update(docs): added CHANGELOG entry for 0.37.1

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

.github/workflows/ci.yml

@@ -33,13 +33,15 @@ jobs:
   test-dev-packages:
     needs: [fetch-version, build-dev-packages]
     uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
-      matrix:
-        static: ["static", ""]
+    # The musl build job is currently disabled because we link libelf dynamically and it is
+    # not possible to dynamically link with musl
+    # strategy:
+    #   fail-fast: false
+    #   matrix:
+    #     static: ["static", ""]
     with:
       arch: x86_64
-      static: ${{ matrix.static != '' && true || false }}
+      # static: ${{ matrix.static != '' && true || false }}
       version: ${{ needs.fetch-version.outputs.version }}
 
   test-dev-packages-arm64:

.github/workflows/master.yaml

@@ -31,13 +31,15 @@ jobs:
   test-dev-packages:
     needs: [fetch-version, build-dev-packages]
     uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
-      matrix:
-        static: ["static", ""]
+    # The musl build job is currently disabled because we link libelf dynamically and it is
+    # not possible to dynamically link with musl
+    # strategy:
+    #   fail-fast: false
+    #   matrix:
+    #     static: ["static", ""]
     with:
       arch: x86_64
-      static: ${{ matrix.static != '' && true || false }}
+      # static: ${{ matrix.static != '' && true || false }}
       version: ${{ needs.fetch-version.outputs.version }}
   
   test-dev-packages-arm64:

.github/workflows/release.yaml

@@ -69,13 +69,16 @@ jobs:
   test-packages:
     needs: [release-settings, build-packages]
     uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
-      matrix:
-        static: ["static", ""]
+
+    # The musl build job is currently disabled because we link libelf dynamically and it is
+    # not possible to dynamically link with musl
+    # strategy:
+    #   fail-fast: false
+    #   matrix:
+    #     static: ["static", ""]
     with:
       arch: x86_64
-      static: ${{ matrix.static != '' && true || false }}
+      # static: ${{ matrix.static != '' && true || false }}
       version: ${{ github.event.release.tag_name }}
   
   test-packages-arm64:

.github/workflows/reusable_build_packages.yaml

@@ -20,7 +20,7 @@ jobs:
       # Always install deps before invoking checkout action, to properly perform a full clone.
       - name: Install build dependencies
         run: |
-          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
+          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel elfutils-libelf-devel
     
       - name: Checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
@@ -50,7 +50,7 @@ jobs:
           yum -y install centos-release-scl
           yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
           source /opt/rh/devtoolset-9/enable
-          yum install -y wget git make m4 rpm-build perl-IPC-Cmd
+          yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd
     
       - name: Checkout
         # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
@@ -118,9 +118,12 @@ jobs:
           path: |
             ${{ github.workspace }}/build/falco-*.rpm
             
+  # The musl build job is currently disabled because we link libelf dynamically and it is
+  # not possible to dynamically link with musl
   build-musl-package:
     # x86_64 only for now
-    if: ${{ inputs.arch == 'x86_64' }}
+    # if: ${{ inputs.arch == 'x86_64' }}
+    if: false 
     runs-on: ubuntu-latest
     container: alpine:3.17
     steps:

.github/workflows/reusable_fetch_version.yaml

@@ -31,7 +31,7 @@ jobs:
       - name: Configure project
         run: |
           mkdir build && cd build
-          cmake -DUSE_BUNDLED_DEPS=On ..
+          cmake -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off ..
           
       - name: Load and store Falco version output
         id: store_version

.github/workflows/reusable_publish_packages.yaml

@@ -65,7 +65,10 @@ jobs:
           name: falco-${{ inputs.version }}-aarch64.tar.gz
           path: /tmp/falco-build-bin
 
+      # The musl build job is currently disabled because we link libelf dynamically and it is
+      # not possible to dynamically link with musl
       - name: Download static binary x86_64
+        if: false
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-${{ inputs.version }}-static-x86_64.tar.gz
@@ -89,8 +92,11 @@ jobs:
         run: |
           ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
           ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-aarch64.tar.gz -r bin${{ inputs.bucket_suffix }} -a aarch64
-          
+
+      # The musl build job is currently disabled because we link libelf dynamically and it is
+      # not possible to dynamically link with musl
       - name: Publish static
+        if: false
         run: |
           ./scripts/publish-bin -f /tmp/falco-build-bin-static/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
           

.github/workflows/staticanalysis.yaml

@@ -20,7 +20,7 @@ jobs:
       - name: Build and run cppcheck 🏎️
         run: |
           mkdir build
-          cd build && cmake -DUSE_BUNDLED_DEPS=On -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DCMAKE_BUILD_TYPE="release" -DBUILD_BPF=Off -DBUILD_DRIVER=Off ..
+          cd build && cmake -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DCMAKE_BUILD_TYPE="release" -DBUILD_BPF=Off -DBUILD_DRIVER=Off ..
           make -j4 cppcheck
           make -j4 cppcheck_htmlreport
 

CHANGELOG.md

@@ -1,5 +1,27 @@
 # Change Log
 
+## v0.37.1
+
+Released on 2024-02-13
+
+### Major Changes
+
+* new(docker): added option for insecure http driver download to falco and driver-loader images [[#3058](https://github.com/falcosecurity/falco/pull/3058)] - [@toamto94](https://github.com/toamto94)
+
+### Minor Changes
+
+* update(cmake): bumped falcoctl to v0.7.2 [[#3076](https://github.com/falcosecurity/falco/pull/3076)] - [@FedeDP](https://github.com/FedeDP)
+* update(build): link libelf dynamically [[#3048](https://github.com/falcosecurity/falco/pull/3048)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+### Bug Fixes
+
+* fix(userspace/engine): always consider all rules (even the ones below min_prio) in m_rule_stats_manager [[#3060](https://github.com/falcosecurity/falco/pull/3060)] - [@FedeDP](https://github.com/FedeDP)
+
+### Non user-facing changes
+
+* Added http headers option for driver download in docker images [[#3075](https://github.com/falcosecurity/falco/pull/3075)] - [@toamto94](https://github.com/toamto94)
+* fix(build): install libstdc++ in the Wolfi image [[#3053](https://github.com/falcosecurity/falco/pull/3053)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
 ## v0.37.0
 
 Released on 2024-01-30

CMakeLists.txt

@@ -16,6 +16,7 @@ cmake_minimum_required(VERSION 3.5.1)
 project(falco)
 
 option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
+option(USE_DYNAMIC_LIBELF "Dynamically link libelf" ON)
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
 option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)

cmake/modules/falcoctl.cmake

@@ -16,14 +16,14 @@ include(ExternalProject)
 
 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-set(FALCOCTL_VERSION "0.7.1")
+set(FALCOCTL_VERSION "0.7.2")
 
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
     set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-    set(FALCOCTL_HASH "f142507c0e2b1e7dc03fd0b1ec36b479eb171f1f58c17f90d2d8edeb00668ef5")
+    set(FALCOCTL_HASH "abbbef2beefceb3d518a638fbad220ca6002840d33a20a7f1de9b358c4dbef45")
 else() # aarch64
     set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-    set(FALCOCTL_HASH "93e4800b68e21057da82c8c7aafa0970598594d62cd9929ebb9b38a9c02159a6")
+    set(FALCOCTL_HASH "8dafef99948355febfa311bb940f8c714af631a249f4ae05ffd7d4c5f181e2c4")
 endif()
 
 ExternalProject_Add(

cmake/modules/falcosecurity-libs.cmake

@@ -35,8 +35,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "0.14.2")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=b4ae7bbf3ad031deee4a808145f9fd64b71c537406cc5a92f512823b2e52cdd5")
+    set(FALCOSECURITY_LIBS_VERSION "0.14.3")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=da3d2df24947f1f3c96c3aa8b8999dde691c5ba8bb15beba4486b4c7d6b9d7f9")
   endif()
 
   # cd /path/to/build && cmake /path/to/source
@@ -89,6 +89,10 @@ set(USE_BUNDLED_NLOHMANN_JSON ON CACHE BOOL "")
 set(USE_BUNDLED_VALIJSON ON CACHE BOOL "")
 set(USE_BUNDLED_RE2 ON CACHE BOOL "")
 set(USE_BUNDLED_UTHASH ON CACHE BOOL "")
+if(USE_DYNAMIC_LIBELF)
+  set(USE_BUNDLED_LIBELF OFF CACHE BOOL "")
+  set(USE_SHARED_LIBELF ON CACHE BOOL "")
+endif()
 
 list(APPEND CMAKE_MODULE_PATH "${FALCOSECURITY_LIBS_SOURCE_DIR}/cmake/modules")
 

docker/driver-loader-legacy/docker-entrypoint.sh

@@ -28,15 +28,17 @@ print_usage() {
 	echo "  ebpf           eBPF probe"
 	echo ""
 	echo "Options:"
-	echo "  --help         show this help message"
-	echo "  --clean        try to remove an already present driver installation"
-	echo "  --compile      try to compile the driver locally (default true)"
-	echo "  --download     try to download a prebuilt driver (default true)"
-	echo "  --print-env    skip execution and print env variables for other tools to consume"
+	echo "  --help           show this help message"
+	echo "  --clean          try to remove an already present driver installation"
+	echo "  --compile        try to compile the driver locally (default true)"
+	echo "  --download       try to download a prebuilt driver (default true)"
+ 	echo "  --http-insecure	 enable insecure downloads"
+	echo "  --print-env      skip execution and print env variables for other tools to consume"
 	echo ""
 	echo "Environment variables:"
-	echo "  FALCOCTL_DRIVER_REPOS             specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
-	echo "  FALCOCTL_DRIVER_NAME              specify a different name for the driver"
+	echo "  FALCOCTL_DRIVER_REPOS         specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
+	echo "  FALCOCTL_DRIVER_NAME          specify a different name for the driver"
+	echo "  FALCOCTL_DRIVER_HTTP_HEADERS  specify comma separated list of http headers for driver download (e.g. 'x-emc-namespace: default,Proxy-Authenticate: Basic')"
 	echo ""
 }
 
@@ -50,6 +52,7 @@ done
 
 ENABLE_COMPILE="false"
 ENABLE_DOWNLOAD="false"
+HTTP_INSECURE="false"
 has_driver=
 has_opts=
 while test $# -gt 0; do
@@ -80,6 +83,9 @@ while test $# -gt 0; do
 			ENABLE_DOWNLOAD="true"
 			has_opts="true"
 			;;
+		--http-insecure)
+			HTTP_INSECURE="true"
+			;;   
 		--source-only)
 		    >&2 echo "Support dropped in Falco 0.37.0."
 			print_usage
@@ -108,4 +114,4 @@ if [ -z "$has_opts" ]; then
 	ENABLE_DOWNLOAD="true"
 fi
 
-/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD
+/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS"

docker/driver-loader/docker-entrypoint.sh

@@ -28,15 +28,17 @@ print_usage() {
 	echo "  ebpf           eBPF probe"
 	echo ""
 	echo "Options:"
-	echo "  --help         show this help message"
-	echo "  --clean        try to remove an already present driver installation"
-	echo "  --compile      try to compile the driver locally (default true)"
-	echo "  --download     try to download a prebuilt driver (default true)"
-	echo "  --print-env    skip execution and print env variables for other tools to consume"
+	echo "  --help           show this help message"
+	echo "  --clean          try to remove an already present driver installation"
+	echo "  --compile        try to compile the driver locally (default true)"
+	echo "  --download       try to download a prebuilt driver (default true)"
+ 	echo "  --http-insecure	 enable insecure downloads"
+	echo "  --print-env      skip execution and print env variables for other tools to consume"
 	echo ""
 	echo "Environment variables:"
-	echo "  FALCOCTL_DRIVER_REPOS             specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
-	echo "  FALCOCTL_DRIVER_NAME              specify a different name for the driver"
+	echo "  FALCOCTL_DRIVER_REPOS         specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
+	echo "  FALCOCTL_DRIVER_NAME          specify a different name for the driver"
+	echo "  FALCOCTL_DRIVER_HTTP_HEADERS  specify comma separated list of http headers for driver download (e.g. 'x-emc-namespace: default,Proxy-Authenticate: Basic')"
 	echo ""
 }
 
@@ -50,6 +52,7 @@ done
 
 ENABLE_COMPILE="false"
 ENABLE_DOWNLOAD="false"
+HTTP_INSECURE="false"
 has_driver=
 has_opts=
 while test $# -gt 0; do
@@ -80,6 +83,9 @@ while test $# -gt 0; do
 			ENABLE_DOWNLOAD="true"
 			has_opts="true"
 			;;
+		--http-insecure)
+			HTTP_INSECURE="true"
+			;;   
 		--source-only)
 		    >&2 echo "Support dropped in Falco 0.37.0."
 			print_usage
@@ -108,4 +114,4 @@ if [ -z "$has_opts" ]; then
 	ENABLE_DOWNLOAD="true"
 fi
 
-/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD
+/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS"

docker/falco/docker-entrypoint.sh

@@ -28,15 +28,17 @@ print_usage() {
 	echo "  ebpf           eBPF probe"
 	echo ""
 	echo "FALCO_DRIVER_LOADER_OPTIONS options:"
-	echo "  --help         show this help message"
-	echo "  --clean        try to remove an already present driver installation"
-	echo "  --compile      try to compile the driver locally (default true)"
-	echo "  --download     try to download a prebuilt driver (default true)"
-	echo "  --print-env    skip execution and print env variables for other tools to consume"
+	echo "  --help           show this help message"
+	echo "  --clean          try to remove an already present driver installation"
+	echo "  --compile        try to compile the driver locally (default true)"
+	echo "  --download       try to download a prebuilt driver (default true)"
+ 	echo "  --http-insecure	 enable insecure downloads"
+	echo "  --print-env      skip execution and print env variables for other tools to consume"
 	echo ""
 	echo "Environment variables:"
-	echo "  FALCOCTL_DRIVER_REPOS             specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
-	echo "  FALCOCTL_DRIVER_NAME              specify a different name for the driver"
+	echo "  FALCOCTL_DRIVER_REPOS         specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
+	echo "  FALCOCTL_DRIVER_NAME          specify a different name for the driver"
+	echo "  FALCOCTL_DRIVER_HTTP_HEADERS  specify comma separated list of http headers for driver download (e.g. 'x-emc-namespace: default,Proxy-Authenticate: Basic')"
 	echo ""
 }
 
@@ -57,6 +59,7 @@ if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
 
     ENABLE_COMPILE="false"
     ENABLE_DOWNLOAD="false"
+    HTTP_INSECURE="false"
     has_driver=
     has_opts=
     for opt in "${falco_driver_loader_option_arr[@]}"
@@ -88,6 +91,9 @@ if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
                 ENABLE_DOWNLOAD="true"
                 has_opts="true"
                 ;;
+	    --http-insecure)
+		HTTP_INSECURE="true"
+		;;
             --source-only)
                 >&2 echo "Support dropped in Falco 0.37.0."
                 print_usage
@@ -113,7 +119,7 @@ if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
         ENABLE_COMPILE="true"
         ENABLE_DOWNLOAD="true"
     fi
-    /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD
+    /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS"
 
 fi
 

docker/no-driver/Dockerfile

@@ -28,7 +28,7 @@ LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 # NOTE: for the "least privileged" use case, please refer to the official documentation
 
-RUN apt-get -y update && apt-get -y install ca-certificates curl jq \
+RUN apt-get -y update && apt-get -y install ca-certificates curl jq libelf1 \
     && apt clean -y && rm -rf /var/lib/apt/lists/*
 
 ENV HOST_ROOT /host

docker/no-driver/Dockerfile.distroless

@@ -6,7 +6,7 @@ ARG VERSION_BUCKET=bin
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV VERSION_BUCKET=${VERSION_BUCKET}
 
-RUN apk update && apk add build-base gcc curl ca-certificates jq
+RUN apk update && apk add build-base gcc curl ca-certificates jq elfutils
 
 WORKDIR /
 
@@ -21,7 +21,7 @@ RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
     && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
 
-FROM cgr.dev/chainguard/glibc-dynamic
+FROM cgr.dev/chainguard/wolfi-base
 
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
@@ -29,6 +29,8 @@ LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 # NOTE: for the "least privileged" use case, please refer to the official documentation
 
+RUN apk update && apk add libelf libstdc++
+
 ENV HOST_ROOT /host
 ENV HOME /root
 

userspace/engine/falco_engine.cpp

@@ -174,6 +174,7 @@ std::unique_ptr<load_result> falco_engine::load_rules(const std::string &rules_c
 		// clear the rules known by the engine and each ruleset
 		m_rules.clear();
 		for (auto &src : m_sources)
+		// add rules to each ruleset
 		{
 			src.ruleset = src.ruleset_factory->new_ruleset();
 		}
@@ -181,12 +182,6 @@ std::unique_ptr<load_result> falco_engine::load_rules(const std::string &rules_c
 		// add rules to the engine and the rulesets
 		for (const auto& rule : m_last_compile_output->rules)
 		{
-			// skip the rule if below the minimum priority
-			if (rule.priority > m_min_priority)
-			{
-				continue;
-			}
-
 			auto info = m_rule_collector.rules().at(rule.name);
 			if (!info)
 			{
@@ -201,10 +196,20 @@ std::unique_ptr<load_result> falco_engine::load_rules(const std::string &rules_c
 			std::shared_ptr<gen_event_filter> filter(
 				sinsp_filter_compiler(source->filter_factory, rule.condition.get()).compile());
 			auto rule_id = m_rules.insert(rule, rule.name);
-			m_rules.at(rule_id)->id = rule_id;
+			if (rule_id != rule.id)
+			{
+				throw falco_exception("Incompatible ID for rule: " + rule.name +
+						      " | compiled ID: " + std::to_string(rule.id) +
+						      " | stats_mgr ID: " + std::to_string(rule_id));
+			}
 			source->ruleset->add(rule, filter, rule.condition);
 
 			// By default rules are enabled/disabled for the default ruleset
+			// skip the rule if below the minimum priority
+			if (rule.priority > m_min_priority)
+			{
+				continue;
+			}
 			if(info->enabled)
 			{
 				source->ruleset->enable(rule.name, true, m_default_ruleset_id);