Commit #8171176 reduced workflow permissions and only allowed read
accesses to repo content. However, some workflows require write
permissions for token-id and attestations: these requirements resulted
in both master and release CIs being broken in the last month.
While still applying least privilege principle, this patch restores
the minimum set of required ones.
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
- Move output_format.h from userspace/falco/ to userspace/engine/ to
fix reverse dependency (engine layer was including from app layer);
update all include paths accordingly
- Add SPDX-License-Identifier to output_format.h
- Remove leftover m_first_event_in_category field from MarkdownFormatter
(was set in begin_category() but never read)
- Emit deprecation warning to stderr when --markdown is used
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Paolo Polidori <paolo.polidori@sysdig.com>
- Added support of the JSON format
- Refactored field and events formatting using the strategy pattern
Signed-off-by: Paolo Polidori <paolo.polidori@sysdig.com>
This fixes a segmentation fault that occurs when /metrics endpoint is accessed during Falco shutdown. The crash happens as the webserver continues serving /metrics requests after outputs and inspectors have been destroyed.
Changes:
- Create cleanup_outputs action to handle outputs destruction
- Create print_stats action for stats printing
- Reorder teardown steps to stop webserver before destorying outputs
- Move outputs.reset() from process_events to cleanup_outputs()
This eliminates the race condition by ensuring the webserver stops accepting requests before any subsystems are destroyed. The synchronisation behaviour of output.reset() block till queue flushed is preserved.
Signed-off-by: Adnan Ali <adduali1310@hotmail.com>
The watchdog thread and stop() consume the timeout pointer with
m_timeout.exchange(nullptr, ...). That exchange was using
memory_order_release. The load part of the RMW needs acquire
semantics so it synchronizes-with the release store in
set_timeout()/cancel_timeout(); otherwise the consumer can see
the pointer value without seeing the writes that initialized
the timeout_data and payload (data race).
Use memory_order_acq_rel on the consumer exchanges so the load
synchronizes-with the producer and the pointed-to memory is
visible before use.
Signed-off-by: irozzo-1A <iacopo@sysdig.com>
Add `permissions: contents: read` at the workflow level for
bump-libs.yaml, format.yaml, master.yaml, and release.yaml to follow
the principle of least privilege. Job-level permissions that require
elevated access will override this as expected.
Signed-off-by: Gagan H R <hrgagan4@gmail.com>
- Bump default falcosecurity/libs to latest main (8f6b914) with
transformer_list_expr and field_transformer_expr (values) support
- Add visit(transformer_list_expr*) to filter_details_resolver and
filter_macro_resolver visitors
- Fix field_transformer_expr handling to use e->values instead of e->value
Signed-off-by: irozzo-1A <iacopo@sysdig.com>
The heading "Add DCO signed-off to your commits 🔏" generates a GitHub
anchor with a trailing hyphen due to the emoji. Fix both link references
to use the correct anchor.
Signed-off-by: Maxime Grenu <maxime.grenu@gmail.com>
- Replace incorrect `/libs` path reference with 'the root directory
of the project'; this file is for the falco repo, not falcosecurity/libs.
- Fix the DCO section: replace `libs` repository mention with `falco`
so it accurately refers to this repository.
- Fix broken markdown hyperlink: `[dedicated section]((#anchor))` had
double opening parentheses causing the link to render incorrectly;
corrected to `[dedicated section](#anchor)`.
Signed-off-by: Maxime Grenu <maxime.grenu@gmail.com>
Add comprehensive support for gperftools CPU profiler to enable performance
profiling of Falco. This commit introduces:
- New CMake options:
* USE_GPERFTOOLS: Enable gperftools CPU profiler support (default: OFF)
* USE_FRAME_POINTER: Enable frame pointers for accurate profiling (default: OFF)
- Automatic frame pointer enabling: When USE_GPERFTOOLS is enabled, frame
pointers are automatically enabled to ensure accurate stack traces in
profiling output.
- Support for both system and bundled gperftools:
* System gperftools: Automatically detected via find_path/find_library
* Bundled gperftools: Built from source (version 2.15) when
USE_BUNDLED_GPERFTOOLS is enabled
- Enhanced stack trace support: Automatically detects and enables libunwind
when available for better stack traces, falling back to frame pointers
otherwise.
- Proper library linking: Uses --whole-archive linker flags to ensure
profiler initialization code is linked even when ProfilerStart() is not
called directly, enabling CPUPROFILE environment variable support.
- Compile-time detection: Adds HAS_GPERFTOOLS preprocessor definition
for conditional compilation.
The profiler can be activated at runtime by setting the CPUPROFILE
environment variable to a file path where profiling data should be written.
Usage:
cmake -DUSE_GPERFTOOLS=ON ..
make
CPUPROFILE=/tmp/falco.prof ./falco
Signed-off-by: irozzo-1A <iacopo@sysdig.com>
Falco 0.43.0 deprecated the gRPC output and server supports. Drop
their supports as well as any reference to them.
BREAKING CHANGE: drop gRPC output and server support
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Falco 0.43.0 deprecated the gVisor engine support. Drop its support as
well as any reference to it.
BREAKING CHANGE: drop gVisor engine support
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Falco 0.43.0 deprecated the legacy eBPF probe. Drop it as well as any
reference to it.
BREAKING CHANGE: drop legacy eBPF probe
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Starting from Falco 0.40, the `falco --help` output incorrectly showed
the source config path (e.g., /home/runner/work/falco/falco/falco.yaml)
in release packages. This path was intended only for local development.
The issue was introduced when RelWithDebInfo build type support was
added (commit 6bf33ffd). The existing code checked for BUILD_TYPE_RELEASE
to determine release behavior, but RelWithDebInfo builds defined
BUILD_TYPE_RELWITHDEBINFO instead, causing them to fall into the
debug code path.
This fix introduces BUILD_TYPE_DEBUG and changes the conditionals to
enable dev features only when CMAKE_BUILD_TYPE is explicitly "debug".
Both Release and RelWithDebInfo builds now correctly show only
/etc/falco/falco.yaml.
Fixes the regression introduced in 0.40.0
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
The previously used driver version was already the `9.1.0+driver`:
simply replace the commit SHA with the release name.
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
