diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5883441e..d3588eb4 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -27,6 +27,14 @@ if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux
 endif()
 endif()
 
+# Modern BPF is not supported on not Linux systems and in MINIMAL_BUILD
+if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
+ option(BUILD_FALCO_MODERN_BPF "Build modern BPF support for Falco" OFF)
+ if(BUILD_FALCO_MODERN_BPF)
+ add_definitions(-DHAS_MODERN_BPF)
+ endif()
+endif()
+
 # We shouldn't need to set this, see https://gitlab.kitware.com/cmake/cmake/-/issues/16419
 option(EP_UPDATE_DISCONNECTED "ExternalProject update disconnected" OFF)
 if (${EP_UPDATE_DISCONNECTED})
diff --git a/cmake/modules/falcosecurity-libs.cmake b/cmake/modules/falcosecurity-libs.cmake
index 0e51c3eb..79f7dcb8 100644
--- a/cmake/modules/falcosecurity-libs.cmake
+++ b/cmake/modules/falcosecurity-libs.cmake
@@ -60,6 +60,9 @@ set(LIBSINSP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
 # configure gVisor support
 set(BUILD_LIBSCAP_GVISOR ${BUILD_FALCO_GVISOR} CACHE BOOL "")
 
+# configure modern BPF support
+set(BUILD_LIBSCAP_MODERN_BPF ${BUILD_FALCO_MODERN_BPF} CACHE BOOL "")
+
 # explicitly disable the tests/examples of this dependency
 set(CREATE_TEST_TARGETS OFF CACHE BOOL "")
 set(BUILD_LIBSCAP_EXAMPLES OFF CACHE BOOL "")
diff --git a/userspace/falco/app_actions/open_inspector.cpp b/userspace/falco/app_actions/open_inspector.cpp
index 7ba5d5fc..98e97a56 100644
--- a/userspace/falco/app_actions/open_inspector.cpp
+++ b/userspace/falco/app_actions/open_inspector.cpp
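Review bot: `BUILD_FALCO_MODERN_BPF` is declared only inside the `if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)` branch, so a user who passes `-DBUILD_FALCO_MODERN_BPF=ON` on an unsupported configuration gets no diagnostic: `HAS_MODERN_BPF` is never defined for Falco, yet the cache value is still forwarded to `BUILD_LIBSCAP_MODERN_BPF` in the falcosecurity-libs.cmake hunk below, so libscap and Falco could disagree about whether the engine is built. An `else()` branch with `if(BUILD_FALCO_MODERN_BPF)` / `message(FATAL_ERROR "BUILD_FALCO_MODERN_BPF requires Linux and is not available with MINIMAL_BUILD")` / `endif()` would surface the mismatch at configure time instead of at link or run time. The comment above the block reads awkwardly; `# Modern BPF is not supported on non-Linux systems or in MINIMAL_BUILD` says the same thing more clearly.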
@@ -75,6 +75,11 @@ application::run_result application::open_live_inspector(
 falco_logger::log(LOG_INFO, "Enabled event collection from gVisor. Configuration path: " + m_options.gvisor_config);
 inspector->open_gvisor(m_options.gvisor_config, m_options.gvisor_root);
 }
+ else if(m_options.modern_bpf) /* modern BPF engine. */
+ {
+ falco_logger::log(LOG_INFO, "Starting capture with modern BPF probe.");
+ inspector->open_modern_bpf(DEFAULT_DRIVER_BUFFER_BYTES_DIM, m_state->ppm_sc_of_interest, m_state->tp_of_interest);
+ }
 else if(getenv(FALCO_BPF_ENV_VARIABLE) != NULL) /* BPF engine. */
 {
 const char *bpf_probe_path = std::getenv(FALCO_BPF_ENV_VARIABLE);
diff --git a/userspace/falco/app_cmdline_options.cpp b/userspace/falco/app_cmdline_options.cpp
index 99978f5d..99d9ab0b 100644
--- a/userspace/falco/app_cmdline_options.cpp
+++ b/userspace/falco/app_cmdline_options.cpp
@@ -168,6 +168,9 @@ void cmdline_options::define()
 ("g,gvisor-config", "Parse events from gVisor using the specified configuration file. A falco-compatible configuration file can be generated with --gvisor-generate-config and can be used for both runsc and Falco.", cxxopts::value(gvisor_config), "")
 ("gvisor-generate-config", "Generate a configuration file that can be used for gVisor.", cxxopts::value(gvisor_generate_config_with_socket)->implicit_value("/run/falco/gvisor.sock"), "")
 ("gvisor-root", "gVisor root directory for storage of container state. Equivalent to runsc --root flag.", cxxopts::value(gvisor_root), "")
+#endif
+#ifdef HAS_MODERN_BPF
+ ("modern-bpf", "[EXPERIMENTAL] Use BPF modern probe to capture system events.", cxxopts::value(modern_bpf)->default_value("false"))
 #endif
 ("i", "Print all events that are ignored by default (i.e. without the -A flag) and exit.", cxxopts::value(print_ignored_events)->default_value("false"))
 #ifndef MINIMAL_BUILD
diff --git a/userspace/falco/app_cmdline_options.h b/userspace/falco/app_cmdline_options.h
index 0af763bc..ac226c91 100644
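Review bot: `else if(m_options.modern_bpf)` is compiled unconditionally, while the `--modern-bpf` option that assigns the flag (app_cmdline_options.cpp hunk) exists only under `#ifdef HAS_MODERN_BPF`, and the `bool modern_bpf;` member added in app_cmdline_options.h carries no initializer; unless the cmdline_options constructor, which is not in this diff, zero-initializes it, a build without HAS_MODERN_BPF reads an indeterminate bool here and can enter the modern-BPF branch by accident, calling `open_modern_bpf` on a libscap that may have been built without that engine. The cheapest guard is `bool modern_bpf = false;` in the header, and wrapping this branch in `#ifdef HAS_MODERN_BPF` / `#endif` would keep it consistent with how the option is defined. open_live_inspector starts and ends outside the hunk.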
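Review bot: The help text for `--modern-bpf` does not say how the flag interacts with the other engine selectors, yet in open_inspector.cpp the new branch is evaluated before the `getenv(FALCO_BPF_ENV_VARIABLE)` check, so the flag silently wins over a BPF probe path configured through the environment. Stating the precedence in the option string avoids surprising operators, e.g. `"[EXPERIMENTAL] Use the modern BPF probe to capture system events. Takes precedence over the BPF probe selected through the environment variable."`. The help text says "BPF modern probe" while the log message in open_inspector.cpp says "modern BPF probe"; one spelling for both keeps logs and docs greppable. cmdline_options::define continues outside the hunk.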
--- a/userspace/falco/app_cmdline_options.h +++ b/userspace/falco/app_cmdline_options.h @@ -79,6 +79,7 @@ public: bool verbose; bool print_version_info; bool print_page_size; + bool modern_bpf; bool parse(int argc, char **argv, std::string &errstr);