diff --git a/cmake/cpack/CMakeCPackOptions.cmake b/cmake/cpack/CMakeCPackOptions.cmake
index aba0490b..d9750055 100644
--- a/cmake/cpack/CMakeCPackOptions.cmake
+++ b/cmake/cpack/CMakeCPackOptions.cmake
@@ -3,7 +3,8 @@ if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco@.target _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
- list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-ebpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern_bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-plugin.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
index b9bfabd7..91236e14 100644
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
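Review bot: The two added `list(APPEND CPACK_INSTALL_COMMANDS ...)` lines repeat a command string that now occurs six times with only the unit file name varying, so each new driver adds another ~200-character line that must be kept in step with scripts/CMakeLists.txt, whose file(COPY) hunk carries the same duplication. Computing the destination once and looping over the unit names keeps the list of shipped units in one place and makes the next addition a one-token change. This is a point of style only; the generated cp commands are identical.
```cmake
# … unchanged: if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM") …
set(falco_pkg_systemd_dir "_CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
foreach(unit IN ITEMS
    falco@.target
    falco-kmod.service
    falco-kmod-inject.service
    falco-bpf.service
    falco-modern_bpf.service
    falco-plugin.service)
  list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/${unit} ${falco_pkg_systemd_dir}")
endforeach()
# … unchanged: endif() …
```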
@@ -22,7 +22,9 @@ file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
 DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
 DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-ebpf.service"
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-bpf.service"
+ DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-modern_bpf.service"
 DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-plugin.service"
 DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
diff --git a/scripts/debian/postinst.in b/scripts/debian/postinst.in
index 30a92e83..baef3a43 100755
--- a/scripts/debian/postinst.in
+++ b/scripts/debian/postinst.in
@@ -27,7 +27,8 @@ case "$1" in
 1 "Don't start" \
 2 "Kmod" \
 3 "eBPF" \
- 4 "Plugin" \
+ 4 "Modern eBPF" \
+ 5 "Plugin" \
 2>&1 >/dev/tty)
 clear
 case $CHOICE in
@@ -35,9 +36,12 @@ case "$1" in
 chosen_driver="kmod"
 ;;
 3)
- chosen_driver="ebpf"
+ chosen_driver="bpf"
 ;;
 4)
+ chosen_driver="modern_bpf"
+ ;;
+ 5)
 chosen_driver="plugin"
 ;;
 esac
@@ -50,7 +54,7 @@ case "$chosen_driver" in
 "kmod")
 falco-driver-loader module
 ;;
- "ebpf")
+ "bpf")
 falco-driver-loader bpf
 ;;
 esac
@@ -61,7 +65,8 @@ esac
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
 # This will only remove masks created by d-s-h on package removal.
 deb-systemd-helper unmask "falco@kmod.target" >/dev/null || true
- deb-systemd-helper unmask "falco@ebpf.target" >/dev/null || true
+ deb-systemd-helper unmask "falco@bpf.target" >/dev/null || true
+ deb-systemd-helper unmask "falco@modern_bpf.target" >/dev/null || true
 deb-systemd-helper unmask "falco@plugin.target" >/dev/null || true
 # was-enabled defaults to true, so new installations run enable.
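Review bot: The `case "$chosen_driver"` dispatch in the `@@ -50,7 +54,7 @@` hunk only renames the ebpf arm and gains no `modern_bpf` arm, although the menu hunks above make modern_bpf a selectable choice, so nothing in the script tells a reader whether skipping `falco-driver-loader` for it is deliberate. If, as I assume, the modern probe ships inside the falco binary and has nothing to load, record that at the dispatch with a comment before `esac`, e.g. `# modern_bpf and plugin need no driver, so there is no loader step here`. The same omission is in the matching `@@ -49,7 +53,7 @@` hunk of scripts/rpm/postinstall.in. The enclosing case statement opens outside the hunk.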
diff --git a/scripts/debian/postrm.in b/scripts/debian/postrm.in
index 170ea927..6557fa33 100755
--- a/scripts/debian/postrm.in
+++ b/scripts/debian/postrm.in
@@ -28,7 +28,8 @@ fi
 if [ "$1" = "remove" ]; then
 if [ -x "/usr/bin/deb-systemd-helper" ]; then
 deb-systemd-helper mask 'falco@kmod.target' >/dev/null || true
- deb-systemd-helper mask 'falco@ebpf.target' >/dev/null || true
+ deb-systemd-helper mask 'falco@bpf.target' >/dev/null || true
+ deb-systemd-helper mask 'falco@modern_bpf.target' >/dev/null || true
 deb-systemd-helper mask "falco@plugin.target" >/dev/null || true
 fi
 fi
@@ -37,8 +38,10 @@ if [ "$1" = "purge" ]; then
 if [ -x "/usr/bin/deb-systemd-helper" ]; then
 deb-systemd-helper purge 'falco@kmod.target' >/dev/null || true
 deb-systemd-helper unmask 'falco@kmod.target' >/dev/null || true
- deb-systemd-helper purge 'falco@ebpf.target' >/dev/null || true
- deb-systemd-helper unmask 'falco@ebpf.target' >/dev/null || true
+ deb-systemd-helper purge 'falco@bpf.target' >/dev/null || true
+ deb-systemd-helper unmask 'falco@bpf.target' >/dev/null || true
+ deb-systemd-helper purge 'falco@modern_bpf.target' >/dev/null || true
+ deb-systemd-helper unmask 'falco@modern_bpf.target' >/dev/null || true
 deb-systemd-helper purge 'falco@plugin.target' >/dev/null || true
 deb-systemd-helper unmask 'falco@plugin.target' >/dev/null || true
 fi
diff --git a/scripts/debian/prerm.in b/scripts/debian/prerm.in
index a86c966c..aa4ee4ac 100755
--- a/scripts/debian/prerm.in
+++ b/scripts/debian/prerm.in
@@ -23,7 +23,8 @@ set -e
 if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
 deb-systemd-invoke stop 'falco@kmod.target' >/dev/null || true
- deb-systemd-invoke stop 'falco@ebpf.target' >/dev/null || true
+ deb-systemd-invoke stop 'falco@bpf.target' >/dev/null || true
+ deb-systemd-invoke stop 'falco@modern_bpf.target' >/dev/null || true
 deb-systemd-invoke stop 'falco@plugin.target' >/dev/null || true
 fi
diff --git a/scripts/rpm/postinstall.in b/scripts/rpm/postinstall.in
index 5f89485f..17d80fd9 100755
--- a/scripts/rpm/postinstall.in
+++ b/scripts/rpm/postinstall.in
@@ -26,7 +26,8 @@ case "$1" in
 1 "Don't start" \
 2 "Kmod" \
 3 "eBPF" \
- 4 "Plugin" \
+ 4 "Modern eBPF" \
+ 5 "Plugin" \
 2>&1 >/dev/tty)
 clear
 case $CHOICE in
@@ -34,9 +35,12 @@ case "$1" in
 chosen_driver="kmod"
 ;;
 3)
- chosen_driver="ebpf"
+ chosen_driver="bpf"
 ;;
 4)
+ chosen_driver="modern_bpf"
+ ;;
+ 5)
 chosen_driver="plugin"
 ;;
 esac
@@ -49,7 +53,7 @@ case "$chosen_driver" in
 "kmod")
 falco-driver-loader module
 ;;
- "ebpf")
+ "bpf")
 falco-driver-loader bpf
 ;;
 esac
@@ -67,7 +71,8 @@ esac
 if [ $1 -eq 1 ]; then
 # This will only remove masks created on package removal.
 /usr/bin/systemctl --system unmask "falco@kmod.target" >/dev/null || true
- /usr/bin/systemctl --system unmask "falco@ebpf.target" >/dev/null || true
+ /usr/bin/systemctl --system unmask "falco@bpf.target" >/dev/null || true
+ /usr/bin/systemctl --system unmask "falco@modern_bpf.target" >/dev/null || true
 /usr/bin/systemctl --system unmask "falco@plugin.target" >/dev/null || true
 if [ -n "$chosen_driver" ]; then
diff --git a/scripts/rpm/postuninstall.in b/scripts/rpm/postuninstall.in
index 9b8cae9c..cbd19ab4 100755
--- a/scripts/rpm/postuninstall.in
+++ b/scripts/rpm/postuninstall.in
@@ -21,7 +21,8 @@ set -e
 if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then
 /usr/bin/systemctl --system daemon-reload >/dev/null || true
 /usr/bin/systemctl --system mask 'falco@kmod.target' >/dev/null || true
- /usr/bin/systemctl --system mask 'falco@ebpf.target' >/dev/null || true
+ /usr/bin/systemctl --system mask 'falco@bpf.target' >/dev/null || true
+ /usr/bin/systemctl --system mask 'falco@modern_bpf.target' >/dev/null || true
 /usr/bin/systemctl --system mask 'falco@plugin.target' >/dev/null || true
 fi
@@ -33,5 +34,6 @@ fi
 # if package upgrade, not uninstall:
 # `systemd-update-helper mark-restart-system-units `
 %systemd_postun_with_restart 'falco@kmod.target'
-%systemd_postun_with_restart 'falco@ebpf.target'
+%systemd_postun_with_restart 'falco@bpf.target'
+%systemd_postun_with_restart 'falco@modern_bpf.target'
 %systemd_postun_with_restart 'falco@plugin.target'
diff --git a/scripts/rpm/preuninstall.in b/scripts/rpm/preuninstall.in
index 8cc4a66d..0ee76e89 100755
--- a/scripts/rpm/preuninstall.in
+++ b/scripts/rpm/preuninstall.in
@@ -21,7 +21,8 @@ set -e
 if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
 # stop falco service before uninstall
 /usr/bin/systemctl --system stop 'falco@kmod.target' >/dev/null || true
- /usr/bin/systemctl --system stop 'falco@ebpf.target' >/dev/null || true
+ /usr/bin/systemctl --system stop 'falco@bpf.target' >/dev/null || true
+ /usr/bin/systemctl --system stop 'falco@modern_bpf.target' >/dev/null || true
 /usr/bin/systemctl --system stop 'falco@plugin.target' >/dev/null || true
 fi
@@ -35,5 +36,6 @@ fi
 # if preuninstall:
 # `systemd-update-helper remove-system-units `
 %systemd_preun 'falco@kmod.target'
-%systemd_preun 'falco@ebpf.target'
+%systemd_preun 'falco@bpf.target'
+%systemd_preun 'falco@modern_bpf.target'
 %systemd_preun 'falco@plugin.target'
diff --git a/scripts/systemd/falco-ebpf.service b/scripts/systemd/falco-bpf.service
similarity index 100%
rename from scripts/systemd/falco-ebpf.service
rename to scripts/systemd/falco-bpf.service
diff --git a/scripts/systemd/falco-modern_bpf.service b/scripts/systemd/falco-modern_bpf.service
new file mode 100644
index 00000000..e7258a64
--- /dev/null
+++ b/scripts/systemd/falco-modern_bpf.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Falco: Container Native Runtime Security with ebpf
+Documentation=https://falco.org/docs/
+PartOf=falco@ebpf.target
+Conflicts=falco-kmod.service
+Conflicts=falco-plugin.service
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid --modern-bpf
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+ProtectHome=read-only
+ProtectSystem=full
+ProtectKernelTunables=true
+RestrictRealtime=true
+RestrictAddressFamilies=~AF_PACKET
+StandardOutput=null
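Review bot: `PartOf=falco@ebpf.target` in the new unit names a target instance that no packaging script in this change starts, stops, masks or unmasks any more — they all act on `falco@bpf.target` and `falco@modern_bpf.target` — so the `stop 'falco@modern_bpf.target'` issued by prerm and preuninstall would not propagate to falco-modern_bpf.service unless the `falco@.target` template (not in this diff) propagates stops some other way. The unit also declares no conflict with the legacy probe unit, so both eBPF drivers could be started side by side, and the Description still says plain ebpf. I would change the [Unit] section to `Description=Falco: Container Native Runtime Security with modern ebpf`, `PartOf=falco@modern_bpf.target`, and add `Conflicts=falco-bpf.service`. Because falco-ebpf.service was renamed to falco-bpf.service at 100% similarity, its content is unchanged; if it carries the same `PartOf=falco@ebpf.target` line it needs the matching update to `falco@bpf.target`.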