Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Andrea Terzolo
2022-11-11 11:49:45 +00:00
parent 2ab76405bb
commit a87d05b239
17 changed files with 68 additions and 108 deletions


@@ -1,8 +1,7 @@
if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco@.target _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-plugin.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
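Review bot: The destination path literal is repeated on every line of the hunk (L13-L20), so the set of unit files that ship in the DEB/RPM package is spread across five near-identical `cp` commands rather than kept in one place a reviewer can check when a unit is added or dropped, as this commit does. Holding the path in a variable and iterating a single unit list keeps the shipped-unit list in one spot and makes the next change a one-line diff; the unit order below follows the new side of the hunk. The enclosing `if(CPACK_GENERATOR ...)` opened on L12 closes outside the hunk.
```cmake
if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
  set(falco_systemd_unit_dir "_CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
  list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p ${falco_systemd_unit_dir}")
  # One entry per unit shipped in the package; keep in sync with scripts/systemd/.
  foreach(falco_unit IN ITEMS
      falco-kmod-inject.service
      falco-kmod.service
      falco-bpf.service
      falco-modern-bpf.service
      falco-plugin.service)
    list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/${falco_unit} ${falco_systemd_unit_dir}")
  endforeach()
  # … unchanged: rest of the if() block …
```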


@@ -26,8 +26,8 @@ else()
# In case you want to test against another driver version (or branch, or commit) just pass the variable -
# ie., `cmake -DDRIVER_VERSION=dev ..`
if(NOT DRIVER_VERSION)
set(DRIVER_VERSION "3.0.1+driver")
set(DRIVER_CHECKSUM "SHA256=f50003043c804aa21990560de02db42e203ee09d050112a4a5dd2b05f22a8a6c")
set(DRIVER_VERSION "bb9702d5d3d3358804b1d483e7648dc55a2b7826")
set(DRIVER_CHECKSUM "SHA256=447aa085ccedcd649e91f68aefff13d4ca2a9ddc0faa5c4e30dd76d45ae47267")
endif()
# cd /path/to/build && cmake /path/to/source


@@ -19,7 +19,7 @@ message(STATUS "Libs version: ${FALCOSECURITY_LIBS_VERSION}")
ExternalProject_Add(
falcosecurity-libs
URL "https://github.com/falcosecurity/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
URL "https://github.com/Andreagit97/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
URL_HASH "${FALCOSECURITY_LIBS_CHECKSUM}"
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
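Review bot: L41 changes the falcosecurity-libs download origin from the falcosecurity organisation to a personal fork (Andreagit97/libs), which moves the source of the libs and driver code the build consumes from the project org to an individual account. The `URL_HASH` on L42 still pins the exact archive content, so nothing unverified is fetched, but the fork URL and the pinned hash now change together and are reviewed as one unit, so the hash no longer cross-checks an org-published release. If this is a development pin, a comment next to the URL such as `# TODO: point back to falcosecurity/libs once the referenced commit is merged upstream` makes the intent visible, and the commit-hash defaults in the libs and driver version files of this commit would presumably be reverted at the same time.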


@@ -27,8 +27,8 @@ else()
# In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
# ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
if(NOT FALCOSECURITY_LIBS_VERSION)
set(FALCOSECURITY_LIBS_VERSION "0.9.0")
set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=5319a1b6a72eba3d9524cf084be5fc2ed81e3e90b3bee8edbe58b8646af0cbcb")
set(FALCOSECURITY_LIBS_VERSION "bb9702d5d3d3358804b1d483e7648dc55a2b7826")
set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=447aa085ccedcd649e91f68aefff13d4ca2a9ddc0faa5c4e30dd76d45ae47267")
endif()
# cd /path/to/build && cmake /path/to/source


@@ -16,8 +16,6 @@
#
# Systemd
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco@.target"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"


@@ -19,8 +19,7 @@ set -e
chosen_driver=
case "$1" in
configure)
if [ "$1" = "configure" ]; then
if [ -x /usr/bin/dialog ]; then
# If dialog is installed, create a dialog to let users choose the correct driver for them
CHOICE=$(dialog --clear --backtitle "Choose your preferred driver" --title "Falco driver" --menu "Choose one of the following options:" 15 40 4 \
@@ -46,43 +45,37 @@ case "$1" in
;;
esac
fi
;;
esac
fi
# If needed, try to load/compile the driver through falco-driver-loader
case "$chosen_driver" in
"kmod")
echo "[POST-INSTALL] Call falco-driver-loader module:\n"
falco-driver-loader module
;;
"bpf")
echo "[POST-INSTALL] Call falco-driver-loader bpf:\n"
falco-driver-loader bpf
;;
esac
# Based off what debhelper dh_systemd_enable/13.3.4 would have added
# ref: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#debhelper
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
# This will only remove masks created by d-s-h on package removal.
systemctl --system unmask "falco@.target" >/dev/null || true
systemctl --system unmask "falco-kmod.service" >/dev/null || true
systemctl --system unmask "falco-bpf.service" >/dev/null || true
systemctl --system unmask "falco-modern-bpf.service" >/dev/null || true
systemctl --system unmask "falco-plugin.service" >/dev/null || true
# was-enabled defaults to true, so new installations run enable.
if [ -n "$chosen_driver" ]; then
systemctl --system enable "falco@$chosen_driver.target" >/dev/null || true
systemctl --system start "falco@$chosen_driver.target" >/dev/null || true
echo "[POST-INSTALL] enable falco-$chosen_driver.service:\n"
systemctl --system enable "falco-$chosen_driver.service" || true
echo "[POST-INSTALL] start falco-$chosen_driver.service:\n"
systemctl --system start "falco-$chosen_driver.service" || true
fi
fi
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
if [ -d /run/systemd/system ]; then
systemctl --system daemon-reload >/dev/null || true
echo "[POST-INSTALL] trigger deamon-reload:\n"
systemctl --system daemon-reload || true
if [ -n "$chosen_driver" ]; then
echo "[POST-INSTALL] trigger condrestart:\n"
# restart falco on upgrade if service is already running
/usr/bin/systemctl --system condrestart "falco@$chosen_driver.target" >/dev/null || true
systemctl --system condrestart "falco-$chosen_driver.service" || true
fi
fi
fi
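Review bot: The trailing `\n` inside the double-quoted `echo` arguments added at L90, L94, L111, L113, L120 and L123 is not portable: under dash (Debian's /bin/sh) `echo` turns it into an extra newline, while under bash it is printed literally, and the script's shebang is outside the hunk so it cannot be seen here which shell runs it. `printf '%s\n' "[POST-INSTALL] trigger daemon-reload:"` produces the same output under both and also fixes the `deamon` misspelling on L120. The same pattern appears in the postrm (L137, L142) and prerm (L164, L173) hunks of this commit. The `if [ "$1" = "configure" ]` opened at L76 closes outside the first hunk.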


@@ -22,15 +22,11 @@
set -e
if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
systemctl --system daemon-reload >/dev/null || true
echo "[POST-REMOVE] disable falco services:\n"
systemctl --system disable 'falco-kmod.service' || true
systemctl --system disable 'falco-bpf.service' || true
systemctl --system disable 'falco-modern-bpf.service' || true
systemctl --system disable 'falco-plugin.service' || true
echo "[POST-REMOVE] trigger deamon-reload:\n"
systemctl --system daemon-reload || true
fi
if [ "$1" = "remove" ]; then
if [ -x "/usr/bin/deb-systemd-helper" ]; then
systemctl --system mask 'falco@.target' >/dev/null || true
systemctl --system mask 'falco-kmod.service' >/dev/null || true
systemctl --system mask 'falco-bpf.service' >/dev/null || true
systemctl --system mask 'falco-modern-bpf.service' >/dev/null || true
systemctl --system mask "falco-plugin.service" >/dev/null || true
fi
fi


@@ -22,14 +22,16 @@ set -e
# Currently running falco service uses the driver, so stop it before driver cleanup
if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
systemctl --system stop 'falco@kmod.target' >/dev/null || true
systemctl --system stop 'falco@bpf.target' >/dev/null || true
systemctl --system stop 'falco@modern-bpf.target' >/dev/null || true
systemctl --system stop 'falco@plugin.target' >/dev/null || true
echo "[POST-REMOVE] stop falco services:\n"
systemctl --system stop 'falco-kmod.service' || true
systemctl --system stop 'falco-bpf.service' || true
systemctl --system stop 'falco-modern-bpf.service' || true
systemctl --system stop 'falco-plugin.service' || true
fi
case "$1" in
remove|upgrade|deconfigure)
/usr/bin/falco-driver-loader --clean
echo "[POST-REMOVE] call falco-driver-loader --clean:\n"
falco-driver-loader --clean
;;
esac
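Review bot: L174 replaces `/usr/bin/falco-driver-loader --clean` with a bare `falco-driver-loader --clean` (the rpm preun does the same at L282), so a maintainer script running as root now resolves the tool that unloads the kernel module through whatever PATH the package manager provides instead of a fixed location. That is presumably fine because dpkg and rpm control the scriptlet environment, but it is a small hardening regression for the one command in this script that is neither `|| true`-guarded nor idempotent under `set -e`, and keeping `/usr/bin/falco-driver-loader --clean` costs nothing. Note that a non-zero exit from the loader still aborts the prerm and blocks the package removal; that was already the case before this commit and may be intended.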


@@ -18,8 +18,7 @@ set -e
chosen_driver=
case "$1" in
configure)
if [ $1 -eq 1 ]; then
if [ -x /usr/bin/dialog ]; then
# If dialog is installed, create a dialog to let users choose the correct driver for them
CHOICE=$(dialog --clear --backtitle "Choose your preferred driver" --title "Falco driver" --menu "Choose one of the following options:" 15 40 4 \
@@ -45,8 +44,7 @@ case "$1" in
;;
esac
fi
;;
esac
fi
# If needed, try to load/compile the driver through falco-driver-loader
case "$chosen_driver" in
@@ -65,34 +63,23 @@ esac
# systemd_post macro expands to
# if postinst:
# `systemd-update-helper install-system-units <service>`
%systemd_post "falco@$chosen_driver.target"
%systemd_post "falco-$chosen_driver.service"
# post install mirrored from .deb
if [ $1 -eq 1 ]; then
# This will only remove masks created on package removal.
/usr/bin/systemctl --system unmask "falco@.target" >/dev/null || true
/usr/bin/systemctl --system unmask "falco-kmod.service" >/dev/null || true
/usr/bin/systemctl --system unmask "falco-bpf.service" >/dev/null || true
/usr/bin/systemctl --system unmask "falco-modern-bpf.service" >/dev/null || true
/usr/bin/systemctl --system unmask "falco-plugin.service" >/dev/null || true
if [ -n "$chosen_driver" ]; then
# enable falco on installation
# note: DEB postinstall script checks for changed symlinks
/usr/bin/systemctl --system enable "falco@$chosen_driver.target" >/dev/null || true
# start falco on installation
/usr/bin/systemctl --system start "falco@$chosen_driver.target" >/dev/null || true
systemctl --system enable "falco-$chosen_driver.service" || true
systemctl --system start "falco-$chosen_driver.service" || true
fi
fi
# post upgrade mirrored from .deb
if [ $1 -gt 1 ]; then
if [ -d /run/systemd/system ]; then
/usr/bin/systemctl --system daemon-reload >/dev/null || true
systemctl --system daemon-reload || true
if [ -n "$chosen_driver" ]; then
# restart falco on upgrade if service is already running
/usr/bin/systemctl --system condrestart "falco@$chosen_driver.target" >/dev/null || true
# restart falco on upgrade if service is already running
systemctl --system condrestart "falco-$chosen_driver.service" || true
fi
fi
fi
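Review bot: L202 hands `falco-$chosen_driver.service` to `%systemd_post` even when `chosen_driver` is empty, which the guard at L211 shows is a reachable state, so the macro is expanded for a unit named `falco-.service`. Whether that is harmless depends on the distro's macro body, so the clean fix is to place the line under the same `if [ -n "$chosen_driver" ]` guard used for enable/start at L211-L218. The `if [ $1 -eq 1 ]` on L184 replaces a `case "$1" in configure)` that could not match in an rpm scriptlet, where `$1` is an install count, which is worth a one-line comment such as `# $1 is the number of installed package versions: 1 on first install, >1 on upgrade`. The `case "$chosen_driver"` opened at L196 closes outside the second hunk.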


@@ -17,24 +17,10 @@
set -e
# post uninstall mirrored from .deb
if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then
/usr/bin/systemctl --system daemon-reload >/dev/null || true
/usr/bin/systemctl --system mask 'falco@.target' >/dev/null || true
/usr/bin/systemctl --system mask 'falco-kmod.service' >/dev/null || true
/usr/bin/systemctl --system mask 'falco-bpf.service' >/dev/null || true
/usr/bin/systemctl --system mask 'falco-modern-bpf.service' >/dev/null || true
/usr/bin/systemctl --system mask 'falco-plugin.service' >/dev/null || true
if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
systemctl --system disable 'falco-kmod.service'|| true
systemctl --system disable 'falco-bpf.service' || true
systemctl --system disable 'falco-modern-bpf.service' || true
systemctl --system disable 'falco-plugin.service' || true
systemctl --system daemon-reload || true
fi
# validate rpm macros by `rpm -qp --scripts <rpm>`
# RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
# https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
# systemd_postun_with_restart macro expands to
# if package upgrade, not uninstall:
# `systemd-update-helper mark-restart-system-units <service>`
%systemd_postun_with_restart 'falco@kmod.target'
%systemd_postun_with_restart 'falco@bpf.target'
%systemd_postun_with_restart 'falco@modern-bpf.target'
%systemd_postun_with_restart 'falco@plugin.target'


@@ -19,14 +19,13 @@ set -e
# pre uninstall mirrored from .deb
# Currently running falco service uses the driver, so stop it before driver cleanup
if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
# stop falco service before uninstall
/usr/bin/systemctl --system stop 'falco@kmod.target' >/dev/null || true
/usr/bin/systemctl --system stop 'falco@bpf.target' >/dev/null || true
/usr/bin/systemctl --system stop 'falco@modern-bpf.target' >/dev/null || true
/usr/bin/systemctl --system stop 'falco@plugin.target' >/dev/null || true
systemctl --system stop 'falco-kmod.service' || true
systemctl --system stop 'falco-bpf.service' || true
systemctl --system stop 'falco-modern-bpf.service' || true
systemctl --system stop 'falco-plugin.service' || true
fi
/usr/bin/falco-driver-loader --clean
falco-driver-loader --clean
# validate rpm macros by `rpm -qp --scripts <rpm>`
# RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
@@ -35,7 +34,7 @@ fi
# systemd_preun macro expands to
# if preuninstall:
# `systemd-update-helper remove-system-units <service>`
%systemd_preun 'falco@kmod.target'
%systemd_preun 'falco@bpf.target'
%systemd_preun 'falco@modern-bpf.target'
%systemd_preun 'falco@plugin.target'
%systemd_preun 'falco-kmod.service'
%systemd_preun 'falco-bpf.service'
%systemd_preun 'falco-modern-bpf.service'
%systemd_preun 'falco-plugin.service'


@@ -1,7 +1,6 @@
[Unit]
Description=Falco: Container Native Runtime Security with ebpf
Documentation=https://falco.org/docs/
PartOf=falco@bpf.target
Conflicts=falco-kmod.service
Conflicts=falco-modern-bpf.service
Conflicts=falco-plugin.service
@@ -23,3 +22,6 @@ ProtectKernelTunables=true
RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET
StandardOutput=null
[Install]
WantedBy=multi-user.target
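Review bot: With `PartOf=falco@bpf.target` removed (L304, and likewise L321, L331, L349 and L366 in the other unit files of this commit) and each service carrying its own `[Install]`/`WantedBy=multi-user.target` (L312-L313), the only thing preventing two drivers from running together is the `Conflicts=` lines at L305-L307. `Conflicts=` is resolved at activation time, not at `enable` time, so an operator can enable both falco-kmod.service and falco-bpf.service without any error and the last one started at boot stops the other. That matches the postinst, which enables only the chosen driver, but a unit comment above the Conflicts lines such as `# Only one falco-*.service should be enabled; Conflicts= stops the others when this one starts` would make the intended single-driver invariant visible to anyone editing the units by hand.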


@@ -1,7 +1,6 @@
[Unit]
Description=Falco: Container Native Runtime Security with kmod, inject.
Documentation=https://falco.org/docs/
PartOf=falco@kmod.target
[Service]
Type=oneshot


@@ -3,7 +3,6 @@ Description=Falco: Container Native Runtime Security with kmod
Documentation=https://falco.org/docs/
After=falco-kmod-inject.service
Requires=falco-kmod-inject.service
PartOf=falco@kmod.target
Conflicts=falco-bpf.service
Conflicts=falco-modern-bpf.service
Conflicts=falco-plugin.service
@@ -25,3 +24,6 @@ ReadWritePaths=/sys/module/falco
RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET
StandardOutput=null
[Install]
WantedBy=multi-user.target


@@ -1,7 +1,6 @@
[Unit]
Description=Falco: Container Native Runtime Security with ebpf
Description=Falco: Container Native Runtime Security with modern ebpf
Documentation=https://falco.org/docs/
PartOf=falco@modern-bpf.target
Conflicts=falco-kmod.service
Conflicts=falco-bpf.service
Conflicts=falco-plugin.service
@@ -22,3 +21,6 @@ ProtectKernelTunables=true
RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET
StandardOutput=null
[Install]
WantedBy=multi-user.target


@@ -1,7 +1,6 @@
[Unit]
Description=Falco: Container Native Runtime Security with plugin
Documentation=https://falco.org/docs/
PartOf=falco@plugin.target
Conflicts=falco-kmod.service
Conflicts=falco-bpf.service
Conflicts=falco-modern-bpf.service
@@ -22,3 +21,6 @@ ProtectKernelTunables=true
RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET
StandardOutput=null
[Install]
WantedBy=multi-user.target


@@ -1,7 +0,0 @@
[Unit]
Description=Falco generic startup target [kmod,ebpf]
Requires=multi-user.target falco-%i.service
After=multi-user.target
[Install]
WantedBy=multi-user.target