new(cmdline): add support for modern BPF probe

Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
2025-08-16 05:13:50 +00:00 · 2022-09-24 13:48:58 +00:00 · 2022-09-24 13:48:58 +00:00 · fd097e94d7
commit fd097e94d7
parent 6634c896b7
5 changed files with 20 additions and 0 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -27,6 +27,14 @@ if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux
  endif()
 endif()
 # Modern BPF is not supported on not Linux systems and in MINIMAL_BUILD
 if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
  option(BUILD_FALCO_MODERN_BPF "Build modern BPF support for Falco" OFF)
  if(BUILD_FALCO_MODERN_BPF)
    add_definitions(-DHAS_MODERN_BPF)
  endif()
 endif()
 # We shouldn't need to set this, see https://gitlab.kitware.com/cmake/cmake/-/issues/16419
 option(EP_UPDATE_DISCONNECTED "ExternalProject update disconnected" OFF)
 if (${EP_UPDATE_DISCONNECTED})
--- a/cmake/modules/falcosecurity-libs.cmake
+++ b/cmake/modules/falcosecurity-libs.cmake
@ -60,6 +60,9 @@ set(LIBSINSP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
 # configure gVisor support
 set(BUILD_LIBSCAP_GVISOR ${BUILD_FALCO_GVISOR} CACHE BOOL "")
 # configure modern BPF support
 set(BUILD_LIBSCAP_MODERN_BPF ${BUILD_FALCO_MODERN_BPF} CACHE BOOL "")
 # explicitly disable the tests/examples of this dependency
 set(CREATE_TEST_TARGETS OFF CACHE BOOL "")
 set(BUILD_LIBSCAP_EXAMPLES OFF CACHE BOOL "")
--- a/userspace/falco/app_actions/open_inspector.cpp
+++ b/userspace/falco/app_actions/open_inspector.cpp
@ -75,6 +75,11 @@ application::run_result application::open_live_inspector(
 			falco_logger::log(LOG_INFO, "Enabled event collection from gVisor. Configuration path: " + m_options.gvisor_config);
 			inspector->open_gvisor(m_options.gvisor_config, m_options.gvisor_root);
 		}
 		else if(m_options.modern_bpf) /* modern BPF engine. */
 		{
 			falco_logger::log(LOG_INFO, "Starting capture with modern BPF probe.");
 			inspector->open_modern_bpf(DEFAULT_DRIVER_BUFFER_BYTES_DIM, m_state->ppm_sc_of_interest, m_state->tp_of_interest);
 		}
 		else if(getenv(FALCO_BPF_ENV_VARIABLE) != NULL) /* BPF engine. */
 		{
 			const char *bpf_probe_path = std::getenv(FALCO_BPF_ENV_VARIABLE);
--- a/userspace/falco/app_cmdline_options.cpp
+++ b/userspace/falco/app_cmdline_options.cpp
@ -168,6 +168,9 @@ void cmdline_options::define()
 		("g,gvisor-config",				  "Parse events from gVisor using the specified configuration file. A falco-compatible configuration file can be generated with --gvisor-generate-config and can be used for both runsc and Falco.", cxxopts::value(gvisor_config), "<gvisor_config>")
 		("gvisor-generate-config",		  "Generate a configuration file that can be used for gVisor.", cxxopts::value<std::string>(gvisor_generate_config_with_socket)->implicit_value("/run/falco/gvisor.sock"), "<socket_path>")
 		("gvisor-root",					  "gVisor root directory for storage of container state. Equivalent to runsc --root flag.", cxxopts::value(gvisor_root), "<gvisor_root>")
 #endif
 #ifdef HAS_MODERN_BPF
 		("modern-bpf",				  "[EXPERIMENTAL] Use BPF modern probe to capture system events.", cxxopts::value(modern_bpf)->default_value("false"))
 #endif
 		("i",                             "Print all events that are ignored by default (i.e. without the -A flag) and exit.", cxxopts::value(print_ignored_events)->default_value("false"))
 #ifndef MINIMAL_BUILD
--- a/userspace/falco/app_cmdline_options.h
+++ b/userspace/falco/app_cmdline_options.h
@ -79,6 +79,7 @@ public:
 	bool verbose;
 	bool print_version_info;
 	bool print_page_size;
 	bool modern_bpf;
 	bool parse(int argc, char **argv, std::string &errstr);