The previous commits used gmtime_r/localtime_r (unavailable on Windows)
and assumed the GNU strerror_r variant returning char* (only on glibc).
This broke macOS, musl, WASM, and Win32 builds.
Add userspace/engine/compat.h with portable inline wrappers:
- falco_gmtime_r / falco_localtime_r: use gmtime_s/localtime_s on Win32
- falco_strerror_r: returns const char* on all platforms, detecting
  glibc via __GLIBC__ (not _GNU_SOURCE alone, since musl defines
  _GNU_SOURCE but provides the XSI variant returning int)
Also fixes a pre-existing bug in create_signal_handlers.cpp where
the GNU strerror_r return value was incorrectly compared to 0 and
the actual error string was discarded.
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
strerror() returns a pointer to a shared static buffer, making it
unsafe when called concurrently from different threads. Replace all
call sites with strerror_r() using stack-local buffers, consistent
with the existing pattern in create_signal_handlers.cpp.
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
random() uses internal static state that is not thread-safe. Since
should_drop_evt() can be called concurrently from per-source event
processing threads, replace it with a thread_local std::mt19937
seeded by std::random_device. Remove the now-unused srandom() seed
and Windows compat defines.
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
gmtime() and localtime() return pointers to a shared static buffer,
making them unsafe in multi-threaded contexts. Replace all call sites
with gmtime_r() and localtime_r() which use caller-provided buffers.
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
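The strerror_r and gmtime_r/localtime_r points made in the commit messages above, as an added example that is not part of any commit and is not Falco's compat.h. The names portable_strerror_r, portable_gmtime_r, errno_text and utc_year are hypothetical, and the glibc branch assumes `_GNU_SOURCE` is defined, as g++ does by default.

```cpp
// Added example with hypothetical names; not the contents of Falco's compat.h.
#include <string.h>  // included first so glibc defines __GLIBC__
#include <time.h>
#include <cerrno>
#include <cstdio>
#include <string>

// Always returns a NUL-terminated message. Use the return value, not buf:
// the GNU variant may return a pointer to a static string and leave buf untouched.
inline const char* portable_strerror_r(int errnum, char* buf, size_t len) {
#if defined(_WIN32)
    if (strerror_s(buf, len, errnum) != 0) std::snprintf(buf, len, "Unknown error %d", errnum);
    return buf;
#elif defined(__GLIBC__) && defined(_GNU_SOURCE)
    // GNU variant returns char*. Testing it against 0 like an XSI status code
    // is a bug, and ignoring the returned pointer loses the message.
    return strerror_r(errnum, buf, len);
#else
    // XSI variant (musl, macOS, ...): returns int, 0 on success.
    if (strerror_r(errnum, buf, len) != 0) std::snprintf(buf, len, "Unknown error %d", errnum);
    return buf;
#endif
}

inline struct tm* portable_gmtime_r(const time_t* t, struct tm* out) {
#if defined(_WIN32)
    return gmtime_s(out, t) == 0 ? out : nullptr;  // MSVC order: (tm*, const time_t*)
#else
    return gmtime_r(t, out);
#endif
}

// Call-site pattern: stack-local buffers, nothing shared between threads.
std::string errno_text(int errnum) {
    char buf[256];
    return portable_strerror_r(errnum, buf, sizeof buf);
}

int utc_year(time_t t) {
    struct tm tmv;
    return portable_gmtime_r(&t, &tmv) ? tmv.tm_year + 1900 : -1;
}

int main() {
    std::printf("%s / %d\n", errno_text(ENOENT).c_str(), utc_year(0));
    return 0;
}
```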
Moreover, align the suffix of each artifact produced in
`reusable_test_packages.yaml` by using a common env variable
`ARTIFACT_SUFFIX`.
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
The buffered_outputs config option was silently overridden to true by an unconditional assignment in load_config.cpp. The -U CLI flag now only overrides the config when explicitly passed.
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Rely solely on MINIMAL_BUILD and EMSCRIPTEN as semantic guards instead of explicit platform checks. MSVC builds are unaffected since CompilerFlags.cmake forces MINIMAL_BUILD=ON, keeping these features disabled. Non-MSVC Windows toolchains (MinGW, clang) can now build with http_output if curl and OpenSSL are available.
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
The HTTP output, health webserver, and Prometheus metrics were excluded from macOS builds as collateral damage when a Linux-only CMake gate was introduced to handle gRPC/protobuf dependencies (86e76924). Now that gRPC has been dropped (43aaffc4), the original reason no longer applies.
Widen CMake gates and C++ preprocessor guards from Linux-only to all non-Windows/non-Emscripten platforms. Also remove the dead c-ares dependency, which was only needed by gRPC.
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Commit #8171176 reduced workflow permissions and only allowed read
accesses to repo content. However, some workflows require write
permissions for token-id and attestations: these requirements resulted
in both master and release CIs being broken in the last month.
While still applying the least privilege principle, this patch restores
the minimum set of required ones.
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
- Move output_format.h from userspace/falco/ to userspace/engine/ to
  fix reverse dependency (engine layer was including from app layer);
  update all include paths accordingly
- Add SPDX-License-Identifier to output_format.h
- Remove leftover m_first_event_in_category field from MarkdownFormatter
  (was set in begin_category() but never read)
- Emit deprecation warning to stderr when --markdown is used
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Paolo Polidori <paolo.polidori@sysdig.com>
- Added support of the JSON format
- Refactored field and events formatting using the strategy pattern
Signed-off-by: Paolo Polidori <paolo.polidori@sysdig.com>
This fixes a segmentation fault that occurs when the /metrics endpoint is accessed during Falco shutdown. The crash happens as the webserver continues serving /metrics requests after outputs and inspectors have been destroyed.
Changes:
- Create cleanup_outputs action to handle outputs destruction
- Create print_stats action for stats printing
- Reorder teardown steps to stop webserver before destroying outputs
- Move outputs.reset() from process_events to cleanup_outputs()
This eliminates the race condition by ensuring the webserver stops accepting requests before any subsystems are destroyed. The synchronisation behaviour of output.reset() (blocking till the queue is flushed) is preserved.
Signed-off-by: Adnan Ali <adduali1310@hotmail.com>
The watchdog thread and stop() consume the timeout pointer with
m_timeout.exchange(nullptr, ...). That exchange was using
memory_order_release. The load part of the RMW needs acquire
semantics so it synchronizes-with the release store in
set_timeout()/cancel_timeout(); otherwise the consumer can see
the pointer value without seeing the writes that initialized
the timeout_data and payload (data race).
Use memory_order_acq_rel on the consumer exchanges so the load
synchronizes-with the producer and the pointed-to memory is
visible before use.
Signed-off-by: irozzo-1A <iacopo@sysdig.com>
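The pointer hand-off described in the commit message above, as an added example that is not part of the commit and is not Falco's watchdog code. The class watchdog_slot, the `id` field, pending(), take() and run_handoff() are hypothetical; only m_timeout, timeout_data and set_timeout echo names from the message.

```cpp
// Added example: hypothetical single-producer hand-off, not Falco's code.
#include <atomic>
#include <string>
#include <thread>
#include <utility>

struct timeout_data {  // constructed payload published through the pointer
    std::string payload;
    int id;
};

class watchdog_slot {
    std::atomic<timeout_data*> m_timeout{nullptr};
public:
    // Producer: fully initialise the object, then publish it (release).
    // An unconsumed old value was built by this same thread, so deleting it is safe.
    void set_timeout(std::string payload, int id) {
        auto* d = new timeout_data{std::move(payload), id};
        delete m_timeout.exchange(d, std::memory_order_release);
    }
    bool pending() const { return m_timeout.load(std::memory_order_relaxed) != nullptr; }
    // Consumer: the load half of the RMW must acquire, otherwise dereferencing the
    // result races with the producer's writes. memory_order_release is not enough.
    timeout_data* take() { return m_timeout.exchange(nullptr, std::memory_order_acq_rel); }
    ~watchdog_slot() { delete take(); }
};

// Publishes `rounds` objects on one thread, consumes them on another and
// returns how many arrived with an intact payload.
int run_handoff(int rounds) {
    watchdog_slot slot;
    int intact = 0;
    std::thread consumer([&] {
        for (int got = 0; got < rounds;) {
            timeout_data* d = slot.take();
            if (!d) { std::this_thread::yield(); continue; }
            if (d->payload == "evt-" + std::to_string(d->id)) ++intact;
            delete d;
            ++got;
        }
    });
    for (int i = 0; i < rounds; ++i) {
        while (slot.pending()) std::this_thread::yield();  // wait until consumed
        slot.set_timeout("evt-" + std::to_string(i), i);
    }
    consumer.join();
    return intact;
}

int main() { return run_handoff(500) == 500 ? 0 : 1; }
```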
Add `permissions: contents: read` at the workflow level for
bump-libs.yaml, format.yaml, master.yaml, and release.yaml to follow
the principle of least privilege. Job-level permissions that require
elevated access will override this as expected.
Signed-off-by: Gagan H R <hrgagan4@gmail.com>
- Bump default falcosecurity/libs to latest main (8f6b914) with
  transformer_list_expr and field_transformer_expr (values) support
- Add visit(transformer_list_expr*) to filter_details_resolver and
  filter_macro_resolver visitors
- Fix field_transformer_expr handling to use e->values instead of e->value
Signed-off-by: irozzo-1A <iacopo@sysdig.com>
The heading "Add DCO signed-off to your commits 🔏" generates a GitHub
anchor with a trailing hyphen due to the emoji. Fix both link references
to use the correct anchor.
Signed-off-by: Maxime Grenu <maxime.grenu@gmail.com>
- Replace incorrect `/libs` path reference with 'the root directory
  of the project'; this file is for the falco repo, not falcosecurity/libs.
- Fix the DCO section: replace `libs` repository mention with `falco`
  so it accurately refers to this repository.
- Fix broken markdown hyperlink: `[dedicated section]((#anchor))` had
  double opening parentheses causing the link to render incorrectly;
  corrected to `[dedicated section](#anchor)`.
Signed-off-by: Maxime Grenu <maxime.grenu@gmail.com>