github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-27 23:27:20 +00:00
Code Issues Projects Releases Wiki Activity
3,325 Commits 121 Branches 172 Tags 104 MiB
cb58ea9c57
Commit Graph

3325 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Jason Dellaluce
cb58ea9c57 test: add regression tests for ref loops in lists and macros 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Jason Dellaluce
0a6db28783 fix(test/engine): solve compilation issues with macro resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Jason Dellaluce
25ddc3c6a2 update(userspace/engine): broader err catching support in macro resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Jason Dellaluce
35dd0fc153 fix(userspace/engine): implement loop detection in macro resolver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-12-13 15:06:10 +01:00
Federico Di Pierro
0c39776557 chore(ci): properly checkout pull request HEAD instead of merge commit in gh actions. 
See https://github.com/actions/checkout#checkout-pull-request-head-commit-instead-of-merge-commit.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-12 11:11:44 +01:00
Federico Di Pierro
4696948754 fix(cmake): properly fetch dev version by appending latest Falco tag, delta between master and tag, and hash. 
`describe` can no more be used as tags are now made on release branches.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-12 11:11:44 +01:00
dependabot[bot]
ec04b758e6 chore(deps): Bump certifi from 2020.4.5.1 to 2022.12.7 in /test 
Bumps [certifi](https://github.com/certifi/python-certifi) from 2020.4.5.1 to 2022.12.7.
- [Release notes](https://github.com/certifi/python-certifi/releases)
- [Commits](https://github.com/certifi/python-certifi/compare/2020.04.05.1...2022.12.07)

---
updated-dependencies:
- dependency-name: certifi
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-12-12 11:01:44 +01:00
Andrea Terzolo
52ee61b800 chore(userspace): add njson lib as a dependency for falco_engine 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-10 17:07:06 +01:00
gentooise
70dfdb2e75 support older rhel distros in falco-driver-loader 
Tested on RHEL 6

Signed-off-by: gentooise <andrea.genuise@ibm.com>
 2022-12-09 12:03:13 +01:00
Federico Di Pierro
1b227cf90b update(cmake): bumped libs and driver to latest RC. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-06 12:59:50 +01:00
Andrea Terzolo
ff3a38415d fix: remove conflicting helper methods 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-06 12:59:50 +01:00
Andrea Terzolo
94ed56df95 chore: bump libs 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-06 12:59:50 +01:00
Andrea Terzolo
6a972272c0 update: the capture will be stopped in the inspector destructor 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-06 12:59:50 +01:00
Andrea Terzolo
55deb452d8 update: start/stop capture inside do_inspect 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-12-06 12:59:50 +01:00
Federico Di Pierro
87371492c5 update(userspace/engine): updated checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-06 12:59:50 +01:00
Federico Di Pierro
17dfe4f55d fix(userspace/falco): properly start/stop capture. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-06 12:59:50 +01:00
Federico Di Pierro
928ad6625b update(cmake): update libs to 8eef2e445364d892dba12564d20f9651232eba7c 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-12-06 12:59:50 +01:00
Mark Stemm
356a4a0749 Also copy ruleset when copying falco source 
In the copy constructor and assignment operator for falco_source, also
copy the ruleset along with factories/name.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:07:52 +01:00
Mark Stemm
910b8ff858 Fix(engine) Save parse positions when finding unresolved macros 
Now that ASTs contain parse positions, use them when reporting errors
about unknown macros.

When doing the first pass to find all macro references, save macros as
a map<macro name,parse position> instead of a set<macro name>. While
making that change, change the visitor struct to use references
instead of pointers.

In the second pass, when reporting any unresolved macro references,
also report the parse position.

The unit tests also check that the positions of macros are properly
returned in the resolved/unresolved maps.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:03:52 +01:00
Mark Stemm
83b12bab1d Fix(engine): include parse positions in compile errors 
Now that ASTs have parse positions and the compiler will return the
position of the last error, use that in falco rules to return errors
within condition strings instead of reporting the position as the
beginning of the condition.

This led to a change in the filter_ruleset interface--now, an ast is
compiled to a filter before being passed to the filter_ruleset
object. That avoids polluting the interface with a lot of details
about rule_loader contexts, errors, etc. The ast is still provided in
case the filter_ruleset wants to do indexing/analysis of the filter.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-12-01 17:03:52 +01:00
Lorenzo Susini
ecc1853d60 update(rule): improve insmod detection within container using CAP_SYS_MODULE 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
 2022-12-01 11:17:50 +01:00
Andrea Terzolo
fbd6628693 new(config): add the simulate_drops config explicitly 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
 2022-11-30 19:26:47 +01:00
Jason Dellaluce
ba61706557 update(userspace/falco): enable using zlib with webserver 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-11-30 19:24:47 +01:00
vin01
234026e14b rule(macro rpm_procs): let salt-call write to rpm database 
Signed-off-by: vin01 <vinc.i@protonmail.ch>
 2022-11-30 19:20:47 +01:00
vin01
d03826379b rule(Read sensitive file untrusted): let salt-call read sensitive files 
Signed-off-by: vin01 <vinc.i@protonmail.ch>
 2022-11-30 19:20:47 +01:00
Alessandro Brucato
3697d1fae2 Fixed typo 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
 2022-11-30 19:12:47 +01:00
Alessandro Brucato
e76c31b493 Added PTRACE_SEIZE, PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_SETREGS and whitelist macro 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
 2022-11-30 19:12:47 +01:00
Alessandro Brucato
d95e36b526 Rule: PTRACE attached to process 
Signed-off-by: Alessandro Brucato <alessandro.brucato@sysdig.com>
 2022-11-30 19:12:47 +01:00
Jason Dellaluce
15b57bd972 fix: remove minor string view dependencies 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-11-29 16:27:42 +01:00
Leonardo Grasso
68f4d5bb59 fix(userspace/engine): no need to use external deps 
Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-11-29 16:27:42 +01:00
Leonardo Grasso
138e373ace chore(cmake/modlule): cleanup DownloadStringViewLite 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-11-29 16:27:42 +01:00
Leonardo Grasso
47fd90bb7f chore: remove not used dependency - string-view-lite 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2022-11-29 16:27:42 +01:00
Luca Guerra
3a56804cff new(CHANGELOG): add entry for 0.33.1 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-11-29 10:29:41 +01:00
Melissa Kilby
8f188ebe06 update(docs): polish release.md based on community feedback 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-11-28 10:45:35 +01:00
Melissa Kilby
7ead21daac update(docs): polish overview and versioning sections of release.md 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-11-28 10:45:35 +01:00
Melissa Kilby
d3badeb77e update(docs): add overview and versioning to release.md 
Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
 2022-11-28 10:45:35 +01:00
Edvin Norling
588ab01bfd Add Xenit AB to adopters 
Signed-off-by: Edvin Norling <edvin.norling@xenit.se>
 2022-11-23 13:12:57 +01:00
Luca Guerra
f08a5b4067 update(cli): also add cg / kg container-gvisor / kubernetes-gvisor 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-11-23 13:03:57 +01:00
Luca Guerra
dea02f82e8 update(falco): add container-gvisor and kubernetes-gvisor print options 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-11-23 13:03:57 +01:00
Luca Guerra
e3dbae3259 fix(engine): fix warning about redundant std::move 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2022-11-11 16:19:11 +01:00
Federico Di Pierro
d0ceba83b4 update(cmake, docker, circleci): updated libs and driver to latest master. 
Docker builder image was updated to remove the libelf and libz deps as they are now properly bundled, in BUNDLED_DEPS mode.
Finally, circleci musl job was updated to enforce the use of alpine-provided libelf package, since it is already static,
and building libelf on musl is pretty cumbersome.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-11-11 14:56:10 +01:00
Aldo Lacuku
161246fe1a fix(output): do not print syscall_buffer_size when gvisor is enabled 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2022-11-10 10:32:05 +01:00
Jason Dellaluce
240c0b870d fix(userspace/falco): verify engine fields only for syscalls 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-11-07 15:37:25 +01:00
Federico Di Pierro
136eacc17f chore(scripts): when ENABLE_COMPILE is disabled, exit immediately if target distro could not be fetched. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
 2022-11-02 12:06:29 +01:00
Federico Di Pierro
c0c0246927 fix(scripts): force falco-driver-loader script to try to compile the driver anyway even on unsupported platforms. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-11-02 12:06:29 +01:00
Mark Stemm
acf5c4ce5f fix(engine): save syscall source only when processing events 
The optimization in https://github.com/falcosecurity/falco/pull/2210
had a bug when the engine uses multiple sources at the same
time--m_syscall_source is a pointer to an entry in the indexed vector
m_sources, but if add_source is called multiple times, the vector is
resized, which copies the structs but invalidates any pointer to the
vector entries.

So instead of caching m_syscall_source in add_source(), cache it in
process_events(). m_sources won't change once processing events starts.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2022-10-27 18:23:25 +02:00
Yarden Shoham
4a4fa2592b fix(plugins): trim whitespace in open_params 
`open_params` is read from the falco YAML configuration file and parsed using Go's URL.

For example:
c349be6e84/plugins/k8saudit/pkg/k8saudit/source.go (L41-L42)

Go's URL parser does not handle whitespace, so if a user defines the `open_params` in the falco configuration file as follows

```yaml
open_params: >
/file/path
```

the parser returns an error. To avoid this, we now trim this parameter so no whitespace will be left for Go's URL parser to error out on.

For reference see #2262.

Signed-off-by: Yarden Shoham <hrsi88@gmail.com>
 2022-10-21 19:12:58 +02:00
Federico Di Pierro
d0467de0a7 fix(ci): fixed version bucket for release jobs. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2022-10-21 11:19:19 +02:00
Jason Dellaluce
c1be1496d3 update(CHANGELOG.md): change release date 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-19 10:52:57 +02:00
Jason Dellaluce
fa1a5d58e6 update(changelog.md): add entry for Falco 0.33.0 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
 2022-10-19 10:52:57 +02:00