update(cmake): bump libs to 0.11.1

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>

.circleci/config.yml

@@ -203,7 +203,7 @@ jobs:
           path: /tmp/build-arm64/release/integration-tests-xunit
   "tests-driver-loader-integration":
     machine:
-      image: ubuntu-2004:2023.04.2
+      image: ubuntu-2004:202107-02
     steps:
       - attach_workspace:
           at: /tmp/ws

.github/workflows/ci.yml

@@ -11,36 +11,8 @@ concurrency:
   cancel-in-progress: true  
 
 jobs:
-  fetch-version:
-    uses: ./.github/workflows/reusable_fetch_version.yaml
-
-  build-dev-packages:
-    needs: [fetch-version]
-    uses: ./.github/workflows/reusable_build_packages.yaml
-    with:
-      arch: x86_64
-      version: ${{ needs.fetch-version.outputs.version }}
-
-  test-dev-packages:
-    needs: [fetch-version, build-dev-packages]
-    uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
-      matrix:
-        static: ["static", ""]
-    with:
-      arch: x86_64
-      static: ${{ matrix.static != '' && true || false }}
-      version: ${{ needs.fetch-version.outputs.version }}
-
-  build-dev:
-    strategy:
-      fail-fast: false
-      matrix:
-        machine: ['ubuntu-20.04']
-        buildmode: ['Debug', 'Release']
-        minimal: ['', 'minimal']
-    runs-on: ${{ matrix.machine }}
+  build-minimal:
+    runs-on: ubuntu-20.04
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -50,25 +22,83 @@ jobs:
 
       - name: Update base image
         run: sudo apt update -y
-      
-      - name: Install build dependencies
-        run: sudo DEBIAN_FRONTEND=noninteractive apt install libjq-dev libelf-dev libyaml-cpp-dev cmake build-essential git -y
 
-      - name: Install build dependencies (non-minimal)
-        if: matrix.minimal != 'minimal'
-        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libgrpc++-dev protobuf-compiler-grpc rpm libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm -y
-      
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libjq-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
+
+      - name: Prepare project
+        run: |
+          mkdir build-minimal
+          pushd build-minimal
+          cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DBUILD_FALCO_UNIT_TESTS=On ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build-minimal
+          make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build-minimal
+          sudo ./unit_tests/falco_unit_tests 
+          popd
+
+  build-ubuntu-focal:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
+
       - name: Prepare project
         run: |
           mkdir build
           pushd build
-          cmake \
-            -DBUILD_FALCO_UNIT_TESTS=On \
-            -DCMAKE_BUILD_TYPE=${{ matrix.buildmode }} \
-            -DBUILD_BPF=${{ matrix.minimal == 'minimal' && 'OFF' || 'ON' }} \
-            -DBUILD_DRIVER=${{ matrix.minimal == 'minimal' && 'OFF' || 'ON' }} \
-            -DMINIMAL_BUILD=${{ matrix.minimal == 'minimal' && 'ON' || 'OFF' }} \
-            ..
+          cmake -DBUILD_BPF=On -DCMAKE_BUILD_TYPE=Release -DBUILD_FALCO_UNIT_TESTS=On ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build
+          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build
+          sudo ./unit_tests/falco_unit_tests 
+          popd
+
+  build-ubuntu-focal-debug:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
+
+      - name: Prepare project
+        run: |
+          mkdir build
+          pushd build
+          cmake -DCMAKE_BUILD_TYPE=Debug -DBUILD_BPF=On -DBUILD_FALCO_UNIT_TESTS=On ..
           popd
 
       - name: Build

.github/workflows/master.yaml

@@ -9,8 +9,37 @@ concurrency:
   cancel-in-progress: true  
 
 jobs:
+  # We need to use an ubuntu-latest to fetch Falco version because
+  # Falco version is computed by some cmake scripts that do git sorceries
+  # to get the current version.
+  # But centos7 jobs have a git version too old and actions/checkout does not 
+  # fully clone the repo, but uses http rest api instead.
   fetch-version:
-    uses: ./.github/workflows/reusable_fetch_version.yaml 
+    runs-on: ubuntu-latest
+    # Map the job outputs to step outputs
+    outputs:
+      version: ${{ steps.store_version.outputs.version }}  
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          
+      - name: Install build dependencies
+        run: |
+          sudo apt update 
+          sudo apt install -y cmake build-essential
+      
+      - name: Configure project
+        run: |
+          mkdir build && cd build
+          cmake -DUSE_BUNDLED_DEPS=On ..
+          
+      - name: Load and store Falco version output
+        id: store_version
+        run: |
+          FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+          echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT     
 
   build-dev-packages:
     needs: [fetch-version]
@@ -27,28 +56,9 @@ jobs:
       arch: aarch64
       version: ${{ needs.fetch-version.outputs.version }}
     secrets: inherit
-
-  test-dev-packages:
-    needs: [fetch-version, build-dev-packages]
-    uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
-      matrix:
-        static: ["static", ""]
-    with:
-      arch: x86_64
-      static: ${{ matrix.static != '' && true || false }}
-      version: ${{ needs.fetch-version.outputs.version }}
-  
-  test-dev-packages-arm64:
-    needs: [fetch-version, build-dev-packages-arm64]
-    uses: ./.github/workflows/reusable_test_packages.yaml
-    with:
-      arch: aarch64
-      version: ${{ needs.fetch-version.outputs.version }}
-
+    
   publish-dev-packages:
-    needs: [fetch-version, test-dev-packages, test-dev-packages-arm64]
+    needs: [fetch-version, build-dev-packages, build-dev-packages-arm64]
     uses: ./.github/workflows/reusable_publish_packages.yaml
     with:
       bucket_suffix: '-dev'

.github/workflows/reusable_fetch_version.yaml

@@ -1,40 +0,0 @@
-# This is a reusable workflow used by master and release CI
-on:
-  workflow_call:
-    outputs:
-      version:
-        description: "Falco version"
-        value: ${{ jobs.fetch-version.outputs.version }}
-    
-jobs:
-  # We need to use an ubuntu-latest to fetch Falco version because
-  # Falco version is computed by some cmake scripts that do git sorceries
-  # to get the current version.
-  # But centos7 jobs have a git version too old and actions/checkout does not 
-  # fully clone the repo, but uses http rest api instead.
-  fetch-version:
-    runs-on: ubuntu-latest
-    # Map the job outputs to step outputs
-    outputs:
-      version: ${{ steps.store_version.outputs.version }}  
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          
-      - name: Install build dependencies
-        run: |
-          sudo apt update 
-          sudo apt install -y cmake build-essential
-      
-      - name: Configure project
-        run: |
-          mkdir build && cd build
-          cmake -DUSE_BUNDLED_DEPS=On ..
-          
-      - name: Load and store Falco version output
-        id: store_version
-        run: |
-          FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-          echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT

.github/workflows/reusable_publish_packages.yaml

@@ -47,31 +47,31 @@ jobs:
         uses: actions/download-artifact@v3
         with:
           name: falco-${{ inputs.version }}-x86_64.rpm
-          path: /tmp/falco-build-rpm
+          path: /tmp/falco-rpm
 
       - name: Download RPM aarch64
         uses: actions/download-artifact@v3
         with:
           name: falco-${{ inputs.version }}-aarch64.rpm
-          path: /tmp/falco-build-rpm
+          path: /tmp/falco-rpm
 
       - name: Download binary x86_64
         uses: actions/download-artifact@v3
         with:
           name: falco-${{ inputs.version }}-x86_64.tar.gz
-          path: /tmp/falco-build-bin
+          path: /tmp/falco-bin
 
       - name: Download binary aarch64
         uses: actions/download-artifact@v3
         with:
           name: falco-${{ inputs.version }}-aarch64.tar.gz
-          path: /tmp/falco-build-bin
+          path: /tmp/falco-bin
 
       - name: Download static binary x86_64
         uses: actions/download-artifact@v3
         with:
           name: falco-${{ inputs.version }}-static-x86_64.tar.gz
-          path: /tmp/falco-build-bin-static
+          path: /tmp/falco-bin-static
         
       - name: Import gpg key 
         env:
@@ -91,21 +91,21 @@ jobs:
           expect eof
           EOF
           chmod +x ~/sign
-          ~/sign /tmp/falco-build-rpm/falco-*.rpm
-          rpm --qf %{SIGPGP:pgpsig} -qp /tmp/falco-build-rpm/falco-*.rpm | grep SHA256
+          ~/sign /tmp/falco-rpm/falco-*.rpm
+          rpm --qf %{SIGPGP:pgpsig} -qp /tmp/falco-rpm/falco-*.rpm | grep SHA256
           
       - name: Publish rpm
         run: |
-          ./scripts/publish-rpm -f /tmp/falco-build-rpm/falco-${{ inputs.version }}-x86_64.rpm -f /tmp/falco-build-rpm/falco-${{ inputs.version }}-aarch64.rpm -r rpm${{ inputs.bucket_suffix }}
+          ./scripts/publish-rpm -f /tmp/falco-rpm/falco-${{ inputs.version }}-x86_64.rpm -f /tmp/falco-rpm/falco-${{ inputs.version }}-aarch64.rpm -r rpm${{ inputs.bucket_suffix }}
       
       - name: Publish bin
         run: |
-          ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
-          ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-aarch64.tar.gz -r bin${{ inputs.bucket_suffix }} -a aarch64
+          ./scripts/publish-bin -f /tmp/falco-bin/falco-${{ inputs.version }}-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
+          ./scripts/publish-bin -f /tmp/falco-bin/falco-${{ inputs.version }}-aarch64.tar.gz -r bin${{ inputs.bucket_suffix }} -a aarch64
           
       - name: Publish static
         run: |
-          ./scripts/publish-bin -f /tmp/falco-build-bin-static/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
+          ./scripts/publish-bin -f /tmp/falco-bin-static/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
           
   publish-packages-deb:
     runs-on: ubuntu-latest
@@ -117,7 +117,8 @@ jobs:
       - name: Install dependencies
         run: |
           apt update -y
-          apt-get install apt-utils bzip2 gpg awscli -y
+          apt-get install apt-utils bzip2 gpg python python3-pip -y
+          pip install awscli
       
       # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
       # Note: master CI can only push dev packages as we have 2 different roles for master and release.
@@ -131,13 +132,13 @@ jobs:
         uses: actions/download-artifact@v3
         with:
           name: falco-${{ inputs.version }}-x86_64.deb
-          path: /tmp/falco-build-deb
+          path: /tmp/falco-deb
 
       - name: Download deb aarch64
         uses: actions/download-artifact@v3
         with:
           name: falco-${{ inputs.version }}-aarch64.deb
-          path: /tmp/falco-build-deb
+          path: /tmp/falco-deb
 
       - name: Import gpg key 
         env:
@@ -146,4 +147,4 @@ jobs:
           
       - name: Publish deb
         run: |
-          ./scripts/publish-deb -f /tmp/falco-build-deb/falco-${{ inputs.version }}-x86_64.deb -f /tmp/falco-build-deb/falco-${{ inputs.version }}-aarch64.deb -r deb${{ inputs.bucket_suffix }}
+          ./scripts/publish-deb -f /tmp/falco-deb/falco-${{ inputs.version }}-x86_64.deb -f /tmp/falco-deb/falco-${{ inputs.version }}-aarch64.deb -r deb${{ inputs.bucket_suffix }}

.github/workflows/reusable_test_packages.yaml

@@ -1,73 +0,0 @@
-# This is a reusable workflow used by master and release CI
-on:
-  workflow_call:
-    inputs:
-      arch:
-        description: x86_64 or aarch64
-        required: true
-        type: string
-      static:
-        description: Falco packages use a static build
-        required: false
-        type: boolean
-        default: false
-      version:
-        description: The Falco version to use when testing packages
-        required: true
-        type: string
-
-jobs:
-  test-packages:
-    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          submodules: 'true'
-      
-      - name: Setup Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: '>=1.17.0'
-
-      - name: Download binary
-        uses: actions/download-artifact@v3
-        with:
-          name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}.tar.gz
-      
-      - name: Install Falco package
-        run: |
-          ls falco-*.tar.gz
-          tar -xvf $(ls falco-*.tar.gz)
-          cd falco-${{ inputs.version }}-${{ inputs.arch }}
-          sudo cp -r * /
-
-      - name: Install go-junit-report
-        run: |
-          pushd submodules/falcosecurity-testing
-          go install github.com/jstemmer/go-junit-report/v2@latest
-          popd
-  
-      - name: Generate regression test files
-        run: |
-          pushd submodules/falcosecurity-testing
-          go generate ./...
-          popd
-
-      - name: Run regression tests
-        run: |
-          pushd submodules/falcosecurity-testing
-          ./build/falco.test -falco-static=${{ inputs.static && 'true' || 'false' }} -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
-          ./build/falcoctl.test -falco-static=${{ inputs.static && 'true' || 'false' }} -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
-          ./build/k8saudit.test -falco-static=${{ inputs.static && 'true' || 'false' }} -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
-          cat ./report.txt | go-junit-report -set-exit-code > report.xml
-          popd
-
-      - name: Test Summary
-        if: always() # run this even if previous step fails
-        uses: test-summary/action@v2
-        with:
-          paths: "submodules/falcosecurity-testing/report.xml"
-          show: "fail"

.gitmodules

@@ -2,7 +2,3 @@
 	path = submodules/falcosecurity-rules
 	url = https://github.com/falcosecurity/rules.git
 	branch = main
-[submodule "submodules/falcosecurity-testing"]
-	path = submodules/falcosecurity-testing
-	url = https://github.com/falcosecurity/testing.git
-	branch = main

CHANGELOG.md

@@ -1,142 +1,5 @@
 # Change Log
 
-## v0.35.1
-
-Released on 2023-06-29
-
-### Major Changes
-
-
-### Minor Changes
-
-* update(userspace): change description of snaplen option stating only performance implications [[#2634](https://github.com/falcosecurity/falco/pull/2634)] - [@loresuso](https://github.com/loresuso)
-* update(cmake): bump libs to 0.11.3 [[#2662](https://github.com/falcosecurity/falco/pull/2662)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* cleanup(config): minor config clarifications [[#2651](https://github.com/falcosecurity/falco/pull/2651)] - [@incertum](https://github.com/incertum)
-* update(cmake): bump falco rules to v1.0.1 [[#2648](https://github.com/falcosecurity/falco/pull/2648)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* chore(userspace/falco): make source matching error more expressive [[#2623](https://github.com/falcosecurity/falco/pull/2623)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* update(.github): integrate Go regression tests [[#2437](https://github.com/falcosecurity/falco/pull/2437)] - [@jasondellaluce](https://github.com/jasondellaluce)
-
-
-### Bug Fixes
-
-* fix(scripts): fixed falco-driver-loader to manage debian kernel rt and cloud flavors. [[#2627](https://github.com/falcosecurity/falco/pull/2627)] - [@FedeDP](https://github.com/FedeDP)
-* fix(userspace/falco): solve live multi-source issues when loading more than two sources [[#2653](https://github.com/falcosecurity/falco/pull/2653)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* fix(driver-loader): fix ubuntu kernel version parsing [[#2635](https://github.com/falcosecurity/falco/pull/2635)] - [@therealbobo](https://github.com/therealbobo)
-* fix(userspace): switch to timer_settime API for stats writer. [[#2646](https://github.com/falcosecurity/falco/pull/2646)] - [@FedeDP](https://github.com/FedeDP)
-
-
-
-### Non user-facing changes
-
-* CI: bump ubuntu version for tests-driver-loader-integration job [[#2661](https://github.com/falcosecurity/falco/pull/2661)] - [@Andreagit97](https://github.com/Andreagit97)
-
-## v0.35.0
-
-Released on 2023-06-07
-
-### Major Changes
-
-* BREAKING CHANGE: support for metadata enrichment from Mesos has been removed. [[#2465](https://github.com/falcosecurity/falco/pull/2465)] - [@leogr](https://github.com/leogr)
-
-* new(falco): introduce new metrics w/ Falco internal: metrics snapshot option and new metrics config [[#2333](https://github.com/falcosecurity/falco/pull/2333)] - [@incertum](https://github.com/incertum)
-* new(scripts): properly manage talos prebuilt drivers [[#2537](https://github.com/falcosecurity/falco/pull/2537)] - [@FedeDP](https://github.com/FedeDP)
-* new(release): released container images are now signed with cosign [[#2546](https://github.com/falcosecurity/falco/pull/2546)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* new(ci): ported master and release artifacts publishing CI to gha [[#2501](https://github.com/falcosecurity/falco/pull/2501)] - [@FedeDP](https://github.com/FedeDP)
-* new(app_actions): introduce base_syscalls user option [[#2428](https://github.com/falcosecurity/falco/pull/2428)] - [@incertum](https://github.com/incertum)
-* new(falco/config): add new configurations for http_output that allow custom CA certificates and stores. [[#2458](https://github.com/falcosecurity/falco/pull/2458)] - [@alacuku](https://github.com/alacuku)
-* new(userspace): add a new `syscall_drop_failed` config option to drop failed syscalls exit events [[#2456](https://github.com/falcosecurity/falco/pull/2456)] - [@FedeDP](https://github.com/FedeDP)
-
-
-### Minor Changes
-
-* update(cmake): bump Falco rules to 1.0.0 [[#2618](https://github.com/falcosecurity/falco/pull/2618)] - [@loresuso](https://github.com/loresuso)
-* update(cmake): bump libs to 0.11.1 [[#2614](https://github.com/falcosecurity/falco/pull/2614)] - [@loresuso](https://github.com/loresuso)
-* update(cmake): bump plugins to latest versions [[#2610](https://github.com/falcosecurity/falco/pull/2610)] - [@loresuso](https://github.com/loresuso)
-* update(cmake): bump falco rules to 1.0.0-rc1 [[#2609](https://github.com/falcosecurity/falco/pull/2609)] - [@loresuso](https://github.com/loresuso)
-* update(cmake): bump libs to 0.11.0 [[#2608](https://github.com/falcosecurity/falco/pull/2608)] - [@loresuso](https://github.com/loresuso)
-* cleanup(docs): update release.md [[#2599](https://github.com/falcosecurity/falco/pull/2599)] - [@incertum](https://github.com/incertum)
-* update(cmake): bump libs to 0.11.0-rc5 and driver to 5.0.1. [[#2600](https://github.com/falcosecurity/falco/pull/2600)] - [@FedeDP](https://github.com/FedeDP)
-* cleanup(docs): adjust falco readme style and content [[#2594](https://github.com/falcosecurity/falco/pull/2594)] - [@incertum](https://github.com/incertum)
-* cleanup(userspace, config): improve metrics UX, add include_empty_values option [[#2593](https://github.com/falcosecurity/falco/pull/2593)] - [@incertum](https://github.com/incertum)
-* feat: add the curl and jq packages to the falco-no-driver docker image [[#2581](https://github.com/falcosecurity/falco/pull/2581)] - [@therealdwright](https://github.com/therealdwright)
-* update: add missing exception, required_engine_version, required_plugin_version to -L json output [[#2584](https://github.com/falcosecurity/falco/pull/2584)] - [@loresuso](https://github.com/loresuso)
-* feat: add image source OCI label to docker images [[#2592](https://github.com/falcosecurity/falco/pull/2592)] - [@therealdwright](https://github.com/therealdwright)
-* cleanup(config): improve falco config [[#2571](https://github.com/falcosecurity/falco/pull/2571)] - [@incertum](https://github.com/incertum)
-* update(cmake): bump libs and plugins to latest dev versions [[#2586](https://github.com/falcosecurity/falco/pull/2586)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* chore(userspace/falco): always print invalid syscalls from custom set [[#2578](https://github.com/falcosecurity/falco/pull/2578)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* update(build): upgrade falcoctl to 0.5.0 [[#2572](https://github.com/falcosecurity/falco/pull/2572)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* chore(userspace/falco/app): print all supported plugin caps [[#2564](https://github.com/falcosecurity/falco/pull/2564)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* update: get rules details with `-l` or `-L` flags when json output format is specified [[#2544](https://github.com/falcosecurity/falco/pull/2544)] - [@loresuso](https://github.com/loresuso)
-* update!: bump libs version, and support latest plugin features, add --nodriver option [[#2552](https://github.com/falcosecurity/falco/pull/2552)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* cleanup(actions): now modern bpf support `-A` flag [[#2551](https://github.com/falcosecurity/falco/pull/2551)] - [@Andreagit97](https://github.com/Andreagit97)
-* update: `falco-driver-loader` now uses now uses $TMPDIR if set [[#2518](https://github.com/falcosecurity/falco/pull/2518)] - [@jabdr](https://github.com/jabdr)
-* update: improve control and UX of ignored events [[#2509](https://github.com/falcosecurity/falco/pull/2509)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* update: bump libs and adapt Falco to new libsinsp event source management [[#2507](https://github.com/falcosecurity/falco/pull/2507)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* new(app_actions)!: adjust base_syscalls option, add base_syscalls.repair [[#2457](https://github.com/falcosecurity/falco/pull/2457)] - [@incertum](https://github.com/incertum)
-* update(scripts): support al2022 and al2023 in falco-driver-loader. [[#2494](https://github.com/falcosecurity/falco/pull/2494)] - [@FedeDP](https://github.com/FedeDP)
-* update: sync libs with newest event name APIs [[#2471](https://github.com/falcosecurity/falco/pull/2471)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* update!: remove `--mesos-api`, `-pmesos`, and `-pm` command-line flags [[#2465](https://github.com/falcosecurity/falco/pull/2465)] - [@leogr](https://github.com/leogr)
-* cleanup(unit_tests): try making test_configure_interesting_sets more robust [[#2464](https://github.com/falcosecurity/falco/pull/2464)] - [@incertum](https://github.com/incertum)
-
-
-### Bug Fixes
-
-* fix: unquote quoted URL's to avoid libcurl errors [[#2596](https://github.com/falcosecurity/falco/pull/2596)] - [@therealdwright](https://github.com/therealdwright)
-* fix(userspace/engine): store alternatives as array in -L json output [[#2597](https://github.com/falcosecurity/falco/pull/2597)] - [@loresuso](https://github.com/loresuso)
-* fix(userspace/engine): store required engine version as string in -L json output [[#2595](https://github.com/falcosecurity/falco/pull/2595)] - [@loresuso](https://github.com/loresuso)
-* fix(userspace/falco): report plugin deps rules issues in any case [[#2589](https://github.com/falcosecurity/falco/pull/2589)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* fix(userspace): hotreload on wrong metrics [[#2582](https://github.com/falcosecurity/falco/pull/2582)] - [@therealbobo](https://github.com/therealbobo)
-* fix(userspace): check the supported number of online CPUs with modern bpf [[#2575](https://github.com/falcosecurity/falco/pull/2575)] - [@Andreagit97](https://github.com/Andreagit97)
-* fix(userspace/falco): don't hang on terminating error when multi sourcing [[#2576](https://github.com/falcosecurity/falco/pull/2576)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* fix(userspace/falco): properly format numeric values in metrics [[#2569](https://github.com/falcosecurity/falco/pull/2569)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* fix(scripts): properly support debian kernel releases embedded in kernel version [[#2377](https://github.com/falcosecurity/falco/pull/2377)] - [@FedeDP](https://github.com/FedeDP)
-
-
-
-### Non user-facing changes
-
-* docs(README.md): add scope/status badge and simply doc structure [[#2611](https://github.com/falcosecurity/falco/pull/2611)] - [@leogr](https://github.com/leogr)
-* build(deps): Bump submodules/falcosecurity-rules from `3471984` to `16fb709` [[#2598](https://github.com/falcosecurity/falco/pull/2598)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* docs(proposals): Falco roadmap management [[#2547](https://github.com/falcosecurity/falco/pull/2547)] - [@leogr](https://github.com/leogr)
-* build(deps): Bump submodules/falcosecurity-rules from `b2290ad` to `3471984` [[#2577](https://github.com/falcosecurity/falco/pull/2577)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* update(build): libs 0.11.0-rc2 [[#2573](https://github.com/falcosecurity/falco/pull/2573)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* build(deps): Bump submodules/falcosecurity-rules from `3f52480` to `b2290ad` [[#2570](https://github.com/falcosecurity/falco/pull/2570)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* update(ci): use repo instead of master branch for reusable workflows [[#2568](https://github.com/falcosecurity/falco/pull/2568)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* cleanup(ci): cleaned up circleci workflow. [[#2566](https://github.com/falcosecurity/falco/pull/2566)] - [@FedeDP](https://github.com/FedeDP)
-* build(deps): Bump requests from 2.26.0 to 2.31.0 in /test [[#2567](https://github.com/falcosecurity/falco/pull/2567)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* fix(ci): simplify and fix multi-arch image publishing process [[#2542](https://github.com/falcosecurity/falco/pull/2542)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* fix(ci): get the manifest for the correct tag [[#2563](https://github.com/falcosecurity/falco/pull/2563)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* build(deps): Bump submodules/falcosecurity-rules from `3f52480` to `6da15ae` [[#2559](https://github.com/falcosecurity/falco/pull/2559)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* fix(ci): properly use `docker save` to store images. [[#2560](https://github.com/falcosecurity/falco/pull/2560)] - [@FedeDP](https://github.com/FedeDP)
-* fix(ci): docker arg is named `TARGETARCH`. [[#2558](https://github.com/falcosecurity/falco/pull/2558)] - [@FedeDP](https://github.com/FedeDP)
-* fix(ci): set docker TARGET_ARCH [[#2557](https://github.com/falcosecurity/falco/pull/2557)] - [@FedeDP](https://github.com/FedeDP)
-* fix(ci): use normal docker to build docker images, instead of buildx. [[#2556](https://github.com/falcosecurity/falco/pull/2556)] - [@FedeDP](https://github.com/FedeDP)
-* docs: improve documentation and description of base_syscalls option [[#2515](https://github.com/falcosecurity/falco/pull/2515)] - [@Happy-Dude](https://github.com/Happy-Dude)
-* Updating Falco branding guidelines [[#2493](https://github.com/falcosecurity/falco/pull/2493)] - [@aijamalnk](https://github.com/aijamalnk)
-* build(deps): Bump submodules/falcosecurity-rules from `f773578` to `6da15ae` [[#2553](https://github.com/falcosecurity/falco/pull/2553)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* fix(cmake): properly exclude prereleases when fetching latest tag from cmake [[#2550](https://github.com/falcosecurity/falco/pull/2550)] - [@FedeDP](https://github.com/FedeDP)
-* fix(ci): load falco image before building falco-driver-loader [[#2549](https://github.com/falcosecurity/falco/pull/2549)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* fix(ci): correctly tag slim manifest [[#2545](https://github.com/falcosecurity/falco/pull/2545)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* cleanup(config): modern bpf is no more experimental [[#2538](https://github.com/falcosecurity/falco/pull/2538)] - [@Andreagit97](https://github.com/Andreagit97)
-* new(ci): add RC/prerelease support [[#2533](https://github.com/falcosecurity/falco/pull/2533)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* fix(ci): configure ECR public region [[#2531](https://github.com/falcosecurity/falco/pull/2531)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* fix(ci): falco images directory, ecr login [[#2528](https://github.com/falcosecurity/falco/pull/2528)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* fix(ci): separate rpm/bin/bin-static/deb packages before publication, rename bin-static [[#2527](https://github.com/falcosecurity/falco/pull/2527)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* fix(ci): add Cloudfront Distribution ID [[#2525](https://github.com/falcosecurity/falco/pull/2525)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* fix(ci): escape heredoc [[#2521](https://github.com/falcosecurity/falco/pull/2521)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* chore(ci): build-musl-package does not need to wait for build-packages anymore [[#2520](https://github.com/falcosecurity/falco/pull/2520)] - [@FedeDP](https://github.com/FedeDP)
-* fix: ci Falco version [[#2516](https://github.com/falcosecurity/falco/pull/2516)] - [@FedeDP](https://github.com/FedeDP)
-* fix(ci): fetch version step, download rpms/debs, minor change [[#2519](https://github.com/falcosecurity/falco/pull/2519)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* chore(ci): properly install recent version of git (needed >= 2.18 by checkout action) [[#2514](https://github.com/falcosecurity/falco/pull/2514)] - [@FedeDP](https://github.com/FedeDP)
-* fix(ci): enable toolset before every make command [[#2513](https://github.com/falcosecurity/falco/pull/2513)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* fix(ci): remove unnecessary mv [[#2512](https://github.com/falcosecurity/falco/pull/2512)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* fix(ci): bucket -> bucket_suffix [[#2511](https://github.com/falcosecurity/falco/pull/2511)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* build(deps): Bump submodules/falcosecurity-rules from `5857874` to `1bd7e4a` [[#2478](https://github.com/falcosecurity/falco/pull/2478)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* build(deps): Bump submodules/falcosecurity-rules from `694adf5` to `5857874` [[#2473](https://github.com/falcosecurity/falco/pull/2473)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* cleanup(ci): properly set a concurrency for CI workflows. [[#2470](https://github.com/falcosecurity/falco/pull/2470)] - [@FedeDP](https://github.com/FedeDP)
-* build(deps): Bump submodules/falcosecurity-rules from `e0646a0` to `694adf5` [[#2466](https://github.com/falcosecurity/falco/pull/2466)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* build(deps): Bump submodules/falcosecurity-rules from `0b0f50f` to `e0646a0` [[#2460](https://github.com/falcosecurity/falco/pull/2460)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-
 ## v0.34.1
 
 Released on 2023-02-20

cmake/modules/falcoctl.cmake

@@ -15,14 +15,14 @@ include(ExternalProject)
 
 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-set(FALCOCTL_VERSION "0.5.1")
+set(FALCOCTL_VERSION "0.5.0")
 
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
     set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-    set(FALCOCTL_HASH "ea7c89134dc745a1cbdbcf8f839d3b47851a40e1aebee20702a606b03b45b897")
+    set(FALCOCTL_HASH "ba82ee14ee72fe5737f1b5601e403d8a9422dfe2c467d1754eb488001eeea5f1")
 else() # aarch64
     set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-    set(FALCOCTL_HASH "22797200bf0e4c7c45f69207ed85218a3839115a302dc07939d3006778d41300")
+    set(FALCOCTL_HASH "be145ece641d439011cc4a512d0fd2dac5974cab7399f9a7cd43f08eb43dd446")
 endif()
 
 ExternalProject_Add(

cmake/modules/falcosecurity-libs.cmake

@@ -27,8 +27,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` 
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "0.11.3")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=b4f9dc8c1612f4b14207d107bce323a0684dce0dbf018e5b846177992569367b")
+    set(FALCOSECURITY_LIBS_VERSION "0.11.1")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=5bfc4aa37fd7cfeb38cf0db377740705b3e74ce593efca5d18c077a67c47bf94")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/rules.cmake

@@ -15,8 +15,8 @@ include(GNUInstallDirs)
 include(ExternalProject)
 
 # falco_rules.yaml
-set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-1.0.1")
-set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=2348d43196bbbdea92e3f67fa928721a241b0406d0ef369693bdefcec2b3fa13")
+set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-1.0.0-rc1")
+set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=3474d170e6cd1ac5c6ee0cfe6a226e3fd8ef5f7191b0363ecd69672601e7914f")
 set(FALCOSECURITY_RULES_FALCO_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml")
 ExternalProject_Add(
   falcosecurity-rules-falco

falco.yaml

@@ -148,7 +148,7 @@ rules_file:
 #
 # --- [Description]
 #
-# Falco plugins enable integration with other services in your ecosystem.
+# Falco plugins enable integration with other services in the your ecosystem.
 # They allow Falco to extend its functionality and leverage data sources such as
 # Kubernetes audit logs or AWS CloudTrail logs. This enables Falco to perform
 # fast on-host detections beyond syscalls and container events. The plugin
@@ -162,11 +162,10 @@ rules_file:
 #
 # Please note that if your intention is to enrich Falco syscall logs with fields
 # such as `k8s.ns.name`, `k8s.pod.name`, and `k8s.pod.*`, you do not need to use
-# the `k8saudit` plugin nor the `-k`/`-K` Kubernetes metadata enrichment. This
-# information is automatically extracted from the container runtime socket. The
-# `k8saudit` plugin is specifically designed to integrate with Kubernetes audit
-# logs and is not required for basic enrichment of syscall logs with
-# Kubernetes-related fields.
+# the `k8saudit` plugin. This information is automatically extracted from the
+# container runtime socket. The `k8saudit` plugin is specifically designed to
+# integrate with Kubernetes audit logs and is not required for basic enrichment
+# of syscall logs with Kubernetes-related fields.
 #
 # --- [Usage]
 #
@@ -329,9 +328,6 @@ file_output:
 # [Stable] `http_output`
 #
 # Send logs to an HTTP endpoint or webhook.
-#
-# When using falcosidekick, it is necessary to set `json_output` to true, which is
-# conveniently done automatically for you when using `falcosidekick.enabled=true`.
 http_output:
   enabled: false
   url: http://some.url
@@ -602,7 +598,6 @@ syscall_event_drops:
 # [Experimental] `metrics`
 #
 # Generates "Falco internal: metrics snapshot" rule output when `priority=info` at minimum
-# By selecting `output_file`, equivalent JSON output will be appended to a file.
 #
 # periodic metric snapshots (including stats and resource utilization) captured
 # at regular intervals
@@ -634,9 +629,6 @@ syscall_event_drops:
 #
 # It's important to note that the output fields and their names can be subject
 # to change until the metrics feature reaches a stable release.
-# In addition, the majority of fields represent an instant snapshot, with the
-# exception of event rates per second and drop percentage stats. These values
-# are computed based on the delta between two snapshots.
 #
 # To customize the hostname in Falco, you can set the environment variable
 # `FALCO_HOSTNAME` to your desired hostname. This is particularly useful in
@@ -680,8 +672,7 @@ syscall_event_drops:
 # must be set to `info` at a minimum.
 #
 # `output_file`: Append stats to a `jsonl` file. Use with caution in production
-# as Falco does not automatically rotate the file. It can be used in combination
-# with `output_rule`.
+# as Falco does not automatically rotate the file.
 #
 # `resource_utilization_enabled`: Emit CPU and memory usage metrics. CPU usage
 # is reported as a percentage of one CPU and can be normalized to the total

scripts/falco-driver-loader

@@ -151,17 +151,11 @@ get_target_id() {
 		# Real kernel release is embedded inside the kernel version.
 		# Moreover, kernel arch, when present, is attached to the former,
 		# therefore make sure to properly take it and attach it to the latter.
-		# Moreover, we support 3 flavors for debian kernels: cloud, rt and normal.
-		# KERNEL-RELEASE will have a `-rt`, or `-cloud` if we are in one of these flavors.
-		# Manage it to download the correct driver.
-		#
-		# Example: KERNEL_RELEASE="5.10.0-0.deb10.22-rt-amd64" and `uname -v`="5.10.178-3"
-		# should lead to: KERNEL_RELEASE="5.10.178-3-rt-amd64"
 		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
 		local ARCH_extra=""
-		if [[ $KERNEL_RELEASE =~ -?(rt-|cloud-|)(amd64|arm64) ]];
+		if [[ $KERNEL_RELEASE =~ -(amd64|arm64) ]];
 		then
-			ARCH_extra="-${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
+			ARCH_extra="-${BASH_REMATCH[1]}"
 		fi
 		if [[ $(uname -v) =~ ([0-9]+\.[0-9]+\.[0-9]+\-[0-9]+) ]];
 		then
@@ -171,26 +165,14 @@ get_target_id() {
 	("ubuntu")
 		# Extract the flavor from the kernelrelease
 		# Examples:
-		# 5.0.0-1028-aws-5.0 -> ubuntu-aws
+		# 5.0.0-1028-aws-5.0 -> ubuntu-aws-5.0
 		# 5.15.0-1009-aws -> ubuntu-aws
 		if [[ $KERNEL_RELEASE =~ -([a-zA-Z]+)(-.*)?$ ]];
 		then
-			TARGET_ID="ubuntu-${BASH_REMATCH[1]}"
+			TARGET_ID="ubuntu-${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
 		else
 			TARGET_ID="ubuntu-generic"
 		fi
-
-
-		# In the case that the kernelversion isn't just a number
-		# we keep also the remaining part excluding `-Ubuntu`.
-		# E.g.:
-		# from the following `uname -v` result
-		# `#26~22.04.1-Ubuntu SMP Mon Apr 24 01:58:15 UTC 2023`
-		# we obtain the kernelversion`26~22.04.1`
-		if [[ $(uname -v) =~ (^\#[0-9]+\~[^-]*-Ubuntu .*$) ]];
-		then
-			KERNEL_VERSION=$(uname -v | sed 's/#\([^-\\ ]*\).*/\1/g')
-		fi
 		;;
 	("flatcar")
 		KERNEL_RELEASE="${VERSION_ID}"

userspace/falco/app/actions/helpers_generic.cpp

@@ -39,17 +39,8 @@ bool falco::app::actions::check_rules_plugin_requirements(falco::app::state& s,
 
 void falco::app::actions::print_enabled_event_sources(falco::app::state& s)
 {
-	/* Print all loaded sources. */
-	std::string str;
-	for (const auto &src : s.loaded_sources)
-	{
-		str += str.empty() ? "" : ", ";
-		str += src;
-	}
-	falco_logger::log(LOG_INFO, "Loaded event sources: " + str);
-
 	/* Print all enabled sources. */
-	str.clear();
+	std::string str;
 	for (const auto &src : s.enabled_sources)
 	{
 		str += str.empty() ? "" : ", ";

userspace/falco/app/actions/init_inspectors.cpp

@@ -187,23 +187,6 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 		{
 			return run_result::fatal(err);
 		}
-
-		// in live mode, each inspector should have registered at most two event sources:
-		// the "syscall" on, loaded at default at index 0, and optionally another
-		// one defined by a plugin, at index 1
-		if (!s.is_capture_mode())
-		{
-			const auto& sources = src_info->inspector->event_sources();
-			if (sources.size() == 0 || sources.size() > 2 || sources[0] != falco_common::syscall_source)
-			{
-				std::string err;
-				for (const auto &s : sources)
-				{
-					err += (err.empty() ? "" : ", ") + s;
-				}
-				return run_result::fatal("Illegal sources setup in live inspector for source '" + src + "': " + err);
-			}
-		}
 	}
 
 	// check if some plugin remains unused

userspace/falco/app/actions/process_events.cpp

@@ -144,13 +144,6 @@ static falco::app::run_result do_inspect(
 	const bool is_capture_mode = source.empty();
 	size_t source_engine_idx = 0;
 
-	// note(jasondellaluce): The "syscall" event source will always be loaded
-	// by default in an inspector, and at index 0. As such, in live mode we would
-	// expect the event source index to always be 0 in case of "syscall" source,
-	// and 1 in case of any other plugin event source, because it would be
-	// the only other source loaded in its relative live inspector.
-	size_t expected_live_evt_src_idx = source == falco_common::syscall_source ? 0 : 1;
-
 	if (!is_capture_mode)
 	{
 		// note: in live mode, each inspector gets assigned a distinct event
@@ -272,13 +265,10 @@ static falco::app::run_result do_inspect(
 			if (source_engine_idx == sinsp_no_event_source_idx)
 			{
 				std::string msg = "Unknown event source for inspector's event";
-				if (ev->get_type() == PPME_PLUGINEVENT_E || ev->get_type() == PPME_ASYNCEVENT_E)
+				if (ev->get_type() == PPME_PLUGINEVENT_E)
 				{
-					auto pluginID = *(uint32_t *)ev->get_param(0)->m_val;
-					if (pluginID != 0)
-					{
-						msg += " (plugin ID: " + std::to_string(pluginID) + ")";
-					}
+					auto pluginID = *(int32_t *)ev->get_param(0)->m_val;
+					msg += " (plugin ID: " + std::to_string(pluginID) + ")";
 				}
 				return run_result::fatal(msg);
 			}
@@ -290,15 +280,12 @@ static falco::app::run_result do_inspect(
 		{
 			// in live mode, each inspector gets assigned a distinct event source,
 			// so we report an error if we fetch an event of a different source.
-			if (expected_live_evt_src_idx != ev->get_source_idx())
+			if (source_engine_idx != ev->get_source_idx())
 			{
-				std::string actual = (ev->get_source_name() != NULL)
+				auto msg = "Unexpected event source for inspector's event: expected='" + source + "', actual=";
+				msg += (ev->get_source_name() != NULL)
 					? ("'" + std::string(ev->get_source_name()) + "'")
 					: ("<NA>");
-				std::string msg = "Unexpected event source for inspector's event:";
-				msg += " type=" + std::to_string(ev->get_type());
-				msg += ", expected='" + source + " (idx=" + std::to_string(expected_live_evt_src_idx) + ")";
-				msg += "', actual=" + actual + " (idx=" + std::to_string(ev->get_source_idx()) + ")";
 				return run_result::fatal(msg);
 			}
 

userspace/falco/app/options.cpp

@@ -221,7 +221,7 @@ void options::define(cxxopts::Options& opts)
 		("r",                             "Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml). This option can be passed multiple times to read from multiple files/directories.", cxxopts::value<std::vector<std::string>>(), "<rules_file>")
 		("s",                             "If specified, append statistics related to Falco's reading/processing of events to this file (only useful in live mode).", cxxopts::value(stats_output_file), "<stats_file>")
 		("stats-interval",                "When using -s <stats_file>, write statistics every <msec> ms. This uses signals, and has a minimum threshold of 100 ms. Defaults to 5000 (5 seconds).", cxxopts::value(stats_interval),  "<msec>")
-		("S,snaplen",                     "Capture the first <len> bytes of each I/O buffer. By default, the first 80 bytes are captured. Use this option with caution, it can have a strong performance impact.", cxxopts::value(snaplen)->default_value("0"), "<len>")
+		("S,snaplen",                     "Capture the first <len> bytes of each I/O buffer. By default, the first 80 bytes are captured. Use this option with caution, it can generate huge trace files.", cxxopts::value(snaplen)->default_value("0"), "<len>")
 		("support",                       "Print support information including version, rules files used, etc. and exit.", cxxopts::value(print_support)->default_value("false"))
 		("T",                             "Disable any rules with a tag=<tag>. This option can be passed multiple times. Can not be mized with -t", cxxopts::value<std::vector<std::string>>(), "<tag>")
 		("t",                             "Only run those rules with a tag=<tag>. This option can be passed multiple times. Can not be mixed with -T/-D.", cxxopts::value<std::vector<std::string>>(), "<tag>")

userspace/falco/stats_writer.cpp

@@ -15,8 +15,7 @@ limitations under the License.
 */
 
 #include <sys/time.h>
-#include <ctime>
-#include <csignal>
+#include <signal.h>
 #include <nlohmann/json.hpp>
 #include <atomic>
 
@@ -40,32 +39,22 @@ static void timer_handler(int signum)
 
 bool stats_writer::init_ticker(uint32_t interval_msec, std::string &err)
 {
-	struct itimerspec timer = {};
-	struct sigaction handler = {};
+	struct itimerval timer;
+	struct sigaction handler;
 
-	memset (&handler, 0, sizeof(handler));
+	memset (&handler, 0, sizeof (handler));
 	handler.sa_handler = &timer_handler;
 	if (sigaction(SIGALRM, &handler, NULL) == -1)
 	{
 		err = std::string("Could not set up signal handler for periodic timer: ") + strerror(errno);
 		return false;
 	}
-	
-	timer_t timerid;
-	struct sigevent sev = {};
-	/* Create the timer */
-	sev.sigev_notify = SIGEV_SIGNAL;
-	sev.sigev_signo = SIGALRM;
-	sev.sigev_value.sival_ptr = &timerid;
-	if (timer_create(CLOCK_MONOTONIC, &sev, &timerid) == -1) {
-		err = std::string("Could not create periodic timer: ") + strerror(errno);
-		return false;
-	}
-	timer.it_value.tv_sec = interval_msec / 1000;
-	timer.it_value.tv_nsec = (interval_msec % 1000) * 1000 * 1000;
-	timer.it_interval = timer.it_value;
 
-	if (timer_settime(timerid, 0, &timer, NULL) == -1) {
+	timer.it_value.tv_sec = interval_msec / 1000;
+	timer.it_value.tv_usec = (interval_msec % 1000) * 1000;
+	timer.it_interval = timer.it_value;
+	if (setitimer(ITIMER_REAL, &timer, NULL) == -1)
+	{
 		err = std::string("Could not set up periodic timer: ") + strerror(errno);
 		return false;
 	}