From a87d05b239bd7842f35c348a03727f29a87d3ab7 Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Fri, 11 Nov 2022 11:49:45 +0000
Subject: [PATCH] temp
Signed-off-by: Andrea Terzolo
---
cmake/cpack/CMakeCPackOptions.cmake | 3 +-
cmake/modules/driver.cmake | 4 +--
.../falcosecurity-libs-repo/CMakeLists.txt | 2 +-
cmake/modules/falcosecurity-libs.cmake | 4 +--
scripts/CMakeLists.txt | 2 --
scripts/debian/postinst.in | 31 +++++++------------
scripts/debian/postrm.in | 18 +++++------
scripts/debian/prerm.in | 12 ++++---
scripts/rpm/postinstall.in | 29 +++++------------
scripts/rpm/postuninstall.in | 26 ++++------------
scripts/rpm/preuninstall.in | 19 ++++++------
scripts/systemd/falco-bpf.service | 4 ++-
scripts/systemd/falco-kmod-inject.service | 1 -
scripts/systemd/falco-kmod.service | 4 ++-
scripts/systemd/falco-modern-bpf.service | 6 ++--
scripts/systemd/falco-plugin.service | 4 ++-
scripts/systemd/falco@.target | 7 -----
17 files changed, 68 insertions(+), 108 deletions(-)
delete mode 100644 scripts/systemd/falco@.target
diff --git a/cmake/cpack/CMakeCPackOptions.cmake b/cmake/cpack/CMakeCPackOptions.cmake
index 248795de..f15afdde 100644
--- a/cmake/cpack/CMakeCPackOptions.cmake
+++ b/cmake/cpack/CMakeCPackOptions.cmake
@@ -1,8 +1,7 @@ if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM") list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") - list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco@.target _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") - list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") + list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-plugin.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") diff --git a/cmake/modules/driver.cmake b/cmake/modules/driver.cmake index 654242cc..2cb8a306 100644 --- a/cmake/modules/driver.cmake +++ b/cmake/modules/driver.cmake 
@@ -26,8 +26,8 @@ else() # In case you want to test against another driver version (or branch, or commit) just pass the variable - # ie., `cmake -DDRIVER_VERSION=dev ..` if(NOT DRIVER_VERSION) - set(DRIVER_VERSION "3.0.1+driver") - set(DRIVER_CHECKSUM "SHA256=f50003043c804aa21990560de02db42e203ee09d050112a4a5dd2b05f22a8a6c") + set(DRIVER_VERSION "bb9702d5d3d3358804b1d483e7648dc55a2b7826") + set(DRIVER_CHECKSUM "SHA256=447aa085ccedcd649e91f68aefff13d4ca2a9ddc0faa5c4e30dd76d45ae47267") endif() # cd /path/to/build && cmake /path/to/source diff --git a/cmake/modules/falcosecurity-libs-repo/CMakeLists.txt b/cmake/modules/falcosecurity-libs-repo/CMakeLists.txt index 692b8f0c..0415ddb4 100644 --- a/cmake/modules/falcosecurity-libs-repo/CMakeLists.txt +++ b/cmake/modules/falcosecurity-libs-repo/CMakeLists.txt @@ -19,7 +19,7 @@ message(STATUS "Libs version: ${FALCOSECURITY_LIBS_VERSION}") ExternalProject_Add( falcosecurity-libs - URL "https://github.com/falcosecurity/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz" + URL "https://github.com/Andreagit97/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz" URL_HASH "${FALCOSECURITY_LIBS_CHECKSUM}" CONFIGURE_COMMAND "" BUILD_COMMAND "" diff --git a/cmake/modules/falcosecurity-libs.cmake b/cmake/modules/falcosecurity-libs.cmake index 167d6f95..259f915d 100644 --- a/cmake/modules/falcosecurity-libs.cmake +++ b/cmake/modules/falcosecurity-libs.cmake 
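Review bot: The default `DRIVER_VERSION` is now a bare commit id instead of a release tag, and nothing next to the `set()` says which repository that commit lives in or that it is a temporary pin. The same id and the same SHA256 become the libs defaults in cmake/modules/falcosecurity-libs.cmake, so both defaults appear to resolve to one archive. A comment above the two `set()` lines, for example `# TEMP: unreleased commit used for testing; restore a tagged release and its checksum before merging`, would keep the pin from shipping unnoticed. The download URL for the driver is not part of this hunk, and the `if(NOT DRIVER_VERSION)` block sits inside an `else()` that starts outside it.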
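Review bot: The `URL` argument now fetches the libs archive from a personal fork (`github.com/Andreagit97/libs`) instead of the `falcosecurity` organisation, which moves the trust anchor for every build of this tree to an account outside the project's review and release process. `URL_HASH` still pins the bytes, but the hash was chosen together with the fork commit, so it gives integrity and not provenance. The commit is titled `temp`, so this looks like a work-in-progress pointer. Before merge the line should return to `URL "https://github.com/falcosecurity/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"`, or the repository owner should become a cache variable that defaults to `falcosecurity`. The `ExternalProject_Add` call continues past the end of the hunk.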
@@ -27,8 +27,8 @@ else() # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable - # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` if(NOT FALCOSECURITY_LIBS_VERSION) - set(FALCOSECURITY_LIBS_VERSION "0.9.0") - set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=5319a1b6a72eba3d9524cf084be5fc2ed81e3e90b3bee8edbe58b8646af0cbcb") + set(FALCOSECURITY_LIBS_VERSION "bb9702d5d3d3358804b1d483e7648dc55a2b7826") + set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=447aa085ccedcd649e91f68aefff13d4ca2a9ddc0faa5c4e30dd76d45ae47267") endif() # cd /path/to/build && cmake /path/to/source diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt index 82959fac..e1330401 100644 --- a/scripts/CMakeLists.txt +++ b/scripts/CMakeLists.txt @@ -16,8 +16,6 @@ # # Systemd -file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco@.target" - DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd") file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service" DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd") file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service" diff --git a/scripts/debian/postinst.in b/scripts/debian/postinst.in index 36340cbc..35c9256b 100755 --- a/scripts/debian/postinst.in +++ b/scripts/debian/postinst.in @@ -19,8 +19,7 @@ set -e chosen_driver= -case "$1" in - configure) +if [ "$1" = "configure" ]; then if [ -x /usr/bin/dialog ]; then # If dialog is installed, create a dialog to let users choose the correct driver for them CHOICE=$(dialog --clear --backtitle "Choose your preferred driver" --title "Falco driver" --menu "Choose one of the following options:" 15 40 4 \ 
@@ -46,43 +45,37 @@ case "$1" in ;; esac fi - ;; -esac +fi # If needed, try to load/compile the driver through falco-driver-loader case "$chosen_driver" in "kmod") + echo "[POST-INSTALL] Call falco-driver-loader module:\n" falco-driver-loader module ;; "bpf") + echo "[POST-INSTALL] Call falco-driver-loader bpf:\n" falco-driver-loader bpf ;; esac -# Based off what debhelper dh_systemd_enable/13.3.4 would have added -# ref: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#debhelper - if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then - # This will only remove masks created by d-s-h on package removal. - systemctl --system unmask "falco@.target" >/dev/null || true - systemctl --system unmask "falco-kmod.service" >/dev/null || true - systemctl --system unmask "falco-bpf.service" >/dev/null || true - systemctl --system unmask "falco-modern-bpf.service" >/dev/null || true - systemctl --system unmask "falco-plugin.service" >/dev/null || true - - # was-enabled defaults to true, so new installations run enable. 
if [ -n "$chosen_driver" ]; then - systemctl --system enable "falco@$chosen_driver.target" >/dev/null || true - systemctl --system start "falco@$chosen_driver.target" >/dev/null || true + echo "[POST-INSTALL] enable falco-$chosen_driver.service:\n" + systemctl --system enable "falco-$chosen_driver.service" || true + echo "[POST-INSTALL] start falco-$chosen_driver.service:\n" + systemctl --system start "falco-$chosen_driver.service" || true fi fi if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then if [ -d /run/systemd/system ]; then - systemctl --system daemon-reload >/dev/null || true + echo "[POST-INSTALL] trigger deamon-reload:\n" + systemctl --system daemon-reload || true if [ -n "$chosen_driver" ]; then + echo "[POST-INSTALL] trigger condrestart:\n" # restart falco on upgrade if service is already running - /usr/bin/systemctl --system condrestart "falco@$chosen_driver.target" >/dev/null || true + systemctl --system condrestart "falco-$chosen_driver.service" || true fi fi fi diff --git a/scripts/debian/postrm.in b/scripts/debian/postrm.in index 1cc00ad5..863e61b8 100755 --- a/scripts/debian/postrm.in +++ b/scripts/debian/postrm.in 
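Review bot: The `unmask` calls are removed while `enable` and `start` keep `|| true`, so a unit that is still masked stays disabled and stopped, and the install reports success. The postrm being replaced in this same commit masked these four services on `remove`, so a host that removed the old package and then installs this one would hit exactly that case. For a runtime-security sensor a silent non-start is the failure to avoid: keep `systemctl --system unmask "falco-$chosen_driver.service" || true` ahead of the `enable`, and print a warning when `start` fails rather than discarding the status. The new messages use `echo "...\n"`, whose output differs between shells; `printf '%s\n' "..."` is portable, and `deamon-reload` (here and in postrm.in) should read `daemon-reload`.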
@@ -22,15 +22,11 @@ set -e if [ -d /run/systemd/system ] && [ "$1" = remove ]; then - systemctl --system daemon-reload >/dev/null || true + echo "[POST-REMOVE] disable falco services:\n" + systemctl --system disable 'falco-kmod.service' || true + systemctl --system disable 'falco-bpf.service' || true + systemctl --system disable 'falco-modern-bpf.service' || true + systemctl --system disable 'falco-plugin.service' || true + echo "[POST-REMOVE] trigger deamon-reload:\n" + systemctl --system daemon-reload || true fi - -if [ "$1" = "remove" ]; then - if [ -x "/usr/bin/deb-systemd-helper" ]; then - systemctl --system mask 'falco@.target' >/dev/null || true - systemctl --system mask 'falco-kmod.service' >/dev/null || true - systemctl --system mask 'falco-bpf.service' >/dev/null || true - systemctl --system mask 'falco-modern-bpf.service' >/dev/null || true - systemctl --system mask "falco-plugin.service" >/dev/null || true - fi -fi \ No newline at end of file diff --git a/scripts/debian/prerm.in b/scripts/debian/prerm.in index 2ca0b533..74a2a1ae 100755 --- a/scripts/debian/prerm.in +++ b/scripts/debian/prerm.in 
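Review bot: The four `systemctl --system disable` calls run in postrm, which dpkg invokes after the package's files have been removed, including the unit files this package installs under /usr/lib/systemd/system. Depending on the systemd version, disabling a unit whose file no longer exists may fail, and `|| true` hides that, which would leave a dangling `multi-user.target.wants` symlink. Moving the `disable` calls into prerm next to the `stop` calls removes the dependency on that behaviour. scripts/rpm/postuninstall.in has the same ordering in its `$1 -eq 0` branch.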
@@ -22,14 +22,16 @@ set -e # Currently running falco service uses the driver, so stop it before driver cleanup if [ -d /run/systemd/system ] && [ "$1" = remove ]; then - systemctl --system stop 'falco@kmod.target' >/dev/null || true - systemctl --system stop 'falco@bpf.target' >/dev/null || true - systemctl --system stop 'falco@modern-bpf.target' >/dev/null || true - systemctl --system stop 'falco@plugin.target' >/dev/null || true + echo "[POST-REMOVE] stop falco services:\n" + systemctl --system stop 'falco-kmod.service' || true + systemctl --system stop 'falco-bpf.service' || true + systemctl --system stop 'falco-modern-bpf.service' || true + systemctl --system stop 'falco-plugin.service' || true fi case "$1" in remove|upgrade|deconfigure) - /usr/bin/falco-driver-loader --clean + echo "[POST-REMOVE] call falco-driver-loader --clean:\n" + falco-driver-loader --clean ;; esac diff --git a/scripts/rpm/postinstall.in b/scripts/rpm/postinstall.in index 2b3d1c93..a29ccc50 100755 --- a/scripts/rpm/postinstall.in +++ b/scripts/rpm/postinstall.in @@ -18,8 +18,7 @@ set -e chosen_driver= -case "$1" in - configure) +if [ $1 -eq 1 ]; then if [ -x /usr/bin/dialog ]; then # If dialog is installed, create a dialog to let users choose the correct driver for them CHOICE=$(dialog --clear --backtitle "Choose your preferred driver" --title "Falco driver" --menu "Choose one of the following options:" 15 40 4 \ @@ -45,8 +44,7 @@ case "$1" in ;; esac fi - ;; -esac +fi # If needed, try to load/compile the driver through falco-driver-loader case "$chosen_driver" in 
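Review bot: Both new messages in prerm carry the tag `[POST-REMOVE]`, the same tag postrm uses, so the package log cannot show which maintainer script stopped the services or ran the driver cleanup. Use a distinct tag here, for example `echo "[PRE-REMOVE] stop falco services:"` and `echo "[PRE-REMOVE] call falco-driver-loader --clean:"`. `falco-driver-loader --clean` still runs under `set -e` with no fallback, so a failing cleanup aborts `remove`, `upgrade` and `deconfigure`; if that is intended, a one-line comment saying so would help the next maintainer.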
@@ -65,34 +63,23 @@ esac # systemd_post macro expands to # if postinst: # `systemd-update-helper install-system-units ` -%systemd_post "falco@$chosen_driver.target" +%systemd_post "falco-$chosen_driver.service" # post install mirrored from .deb if [ $1 -eq 1 ]; then - # This will only remove masks created on package removal. - /usr/bin/systemctl --system unmask "falco@.target" >/dev/null || true - /usr/bin/systemctl --system unmask "falco-kmod.service" >/dev/null || true - /usr/bin/systemctl --system unmask "falco-bpf.service" >/dev/null || true - /usr/bin/systemctl --system unmask "falco-modern-bpf.service" >/dev/null || true - /usr/bin/systemctl --system unmask "falco-plugin.service" >/dev/null || true - if [ -n "$chosen_driver" ]; then - # enable falco on installation - # note: DEB postinstall script checks for changed symlinks - /usr/bin/systemctl --system enable "falco@$chosen_driver.target" >/dev/null || true - - # start falco on installation - /usr/bin/systemctl --system start "falco@$chosen_driver.target" >/dev/null || true + systemctl --system enable "falco-$chosen_driver.service" || true + systemctl --system start "falco-$chosen_driver.service" || true fi fi # post upgrade mirrored from .deb if [ $1 -gt 1 ]; then if [ -d /run/systemd/system ]; then - /usr/bin/systemctl --system daemon-reload >/dev/null || true + systemctl --system daemon-reload || true if [ -n "$chosen_driver" ]; then - # restart falco on upgrade if service is already running - /usr/bin/systemctl --system condrestart "falco@$chosen_driver.target" >/dev/null || true + # restart falco on upgrade if service is already running + systemctl --system condrestart "falco-$chosen_driver.service" || true fi fi fi diff --git a/scripts/rpm/postuninstall.in b/scripts/rpm/postuninstall.in index a1489f43..32fc970e 100755 --- a/scripts/rpm/postuninstall.in +++ b/scripts/rpm/postuninstall.in 
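Review bot: In the `$1 -gt 1` (upgrade) branch the `condrestart` is guarded by `[ -n "$chosen_driver" ]`, but as far as the hunks show `chosen_driver` is only assigned inside the `$1 -eq 1` block, so on upgrade the guard is always false and a running Falco keeps executing the old binary. postuninstall.in drops `%systemd_postun_with_restart` in the same commit, so nothing else restarts it. `condrestart` only acts on units that are already running, so it can be issued for all four: `for d in kmod bpf modern-bpf plugin; do systemctl --system condrestart "falco-$d.service" || true; done`. With an empty `chosen_driver`, `%systemd_post "falco-$chosen_driver.service"` also receives `falco-.service`, which is not a unit this package ships.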
@@ -17,24 +17,10 @@ set -e -# post uninstall mirrored from .deb -if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then - /usr/bin/systemctl --system daemon-reload >/dev/null || true - /usr/bin/systemctl --system mask 'falco@.target' >/dev/null || true - /usr/bin/systemctl --system mask 'falco-kmod.service' >/dev/null || true - /usr/bin/systemctl --system mask 'falco-bpf.service' >/dev/null || true - /usr/bin/systemctl --system mask 'falco-modern-bpf.service' >/dev/null || true - /usr/bin/systemctl --system mask 'falco-plugin.service' >/dev/null || true +if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then + systemctl --system disable 'falco-kmod.service'|| true + systemctl --system disable 'falco-bpf.service' || true + systemctl --system disable 'falco-modern-bpf.service' || true + systemctl --system disable 'falco-plugin.service' || true + systemctl --system daemon-reload || true fi - -# validate rpm macros by `rpm -qp --scripts ` -# RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd -# https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax - -# systemd_postun_with_restart macro expands to -# if package upgrade, not uninstall: -# `systemd-update-helper mark-restart-system-units ` -%systemd_postun_with_restart 'falco@kmod.target' -%systemd_postun_with_restart 'falco@bpf.target' -%systemd_postun_with_restart 'falco@modern-bpf.target' -%systemd_postun_with_restart 'falco@plugin.target' diff --git a/scripts/rpm/preuninstall.in b/scripts/rpm/preuninstall.in index e2e703ea..ac8343e7 100755 --- a/scripts/rpm/preuninstall.in +++ b/scripts/rpm/preuninstall.in 
@@ -19,14 +19,13 @@ set -e # pre uninstall mirrored from .deb # Currently running falco service uses the driver, so stop it before driver cleanup if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then - # stop falco service before uninstall - /usr/bin/systemctl --system stop 'falco@kmod.target' >/dev/null || true - /usr/bin/systemctl --system stop 'falco@bpf.target' >/dev/null || true - /usr/bin/systemctl --system stop 'falco@modern-bpf.target' >/dev/null || true - /usr/bin/systemctl --system stop 'falco@plugin.target' >/dev/null || true + systemctl --system stop 'falco-kmod.service' || true + systemctl --system stop 'falco-bpf.service' || true + systemctl --system stop 'falco-modern-bpf.service' || true + systemctl --system stop 'falco-plugin.service' || true fi -/usr/bin/falco-driver-loader --clean +falco-driver-loader --clean # validate rpm macros by `rpm -qp --scripts ` # RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd @@ -35,7 +34,7 @@ fi # systemd_preun macro expands to # if preuninstall: # `systemd-update-helper remove-system-units ` -%systemd_preun 'falco@kmod.target' -%systemd_preun 'falco@bpf.target' -%systemd_preun 'falco@modern-bpf.target' -%systemd_preun 'falco@plugin.target' +%systemd_preun 'falco-kmod.service' +%systemd_preun 'falco-bpf.service' +%systemd_preun 'falco-modern-bpf.service' +%systemd_preun 'falco-plugin.service' diff --git a/scripts/systemd/falco-bpf.service b/scripts/systemd/falco-bpf.service index 322316c2..de8c57e6 100644 --- a/scripts/systemd/falco-bpf.service +++ b/scripts/systemd/falco-bpf.service @@ -1,7 +1,6 @@ [Unit] Description=Falco: Container Native Runtime Security with ebpf Documentation=https://falco.org/docs/ -PartOf=falco@bpf.target Conflicts=falco-kmod.service Conflicts=falco-modern-bpf.service Conflicts=falco-plugin.service 
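Review bot: `falco-driver-loader --clean` sits after the `fi`, outside the `$1 -eq 0` guard, so it also runs when the scriptlet is called during an upgrade, and rpm runs the outgoing package's preuninstall after the incoming package's postinstall. If `--clean` removes the driver that postinstall just built or loaded (its behaviour is not visible here), an upgraded host ends up without a driver while the package looks healthy. Guard it with `if [ "$1" -eq 0 ]; then falco-driver-loader --clean; fi`, or add a comment explaining why cleanup on upgrade is wanted. The call also lost its `/usr/bin/` prefix, so in this root-run scriptlet it now resolves through whatever `PATH` rpm was invoked with.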
@@ -23,3 +22,6 @@ ProtectKernelTunables=true RestrictRealtime=true RestrictAddressFamilies=~AF_PACKET StandardOutput=null + +[Install] +WantedBy=multi-user.target diff --git a/scripts/systemd/falco-kmod-inject.service b/scripts/systemd/falco-kmod-inject.service index d2293d99..579ee3bf 100644 --- a/scripts/systemd/falco-kmod-inject.service +++ b/scripts/systemd/falco-kmod-inject.service @@ -1,7 +1,6 @@ [Unit] Description=Falco: Container Native Runtime Security with kmod, inject. Documentation=https://falco.org/docs/ -PartOf=falco@kmod.target [Service] Type=oneshot diff --git a/scripts/systemd/falco-kmod.service b/scripts/systemd/falco-kmod.service index 33cf9786..f6251638 100644 --- a/scripts/systemd/falco-kmod.service +++ b/scripts/systemd/falco-kmod.service @@ -3,7 +3,6 @@ Description=Falco: Container Native Runtime Security with kmod Documentation=https://falco.org/docs/ After=falco-kmod-inject.service Requires=falco-kmod-inject.service -PartOf=falco@kmod.target Conflicts=falco-bpf.service Conflicts=falco-modern-bpf.service Conflicts=falco-plugin.service @@ -25,3 +24,6 @@ ReadWritePaths=/sys/module/falco RestrictRealtime=true RestrictAddressFamilies=~AF_PACKET StandardOutput=null + +[Install] +WantedBy=multi-user.target diff --git a/scripts/systemd/falco-modern-bpf.service b/scripts/systemd/falco-modern-bpf.service index 3e68e8c7..9b682500 100644 --- a/scripts/systemd/falco-modern-bpf.service +++ b/scripts/systemd/falco-modern-bpf.service @@ -1,7 +1,6 @@ [Unit] -Description=Falco: Container Native Runtime Security with ebpf +Description=Falco: Container Native Runtime Security with modern ebpf Documentation=https://falco.org/docs/ -PartOf=falco@modern-bpf.target Conflicts=falco-kmod.service Conflicts=falco-bpf.service Conflicts=falco-plugin.service @@ -22,3 +21,6 @@ ProtectKernelTunables=true RestrictRealtime=true RestrictAddressFamilies=~AF_PACKET StandardOutput=null + +[Install] +WantedBy=multi-user.target 
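Review bot: Each service gains its own `[Install]` section with `WantedBy=multi-user.target` (falco-bpf here; falco-kmod, falco-modern-bpf and falco-plugin in the following sections), while the units declare `Conflicts=` on one another, so nothing prevents two of them from being enabled at once. At boot systemd would then have to drop one of the conflicting start jobs, and which sensor ends up running is not obvious. The removed `falco@.target` was the single enable point. Adding the same `Alias=falco.service` to every `[Install]` section would make a second `enable` collide on the alias symlink; failing that, a comment in each unit should state that only one of the four may be enabled. The unit body above `[Install]` lies outside this hunk.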
diff --git a/scripts/systemd/falco-plugin.service b/scripts/systemd/falco-plugin.service index be6925e3..84befe71 100644 --- a/scripts/systemd/falco-plugin.service +++ b/scripts/systemd/falco-plugin.service @@ -1,7 +1,6 @@ [Unit] Description=Falco: Container Native Runtime Security with plugin Documentation=https://falco.org/docs/ -PartOf=falco@plugin.target Conflicts=falco-kmod.service Conflicts=falco-bpf.service Conflicts=falco-modern-bpf.service @@ -22,3 +21,6 @@ ProtectKernelTunables=true RestrictRealtime=true RestrictAddressFamilies=~AF_PACKET StandardOutput=null + +[Install] +WantedBy=multi-user.target diff --git a/scripts/systemd/falco@.target b/scripts/systemd/falco@.target deleted file mode 100644 index 3178ec16..00000000 --- a/scripts/systemd/falco@.target +++ /dev/null @@ -1,7 +0,0 @@ -[Unit] -Description=Falco generic startup target [kmod,ebpf] -Requires=multi-user.target falco-%i.service -After=multi-user.target - -[Install] -WantedBy=multi-user.target