian/prerm.in
+++ b/scripts/debian/prerm.in
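Review bot: Turning the `3)` arm from an empty `chosen_driver` into `chosen_driver="plugin"` changes what an already-stored answer means: before this commit answer 3 left the variable empty, so the later `if [ -n "$chosen_driver" ]` block enabled no unit, and after it the same answer enables `falco@plugin.target`. If the prompt previously offered 3 as a "no driver / configure manually" choice, hosts that upgrade with that answer stored will get a unit enabled they never asked for; the prompt template is not in this diff, so this needs checking against it. A comment in the arm such as `# plugin source: no kernel driver is loaded for this choice` would at least record the new meaning, and a separate "none" choice would preserve the old one. The same change is made in scripts/rpm/postinstall.in; the enclosing `case "$1" in` starts outside the hunk.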
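Review bot: In the postrm `remove` hunk the added line quotes the unit name as `"falco@plugin.target"` while both sibling lines and the purge hunk below use single quotes. The name contains no expansion, so `deb-systemd-helper mask 'falco@plugin.target' >/dev/null || true` keeps the file consistent and avoids a reader wondering whether the double quotes are deliberate.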
@@ -24,6 +24,7 @@ set -e
 if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
 deb-systemd-invoke stop 'falco@kmod.target' >/dev/null || true
 deb-systemd-invoke stop 'falco@ebpf.target' >/dev/null || true
+ deb-systemd-invoke stop 'falco@plugin.target' >/dev/null || true
 fi

 case "$1" in
diff --git a/scripts/rpm/postinstall.in b/scripts/rpm/postinstall.in
index ec538cf5..fc9712f8 100755
--- a/scripts/rpm/postinstall.in
+++ b/scripts/rpm/postinstall.in
@@ -38,7 +38,7 @@ case "$1" in
 chosen_driver="ebpf"
 ;;
 3)
- chosen_driver=
+ chosen_driver="plugin"
 ;;
 esac
 else
@@ -71,6 +71,7 @@ if [ $1 -eq 1 ]; then
 # This will only remove masks created on package removal.
 /usr/bin/systemctl --system unmask "falco@kmod.target" >/dev/null || true
 /usr/bin/systemctl --system unmask "falco@ebpf.target" >/dev/null || true
+ /usr/bin/systemctl --system unmask "falco@plugin.target" >/dev/null || true

 if [ -n "$chosen_driver" ]; then
 # enable falco on installation
diff --git a/scripts/rpm/postuninstall.in b/scripts/rpm/postuninstall.in
index 22a8f05f..9b8cae9c 100755
--- a/scripts/rpm/postuninstall.in
+++ b/scripts/rpm/postuninstall.in
@@ -22,6 +22,7 @@ if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then
 /usr/bin/systemctl --system daemon-reload >/dev/null || true
 /usr/bin/systemctl --system mask 'falco@kmod.target' >/dev/null || true
 /usr/bin/systemctl --system mask 'falco@ebpf.target' >/dev/null || true
+ /usr/bin/systemctl --system mask 'falco@plugin.target' >/dev/null || true
 fi

 # validate rpm macros by `rpm -qp --scripts `
@@ -33,3 +34,4 @@ fi
 # `systemd-update-helper mark-restart-system-units `
 %systemd_postun_with_restart 'falco@kmod.target'
 %systemd_postun_with_restart 'falco@ebpf.target'
+%systemd_postun_with_restart 'falco@plugin.target'
diff --git a/scripts/rpm/preuninstall.in b/scripts/rpm/preuninstall.in
index f4ae0c60..8cc4a66d 100755
--- a/scripts/rpm/preuninstall.in
+++ b/scripts/rpm/preuninstall.in
@@ -22,6 +22,7 @@ if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
 # stop falco service before uninstall
 /usr/bin/systemctl --system stop 'falco@kmod.target' >/dev/null || true
 /usr/bin/systemctl --system stop 'falco@ebpf.target' >/dev/null || true
+ /usr/bin/systemctl --system stop 'falco@plugin.target' >/dev/null || true
 fi

 /usr/bin/falco-driver-loader --clean
@@ -34,4 +35,5 @@ fi
 # if preuninstall:
 # `systemd-update-helper remove-system-units `
 %systemd_preun 'falco@kmod.target'
-%systemd_preun 'falco@ebpf.target'
\ No newline at end of file
+%systemd_preun 'falco@ebpf.target'
+%systemd_preun 'falco@plugin.target'
diff --git a/scripts/systemd/falco-ebpf.service b/scripts/systemd/falco-ebpf.service
index bcb90a2d..8a85ff3d 100644
--- a/scripts/systemd/falco-ebpf.service
+++ b/scripts/systemd/falco-ebpf.service
@@ -3,6 +3,7 @@ Description=Falco: Container Native Runtime Security with ebpf
 Documentation=https://falco.org/docs/
 PartOf=falco@ebpf.target
 Conflicts=falco-kmod.service
+Conflicts=falco-plugin.service

 [Service]
 Type=simple
diff --git a/scripts/systemd/falco-kmod.service b/scripts/systemd/falco-kmod.service
index a4328247..7799c82d 100644
--- a/scripts/systemd/falco-kmod.service
+++ b/scripts/systemd/falco-kmod.service
@@ -5,6 +5,7 @@ After=falco-kmod-inject.service
 Requires=falco-kmod-inject.service
 PartOf=falco@kmod.target
 Conflicts=falco-ebpf.service
+Conflicts=falco-plugin.service

 [Service]
 Type=simple
diff --git a/scripts/systemd/falco-plugin.service b/scripts/systemd/falco-plugin.service
new file mode 100644
index 00000000..c190bb6c
--- /dev/null
+++ b/scripts/systemd/falco-plugin.service
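Review bot: `Conflicts=falco-plugin.service` in falco-ebpf.service makes systemd stop one unit when the other is started, but Conflicts= is documented as carrying no ordering, so without an `After=`/`Before=` the outgoing and incoming Falco instance can overlap briefly during a driver switch; the same holds for the kmod unit hunk and for the two Conflicts= lines in the new falco-plugin.service. Whether the overlap matters depends on what the instances share while both are alive — the new unit writes `/var/run/falco.pid`, and the sibling units presumably do the same, which is not visible in this diff. If it does matter, an ordering has to be chosen consistently across the three units rather than added pairwise, since mutual After= lines between conflicting units would form a cycle; at minimum a `# Conflicts= alone does not order the stop before the start` comment would record the known gap.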
@@ -0,0 +1,23 @@
+[Unit]
+Description=Falco: Container Native Runtime Security with plugin
+Documentation=https://falco.org/docs/
+PartOf=falco@plugin.target
+Conflicts=falco-kmod.service
+Conflicts=falco-ebpf.service
+
+[Service]
+Type=simple
+User=%u
+ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+ProtectHome=read-only
+ProtectSystem=full
+ProtectKernelTunables=true
+RestrictRealtime=true
+RestrictAddressFamilies=~AF_PACKET
+StandardOutput=null
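Review bot: `User=%u` resolves to the user running the service manager, which for a system unit is root, so the new plugin unit runs Falco as root while nothing in it says why that is needed when no kernel driver is involved; the kmod and ebpf units presumably need root for the driver, but this unit only conflicts with them and depends on nothing else. If root is intended, `User=root` plus a one-line reason is clearer than the specifier; if not, a dedicated service account is the natural fit for this mode. Because this unit never loads a kernel module, the sandbox copied from the sibling units can also be tightened for it alone, as in the lines below, on the assumption that the plugin source needs none of those facilities. Separately, `ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid` carries no plugin-specific option or environment, so what makes this a "plugin" run presumably lives entirely in Falco's configuration file; a `# Source selection comes from the Falco configuration, not from this unit` line above ExecStart would make the difference between the three units visible.
```ini
# … unchanged: [Unit] section, Type/User/ExecStart and restart settings …
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
SystemCallArchitectures=native
LockPersonality=true
# … unchanged: RestrictRealtime, RestrictAddressFamilies, StandardOutput …
```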