update(cmake): bumped falcoctl to v0.10.1.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

.github/workflows/reusable_build_dev.yaml

@@ -39,7 +39,7 @@ permissions:
 jobs:
   build-and-test:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'oracle-aarch64-4cpu-16gb') || 'ubuntu-22.04' }}
     outputs:
       cmdout: ${{ steps.run_cmd.outputs.out }}
     steps:

.github/workflows/reusable_build_docker.yaml

@@ -31,7 +31,7 @@ permissions:
 jobs:
   build-docker:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'oracle-aarch64-4cpu-16gb') || 'ubuntu-latest' }}
     env:
       TARGETARCH: ${{ (inputs.arch == 'aarch64' && 'arm64') || 'amd64' }}
     steps:

.github/workflows/reusable_build_packages.yaml

@@ -27,7 +27,7 @@ permissions:
 jobs:
   build-modern-bpf-skeleton:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'oracle-aarch64-4cpu-16gb') || 'ubuntu-latest' }}
     container: fedora:latest
     steps:
       # Always install deps before invoking checkout action, to properly perform a full clone.
@@ -55,7 +55,7 @@ jobs:
     env:
       ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'oracle-aarch64-4cpu-16gb') || 'ubuntu-latest' }}
     needs: [build-modern-bpf-skeleton]
     container: centos:7
     steps:

.github/workflows/reusable_test_packages.yaml

@@ -27,7 +27,7 @@ permissions:
 jobs:
   test-packages:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'oracle-aarch64-4cpu-16gb') || 'ubuntu-latest' }}
     steps:
       - name: Download binary
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2

CHANGELOG.md

@@ -1,5 +1,24 @@
 # Change Log
 
+## v0.39.1
+
+Released on 2024-10-09
+
+### Bug Fixes
+
+* fix(engine): allow null init_config for plugin info [[#3372](https://github.com/falcosecurity/falco/pull/3372)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(engine): fix parsing issues in -o key={object} when the object definition contains a comma [[#3363](https://github.com/falcosecurity/falco/pull/3363)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(userspace/falco): fix event set selection for plugin with parsing capability [[#3368](https://github.com/falcosecurity/falco/pull/3368)] - [@FedeDP](https://github.com/FedeDP)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |      0 |
+| Release note    |      3 |
+| Total           |      3 |
+
+
 ## v0.39.0
 
 Released on 2024-10-01

cmake/modules/falcoctl.cmake

@@ -20,16 +20,16 @@ option(ADD_FALCOCTL_DEPENDENCY "Add falcoctl dependency while building falco" ON
 if(ADD_FALCOCTL_DEPENDENCY)
 	string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-	set(FALCOCTL_VERSION "0.10.0")
+	set(FALCOCTL_VERSION "0.10.1")
 
 	message(STATUS "Building with falcoctl: ${FALCOCTL_VERSION}")
 
 	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
 		set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-		set(FALCOCTL_HASH "32d1be4ab2335d9c3fc8ae8900341bcc26d3166094fc553ddb7bb783aa6c7b68")
+		set(FALCOCTL_HASH "039961004a72d27409ab6ba82542134bd5df8a69ad341c897f3d26b6596b9e6a")
 	else() # aarch64
 		set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-		set(FALCOCTL_HASH "9186fd948c1230c338a7fa36d6569ce85d3c4aa8153b30e8d86d2e887eb76756")
+		set(FALCOCTL_HASH "fbaf83512cc73e99f14f90cb14ed4eee83f40efde3d398c7b7ef02163116f2fc")
 	endif()
 
 	ExternalProject_Add(

cmake/modules/falcosecurity-libs.cmake

@@ -42,9 +42,9 @@ else()
 	# version (or branch, or commit) just pass the variable - ie., `cmake
 	# -DFALCOSECURITY_LIBS_VERSION=dev ..`
 	if(NOT FALCOSECURITY_LIBS_VERSION)
-		set(FALCOSECURITY_LIBS_VERSION "0.18.1")
+		set(FALCOSECURITY_LIBS_VERSION "0.18.2")
 		set(FALCOSECURITY_LIBS_CHECKSUM
-			"SHA256=1812e8236c4cb51d3fe5dd066d71be99f25da7ed22d8feeeebeed09bdc26325f"
+			"SHA256=b2e3e42c3255a6d41960afe086e8189d73e27f1dbc23abefaf6b05cf118eb6f4"
 		)
 	endif()
 

unit_tests/falco/test_configuration_schema.cpp

@@ -18,6 +18,7 @@ limitations under the License.
 #include <gtest/gtest.h>
 #include <falco/configuration.h>
 #include <falco_test_var.h>
+#include <nlohmann/json.hpp>
 
 #define EXPECT_VALIDATION_STATUS(res, status)                                                     \
 	do {                                                                                          \
@@ -102,8 +103,13 @@ plugins:
       sslCertificate: /etc/falco/falco.pem
 )";
 
+	auto plugin_config_json = nlohmann::json::parse(
+	        R"({"maxEventSize": 262144, "sslCertificate": "/etc/falco/falco.pem"})");
+
 	EXPECT_NO_THROW(res = falco_config.init_from_content(config, {}));
 	EXPECT_VALIDATION_STATUS(res, yaml_helper::validation_ok);
+	auto parsed_init_config = nlohmann::json::parse(falco_config.m_plugins[0].m_init_config);
+	EXPECT_EQ(parsed_init_config, plugin_config_json);
 
 	config = R"(
 plugins:
@@ -114,6 +120,30 @@ plugins:
 
 	EXPECT_NO_THROW(res = falco_config.init_from_content(config, {}));
 	EXPECT_VALIDATION_STATUS(res, yaml_helper::validation_ok);
+	parsed_init_config = nlohmann::json::parse(falco_config.m_plugins[0].m_init_config);
+	EXPECT_EQ(parsed_init_config, plugin_config_json);
+
+	config = R"(
+plugins:
+  - name: k8saudit
+    library_path: libk8saudit.so
+    init_config: ""
+)";
+
+	EXPECT_NO_THROW(res = falco_config.init_from_content(config, {}));
+	EXPECT_VALIDATION_STATUS(res, yaml_helper::validation_ok);
+	EXPECT_EQ(falco_config.m_plugins[0].m_init_config, "");
+
+	config = R"(
+plugins:
+  - name: k8saudit
+    library_path: libk8saudit.so
+    init_config: null
+)";
+
+	EXPECT_NO_THROW(res = falco_config.init_from_content(config, {}));
+	EXPECT_VALIDATION_STATUS(res, yaml_helper::validation_ok);
+	EXPECT_EQ(falco_config.m_plugins[0].m_init_config, "");
 }
 
 TEST(Configuration, schema_yaml_helper_validator) {

userspace/falco/app/actions/configure_interesting_sets.cpp

@@ -78,11 +78,27 @@ static void select_event_set(falco::app::state& s,
 
 	/* Load PPM event codes needed by plugins with parsing capability */
 	libsinsp::events::set<ppm_event_code> plugin_ev_codes;
-	for(const auto& p : s.offline_inspector->get_plugin_manager()->plugins()) {
-		if(!(p->caps() & CAP_PARSING)) {
-			continue;
+	if(s.is_capture_mode()) {
+		// In capture mode, we need to use the offline inspector
+		// because plugins are inited under it; see init_inspectors action.
+		for(const auto& p : s.offline_inspector->get_plugin_manager()->plugins()) {
+			if(!(p->caps() & CAP_PARSING)) {
+				continue;
+			}
+			plugin_ev_codes.merge(p->parse_event_codes());
+		}
+	} else {
+		// In live mode, we need to use inspectors from the loaded sources,
+		// because plugins are inited under them; see init_inspectors action.
+		for(const auto& src : s.loaded_sources) {
+			auto src_info = s.source_infos.at(src);
+			for(const auto& p : src_info->inspector->get_plugin_manager()->plugins()) {
+				if(!(p->caps() & CAP_PARSING)) {
+					continue;
+				}
+				plugin_ev_codes.merge(p->parse_event_codes());
+			}
 		}
-		plugin_ev_codes.merge(p->parse_event_codes());
 	}
 	const auto plugin_sc_set = libsinsp::events::event_set_to_sc_set(plugin_ev_codes);
 	const auto plugin_names = libsinsp::events::sc_set_to_event_names(plugin_sc_set);

userspace/falco/app/options.cpp

@@ -19,6 +19,9 @@ limitations under the License.
 #include "../configuration.h"
 #include "config_falco.h"
 
+// disable cxxopts vector delimiter, meaning that
+// -o test1,test2,test3 won't be treated like -o test1 -o test2 -o test3
+#define CXXOPTS_VECTOR_DELIMITER '\0'
 #include <cxxopts.hpp>
 
 #include <fstream>

userspace/falco/config_json_schema.h

@@ -593,6 +593,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
                         },
                         {
                             "type": "string"
+                        },
+                        {
+                            "type": "null"
                         }
                     ]
                 },