This version works

Minimally working version that can link a go program against a so with
the embedded falco engine. Running the program opens the engine for
syscalls and prints any output strings on alert.

It assumes the device already exists and the kernel module is
loaded. Also assumes the lua code is below /user/share--we'll want to
bake that into the shared library.

Lots of memory leaks still, the interface from go to c is still
monolithic, and I had to change the config of openssl crypto and
luajit to compile with -fPIC in order to link into the shared library,
but this version shows its feasible.

.circleci/config.yml

@@ -13,7 +13,7 @@ jobs:
           command: apk update
       - run:
           name: Install build dependencies
-          command: apk add g++ gcc cmake cmake make ncurses-dev git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils
+          command: apk add g++ gcc cmake cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils
       - run:
           name: Prepare project
           command: |
@@ -60,7 +60,7 @@ jobs:
           command: apt update -y
       - run:
           name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install libjq-dev libncurses-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
+          command: DEBIAN_FRONTEND=noninteractive apt install libjq-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
       - run:
           name: Prepare project
           command: |
@@ -92,7 +92,7 @@ jobs:
           command: apt update -y
       - run:
           name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
+          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
       - run:
           name: Prepare project
           command: |
@@ -124,7 +124,7 @@ jobs:
           command: apt update -y
       - run:
           name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
+          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
       - run:
           name: Prepare project
           command: |
@@ -156,7 +156,7 @@ jobs:
           command: apt update -y
       - run:
           name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-generic libncurses-dev pkg-config autoconf libtool libelf-dev -y
+          command: DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-generic pkg-config autoconf libtool libelf-dev -y
       - run:
           name: Prepare project
           command: |
@@ -188,7 +188,7 @@ jobs:
           command: dnf update -y
       - run:
           name: Install dependencies
-          command: dnf install gcc gcc-c++ git make cmake autoconf automake pkg-config patch ncurses-devel libtool elfutils-libelf-devel diffutils kernel-devel kernel-headers kernel-core clang llvm which -y
+          command: dnf install gcc gcc-c++ git make cmake autoconf automake pkg-config patch libtool elfutils-libelf-devel diffutils kernel-devel kernel-headers kernel-core clang llvm which -y
       - run:
           name: Prepare project
           command: |

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,6 +1,6 @@
 <!--  Thanks for sending a pull request!  Here are some tips for you:
 
-1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](CONTRIBUTING.md) file and learn how to compile Falco from source [here](https://falco.org/docs/source).
+1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md) file and learn how to compile Falco from source [here](https://falco.org/docs/source).
 2. Please label this pull request according to what type of issue you are addressing.
 3. . Please add a release note!
 4. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"

ADOPTERS.md

@@ -40,6 +40,8 @@ This is a list of production adopters of Falco (in alphabetical order):
 * [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
   * https://hipaa.preferral.com/01-preferral_hipaa_compliance/
 
+* [Replicated](https://www.replicated.com/) - Replicated is the modern way to ship on-prem software. Replicated gives software vendors a container-based platform for easily deploying cloud native applications inside customers'​ environments to provide greater security and control. Replicated uses Falco as runtime security to detect threats in the Kubernetes clusters which host our critical SaaS services.
+
 * [Secureworks](https://www.secureworks.com/) - Secureworks is a leading worldwide cybersecurity company with a cloud-native security product that combines the power of human intellect with security analytics to unify detection and response across cloud, network, and endpoint environments for improved security operations and outcomes. Our Taegis XDR platform and detection system processes petabytes of security relevant data to expose active threats amongst the billions of daily events from our customers. We are proud to protect our platform’s Kubernetes deployments, as well as help our customers protect their own Linux and container environments, using Falco. 
 
 * [Shopify](https://www.shopify.com) - Shopify is the leading multi-channel commerce platform. Merchants use Shopify to design, set up, and manage their stores across multiple sales channels, including mobile, web, social media, marketplaces, brick-and-mortar locations, and pop-up shops. The platform also provides merchants with a powerful back-office and a single view of their business, from payments to shipping. The Shopify platform was engineered for reliability and scale, making enterprise-level technology available to businesses of all sizes. Shopify uses Falco to complement its Host and Network Intrusion Detection Systems.
@@ -54,6 +56,8 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [Shapesecurity/F5] (https://www.shapesecurity.com/) Shapesecurity defends against application fraud attacks like Account Take Over, Credential Stuffing, Fake Accounts, etc. Required by FedRamp certification, we needed to find a FIM solution to help monitor and protect our Kubernetes clusters. Traditional FIM solutions were not scalable and not working for our environment, but with Falco we found the solution we needed. Falco's detection capabilities have helped us identify anomalous behaviour within our clusters. We leverage Sidekick (https://github.com/falcosecurity/charts/tree/master/falcosidekick) to send Falco alerts to a PubSub which in turn publishes those alerts to our SIEM (SumoLogic)
 
+* [Yahoo! JAPAN](https://www.yahoo.co.jp/) Yahoo! JAPAN is a leading company of internet in Japan. We build an AI Platform in our private cloud and provide it to scientists in our company. AI Platform is a multi-tenant Kubernetes environment and more flexible, faster, more efficient Machine Learning environment. Falco is used to detect unauthorized commands and malicious access and our AI Platform is monitored and alerted by Falco.
+
 * [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
 
 ## Adding a name

CHANGELOG.md

@@ -1,5 +1,54 @@
 # Change Log
 
+## v0.29.1
+
+Released on 2021-06-29
+
+### Minor Changes
+
+* update: bump the Falco engine version to version 9 [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
+
+### Rule Changes
+
+* rule(list user_known_userfaultfd_processes): list to exclude processes known to use userfaultfd syscall [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
+* rule(macro consider_userfaultfd_activities): macro to gate the "Unprivileged Delegation of Page Faults Handling to a Userspace Process" rule [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
+* rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process): new rule to detect successful unprivileged userfaultfd syscalls [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
+* rule(Linux Kernel Module Injection Detected): adding container info to the output of the rule [[#1675](https://github.com/falcosecurity/falco/pull/1675)] - [@leodido](https://github.com/leodido)
+
+### Non user-facing changes
+
+* docs(release.md): update steps [[#1684](https://github.com/falcosecurity/falco/pull/1684)] - [@maxgio92](https://github.com/maxgio92)
+
+
+## v0.29.0
+
+Released on 2021-06-21
+
+### Minor Changes
+
+* update: driver version is 17f5df52a7d9ed6bb12d3b1768460def8439936d now [[#1669](https://github.com/falcosecurity/falco/pull/1669)] - [@leogr](https://github.com/leogr)
+
+### Rule Changes
+
+* rule(list miner_domains): add rx.unmineable.com for anti-miner detection [[#1676](https://github.com/falcosecurity/falco/pull/1676)] - [@fntlnz](https://github.com/fntlnz)
+* rule(Change thread namespace and Set Setuid or Setgid bit): disable by default [[#1632](https://github.com/falcosecurity/falco/pull/1632)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list known_sa_list): add namespace-controller, statefulset-controller, disruption-controller, job-controller, horizontal-pod-autoscaler and persistent-volume-binder as allowed service accounts in the kube-system namespace [[#1659](https://github.com/falcosecurity/falco/pull/1659)] - [@sboschman](https://github.com/sboschman)
+* rule(Non sudo setuid): check user id as well in case user name info is not available [[#1665](https://github.com/falcosecurity/falco/pull/1665)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Debugfs Launched in Privileged Container): fix typo in description [[#1657](https://github.com/falcosecurity/falco/pull/1657)] - [@Kaizhe](https://github.com/Kaizhe)
+
+### Non user-facing changes
+
+* Fix link to CONTRIBUTING.md in the Pull Request Template [[#1679](https://github.com/falcosecurity/falco/pull/1679)] - [@tspearconquest](https://github.com/tspearconquest)
+* fetch libs and drivers from the new repo [[#1552](https://github.com/falcosecurity/falco/pull/1552)] - [@leogr](https://github.com/leogr)
+* build(test): upgrade urllib3 to 1.26.5 [[#1666](https://github.com/falcosecurity/falco/pull/1666)] - [@leogr](https://github.com/leogr)
+* revert: add notes for 0.28.2 release [[#1663](https://github.com/falcosecurity/falco/pull/1663)] - [@maxgio92](https://github.com/maxgio92)
+* changelog: add notes for 0.28.2 release [[#1661](https://github.com/falcosecurity/falco/pull/1661)] - [@maxgio92](https://github.com/maxgio92)
+* docs(release.md): add blog announcement to post-release tasks [[#1652](https://github.com/falcosecurity/falco/pull/1652)] - [@maxgio92](https://github.com/maxgio92)
+* add Yahoo!Japan as an adopter [[#1651](https://github.com/falcosecurity/falco/pull/1651)] - [@ukitazume](https://github.com/ukitazume)
+* Add Replicated to adopters [[#1649](https://github.com/falcosecurity/falco/pull/1649)] - [@diamonwiggins](https://github.com/diamonwiggins)
+* docs(proposals): fix libs contribution name [[#1641](https://github.com/falcosecurity/falco/pull/1641)] - [@leodido](https://github.com/leodido)
+
+
 ## v0.28.1
 
 Released on 2021-05-07

CMakeLists.txt

@@ -110,6 +110,12 @@ set(CMD_MAKE make)
 
 include(ExternalProject)
 
+# LuaJIT
+include(luajit)
+
+# libs
+include(falcosecurity-libs)
+
 # jq
 include(jq)
 
@@ -125,12 +131,6 @@ ExternalProject_Add(
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
 
-# curses
-# We pull this in because libsinsp won't build without it
-set(CURSES_NEED_NCURSES TRUE)
-find_package(Curses REQUIRED)
-message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")
-
 # b64
 include(b64)
 
@@ -139,15 +139,12 @@ include(yaml-cpp)
 
 if(NOT MINIMAL_BUILD)
   # OpenSSL
-  include(OpenSSL)
+  include(openssl)
 
   # libcurl
-  include(cURL)
+  include(curl)
 endif()
 
-# LuaJIT
-include(luajit)
-
 # Lpeg
 include(lpeg)
 
@@ -158,21 +155,7 @@ include(libyaml)
 include(lyaml)
 
 # One TBB
-set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")
-
-message(STATUS "Using bundled tbb in '${TBB_SRC}'")
-
-set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
-set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
-ExternalProject_Add(
-  tbb
-  URL "https://github.com/oneapi-src/oneTBB/archive/2018_U5.tar.gz"
-  URL_HASH "SHA256=b8dbab5aea2b70cf07844f86fa413e549e099aa3205b6a04059ca92ead93a372"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
-  BUILD_IN_SOURCE 1
-  BUILD_BYPRODUCTS ${TBB_LIB}
-  INSTALL_COMMAND "")
+include(tbb)
 
 if(NOT MINIMAL_BUILD)
   # civetweb
@@ -196,13 +179,13 @@ endif()
 include(DownloadStringViewLite)
 
 if(NOT MINIMAL_BUILD)
+  include(zlib)
+  include(cares)
+  include(protobuf)
   # gRPC
-  include(gRPC)
+  include(grpc)
 endif()
 
-# sysdig
-include(sysdig)
-
 # Installation
 install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")
 

RELEASE.md

@@ -77,6 +77,10 @@ Now assume `x.y.z` is the new version.
     | `docker pull docker.io/falcosecurity/falco-driver-loader:x.y.z`             |
     | `docker pull docker.io/falcosecurity/falco-no-driver:x.y.z`                 |
 
+    <changelog>
+
+    <!-- Substitute <changelog> with the one generated by [rn2md](https://github.com/leodido/rn2md) -->
+
     ### Statistics
 
     | Merged PRs      | Number |
@@ -86,6 +90,10 @@ Now assume `x.y.z` is the new version.
     | Total           | x      |
 
     <!-- Calculate stats and fill the above table -->
+
+    #### Release Manager <github handle>
+
+    <!-- Substitute Github handle with the release manager's one -->
     ```
 
 - Finally, publish the release!
@@ -104,5 +112,7 @@ For each release we archive the meeting notes in git for historical purposes.
 
 Announce the new release to the world!
 
+- Publish a blog on [Falco website](https://github.com/falcosecurity/falco-website) ([example](https://github.com/falcosecurity/falco-website/blob/master/content/en/blog/falco-0-28-1.md))
 - Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
 - Let folks in the slack #falco channel know about a new release came out
+- IFF the on going release introduces a **new minor version**, [archive a snapshot of the Falco website](https://github.com/falcosecurity/falco-website/blob/master/release.md#documentation-versioning)

cmake/modules/CPackConfig.cmake

@@ -48,7 +48,7 @@ set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
 set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
 set(CPACK_RPM_PACKAGE_ARCHITECTURE, "amd64")
 set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses, systemd")
+set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, systemd")
 set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
 set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
 set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")

cmake/modules/OpenSSL.cmake

@@ -1,45 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-mark_as_advanced(OPENSSL_BINARY)
-if(NOT USE_BUNDLED_DEPS)
-  find_package(OpenSSL REQUIRED)
-  message(STATUS "Found openssl: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
-  find_program(OPENSSL_BINARY openssl)
-  if(NOT OPENSSL_BINARY)
-    message(FATAL_ERROR "Couldn't find the openssl command line in PATH")
-  else()
-    message(STATUS "Found openssl: binary: ${OPENSSL_BINARY}")
-  endif()
-else()
-  mark_as_advanced(OPENSSL_BUNDLE_DIR OPENSSL_INSTALL_DIR OPENSSL_INCLUDE_DIR
-    OPENSSL_LIBRARY_SSL OPENSSL_LIBRARY_CRYPTO)
-  set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
-  set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
-  set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include")
-  set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl.a")
-  set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto.a")
-  set(OPENSSL_BINARY "${OPENSSL_INSTALL_DIR}/bin/openssl")
-
-  message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
-
-  ExternalProject_Add(
-    openssl
-    # START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
-    URL "https://github.com/openssl/openssl/archive/OpenSSL_1_0_2n.tar.gz"
-    URL_HASH "SHA256=4f4bc907caff1fee6ff8593729e5729891adcee412049153a3bb4db7625e8364"
-    # END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
-    CONFIGURE_COMMAND ./config no-shared --prefix=${OPENSSL_INSTALL_DIR}
-    BUILD_COMMAND ${CMD_MAKE}
-    BUILD_IN_SOURCE 1
-    INSTALL_COMMAND ${CMD_MAKE} install)
-endif()

cmake/modules/b64.cmake

@@ -1,27 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
-message(STATUS "Using bundled b64 in '${B64_SRC}'")
-set(B64_INCLUDE "${B64_SRC}/include")
-set(B64_LIB "${B64_SRC}/src/libb64.a")
-externalproject_add(
-  b64
-  URL "https://github.com/libb64/libb64/archive/ce864b17ea0e24a91e77c7dd3eb2d1ac4175b3f0.tar.gz"
-  URL_HASH "SHA256=d07173e66f435e5c77dbf81bd9313f8d0e4a3b4edd4105a62f4f8132ba932811"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  BUILD_BYPRODUCTS ${B64_LIB}
-  INSTALL_COMMAND ""
-)

cmake/modules/cURL.cmake

@@ -1,76 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-if(NOT USE_BUNDLED_DEPS)
-  find_package(CURL REQUIRED)
-  message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIR}, lib: ${CURL_LIBRARIES}")
-else()
-  set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
-  set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/")
-  set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a")
-
-  set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
-  message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
-  message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
-
-  externalproject_add(
-    curl
-    DEPENDS openssl
-    # START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
-    URL "https://github.com/curl/curl/releases/download/curl-7_61_0/curl-7.61.0.tar.bz2"
-    URL_HASH "SHA256=5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c"
-    # END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
-    CONFIGURE_COMMAND
-      ./configure
-      ${CURL_SSL_OPTION}
-      --disable-shared
-      --enable-optimize
-      --disable-curldebug
-      --disable-rt
-      --enable-http
-      --disable-ftp
-      --disable-file
-      --disable-ldap
-      --disable-ldaps
-      --disable-rtsp
-      --disable-telnet
-      --disable-tftp
-      --disable-pop3
-      --disable-imap
-      --disable-smb
-      --disable-smtp
-      --disable-gopher
-      --disable-sspi
-      --disable-ntlm-wb
-      --disable-tls-srp
-      --without-winssl
-      --without-darwinssl
-      --without-polarssl
-      --without-cyassl
-      --without-nss
-      --without-axtls
-      --without-ca-path
-      --without-ca-bundle
-      --without-libmetalink
-      --without-librtmp
-      --without-winidn
-      --without-libidn2
-      --without-libpsl
-      --without-nghttp2
-      --without-libssh2
-      --disable-threaded-resolver
-      --without-brotli
-    BUILD_COMMAND ${CMD_MAKE}
-    BUILD_IN_SOURCE 1
-    INSTALL_COMMAND "")
-endif()

cmake/modules/falcosecurity-libs-repo/CMakeLists.txt

@@ -12,15 +12,15 @@
 #
 cmake_minimum_required(VERSION 3.5.1)
 
-project(sysdig-repo NONE)
+project(falcosecurity-libs-repo NONE)
 
 include(ExternalProject)
-message(STATUS "Driver version: ${SYSDIG_VERSION}")
+message(STATUS "Driver version: ${FALCOSECURITY_LIBS_VERSION}")
 
 ExternalProject_Add(
-  sysdig
-  URL "https://github.com/draios/sysdig/archive/${SYSDIG_VERSION}.tar.gz"
-  URL_HASH "${SYSDIG_CHECKSUM}"
+  falcosecurity-libs
+  URL "https://github.com/falcosecurity/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
+  URL_HASH "${FALCOSECURITY_LIBS_CHECKSUM}"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND ""

cmake/modules/falcosecurity-libs-repo/patch/luajit.patch

@@ -1,7 +1,7 @@
-diff --git a/userspace/libsinsp/chisel.cpp b/userspace/libsinsp/chisel.cpp
+diff --git a/userspace/chisel/chisel.cpp b/userspace/chisel/chisel.cpp
 index 0a6e3cf8..0c2e255a 100644
---- a/userspace/libsinsp/chisel.cpp
-+++ b/userspace/libsinsp/chisel.cpp
+--- a/userspace/chisel/chisel.cpp
++++ b/userspace/chisel/chisel.cpp
 @@ -98,7 +98,7 @@ void lua_stackdump(lua_State *L)
  // Lua callbacks
  ///////////////////////////////////////////////////////////////////////////////
@@ -29,10 +29,10 @@ index 0a6e3cf8..0c2e255a 100644
  {
  	{"field", &lua_cbacks::field},
  	{"get_num", &lua_cbacks::get_num},
-diff --git a/userspace/libsinsp/lua_parser.cpp b/userspace/libsinsp/lua_parser.cpp
+diff --git a/userspace/chisel/lua_parser.cpp b/userspace/chisel/lua_parser.cpp
 index 0e26617d..78810d96 100644
---- a/userspace/libsinsp/lua_parser.cpp
-+++ b/userspace/libsinsp/lua_parser.cpp
+--- a/userspace/chisel/lua_parser.cpp
++++ b/userspace/chisel/lua_parser.cpp
 @@ -32,7 +32,7 @@ extern "C" {
  #include "lauxlib.h"
  }
@@ -42,10 +42,10 @@ index 0e26617d..78810d96 100644
  {
  	{"rel_expr", &lua_parser_cbacks::rel_expr},
  	{"bool_op", &lua_parser_cbacks::bool_op},
-diff --git a/userspace/libsinsp/lua_parser_api.cpp b/userspace/libsinsp/lua_parser_api.cpp
+diff --git a/userspace/chisel/lua_parser_api.cpp b/userspace/chisel/lua_parser_api.cpp
 index c89e9126..c3d8008a 100644
---- a/userspace/libsinsp/lua_parser_api.cpp
-+++ b/userspace/libsinsp/lua_parser_api.cpp
+--- a/userspace/chisel/lua_parser_api.cpp
++++ b/userspace/chisel/lua_parser_api.cpp
 @@ -266,7 +266,7 @@ int lua_parser_cbacks::rel_expr(lua_State *ls)
  					string err = "Got non-table as in-expression operand\n";
  					throw sinsp_exception("parser API error");

cmake/modules/falcosecurity-libs.cmake

@@ -0,0 +1,67 @@
+#
+# Copyright (C) 2021 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/falcosecurity-libs-repo")
+set(FALCOSECURITY_LIBS_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/falcosecurity-libs-repo")
+
+file(MAKE_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
+
+# The falcosecurity/libs git reference (branch name, commit hash, or tag) To update falcosecurity/libs version for the next release, change the
+# default below In case you want to test against another falcosecurity/libs version just pass the variable - ie., `cmake
+# -DFALCOSECURITY_LIBS_VERSION=dev ..`
+if(NOT FALCOSECURITY_LIBS_VERSION)
+  set(FALCOSECURITY_LIBS_VERSION "new/plugin-system-api-additions")
+  set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=ba0ea2e22121b8543cb1ebe616090097c4dc3f093db8f0bb5cf2ce5a7e0425a0")
+endif()
+
+# cd /path/to/build && cmake /path/to/source
+execute_process(COMMAND "${CMAKE_COMMAND}" -DFALCOSECURITY_LIBS_VERSION=${FALCOSECURITY_LIBS_VERSION} -DFALCOSECURITY_LIBS_CHECKSUM=${FALCOSECURITY_LIBS_CHECKSUM}
+                        ${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
+
+# todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
+
+# execute_process(COMMAND "${CMAKE_COMMAND}" -B ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR} WORKING_DIRECTORY
+# "${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR}")
+
+execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}")
+set(FALCOSECURITY_LIBS_SOURCE_DIR "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}/falcosecurity-libs-prefix/src/falcosecurity-libs")
+
+add_definitions(-D_GNU_SOURCE)
+add_definitions(-DHAS_CAPTURE)
+if(MUSL_OPTIMIZED_BUILD)
+  add_definitions(-DMUSL_OPTIMIZED)
+endif()
+
+set(PROBE_VERSION "${FALCOSECURITY_LIBS_VERSION}")
+
+if(NOT LIBSCAP_DIR)
+  set(LIBSCAP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
+endif()
+set(LIBSINSP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
+
+# explicitly disable the tests/examples of this dependency
+set(CREATE_TEST_TARGETS OFF CACHE BOOL "")
+set(BUILD_LIBSCAP_EXAMPLES OFF CACHE BOOL "")
+
+# todo(leogr): although Falco does not actually depend on chisels, we need this for the lua_parser. 
+# Hopefully, we can switch off this in the future
+set(WITH_CHISEL ON CACHE BOOL "")
+
+set(USE_BUNDLED_TBB ON CACHE BOOL "")
+set(USE_BUNDLED_B64 ON CACHE BOOL "")
+set(USE_BUNDLED_JSONCPP ON CACHE BOOL "")
+
+list(APPEND CMAKE_MODULE_PATH "${FALCOSECURITY_LIBS_SOURCE_DIR}/cmake/modules")
+
+include(libscap)
+include(libsinsp)

cmake/modules/gRPC.cmake

@@ -1,145 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-if(NOT USE_BUNDLED_DEPS)
-  # zlib
-  include(FindZLIB)
-  set(ZLIB_INCLUDE "${ZLIB_INCLUDE_DIRS}")
-  set(ZLIB_LIB "${ZLIB_LIBRARIES}")
-
-  if(ZLIB_INCLUDE AND ZLIB_LIB)
-    message(STATUS "Found zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}")
-  endif()
-
-  # c-ares
-  mark_as_advanced(CARES_INCLUDE CARES_LIB)
-  find_path(CARES_INCLUDE NAMES ares.h)
-  find_library(CARES_LIB NAMES libcares.so)
-  if(CARES_INCLUDE AND CARES_LIB)
-    message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system c-ares")
-  endif()
-
-  # protobuf
-  mark_as_advanced(PROTOC PROTOBUF_INCLUDE PROTOBUF_LIB)
-  find_program(PROTOC NAMES protoc)
-  find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h)
-  find_library(PROTOBUF_LIB NAMES libprotobuf.so)
-  if(PROTOC
-     AND PROTOBUF_INCLUDE
-     AND PROTOBUF_LIB)
-    message(STATUS "Found protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system protobuf")
-  endif()
-
-  # gpr
-  mark_as_advanced(GPR_LIB)
-  find_library(GPR_LIB NAMES gpr)
-
-  if(GPR_LIB)
-    message(STATUS "Found gpr lib: ${GPR_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system gpr")
-  endif()
-
-  # gRPC todo(fntlnz, leodido): check that gRPC version is greater or equal than 1.8.0
-  mark_as_advanced(GRPC_INCLUDE GRPC_SRC
-    GRPC_LIB GRPC_LIBS_ABSOLUTE  GRPCPP_LIB GRPC_CPP_PLUGIN)
-  find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
-  if(GRPCXX_INCLUDE)
-    set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
-    unset(GRPCXX_INCLUDE CACHE)
-  else()
-    find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
-    set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
-    unset(GRPCPP_INCLUDE CACHE)
-    add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
-  endif()
-  find_library(GRPC_LIB NAMES grpc)
-  find_library(GRPCPP_LIB NAMES grpc++)
-  if(GRPC_INCLUDE
-     AND GRPC_LIB
-     AND GRPCPP_LIB)
-    message(STATUS "Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system grpc")
-  endif()
-  find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
-  if(NOT GRPC_CPP_PLUGIN)
-    message(FATAL_ERROR "System grpc_cpp_plugin not found")
-  endif()
-
-else()
-  find_package(PkgConfig)
-    if(NOT PKG_CONFIG_FOUND)
-      message(FATAL_ERROR "pkg-config binary not found")
-  endif()
-  message(STATUS "Found pkg-config executable: ${PKG_CONFIG_EXECUTABLE}")
-  set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
-  set(GRPC_INCLUDE "${GRPC_SRC}/include")
-  set(GRPC_LIBS_ABSOLUTE "${GRPC_SRC}/libs/opt")
-  set(GRPC_LIB "${GRPC_LIBS_ABSOLUTE}/libgrpc.a")
-  set(GRPCPP_LIB "${GRPC_LIBS_ABSOLUTE}/libgrpc++.a")
-  set(GRPC_CPP_PLUGIN "${GRPC_SRC}/bins/opt/grpc_cpp_plugin")
-
-  # we tell gRPC to compile protobuf for us because when a gRPC package is not available, like on CentOS, it's very
-  # likely that protobuf will be very outdated
-  set(PROTOBUF_INCLUDE "${GRPC_SRC}/third_party/protobuf/src")
-  set(PROTOC "${PROTOBUF_INCLUDE}/protoc")
-  set(PROTOBUF_LIB "${GRPC_LIBS_ABSOLUTE}/protobuf/libprotobuf.a")
-  # we tell gRPC to compile zlib for us because when a gRPC package is not available, like on CentOS, it's very likely
-  # that zlib will be very outdated
-  set(ZLIB_INCLUDE "${GRPC_SRC}/third_party/zlib")
-  set(ZLIB_LIB "${GRPC_LIBS_ABSOLUTE}/libz.a")
-  # we tell gRPC to compile c-ares for us because when a gRPC package is not available, like on CentOS, it's very likely
-  # that c-ares will be very outdated
-  set(CARES_INCLUDE "${GRPC_SRC}/third_party/cares" "${GRPC_SRC}/third_party/cares/cares")
-  set(CARES_LIB "${GRPC_LIBS_ABSOLUTE}/libares.a")
-
-  message(STATUS "Using bundled gRPC in '${GRPC_SRC}'")
-  message(
-    STATUS
-      "Bundled gRPC comes with protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
-  message(STATUS "Bundled gRPC comes with zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}}")
-  message(STATUS "Bundled gRPC comes with cares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}}")
-  message(STATUS "Bundled gRPC comes with gRPC C++ plugin: include: ${GRPC_CPP_PLUGIN}")
-
-  get_filename_component(PROTOC_DIR ${PROTOC} PATH)
-
-  ExternalProject_Add(
-    grpc
-    DEPENDS openssl
-    GIT_REPOSITORY https://github.com/grpc/grpc.git
-    GIT_TAG v1.32.0
-    GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares third_party/abseil-cpp third_party/re2"
-    BUILD_IN_SOURCE 1
-    BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
-    INSTALL_COMMAND ""
-    CONFIGURE_COMMAND ""
-    BUILD_COMMAND
-      CFLAGS=-Wno-implicit-fallthrough
-      HAS_SYSTEM_ZLIB=false
-      HAS_SYSTEM_PROTOBUF=false
-      HAS_SYSTEM_CARES=false
-      HAS_EMBEDDED_OPENSSL_ALPN=false
-      HAS_SYSTEM_OPENSSL_ALPN=true
-      PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}
-      PKG_CONFIG=${PKG_CONFIG_EXECUTABLE}
-      PATH=${PROTOC_DIR}:$ENV{PATH}
-      make
-      static_cxx
-      static_c
-      grpc_cpp_plugin)
-endif()

cmake/modules/jq.cmake

@@ -1,54 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-mark_as_advanced(JQ_INCLUDE JQ_LIB)
-if (NOT USE_BUNDLED_DEPS)
-    find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
-    find_library(JQ_LIB NAMES jq)
-    if (JQ_INCLUDE AND JQ_LIB)
-        message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
-    else ()
-        message(FATAL_ERROR "Couldn't find system jq")
-    endif ()
-else ()
-    set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
-    message(STATUS "Using bundled jq in '${JQ_SRC}'")
-    set(JQ_INCLUDE "${JQ_SRC}/target/include")
-    set(JQ_INSTALL_DIR "${JQ_SRC}/target")
-    set(JQ_LIB "${JQ_INSTALL_DIR}/lib/libjq.a")
-    set(ONIGURUMA_LIB "${JQ_INSTALL_DIR}/lib/libonig.a")
-    message(STATUS "Bundled jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
-
-    # Why we mirror jq here?
-    #
-    # In their readme, jq claims that you don't have
-    # to do autoreconf -fi when downloading a released tarball.
-    #
-    # However, they forgot to push the released makefiles
-    # into their release tarbal.
-    #
-    # For this reason, we have to mirror their release after
-    # doing the configuration ourselves.
-    #
-    # This is needed because many distros do not ship the right
-    # version of autoreconf, making virtually impossible to build Falco on them.
-    # Read more about it here:
-    #   https://github.com/stedolan/jq/issues/2061#issuecomment-593445920
-    ExternalProject_Add(
-            jq
-            URL "https://download.falco.org/dependencies/jq-1.6.tar.gz"
-            URL_HASH "SHA256=787518068c35e244334cc79b8e56b60dbab352dff175b7f04a94f662b540bfd9"
-            CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking --with-oniguruma=builtin --prefix=${JQ_INSTALL_DIR}
-            BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
-            BUILD_IN_SOURCE 1
-            INSTALL_COMMAND ${CMD_MAKE} install)
-endif ()

cmake/modules/luajit.cmake

@@ -11,17 +11,20 @@
 # specific language governing permissions and limitations under the License.
 #
 
-set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
-message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
-set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
-set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
-externalproject_add(
-  luajit
-  GIT_REPOSITORY "https://github.com/LuaJIT/LuaJIT"
-  GIT_TAG "1d8b747c161db457e032a023ebbff511f5de5ec2"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  BUILD_BYPRODUCTS ${LUAJIT_LIB}
-  INSTALL_COMMAND ""
-)
+if(NOT LUAJIT_INCLUDE)
+  set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
+  message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
+  set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
+  set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
+  externalproject_add(
+    luajit
+    GIT_REPOSITORY "https://github.com/LuaJIT/LuaJIT"
+    GIT_TAG "1d8b747c161db457e032a023ebbff511f5de5ec2"
+    CONFIGURE_COMMAND ""
+    BUILD_COMMAND ${CMD_MAKE}
+    BUILD_IN_SOURCE 1
+    BUILD_BYPRODUCTS ${LUAJIT_LIB}
+    INSTALL_COMMAND ""
+  )
+endif()
+include_directories("${LUAJIT_INCLUDE}")

cmake/modules/sysdig.cmake

@@ -1,78 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-set(SYSDIG_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/sysdig-repo")
-set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")
-
-# this needs to be here at the top
-if(USE_BUNDLED_DEPS)
-  # explicitly force this dependency to use the bundled OpenSSL
-  if(NOT MINIMAL_BUILD)
-    set(USE_BUNDLED_OPENSSL ON)
-  endif()
-  set(USE_BUNDLED_JQ ON)
-endif()
-
-file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-
-# The sysdig git reference (branch name, commit hash, or tag) To update sysdig version for the next release, change the
-# default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
-# -DSYSDIG_VERSION=dev ..`
-if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "5c0b863ddade7a45568c0ac97d037422c9efb750")
-  set(SYSDIG_CHECKSUM "SHA256=9de717b3a4b611ea6df56afee05171860167112f74bb7717b394bcc88ac843cd")
-endif()
-set(PROBE_VERSION "${SYSDIG_VERSION}")
-
-# cd /path/to/build && cmake /path/to/source
-execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM}
-                        ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-
-# todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
-
-# execute_process(COMMAND "${CMAKE_COMMAND}" -B ${SYSDIG_CMAKE_WORKING_DIR} WORKING_DIRECTORY
-# "${SYSDIG_CMAKE_SOURCE_DIR}")
-
-execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${SYSDIG_CMAKE_WORKING_DIR}")
-set(SYSDIG_SOURCE_DIR "${SYSDIG_CMAKE_WORKING_DIR}/sysdig-prefix/src/sysdig")
-
-# jsoncpp
-set(JSONCPP_SRC "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp")
-set(JSONCPP_INCLUDE "${JSONCPP_SRC}")
-set(JSONCPP_LIB_SRC "${JSONCPP_SRC}/jsoncpp.cpp")
-
-# Add driver directory
-add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
-
-# Add libscap directory
-add_definitions(-D_GNU_SOURCE)
-add_definitions(-DHAS_CAPTURE)
-add_definitions(-DNOCURSESUI)
-if(MUSL_OPTIMIZED_BUILD)
-  add_definitions(-DMUSL_OPTIMIZED)
-endif()
-add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")
-
-# Add libsinsp directory
-add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libsinsp" "${PROJECT_BINARY_DIR}/userspace/libsinsp")
-add_dependencies(sinsp tbb b64 luajit)
-
-# explicitly disable the tests of this dependency
-set(CREATE_TEST_TARGETS OFF)
-
-if(USE_BUNDLED_DEPS)
-  add_dependencies(scap jq)
-  if(NOT MINIMAL_BUILD)
-    add_dependencies(scap curl grpc)
-  endif()
-endif()

cmake/modules/yaml-cpp.cmake

@@ -28,6 +28,7 @@ else()
     yamlcpp
     URL "https://github.com/jbeder/yaml-cpp/archive/yaml-cpp-0.6.2.tar.gz"
     URL_HASH "SHA256=e4d8560e163c3d875fd5d9e5542b5fd5bec810febdcba61481fe5fc4e6b1fd05"
+    BUILD_BYPRODUCTS ${YAMLCPP_LIB}
     BUILD_IN_SOURCE 1
     INSTALL_COMMAND "")
 endif()

docker/builder/Dockerfile

@@ -20,11 +20,11 @@ ENV FALCO_VERSION=${FALCO_VERSION}
 
 # build toolchain
 RUN yum -y install centos-release-scl && \
-    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel llvm-toolset-7 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel ncurses-devel rpm-build libyaml-devel" && \
+    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel llvm-toolset-7 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel rpm-build libyaml-devel" && \
     yum -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
     rpm -V $INSTALL_PKGS
 
-ARG CMAKE_VERSION=3.5.1
+ARG CMAKE_VERSION=3.6.3
 RUN source scl_source enable devtoolset-7 llvm-toolset-7 && \
     cd /tmp && \
     curl -L https://github.com/kitware/cmake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.tar.gz | tar xz; \

docker/builder/root/usr/bin/entrypoint

@@ -34,7 +34,6 @@ case "$CMD" in
     -DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
     -DCMAKE_INSTALL_PREFIX=/usr \
     -DBUILD_DRIVER="$BUILD_DRIVER" \
-    -DMINIMAL_BUILD="$MINIMAL_BUILD" \
     -DBUILD_BPF="$BUILD_BPF" \
     -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
     -DFALCO_VERSION="$FALCO_VERSION" \

proposals/20210119-libraries-contribution.md

@@ -1,4 +1,4 @@
-# OSS Libraries Donation Plan
+# OSS Libraries Contribution Plan
 
 ## Summary
 
@@ -6,7 +6,7 @@ Sysdig Inc. intends to donate **libsinsp**, **libscap**, the **kernel module dri
 
 This means that some parts of the [draios/sysdig](https://github.com/draios/sysdig) repository will be moved to a new GitHub repository called [falcosecurity/libs](https://github.com/falcosecurity/libs).
 
-This plan aims to describe and clarify the terms and goals to get the donation done.
+This plan aims to describe and clarify the terms and goals to get the contribution done.
 
 ## Motivation
 
@@ -22,7 +22,7 @@ Sysdig (the command line tool) will continue to use the libraries now provided b
 This change is win-win for both parties because of the following reasons:
 
 - The Falco community owns the source code of the three most important parts of the software it distributes.
-  - Right now it is "only" an engine on top of the libraries. This **donation** helps in making the scope of the Falco project broader. Having the majority of the source code under an **open governance** in the same organization gives the Falco project more contribution opportunities, helps it in **evolving independently** and makes the whole Falco community a strong owner of the processes and decision making regarding those crucial parts.
+  - Right now it is "only" an engine on top of the libraries. This **contribution** helps in making the scope of the Falco project broader. Having the majority of the source code under an **open governance** in the same organization gives the Falco project more contribution opportunities, helps it in **evolving independently** and makes the whole Falco community a strong owner of the processes and decision making regarding those crucial parts.
 
 - Given the previous point, Sysdig (the command line tool) will benefit from the now **extended contributors base**
 
@@ -34,7 +34,7 @@ This change is win-win for both parties because of the following reasons:
 
 ## Goals
 
-There are many sub-projects and each of them interacts in a different way in this donation.
+There are many sub-projects and each of them interacts in a different way in this contribution.
 
 Let's see the goals per sub-project.
 
@@ -68,7 +68,7 @@ Let's see the goals per sub-project.
 
 13. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already
 
-14. This project will go already "Official support" once the donation is completed
+14. This project will go already "Official support" once the contribution is completed
 
 15. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
 
@@ -110,7 +110,7 @@ Let's see the goals per sub-project.
 
 13. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already
 
-14. This project will go already "Official support" once the donation is completed
+14. This project will go already "Official support" once the contribution is completed
 
 15. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
 

rules/falco_rules.yaml

@@ -15,10 +15,10 @@
 # limitations under the License.
 #
 
-# The latest Falco Engine version is 8 if you want to
-# use exceptions. However the default rules file does not
-# use them so we stick with 7 for compatibility.
-- required_engine_version: 7
+# The latest Falco Engine version is 9.
+# Starting with version 8, the Falco engine supports exceptions.
+# However the Falco rules file does not use them by default.
+- required_engine_version: 9
 
 # Currently disabled as read/write are ignored syscalls. The nearly
 # similar open_write/open_read check for files being opened for
@@ -1565,6 +1565,7 @@
     and not calico_node
     and not weaveworks_scope
     and not user_known_change_thread_namespace_activities
+  enabled: false
   output: >
     Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
     parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
@@ -1752,13 +1753,13 @@
 - macro: allowed_aws_ecr_registry_root_for_eks
   condition: >
     (container.image.repository startswith "602401143452.dkr.ecr" or
-     container.image.repository startswith "877085696533.dkr.ecr" or 
-     container.image.repository startswith "800184023465.dkr.ecr" or 
-     container.image.repository startswith "602401143452.dkr.ecr" or 
+     container.image.repository startswith "877085696533.dkr.ecr" or
+     container.image.repository startswith "800184023465.dkr.ecr" or
+     container.image.repository startswith "602401143452.dkr.ecr" or
      container.image.repository startswith "918309763551.dkr.ecr" or
-     container.image.repository startswith "961992271922.dkr.ecr" or 
+     container.image.repository startswith "961992271922.dkr.ecr" or
      container.image.repository startswith "590381155156.dkr.ecr" or
-     container.image.repository startswith "558608220178.dkr.ecr" or 
+     container.image.repository startswith "558608220178.dkr.ecr" or
      container.image.repository startswith "151742754352.dkr.ecr" or
      container.image.repository startswith "013241004608.dkr.ecr")
 
@@ -2234,7 +2235,7 @@
   condition: >
     evt.type=setuid and evt.dir=>
     and (known_user_in_container or not container)
-    and not user.name=root
+    and not (user.name=root or user.uid=0)
     and not somebody_becoming_themself
     and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
                           nomachine_binaries)
@@ -2641,6 +2642,7 @@
     and not proc.name in (user_known_chmod_applications)
     and not exe_running_docker_save
     and not user_known_set_setuid_or_setgid_bit_conditions
+  enabled: false
   output: >
     Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name user_loginuid=%user.loginuid process=%proc.name
     command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
@@ -2745,7 +2747,7 @@
       "xmr-eu1.nanopool.org","xmr-eu2.nanopool.org",
       "xmr-jp1.nanopool.org","xmr-us-east1.nanopool.org",
       "xmr-us-west1.nanopool.org","xmr.crypto-pool.fr",
-      "xmr.pool.minergate.com"
+      "xmr.pool.minergate.com", "rx.unmineable.com"
       ]
 
 - list: https_miner_domains
@@ -3001,7 +3003,7 @@
 - rule: Linux Kernel Module Injection Detected
   desc: Detect kernel module was injected (from container).
   condition: spawned_process and container and proc.name=insmod and not proc.args in (white_listed_modules)
-  output: Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args)
+  output: Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)
   priority: WARNING
   tags: [process]
 
@@ -3025,13 +3027,13 @@
 # A privilege escalation to root through heap-based buffer overflow
 - rule: Sudo Potential Privilege Escalation
   desc: Privilege escalation vulnerability affecting sudo (<= 1.9.5p2). Executing sudo using sudoedit -s or sudoedit -i command with command-line argument that ends with a single backslash character from an unprivileged user it's possible to elevate the user privileges to root.
-  condition: spawned_process and user.uid!= 0 and proc.name=sudoedit and (proc.args contains -s or proc.args contains -i) and (proc.args contains "\ " or proc.args endswith \)
+  condition: spawned_process and user.uid != 0 and proc.name=sudoedit and (proc.args contains -s or proc.args contains -i) and (proc.args contains "\ " or proc.args endswith \)
   output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"
   priority: CRITICAL
   tags: [filesystem, mitre_privilege_escalation]
 
 - rule: Debugfs Launched in Privileged Container
-  desc: Detect file system debugger debugfs launched inside a privilegd container which might lead to container escape.
+  desc: Detect file system debugger debugfs launched inside a privileged container which might lead to container escape.
   condition: >
     spawned_process and container
     and container.privileged=true
@@ -3054,6 +3056,24 @@
   priority: WARNING
   tags: [container, cis, mitre_lateral_movement]
 
+- macro: consider_userfaultfd_activities
+  condition: (always_true)
+
+- list: user_known_userfaultfd_processes
+  items: []
+
+- rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process
+  desc: Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs
+  condition: >
+    consider_userfaultfd_activities and
+    evt.type = userfaultfd and
+    user.uid != 0 and
+    (evt.rawres >= 0 or evt.res != -1) and
+    not proc.name in (user_known_userfaultfd_processes)
+  output: An userfaultfd syscall was successfully executed by an unprivileged user (user=%user.name user_loginuid=%user.loginuid process=%proc.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
+  priority: CRITICAL
+  tags: [syscall, mitre_defense_evasion]
+
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.

rules/k8s_audit_rules.yaml

@@ -304,7 +304,7 @@
 - list: known_sa_list
   items: ["pod-garbage-collector","resourcequota-controller","cronjob-controller","generic-garbage-collector",
           "daemon-set-controller","endpointslice-controller","deployment-controller", "replicaset-controller",
-          "endpoint-controller"]
+          "endpoint-controller", "namespace-controller", "statefulset-controller", "disruption-controller"]
 
 - macro: trusted_sa
   condition: (ka.target.name in (known_sa_list, user_known_sa_list))

scripts/ignored-calls.sh

@@ -17,9 +17,9 @@
 #
 scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 parentdir="$(dirname "$scriptdir")"
-sysdigdir="${parentdir}/build/sysdig-repo/sysdig-prefix/src/sysdig"
-cat "${sysdigdir}/userspace/libscap/syscall_info_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/.*\"\(.*\)\".*/\1/'  | sort > /tmp/ignored_syscall_info_table.txt
-cat "${sysdigdir}/driver/event_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/[^\"]*\"\([^\"]*\)\".*/\1/' | sort | uniq > /tmp/ignored_driver_event_table.txt
+libsdir="${parentdir}/build/falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs"
+cat "${libsdir}/userspace/libscap/syscall_info_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/.*\"\(.*\)\".*/\1/'  | sort > /tmp/ignored_syscall_info_table.txt
+cat "${libsdir}/driver/event_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/[^\"]*\"\([^\"]*\)\".*/\1/' | sort | uniq > /tmp/ignored_driver_event_table.txt
 
 cat /tmp/ignored_driver_event_table.txt /tmp/ignored_syscall_info_table.txt | sort | uniq | tr '\n' ', '
 

test/falco_tests.yaml

@@ -763,7 +763,7 @@ trace_files: !mux
       - "Non sudo setuid": 1
       - "Create files below dev": 1
       - "Modify binary dirs": 2
-      - "Change thread namespace": 1
+      - "Change thread namespace": 0
 
   disabled_tags_a:
     detect: True

test/falco_traces.yaml.in

@@ -23,10 +23,10 @@ has_json_output: !mux
 traces: !mux
   change-thread-namespace:
     trace_file: traces-positive/change-thread-namespace.scap
-    detect: True
+    detect: False
     detect_level: NOTICE
     detect_counts:
-      - "Change thread namespace": 1
+      - "Change thread namespace": 0
 
   container-privileged:
     trace_file: traces-positive/container-privileged.scap
@@ -73,7 +73,7 @@ traces: !mux
       - "Non sudo setuid": 1
       - "Create files below dev": 1
       - "Modify binary dirs": 2
-      - "Change thread namespace": 1
+      - "Change thread namespace": 0
 
   mkdir-binary-dirs:
     trace_file: traces-positive/mkdir-binary-dirs.scap

test/requirements.txt

@@ -9,5 +9,5 @@ PyYAML==5.4
 requests==2.23.0
 six==1.14.0
 stevedore==1.32.0
-urllib3==1.25.9
+urllib3==1.26.5
 watchdog==0.10.2

userspace/engine/CMakeLists.txt

@@ -35,9 +35,8 @@ if(MINIMAL_BUILD)
       "${NJSON_INCLUDE}"
       "${TBB_INCLUDE_DIR}"
       "${STRING_VIEW_LITE_INCLUDE}"
-      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
-      "${SYSDIG_SOURCE_DIR}/userspace/libscap"
-      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
+      "${LIBSCAP_INCLUDE_DIRS}"
+      "${LIBSINSP_INCLUDE_DIRS}"
       "${PROJECT_BINARY_DIR}/userspace/engine")
 else()
   target_include_directories(
@@ -48,9 +47,8 @@ else()
       "${CURL_INCLUDE_DIR}"
       "${TBB_INCLUDE_DIR}"
       "${STRING_VIEW_LITE_INCLUDE}"
-      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
-      "${SYSDIG_SOURCE_DIR}/userspace/libscap"
-      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
+      "${LIBSCAP_INCLUDE_DIRS}"
+      "${LIBSINSP_INCLUDE_DIRS}"
       "${PROJECT_BINARY_DIR}/userspace/engine")
 endif()
 
@@ -72,3 +70,5 @@ else()
     FILES_MATCHING
     PATTERN *.lua)
 endif()
+
+add_subdirectory(embeddable)

userspace/engine/embeddable/CMakeLists.txt

@@ -0,0 +1,43 @@
+#
+# Copyright (C) 2021 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+
+set(FALCO_ENGINE_EMBEDDABLE_SOURCE_FILES
+    falco_engine_embeddable.cpp)
+
+set(
+  FALCO_LIBRARIES
+  falco_engine
+  sinsp
+  "${LIBYAML_LIB}"
+  "${YAMLCPP_LIB}"
+)
+
+add_library(falco_engine_embeddable SHARED ${FALCO_ENGINE_EMBEDDABLE_SOURCE_FILES})
+add_dependencies(falco_engine_embeddable falco_engine)
+
+target_include_directories(
+  falco_engine_embeddable
+  PUBLIC
+    "${PROJECT_SOURCE_DIR}/userspace/engine"
+    "${LUAJIT_INCLUDE}"
+    "${NJSON_INCLUDE}"
+    "${TBB_INCLUDE_DIR}"
+    "${STRING_VIEW_LITE_INCLUDE}"
+    "${LIBSCAP_INCLUDE_DIRS}"
+    "${LIBSINSP_INCLUDE_DIRS}"
+    "${PROJECT_BINARY_DIR}/userspace/engine")
+
+target_link_libraries(falco_engine_embeddable ${FALCO_LIBRARIES})
+
+#add_custom_target(example ALL DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/example)
+#add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/example COMMAND go build ${CMAKE_CURRENT_SOURCE_DIR}/example.go -o ${CMAKE_CURRENT_BINARY_DIR}/example)
+

userspace/engine/embeddable/example/example.go

@@ -0,0 +1,102 @@
+package main
+
+//#cgo CFLAGS: -I../
+//#cgo LDFLAGS: -L/home/mstemm/work/falco-build/userspace/engine/embeddable -lfalco_engine_embeddable -Wl,-rpath=/home/mstemm/work/falco-build/userspace/engine/embeddable
+/*
+#include "stdio.h"
+#include "falco_engine_embeddable.h"
+
+int open_engine(void **engine, void *rules_content)
+{
+   int32_t rc;
+   *engine = falco_engine_embed_init(&rc);
+
+   if (rc != 0)
+   {
+   return rc;
+   }
+
+   char *errstr;
+   rc = falco_engine_embed_load_rules_content(*engine, (const char *) rules_content, &errstr);
+
+   if (rc != 0)
+   {
+   fprintf(stderr, "%s", errstr);
+   return rc;
+   }
+
+   rc = falco_engine_embed_open(*engine, &errstr);
+
+   if (rc != 0)
+   {
+   fprintf(stderr, "%s", errstr);
+   return rc;
+   }
+
+   return rc;
+}
+
+int next_result(void *engine, char **output)
+{
+
+   int32_t rc;
+   falco_engine_embed_result *res;
+   char *errstr;
+
+   rc = falco_engine_embed_next_result(engine, &res, &errstr);
+
+   if (rc != 0)
+   {
+   fprintf(stderr, "NEXT ERROR %s", errstr);
+   return rc;
+   }
+
+   *output = res->output_str;
+   return rc;
+
+}
+
+*/
+import "C"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"unsafe"
+)
+
+func doMain(rules_filename string) int {
+
+	rules_content, err := ioutil.ReadFile(rules_filename)
+	if err != nil {
+		fmt.Printf("Could not open rules file %s: %v", rules_filename, err)
+		return 1
+	}
+
+	var handle unsafe.Pointer
+	rc := C.open_engine(&handle, C.CBytes(rules_content))
+
+	if rc != 0 {
+		fmt.Printf("Could not open falco engine")
+		return 1
+	}
+
+	for true {
+		var output *C.char
+		rc := C.next_result(handle, &output)
+		if rc != 0 {
+			fmt.Printf("Could not get next result")
+			return 1
+		}
+		fmt.Printf("GOT RESULT %s\n", C.GoString(output))
+	}
+
+	return 0
+}
+
+func main() {
+	os.Exit(doMain(os.Args[1]))
+}
+
+

userspace/engine/embeddable/example/go.mod

@@ -0,0 +1,6 @@
+module github.com/falcosecurity/falco/embedded/example
+
+go 1.16
+
+require (
+)

userspace/engine/embeddable/falco_engine_embeddable.cpp

@@ -0,0 +1,356 @@
+/*
+Copyright (C) 2021 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <memory>
+#include <atomic>
+
+#include <sinsp.h>
+#include <event.h>
+
+#include <falco_engine.h>
+#include "falco_engine_embeddable.h"
+
+using namespace std;
+
+class falco_engine_embed_int {
+public:
+	falco_engine_embed_int();
+	virtual ~falco_engine_embed_int();
+
+	bool load_rules_content(const char *rules_content, string &err);
+	bool is_open();
+	bool open(string &err);
+	bool close(string &err);
+	falco_engine_embed_rc next_result(falco_engine_embed_result **result, string &err);
+
+private:
+
+	falco_engine_embed_result *rule_result_to_embed_result(sinsp_evt *ev,
+							       unique_ptr<falco_engine::rule_result> &res);
+
+	static void add_output_pair(const string &field, const string &val,
+				    char **&fields, char **&vals,
+				    uint32_t &len);
+
+	unique_ptr<sinsp_evt_formatter_cache> m_formatters;
+	bool m_open;
+	unique_ptr<sinsp> m_inspector;
+	unique_ptr<falco_engine> m_falco_engine;
+	atomic<bool> m_shutdown;
+};
+
+falco_engine_embed_int::falco_engine_embed_int()
+        : m_open(false),
+	m_shutdown(false)
+{
+	m_inspector.reset(new sinsp());
+	m_falco_engine.reset(new falco_engine());
+	m_falco_engine->set_inspector(m_inspector.get());
+
+	m_formatters.reset(new sinsp_evt_formatter_cache(m_inspector.get()));
+}
+
+falco_engine_embed_int::~falco_engine_embed_int()
+{
+}
+
+bool falco_engine_embed_int::load_rules_content(const char *rules_content, string &err)
+{
+	bool verbose = false;
+	bool all_events = true;
+
+	try {
+		m_falco_engine->load_rules(string(rules_content), verbose, all_events);
+	}
+	catch(falco_exception &e)
+	{
+		err = e.what();
+		return false;
+	}
+
+	return true;
+}
+
+bool falco_engine_embed_int::is_open()
+{
+	return m_open;
+}
+
+bool falco_engine_embed_int::open(string &err)
+{
+	try {
+		m_inspector->open();
+	}
+	catch(exception &e)
+	{
+		err = e.what();
+		return false;
+	}
+
+	m_open = true;
+	return true;
+}
+
+bool falco_engine_embed_int::close(string &err)
+{
+	m_shutdown = true;
+	m_open = false;
+
+	return true;
+}
+
+falco_engine_embed_rc falco_engine_embed_int::next_result(falco_engine_embed_result **result, string &err)
+{
+	*result = NULL;
+
+	while(!m_shutdown)
+	{
+		sinsp_evt* ev;
+
+		int32_t rc = m_inspector->next(&ev);
+
+		if (rc == SCAP_TIMEOUT)
+		{
+			continue;
+		}
+		else if (rc == SCAP_EOF)
+		{
+			break;
+		}
+		else if (rc != SCAP_SUCCESS)
+		{
+			err = m_inspector->getlasterr();
+			return FE_EMB_RC_ERROR;
+		}
+
+		if(!ev->simple_consumer_consider())
+		{
+			continue;
+		}
+
+		unique_ptr<falco_engine::rule_result> res = m_falco_engine->process_sinsp_event(ev);
+		if(!res)
+		{
+			continue;
+		}
+
+		*result = rule_result_to_embed_result(ev, res);
+
+		return FE_EMB_RC_OK;
+	}
+
+	// Can only get here if shut down/eof.
+	return FE_EMB_RC_EOF;
+}
+
+falco_engine_embed_result * falco_engine_embed_int::rule_result_to_embed_result(sinsp_evt *ev,
+										unique_ptr<falco_engine::rule_result> &res)
+{
+	falco_engine_embed_result *result;
+
+	result = (falco_engine_embed_result *) malloc(sizeof(falco_engine_embed_result));
+
+	result->rule = strdup(res->rule.c_str());
+	result->event_source = strdup(res->source.c_str());
+	result->priority_num = res->priority_num;
+
+	// Copy output format string without resolving fields.
+	result->output_format_str = strdup(res->format.c_str());
+
+	// Resolve output format string into resolved output
+	string output;
+	m_formatters->tostring(ev, res->format, &output);
+	result->output_str = strdup(output.c_str());
+
+	result->output_fields = NULL;
+	result->output_values = NULL;
+	result->num_output_values = 0;
+
+	map<string, string> rule_output_fields;
+	m_formatters->resolve_tokens(ev, res->format, rule_output_fields);
+	for(auto &pair : rule_output_fields)
+	{
+		add_output_pair(pair.first, pair.second,
+				result->output_fields, result->output_values,
+				result->num_output_values);
+	}
+
+	// Preceding * makes the formatting permissive (not ending at first empty value)
+	std::string exformat = "*";
+	for (const auto& exfield : res->exception_fields)
+	{
+		exformat += " %" + exfield;
+	}
+
+	map<string, string> exception_output_fields;
+	m_formatters->resolve_tokens(ev, exformat, exception_output_fields);
+	for(auto &pair : exception_output_fields)
+	{
+		add_output_pair(pair.first, pair.second,
+				result->output_fields, result->output_values,
+				result->num_output_values);
+	}
+
+	return result;
+}
+
+void falco_engine_embed_int::add_output_pair(const string &field, const string &val,
+					     char **&fields, char **&vals,
+					     uint32_t &len)
+{
+	len++;
+	fields = (char **) realloc(fields, len*sizeof(char *));
+	vals = (char **) realloc(vals, len*sizeof(char *));
+	fields[len-1] = strdup(field.c_str());
+	vals[len-1] = strdup(val.c_str());
+}
+
+static const char *FALCO_ENGINE_EMBED_VERSION = "1.0.0";
+
+char *falco_engine_embed_get_version()
+{
+	return strdup(FALCO_ENGINE_EMBED_VERSION);
+}
+
+void falco_engine_embed_free_result(falco_engine_embed_result *result)
+{
+	free(result->rule);
+	free(result->event_source);
+	free(result->output_format_str);
+	free(result->output_str);
+
+	for(int32_t i; i < result->num_output_values; i++)
+	{
+		free(result->output_fields[i]);
+		free(result->output_values[i]);
+	}
+	free(result->output_fields);
+	free(result->output_values);
+	free(result);
+}
+
+falco_engine_embed_t* falco_engine_embed_init(int32_t *rc)
+{
+	falco_engine_embed_int *eengine = new falco_engine_embed_int();
+
+	*rc = FE_EMB_RC_OK;
+
+	return eengine;
+}
+
+int32_t falco_engine_embed_destroy(falco_engine_embed_t *engine, char *errstr)
+{
+	falco_engine_embed_int *eengine = (falco_engine_embed_int *) engine;
+
+	if(eengine->is_open())
+	{
+		errstr = strdup("Engine is open--must call close() first");
+		return FE_EMB_RC_ERROR;
+	}
+
+	delete(eengine);
+
+	return FE_EMB_RC_OK;
+}
+
+int32_t falco_engine_embed_load_plugin(falco_engine_embed_t *engine,
+				       const char *path,
+				       const char* init_config,
+				       const char* open_params,
+				       char **errstr)
+{
+	falco_engine_embed_int *eengine = (falco_engine_embed_int *) engine;
+
+	// XXX/mstemm fill in
+	return FE_EMB_RC_OK;
+}
+
+int32_t falco_engine_embed_load_rules_content(falco_engine_embed_t *engine,
+					      const char *rules_content,
+					      char **errstr)
+{
+	falco_engine_embed_int *eengine = (falco_engine_embed_int *) engine;
+	std::string err;
+
+	if (!eengine->load_rules_content(rules_content, err))
+	{
+		*errstr = strdup(err.c_str());
+		return FE_EMB_RC_ERROR;
+	}
+
+	return FE_EMB_RC_OK;
+}
+
+int32_t falco_engine_embed_enable_source(falco_engine_embed_t *engine,
+					 int32_t source,
+					 bool enabled,
+					 char **errstr)
+{
+	falco_engine_embed_int *eengine = (falco_engine_embed_int *) engine;
+
+	// XXX/mstemm fill in
+	return FE_EMB_RC_OK;
+}
+
+int32_t falco_engine_embed_open(falco_engine_embed_t *engine,
+				char **errstr)
+{
+	falco_engine_embed_int *eengine = (falco_engine_embed_int *) engine;
+	std::string err;
+
+	if (!eengine->open(err))
+	{
+		*errstr = strdup(err.c_str());
+		return FE_EMB_RC_ERROR;
+	}
+
+	return FE_EMB_RC_OK;
+}
+
+int32_t falco_engine_embed_close(falco_engine_embed_t *engine,
+				 char **errstr)
+{
+	falco_engine_embed_int *eengine = (falco_engine_embed_int *) engine;
+	std::string err;
+
+	if (!eengine->close(err))
+	{
+		*errstr = strdup(err.c_str());
+		return FE_EMB_RC_ERROR;
+	}
+
+	return FE_EMB_RC_OK;
+}
+
+int32_t falco_engine_embed_next_result(falco_engine_embed_t *engine,
+				       falco_engine_embed_result **result,
+				       char **errstr)
+{
+	falco_engine_embed_int *eengine = (falco_engine_embed_int *) engine;
+	std::string err;
+	falco_engine_embed_rc rc;
+
+	rc = eengine->next_result(result, err);
+
+	if(rc == FE_EMB_RC_ERROR)
+	{
+		*errstr = strdup(err.c_str());
+	}
+
+	return rc;
+}
+
+

userspace/engine/embeddable/falco_engine_embeddable.h

@@ -0,0 +1,268 @@
+/*
+  Copyright (C) 2021 The Falco Authors.
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+*/
+
+/*
+  This header file provides a C-only interface to the falco engine,
+  suitable for embedding in other programs as a shared library. This
+  interface handles:
+  - Loading Rules Content
+  - Enabling/Disabling syscall/k8s_audit event sources.
+  - Loading and configuring source/extractor plugins
+  - Starting/Stopping the event processing loop.
+
+  After setup, the main interface involves receiving "results" when
+  syscall/k8s_audit/plugin events match rules.
+
+  This interface does not provide as many features as the c++
+  falco_engine interface, such as interfaces to list rules, segregate
+  rules by "ruleset", enabling/disabling specific rules etc.
+
+  Output handling (e.g. routing alerts to files, stdout, webhook,
+  slack, etc) is not covered by this interface. After receiving a
+  result, a program could use a program like falcosidekick for a rich
+  set of output handling methods.
+
+*/
+
+#pragma once
+
+#include <stdint.h>
+#include <stdbool.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* A handle to an embeddable falco engine */
+typedef void falco_engine_embed_t;
+
+/* Defined return values from API functions. */
+enum falco_engine_embed_rc
+{
+	/* No Error */
+	FE_EMB_RC_OK = 0,
+	FE_EMB_RC_ERROR = 1,
+	FE_EMB_RC_EOF = 2,
+};
+
+/* Defined event sources. */
+enum falco_engine_embed_evt_source
+{
+	FE_EMB_SRC_NONE = 0,
+	FE_EMB_SRC_SYSCALL = 1,
+	FE_EMB_K8S_AUDIT = 2,
+	FE_EMB_PLUGINS = 3,   // This includes any event from any plugin
+};
+
+/* Represents a result (e.g. an event matching a falco rule)
+
+   When returned by a call to next_result(), the struct, as well as
+   every allocated char * within the struct, is allocated via a call
+   to malloc() and must be freed via a call to free().
+*/
+typedef struct falco_engine_embed_result
+{
+	// The rule that matched the event
+	char *rule;
+
+	// The event source of the event that matched the rule
+	char *event_source;
+
+	// An int containing a falco_common::priority_type value of
+	// the priority of the matching rule.
+	int32_t priority_num;
+
+	// A copy of the rule's output string, *without* any
+	// fields (e.g. %proc.name, ...) resolved to values.
+	char *output_format_str;
+
+	// An output string, starting with the rule's output string
+	// with all fields resolved to values.
+	char *output_str;
+
+	// An allocated array of allocated field names from the output
+	// string. Additional fields + values may be included in
+	// addition to those in the output string, to aid in
+	// debugging. Item i in this array maps to item i in
+	// output_values.
+	char **output_fields;
+
+	// An allocated array of allocated field values from the
+	// output string. Additional fields + values may be included in
+	// addition to those in the output string, to aid in
+	// debugging. Item i in this array maps to item i in
+	// output_fields.
+	char **output_values;
+
+	// The length of output_fields/output_values
+	uint32_t num_output_values;
+} falco_engine_embed_result;
+
+/* A utility function to free a falco_engine_embed_result struct and
+ * its allocated strings returned by a call to next_result() */
+void falco_engine_embed_free_result(falco_engine_embed_result *result);
+
+// Interface to interact with an embeddable falco engine.
+
+// NOTE: For all functions below that return a char *, the memory
+// pointed to by the char * is allocated using malloc() and should be
+// freed by the caller using free().
+
+// Return the embedded engine version.
+//
+// Return value: a version string, in the following format:
+//        "<major>.<minor>.<patch>", e.g. "1.2.3".
+// This interface is compatible following semver conventions:
+// <major> changes for incompatible api changes, <minor> for
+// backwards-compatible additions, <patch> for compatible bug
+// fixes.
+char* falco_engine_embed_get_version();
+
+// Initialize a falco engine.
+//
+// Arguments:
+// - rc: pointer to an integer containing a falco_engine_embed_rc value.
+//
+// Return value: pointer to the engine state that is passed to
+// other API functions.
+falco_engine_embed_t* falco_engine_embed_init(int32_t *rc);
+
+// Destroy a falco engine. This frees any resources allocated in
+// init(). If open() has been called, close() should be called before
+// destroy().
+//
+// Arguments:
+// - engine: returned by a prior succesful call to init().
+// - errstr: on error, errstr will point to an allocated
+//   string with additional details on the errror. The string
+//   must be freed via a call to free().
+//
+// Return value: an integer containing a falco_engine_embed_rc
+// value.
+int32_t falco_engine_embed_destroy(falco_engine_embed_t *engine, char *errstr);
+
+// Load either a falco source or extractor plugin.
+//
+// Arguments:
+// - engine: returned by a prior succesful call to init().
+// - path: a file path pointing to a dynamic library that
+//   can be dlopen()ed.
+// - init_config: a string that will be passed to the plugin's
+//   init() function.
+// - open_params: a string that will be passed to the
+//   plugin's open() function.
+// - errstr: on error, errstr will point to an allocated
+//   string with additional details on the errror. The string
+//   must be freed via a call to free().
+//
+// Return value: an integer containing a falco_engine_embed_rc
+// value.
+int32_t falco_engine_embed_load_plugin(falco_engine_embed_t *engine,
+				       const char *path,
+				       const char* init_config,
+				       const char* open_params,
+				       char **errstr);
+
+// Load the provided rules content. These rules are applied on
+// top of any previously loaded rules content
+// (e.g. appending/overriding rule/macro/list objects as
+// specified via "append:" properties)
+//
+// NOTE: Plugins should be loaded before any rules are loaded.
+//
+// Arguments:
+// - engine: returned by a prior succesful call to init().
+// - rules_content: a null-terminated string containing
+//   yaml rules content.
+// - errstr: on error, errstr will point to an allocated
+//   string with additional details on the errror. The string
+//   must be freed via a call to free().
+//
+// Return value: an integer containing a falco_engine_embed_rc
+// value.
+int32_t falco_engine_embed_load_rules_content(falco_engine_embed_t *engine,
+					      const char *rules_content,
+					      char **errstr);
+
+// Enable/disable an event source.
+// By default all event sources are enabled. This function
+// enables/disables specific event sources.
+//
+// Arguments:
+// - engine: returned by a prior succesful call to init().
+// - source: an int containing a falco_engine_embed_evt_source value.
+// - enabled: whether to enable or disable the provided source
+// - errstr: on error, errstr will point to an allocated
+//   string with additional details on the errror. The string
+//   must be freed via a call to free().
+//
+// Return value: an integer containing a falco_engine_embed_rc
+// value.
+int32_t falco_engine_embed_enable_source(falco_engine_embed_t *engine,
+					 int32_t source,
+					 bool enabled,
+					 char **errstr);
+
+// Open the engine, which starts event processing and matching
+// against the loaded set of rules.
+//
+// Arguments:
+// - engine: returned by a prior succesful call to init().
+// - errstr: on error, errstr will point to an allocated
+//   string with additional details on the errror. The string
+//   must be freed via a call to free().
+//
+// Return value: an integer containing a falco_engine_embed_rc
+// value.
+int32_t falco_engine_embed_open(falco_engine_embed_t *engine,
+				char **errstr);
+
+// Close the engine, which stops event processing.
+//
+// Arguments:
+// - engine: returned by a prior succesful call to init().
+// - errstr: on error, errstr will point to an allocated
+//   string with additional details on the errror. The string
+//   must be freed via a call to free().
+//
+// Return value: an integer containing a falco_engine_embed_rc
+// value.
+int32_t falco_engine_embed_close(falco_engine_embed_t *engine,
+				 char **errstr);
+
+// Receive the next result (e.g. an event that matched a
+// rule). This function blocks until the next result is
+// available. close() is called, or an error occurs.
+//
+// Arguments:
+// - engine: returned by a prior succesful call to init().
+// - result: a pointer to a falco_engine_embed_result struct
+//   pointer. On success, a struct will be allocated, and filled in
+//   with allocated char* values, and the pointer updated to point to
+//   the allocated struct.
+// - errstr: on error, errstr will point to an allocated
+//   string with additional details on the errror. The string
+//   must be freed via a call to free().
+//
+// Return value: an integer containing a falco_engine_embed_rc
+// value.
+int32_t falco_engine_embed_next_result(falco_engine_embed_t *engine,
+				       falco_engine_embed_result **result,
+				       char **errstr);
+#ifdef __cplusplus
+} // extern "C"
+#endif
+

userspace/engine/falco_engine_version.h

@@ -16,9 +16,9 @@ limitations under the License.
 
 // The version of rules/filter fields/etc supported by this falco
 // engine.
-#define FALCO_ENGINE_VERSION (8)
+#define FALCO_ENGINE_VERSION (9)
 
 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of falco. It's used
 // at build time to detect a changed set of fields.
-#define FALCO_FIELDS_CHECKSUM "2f324e2e66d4b423f53600e7e0fcf2f0ff72e4a87755c490f2ae8f310aba9386"
+#define FALCO_FIELDS_CHECKSUM "8183621f52451d842036eee409e2ed920d9c91bab33e0c4a44e4a871378d103f"

userspace/falco/CMakeLists.txt

@@ -25,7 +25,6 @@ set(
   event_drops.cpp
   statsfilewriter.cpp
   falco.cpp
-  "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/fields_info.cpp"
 )
 
 set(
@@ -87,16 +86,23 @@ if(NOT MINIMAL_BUILD)
     "${GRPC_INCLUDE}"
     "${GRPCPP_INCLUDE}"
     "${PROTOBUF_INCLUDE}"
+    "${CARES_INCLUDE}"
   )
 
+  if(USE_BUNDLED_GRPC)
+    list(APPEND FALCO_DEPENDENCIES grpc)
+    list(APPEND FALCO_LIBRARIES "${GRPC_LIBRARIES}")
+  endif()
+
   list(APPEND FALCO_DEPENDENCIES civetweb)
 
   list(
     APPEND FALCO_LIBRARIES
-    "${GPR_LIB}"
-    "${GRPC_LIB}"
     "${GRPCPP_LIB}"
+    "${GRPC_LIB}"
+    "${GPR_LIB}"
     "${PROTOBUF_LIB}"
+    "${CARES_LIB}"
     "${OPENSSL_LIBRARY_SSL}"
     "${OPENSSL_LIBRARY_CRYPTO}"
     "${LIBYAML_LIB}"

userspace/falco/falco.cpp

@@ -36,7 +36,6 @@ limitations under the License.
 
 #include "logger.h"
 #include "utils.h"
-#include "chisel.h"
 #include "fields_info.h"
 #include "falco_utils.h"