update(cmake): bump falcoctl to v0.11.0

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>

.github/release_template.md

@@ -10,12 +10,11 @@
 | deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-aarch64.deb) |
 | tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/aarch64/falco-FALCOVER-aarch64.tar.gz) |
 
-| Images                                                                      |
-| --------------------------------------------------------------------------- |
-| `docker pull docker.io/falcosecurity/falco:FALCOVER`                           |
-| `docker pull public.ecr.aws/falcosecurity/falco:FALCOVER`                      |
-| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER`             |
-| `docker pull docker.io/falcosecurity/falco-driver-loader-legacy:FALCOVER`      |
-| `docker pull docker.io/falcosecurity/falco-no-driver:FALCOVER`                 |
-| `docker pull docker.io/falcosecurity/falco-distroless:FALCOVER`                |
+| Images                                                                    |
+|---------------------------------------------------------------------------|
+| `docker pull docker.io/falcosecurity/falco:FALCOVER`                      |
+| `docker pull public.ecr.aws/falcosecurity/falco:FALCOVER`                 |
+| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER`        |
+| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER-buster` |
+| `docker pull docker.io/falcosecurity/falco:FALCOVER-debian`               |
 

.github/workflows/bump-libs.yaml

@@ -0,0 +1,63 @@
+---
+name: Bump Libs
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '30 6 * * 1' # on each monday 6:30
+
+# Checks if any concurrent jobs is running for kernels CI and eventually cancel it.
+concurrency:
+  group: bump-libs-ci
+  cancel-in-progress: true
+
+jobs:
+  bump-libs:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Download libs master tar.gz
+        run: |
+          wget https://github.com/falcosecurity/libs/archive/refs/heads/master.tar.gz
+
+      - name: Store libs hash and shasum
+        id: store
+        run: |
+          gunzip -c master.tar.gz > master.tar
+          commit=$(cat master.tar | git get-tar-commit-id)
+          echo "COMMIT=$commit" >> "$GITHUB_OUTPUT"
+          wget https://github.com/falcosecurity/libs/archive/$commit.tar.gz
+          echo "SHASUM=$(sha256sum $commit.tar.gz | awk '{print $1}')" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          path: falco
+
+      - name: Bump libs version and hash
+        run: |
+          cd falco
+          sed -i -E '45s/FALCOSECURITY_LIBS_VERSION "(.+)"/FALCOSECURITY_LIBS_VERSION "${{ steps.store.outputs.COMMIT }}"/' cmake/modules/falcosecurity-libs.cmake
+          sed -i -E '47s/"SHA256=(.+)"/"SHA256=${{ steps.store.outputs.SHASUM }}"/' cmake/modules/falcosecurity-libs.cmake
+          sed -i -E '38s/DRIVER_VERSION "(.+)"/DRIVER_VERSION "${{ steps.store.outputs.COMMIT }}"/' cmake/modules/driver.cmake
+          sed -i -E '40s/"SHA256=(.+)"/"SHA256=${{ steps.store.outputs.SHASUM }}"/' cmake/modules/driver.cmake
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+        with:
+          path: falco
+          signoff: true
+          base: master
+          branch: update/libs
+          title: 'update(cmake): update libs and driver to latest master'
+          body: |
+            This PR updates libs and driver to latest commit.
+            /kind release
+            /area build
+            ```release-note
+            NONE
+            ```
+          commit-message: 'update(cmake): update libs and driver to latest master.'
+          token: ${{ secrets.GITHUB_TOKEN }}	  

.github/workflows/ci.yml

@@ -19,22 +19,14 @@ jobs:
   fetch-version:
     uses: ./.github/workflows/reusable_fetch_version.yaml
 
-  build-dev-packages-sanitizers-x86_64:
-    needs: [fetch-version]
-    uses: ./.github/workflows/reusable_build_packages.yaml
-    with:
-      arch: x86_64
-      version: ${{ needs.fetch-version.outputs.version }}
-      build_type: Debug
-      sanitizers: true
-
   build-dev-packages-x86_64:
     needs: [fetch-version]
     uses: ./.github/workflows/reusable_build_packages.yaml
     with:
       arch: x86_64
       version: ${{ needs.fetch-version.outputs.version }}
-      build_type: Release
+      enable_debug: true
+      enable_sanitizers: true
 
   build-dev-packages-arm64:
     needs: [fetch-version]
@@ -42,22 +34,19 @@ jobs:
     with:
       arch: aarch64
       version: ${{ needs.fetch-version.outputs.version }}
-      build_type: Debug
-      sanitizers: false
+      enable_debug: true
 
   test-dev-packages:
-    needs: [fetch-version, build-dev-packages-sanitizers-x86_64]
+    needs: [fetch-version, build-dev-packages-x86_64]
     uses: ./.github/workflows/reusable_test_packages.yaml
-    # The musl build job is currently disabled because we link libelf dynamically and it is
-    # not possible to dynamically link with musl
-    # strategy:
-    #   fail-fast: false
-    #   matrix:
-    #     static: ["static", ""]
+    strategy:
+      fail-fast: false
+      matrix:
+        static: ["static", ""]
     with:
       arch: x86_64
-      sanitizers: true
-      # static: ${{ matrix.static != '' && true || false }}
+      sanitizers: ${{ matrix.static == '' && true || false }}
+      static: ${{ matrix.static != '' && true || false }}
       version: ${{ needs.fetch-version.outputs.version }}
 
   test-dev-packages-arm64:

.github/workflows/format.yaml

@@ -32,7 +32,7 @@ jobs:
 
       - name: Upload the git diff artifact 📦
         if: failure()
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: format_diff.patch
           path: ./format_diff.patch

.github/workflows/master.yaml

@@ -31,15 +31,13 @@ jobs:
   test-dev-packages:
     needs: [fetch-version, build-dev-packages]
     uses: ./.github/workflows/reusable_test_packages.yaml
-    # The musl build job is currently disabled because we link libelf dynamically and it is
-    # not possible to dynamically link with musl
-    # strategy:
-    #   fail-fast: false
-    #   matrix:
-    #     static: ["static", ""]
+    strategy:
+      fail-fast: false
+      matrix:
+        static: ["static", ""]
     with:
       arch: x86_64
-      # static: ${{ matrix.static != '' && true || false }}
+      static: ${{ matrix.static != '' && true || false }}
       version: ${{ needs.fetch-version.outputs.version }}
   
   test-dev-packages-arm64:

.github/workflows/release.yaml

@@ -6,13 +6,13 @@ on:
 # Checks if any concurrent jobs is running for release CI and eventually cancel it.
 concurrency:
   group: ci-release
-  cancel-in-progress: true  
-  
+  cancel-in-progress: true
+
 jobs:
   release-settings:
     runs-on: ubuntu-latest
     outputs:
-      is_latest: ${{ steps.get_settings.outputs.is_latest }} 
+      is_latest: ${{ steps.get_settings.outputs.is_latest }}
       bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
     steps:
       - name: Get latest release
@@ -69,25 +69,22 @@ jobs:
   test-packages:
     needs: [release-settings, build-packages]
     uses: ./.github/workflows/reusable_test_packages.yaml
-
-    # The musl build job is currently disabled because we link libelf dynamically and it is
-    # not possible to dynamically link with musl
-    # strategy:
-    #   fail-fast: false
-    #   matrix:
-    #     static: ["static", ""]
+    strategy:
+      fail-fast: false
+      matrix:
+        static: ["static", ""]
     with:
       arch: x86_64
-      # static: ${{ matrix.static != '' && true || false }}
+      static: ${{ matrix.static != '' && true || false }}
       version: ${{ github.event.release.tag_name }}
-  
+
   test-packages-arm64:
     needs: [release-settings, build-packages-arm64]
     uses: ./.github/workflows/reusable_test_packages.yaml
     with:
       arch: aarch64
       version: ${{ github.event.release.tag_name }}
-    
+
   publish-packages:
     needs: [release-settings, test-packages, test-packages-arm64]
     uses: ./.github/workflows/reusable_publish_packages.yaml
@@ -95,7 +92,7 @@ jobs:
       bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
       version: ${{ github.event.release.tag_name }}
     secrets: inherit
-  
+
   # Both build-docker and its arm64 counterpart require build-packages because they use its output
   build-docker:
     needs: [release-settings, build-packages, publish-packages]
@@ -106,7 +103,7 @@ jobs:
       version: ${{ github.event.release.tag_name }}
       tag: ${{ github.event.release.tag_name }}
     secrets: inherit
-    
+
   build-docker-arm64:
     needs: [release-settings, build-packages, publish-packages]
     uses: ./.github/workflows/reusable_build_docker.yaml
@@ -125,7 +122,7 @@ jobs:
       is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
       tag: ${{ github.event.release.tag_name }}
       sign: true
-      
+
   release-body:
     needs: [release-settings, publish-docker]
     if: ${{ needs.release-settings.outputs.is_latest == 'true' }} # only for latest releases
@@ -135,7 +132,7 @@ jobs:
     steps:
       - name: Clone repo
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-          
+
       - name: Extract LIBS and DRIVER versions
         run: |
           cp .github/release_template.md release-body.md
@@ -143,29 +140,48 @@ jobs:
           DRIVER_VERS=$(cat cmake/modules/driver.cmake | grep 'set(DRIVER_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*+driver')
           sed -i s/LIBSVER/$LIBS_VERS/g release-body.md
           sed -i s/DRIVERVER/$DRIVER_VERS/g release-body.md
-          
+
       - name: Append release matrixes
         run: |
           sed -i s/FALCOBUCKET/${{ needs.release-settings.outputs.bucket_suffix }}/g release-body.md
           sed -i s/FALCOVER/${{ github.event.release.tag_name }}/g release-body.md
-          
+
       - name: Generate release notes
         uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
         with:
           milestone: ${{ github.event.release.tag_name }}
           output: ./notes.md
-        
+
       - name: Merge release notes to pre existent body
         run: cat notes.md >> release-body.md
-        
+
       - name: Attach release creator to release body
         run: |
           echo "" >> release-body.md
           echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
-        
+
+      - name: Download debug symbols for Falco x86_64
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: falco-${{ github.event.release.tag_name }}-x86_64.debug
+
+      - name: Rename x86_64 debug symbols
+        run: mv falco.debug falco-x86_64.debug
+
+      - name: Download debug symbols for Falco aarch64
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: falco-${{ github.event.release.tag_name }}-aarch64.debug
+
+      - name: Rename aarch64 debug symbols
+        run: mv falco.debug falco-aarch64.debug
+
       - name: Release
         uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
         with:
           body_path: ./release-body.md
           tag_name: ${{ github.event.release.tag_name }}
           name: ${{ github.event.release.name }}
+          files: |
+            falco-x86_64.debug
+            falco-aarch64.debug

.github/workflows/reusable_build_dev.yaml

@@ -39,7 +39,7 @@ permissions:
 jobs:
   build-and-test:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
     outputs:
       cmdout: ${{ steps.run_cmd.outputs.out }}
     steps:

.github/workflows/reusable_build_docker.yaml

@@ -20,57 +20,47 @@ on:
         required: true
         type: string
 
-# Here we just build all docker images as tarballs, 
+# Here we just build all docker images as tarballs,
 # then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
-# In this way, we don't need to publish any arch specific image, 
+# In this way, we don't need to publish any arch specific image,
 # and this "build" workflow is actually only building images.
 
-permissions:  
+permissions:
   contents: read
 
 jobs:
   build-docker:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
     env:
       TARGETARCH: ${{ (inputs.arch == 'aarch64' && 'arm64') || 'amd64' }}
     steps:
       - name: Checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-        
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-          
-      - name: Build no-driver image
-        run: |
-          cd ${{ github.workspace }}/docker/no-driver/
-          docker build -t docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} \
-            --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
-            --build-arg FALCO_VERSION=${{ inputs.version }} \
-            --build-arg TARGETARCH=${TARGETARCH} \
-            .
-            docker save docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-no-driver-${{ inputs.arch }}.tar
 
-      - name: Build distroless image
-        run: |
-          cd ${{ github.workspace }}/docker/no-driver/
-          docker build -f Dockerfile.distroless -t docker.io/falcosecurity/falco-distroless:${{ inputs.arch }}-${{ inputs.tag }} \
-            --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
-            --build-arg FALCO_VERSION=${{ inputs.version }} \
-            --build-arg TARGETARCH=${TARGETARCH} \
-            .
-            docker save docker.io/falcosecurity/falco-distroless:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-distroless-${{ inputs.arch }}.tar
-            
       - name: Build falco image
         run: |
           cd ${{ github.workspace }}/docker/falco/
           docker build -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} \
-            --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
+            --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
             --build-arg FALCO_VERSION=${{ inputs.version }} \
             --build-arg TARGETARCH=${TARGETARCH} \
             .
             docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-${{ inputs.arch }}.tar
 
+      - name: Build falco-debian image
+        run: |
+          cd ${{ github.workspace }}/docker/falco-debian/
+          docker build -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian \
+            --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
+            --build-arg FALCO_VERSION=${{ inputs.version }} \
+            --build-arg TARGETARCH=${TARGETARCH} \
+            .
+            docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian --output /tmp/falco-${{ inputs.arch }}-debian.tar
+
       - name: Build falco-driver-loader image
         run: |
           cd ${{ github.workspace }}/docker/driver-loader/
@@ -80,19 +70,19 @@ jobs:
             .
             docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-${{ inputs.arch }}.tar
 
-      - name: Build falco-driver-loader-legacy image
+      - name: Build falco-driver-loader-buster image
         run: |
-          cd ${{ github.workspace }}/docker/driver-loader-legacy/
-          docker build -t docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} \
+          cd ${{ github.workspace }}/docker/driver-loader-buster/
+          docker build -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster \
             --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
             --build-arg FALCO_VERSION=${{ inputs.version }} \
             --build-arg TARGETARCH=${TARGETARCH} \
             .
-            docker save docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-legacy-${{ inputs.arch }}.tar
+            docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster --output /tmp/falco-driver-loader-${{ inputs.arch }}-buster.tar
 
       - name: Upload images tarballs
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: falco-images
+          name: falco-images-${{ inputs.arch }}
           path: /tmp/falco-*.tar
           retention-days: 1

.github/workflows/reusable_build_packages.yaml

@@ -10,13 +10,13 @@ on:
         description: The Falco version to use when building packages
         required: true
         type: string
-      build_type:
-        description: The build type
+      enable_debug:
+        description: Also create a debug build
         required: false
-        type: string
-        default: 'Release'
-      sanitizers:
-        description: enable sanitizer support
+        type: boolean
+        default: false
+      enable_sanitizers:
+        description: Also create a sanitizer build
         required: false
         type: boolean
         default: false
@@ -27,13 +27,13 @@ permissions:
 jobs:
   build-modern-bpf-skeleton:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
     container: fedora:latest
     steps:
       # Always install deps before invoking checkout action, to properly perform a full clone.
       - name: Install build dependencies
         run: |
-          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel elfutils-libelf-devel
+          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake
 
       - name: Checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
@@ -45,120 +45,197 @@ jobs:
           cmake --build skeleton-build --target ProbeSkeleton -j6
 
       - name: Upload skeleton
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: bpf_probe_${{ inputs.arch }}.skel.h
           path: skeleton-build/skel_dir/bpf_probe.skel.h
           retention-days: 1
 
-  build-packages:
-    env:
-      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
+  build-packages-release:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
     needs: [build-modern-bpf-skeleton]
-    container: centos:7
     steps:
       # Always install deps before invoking checkout action, to properly perform a full clone.
-      - name: Fix mirrors to use vault.centos.org
-        run: |
-          sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo
-          sed -i s/^#.*baseurl=http/baseurl=https/g /etc/yum.repos.d/*.repo
-          sed -i s/^mirrorlist=http/#mirrorlist=https/g /etc/yum.repos.d/*.repo
-
-      - name: Install scl repos
-        run: |
-          yum -y install centos-release-scl
-
-      - name: Fix new mirrors to use vault.centos.org
-        run: |
-          sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo
-          sed -i s/^#.*baseurl=http/baseurl=https/g /etc/yum.repos.d/*.repo
-          sed -i s/^mirrorlist=http/#mirrorlist=https/g /etc/yum.repos.d/*.repo
-
-      - name: Fix arm64 scl repos to use correct mirror
-        if: inputs.arch == 'aarch64'
-        run: |
-          sed -i 's/vault.centos.org\/centos/vault.centos.org\/altarch/g' /etc/yum.repos.d/CentOS-SCLo-scl*.repo
-
       - name: Install build deps
         run: |
-          yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
-          source /opt/rh/devtoolset-9/enable
-          yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd devtoolset-9-libasan-devel devtoolset-9-libubsan-devel
+          sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm
 
       - name: Checkout
-        # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
 
       - name: Download skeleton
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: bpf_probe_${{ inputs.arch }}.skel.h
           path: /tmp
 
-      - name: Install updated cmake
-        run: |
-          curl -L https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz \
-            | tar --directory=/usr --strip-components=1 -xzp
+      - name: Install zig
+        if: inputs.sanitizers == false
+        uses: falcosecurity/libs/.github/actions/install-zig@master
 
       - name: Prepare project
         run: |
-          source /opt/rh/devtoolset-9/enable
           cmake -B build -S . \
-              -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
+              -DCMAKE_BUILD_TYPE=RelWithDebInfo \
               -DUSE_BUNDLED_DEPS=On \
               -DFALCO_ETC_DIR=/etc/falco \
               -DMODERN_BPF_SKEL_DIR=/tmp \
               -DBUILD_DRIVER=Off \
               -DBUILD_BPF=Off \
-              -DUSE_ASAN=${{ (inputs.sanitizers == true && inputs.arch == 'x86_64' && 'ON') || 'OFF' }} \
+              -DUSE_JEMALLOC=ON \
               -DFALCO_VERSION=${{ inputs.version }}
 
       - name: Build project
         run: |
-          source /opt/rh/devtoolset-9/enable
           cmake --build build --target falco -j6
 
       - name: Build packages
         run: |
-          source /opt/rh/devtoolset-9/enable
           cmake --build build --target package
 
       - name: Upload Falco tar.gz package
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: falco-${{ inputs.version }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.tar.gz
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz
           path: |
             ${{ github.workspace }}/build/falco-*.tar.gz
 
       - name: Upload Falco deb package
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: falco-${{ inputs.version }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.deb
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}.deb
           path: |
             ${{ github.workspace }}/build/falco-*.deb
 
       - name: Upload Falco rpm package
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: falco-${{ inputs.version }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.rpm
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}.rpm
           path: |
             ${{ github.workspace }}/build/falco-*.rpm
 
-  # The musl build job is currently disabled because we link libelf dynamically and it is
-  # not possible to dynamically link with musl
+      - name: Upload Falco debug symbols
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}.debug
+          path: |
+            ${{ github.workspace }}/build/userspace/falco/falco.debug
+
+  build-packages-debug:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
+    if: ${{ inputs.enable_debug == true }}
+    needs: [build-modern-bpf-skeleton]
+    steps:
+      # Always install deps before invoking checkout action, to properly perform a full clone.
+      - name: Install build deps
+        run: |
+          sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm
+
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+      - name: Download skeleton
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: bpf_probe_${{ inputs.arch }}.skel.h
+          path: /tmp
+
+      - name: Install zig
+        if: inputs.sanitizers == false
+        uses: falcosecurity/libs/.github/actions/install-zig@master
+
+      - name: Prepare project
+        run: |
+          cmake -B build -S . \
+              -DCMAKE_BUILD_TYPE=Debug \
+              -DUSE_BUNDLED_DEPS=On \
+              -DFALCO_ETC_DIR=/etc/falco \
+              -DMODERN_BPF_SKEL_DIR=/tmp \
+              -DBUILD_DRIVER=Off \
+              -DBUILD_BPF=Off \
+              -DUSE_JEMALLOC=On \
+              -DFALCO_VERSION=${{ inputs.version }}
+
+      - name: Build project
+        run: |
+          cmake --build build --target falco -j6
+
+      - name: Build packages
+        run: |
+          cmake --build build --target package
+
+      - name: Upload Falco tar.gz package
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}-debug.tar.gz
+          path: |
+            ${{ github.workspace }}/build/falco-*.tar.gz
+
+  build-packages-sanitizers:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
+    if: ${{ inputs.enable_sanitizers == true }}
+    needs: [build-modern-bpf-skeleton]
+    steps:
+      # Always install deps before invoking checkout action, to properly perform a full clone.
+      - name: Install build deps
+        run: |
+          sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm
+
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+      - name: Download skeleton
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: bpf_probe_${{ inputs.arch }}.skel.h
+          path: /tmp
+
+      - name: Prepare project
+        # Jemalloc and ASAN don't play very well together.
+        run: |
+          cmake -B build -S . \
+              -DCMAKE_BUILD_TYPE=Debug \
+              -DUSE_BUNDLED_DEPS=On \
+              -DFALCO_ETC_DIR=/etc/falco \
+              -DMODERN_BPF_SKEL_DIR=/tmp \
+              -DBUILD_DRIVER=Off \
+              -DBUILD_BPF=Off \
+              -DUSE_JEMALLOC=Off \
+              -DUSE_ASAN=On \
+              -DFALCO_VERSION=${{ inputs.version }}
+
+      - name: Build project
+        run: |
+          cmake --build build --target falco -j6
+
+      - name: Build packages
+        run: |
+          cmake --build build --target package
+
+      - name: Upload Falco tar.gz package
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}-sanitizers.tar.gz
+          path: |
+            ${{ github.workspace }}/build/falco-*.tar.gz
+
   build-musl-package:
     # x86_64 only for now
-    # if: ${{ inputs.arch == 'x86_64' }}
-    if: false
+    if: ${{ inputs.arch == 'x86_64' }}
     runs-on: ubuntu-latest
     container: alpine:3.17
     steps:
       # Always install deps before invoking checkout action, to properly perform a full clone.
       - name: Install build dependencies
         run: |
-          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
+          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils clang llvm
+          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
+          cd bpftool
+          git submodule update --init
+          cd src && make install
 
       - name: Checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
@@ -168,10 +245,14 @@ jobs:
       - name: Prepare project
         run: |
           cmake -B build -S . \
-                -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
+                -DCMAKE_BUILD_TYPE=Release \
                 -DCPACK_GENERATOR=TGZ \
                 -DBUILD_BPF=Off -DBUILD_DRIVER=Off \
-                -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco -DFALCO_VERSION=${{ inputs.version }}
+                -DUSE_JEMALLOC=On \
+                -DUSE_BUNDLED_DEPS=On \
+                -DMUSL_OPTIMIZED_BUILD=On \
+                -DFALCO_ETC_DIR=/etc/falco \
+                -DFALCO_VERSION=${{ inputs.version }}
 
       - name: Build project
         run: |
@@ -187,7 +268,7 @@ jobs:
           mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz
 
       - name: Upload Falco static package
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: falco-${{ inputs.version }}-static-x86_64.tar.gz
           path: |
@@ -195,7 +276,7 @@ jobs:
 
   build-wasm-package:
     if: ${{ inputs.arch == 'x86_64' }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # Always install deps before invoking checkout action, to properly perform a full clone.
       - name: Install build dependencies
@@ -216,10 +297,7 @@ jobs:
       - name: Prepare project
         run: |
           emcmake cmake -B build -S . \
-            -DBUILD_BPF=Off \
-            -DBUILD_DRIVER=Off \
-            -DBUILD_FALCO_MODERN_BPF=Off \
-            -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
+            -DCMAKE_BUILD_TYPE=Release \
             -DUSE_BUNDLED_DEPS=On \
             -DFALCO_ETC_DIR=/etc/falco \
             -DBUILD_FALCO_UNIT_TESTS=On \
@@ -241,7 +319,7 @@ jobs:
           emmake make -j6 package
 
       - name: Upload Falco WASM package
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: falco-${{ inputs.version }}-wasm.tar.gz
           path: |
@@ -259,28 +337,28 @@ jobs:
       # NOTE: Backslash doesn't work as line continuation on Windows.
       - name: Prepare project
         run: |
-          cmake -B build -S . -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
+          cmake -B build -S . -DCMAKE_BUILD_TYPE=Release -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
 
       - name: Build project
         run: |
-          cmake --build build --target package --config ${{ inputs.build_type }}
+          cmake --build build --target package --config Release
 
       - name: Run unit Tests
         run: |
-          build/unit_tests/${{ inputs.build_type }}/falco_unit_tests.exe
+          build/unit_tests/Release/falco_unit_tests.exe
 
       - name: Upload Falco win32 installer
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: falco-installer-${{ inputs.version }}-win32.exe
+          name: falco-installer-Release-win32.exe
           path: build/falco-*.exe
 
       - name: Upload Falco win32 package
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: falco-${{ inputs.version }}-win32.exe
+          name: falco-Release-win32.exe
           path: |
-            ${{ github.workspace }}/build/userspace/falco/${{ inputs.build_type }}/falco.exe
+            ${{ github.workspace }}/build/userspace/falco/Release/falco.exe
 
   build-macos-package:
     if: ${{ inputs.arch == 'x86_64' }}
@@ -305,7 +383,7 @@ jobs:
           sudo build/unit_tests/falco_unit_tests
 
       - name: Upload Falco macos package
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: falco-${{ inputs.version }}-macos
           path: |

.github/workflows/reusable_publish_docker.yaml

@@ -18,44 +18,55 @@ on:
         default: false
 
 permissions:
-  id-token: write
   contents: read
-  
+
 jobs:
   publish-docker:
     runs-on: ubuntu-latest
+
+    permissions:
+      attestations: write
+      id-token: write
+      contents: read
+
     steps:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-    
-      - name: Download images tarballs
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+
+      - name: Download x86_64 images tarballs
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
-          name: falco-images
+          name: falco-images-x86_64
           path: /tmp/falco-images
-      
+
+      - name: Download aarch64 images tarballs
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: falco-images-aarch64
+          path: /tmp/falco-images
+
       - name: Load all images
         run: |
           for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done
-    
+
       - name: Login to Docker Hub
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_SECRET }}
-      
+
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco-ecr"
           aws-region: us-east-1 # The region must be set to us-east-1 in order to access ECR Public.
-          
+
       - name: Login to Amazon ECR
         id: login-ecr-public
         uses: aws-actions/amazon-ecr-login@2f9f10ea3fa2eed41ac443fee8bfbd059af2d0a4 # v1.6.0
         with:
-          registry-type: public    
-      
+          registry-type: public
+
       - name: Setup Crane
         uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
         with:
@@ -64,42 +75,29 @@ jobs:
       # We're pushing the arch-specific manifests to Docker Hub so that we'll be able to easily create the index/multiarch later
       - name: Push arch-specific images to Docker Hub
         run: |
-          docker push docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }}
-          docker push docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
-          docker push docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }}
-          docker push docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian
+          docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian
           docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
-          docker push docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }}
-          docker push docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}-buster
+          docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}-buster
 
-      - name: Create no-driver manifest on Docker Hub
-        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
-        with:
-          inputs: docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }}
-          images: docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
-          push: true
-
-      - name: Create distroless manifest on Docker Hub
-        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
-        with:
-          inputs: docker.io/falcosecurity/falco-distroless:${{ inputs.tag }}
-          images: docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }}
-          push: true
-          
-      - name: Tag slim manifest on Docker Hub
-        run: |
-          crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} docker.io/falcosecurity/falco:${{ inputs.tag }}-slim
-
-      - name: Create falco manifest on Docker Hub
+      - name: Create Falco manifest on Docker Hub
         uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
         with:
           inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}
           images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
           push: true
-          
+
+      - name: Create falco-debian manifest on Docker Hub
+        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
+        with:
+          inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}-debian
+          images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian,docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian
+          push: true
+
       - name: Create falco-driver-loader manifest on Docker Hub
         uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
         with:
@@ -107,48 +105,41 @@ jobs:
           images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
           push: true
 
-      - name: Create falco-driver-loader-legacy manifest on Docker Hub
+      - name: Create falco-driver-loader-buster manifest on Docker Hub
         uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
         with:
-          inputs: docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }}
-          images: docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
+          inputs: docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster
+          images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}-buster,docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}-buster
           push: true
 
       - name: Get Digests for images
         id: digests
         # We could probably use the docker-manifest-action output instead of recomputing those with crane
         run: |
-          echo "falco-no-driver=$(crane digest docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }})" >> $GITHUB_OUTPUT
-          echo "falco-distroless=$(crane digest docker.io/falcosecurity/falco-distroless:${{ inputs.tag }})" >> $GITHUB_OUTPUT
           echo "falco=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+          echo "falco-debian=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }}-debian)" >> $GITHUB_OUTPUT
           echo "falco-driver-loader=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }})" >> $GITHUB_OUTPUT
-          echo "falco-driver-loader-legacy=$(crane digest docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+          echo "falco-driver-loader-buster=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster)" >> $GITHUB_OUTPUT
 
       - name: Publish images to ECR
         run: |
-          crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }}
-          crane copy docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }}
           crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}
+          crane copy docker.io/falcosecurity/falco:${{ inputs.tag }}-debian public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-debian
           crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}
-          crane copy docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }}
-          crane copy public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim
+          crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster
 
       - name: Tag latest on Docker Hub and ECR
         if: inputs.is_latest
         run: |
-          crane tag docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
-          crane tag docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} latest
           crane tag docker.io/falcosecurity/falco:${{ inputs.tag }} latest
+          crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian
           crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
-          crane tag docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest
-          crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
+          crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster
 
-          crane tag public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
-          crane tag public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }} latest
           crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} latest
+          crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian
           crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
-          crane tag public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest
-          crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
+          crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster
 
       - name: Setup Cosign
         if: inputs.sign
@@ -160,14 +151,24 @@ jobs:
           COSIGN_EXPERIMENTAL: "true"
           COSIGN_YES: "true"
         run: |
-          cosign sign docker.io/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
-          cosign sign docker.io/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }}
-          cosign sign docker.io/falcosecurity/falco@${{ steps.digests.outputs.falco }}
-          cosign sign docker.io/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
-          cosign sign docker.io/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }}
+          cosign sign docker.io/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }}
+          cosign sign docker.io/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }}
+          cosign sign docker.io/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }}
+          cosign sign docker.io/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}
 
-          cosign sign public.ecr.aws/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
-          cosign sign public.ecr.aws/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }}
-          cosign sign public.ecr.aws/falcosecurity/falco@${{ steps.digests.outputs.falco }}
-          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
-          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }}
+          cosign sign public.ecr.aws/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }}
+          cosign sign public.ecr.aws/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }}
+          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }}
+          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}
+
+      - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+        with:
+          subject-name: docker.io/falcosecurity/falco
+          subject-digest: ${{ steps.digests.outputs.falco }}
+          push-to-registry: true
+
+      - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+        with:
+          subject-name: docker.io/falcosecurity/falco-driver-loader
+          subject-digest: ${{ steps.digests.outputs.falco-driver-loader }}
+          push-to-registry: true

.github/workflows/reusable_publish_packages.yaml

@@ -42,40 +42,37 @@ jobs:
           aws-region: ${{ env.AWS_S3_REGION }}    
           
       - name: Download RPM x86_64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-x86_64.rpm
           path: /tmp/falco-build-rpm
 
       - name: Download RPM aarch64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-aarch64.rpm
           path: /tmp/falco-build-rpm
 
       - name: Download binary x86_64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-x86_64.tar.gz
           path: /tmp/falco-build-bin
 
       - name: Download binary aarch64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-aarch64.tar.gz
           path: /tmp/falco-build-bin
 
-      # The musl build job is currently disabled because we link libelf dynamically and it is
-      # not possible to dynamically link with musl
       - name: Download static binary x86_64
-        if: false
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-static-x86_64.tar.gz
           path: /tmp/falco-build-bin-static
 
       - name: Download WASM package
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-wasm.tar.gz
           path: /tmp/falco-wasm
@@ -88,7 +85,7 @@ jobs:
       - name: Sign rpms
         run: |
           rpmsign --define '_gpg_name Falcosecurity Package Signing' --addsign /tmp/falco-build-rpm/falco-*.rpm
-          rpm --qf %{SIGPGP:pgpsig} -qp /tmp/falco-build-rpm/falco-*.rpm | grep SHA256
+          rpm -qp --qf '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none)}|}|\n' /tmp/falco-build-rpm/falco-*.rpm
 
       - name: Publish wasm
         run: |
@@ -102,11 +99,8 @@ jobs:
         run: |
           ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
           ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-aarch64.tar.gz -r bin${{ inputs.bucket_suffix }} -a aarch64
-
-      # The musl build job is currently disabled because we link libelf dynamically and it is
-      # not possible to dynamically link with musl
+          
       - name: Publish static
-        if: false
         run: |
           ./scripts/publish-bin -f /tmp/falco-build-bin-static/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
 
@@ -131,13 +125,13 @@ jobs:
           aws-region: ${{ env.AWS_S3_REGION }}     
       
       - name: Download deb x86_64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-x86_64.deb
           path: /tmp/falco-build-deb
 
       - name: Download deb aarch64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-aarch64.deb
           path: /tmp/falco-build-deb

.github/workflows/reusable_test_packages.yaml

@@ -27,10 +27,10 @@ permissions:
 jobs:
   test-packages:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
     steps:
       - name: Download binary
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.tar.gz
       
@@ -43,7 +43,6 @@ jobs:
      
       # We only run driver loader tests on x86_64
       - name: Install kernel headers for falco-driver-loader tests
-        if: ${{ inputs.arch == 'x86_64' }}
         run: |
           sudo apt update -y
           sudo apt install -y --no-install-recommends linux-headers-$(uname -r)
@@ -64,5 +63,6 @@ jobs:
           test-k8saudit: 'true'
           test-dummy: 'true'
           static: ${{ inputs.static && 'true' || 'false' }}
-          test-drivers: ${{ inputs.arch == 'x86_64' && 'true' || 'false' }}
+          test-drivers: 'true'
           show-all: 'true'
+          report-name-suffix: ${{ inputs.static && '-static' || '' }}${{ inputs.sanitizers && '-sanitizers' || '' }}

.github/workflows/scorecard.yaml

@@ -65,7 +65,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: SARIF file
           path: results.sarif

.github/workflows/staticanalysis.yaml

@@ -29,7 +29,7 @@ jobs:
           cmake --build build -j4 --target cppcheck_htmlreport
 
       - name: Upload reports ⬆️
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: static-analysis-reports
           path: ./build/static-analysis-reports

CHANGELOG.md

@@ -1,5 +1,27 @@
 # Change Log
 
+## v0.39.2
+
+Released on 2024-11-21
+
+### Minor Changes
+
+* update(cmake): bumped falcoctl to v0.10.1. [[#3408](https://github.com/falcosecurity/falco/pull/3408)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): bump yaml-cpp to latest master. [[#3394](https://github.com/falcosecurity/falco/pull/3394)] - [@FedeDP](https://github.com/FedeDP)
+
+### Non user-facing changes
+
+* update(ci): use arm64 CNCF runners for GH actions [[#3386](https://github.com/falcosecurity/falco/pull/3386)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |      1 |
+| Release note    |      2 |
+| Total           |      3 |
+
+
 ## v0.39.1
 
 Released on 2024-10-09

CMakeLists.txt

@@ -17,7 +17,7 @@ cmake_minimum_required(VERSION 3.5.1)
 project(falco)
 
 option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" ON)
-option(USE_DYNAMIC_LIBELF "Dynamically link libelf" ON)
+option(USE_DYNAMIC_LIBELF "Dynamically link libelf" OFF)
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
 option(
 	MINIMAL_BUILD
@@ -29,6 +29,7 @@ option(BUILD_FALCO_UNIT_TESTS "Build falco unit tests" OFF)
 option(USE_ASAN "Build with AddressSanitizer" OFF)
 option(USE_UBSAN "Build with UndefinedBehaviorSanitizer" OFF)
 option(UBSAN_HALT_ON_ERROR "Halt on error when building with UBSan" ON)
+option(USE_JEMALLOC "Use jemalloc allocator" OFF)
 
 if(WIN32)
 	if(POLICY CMP0091)
@@ -141,6 +142,13 @@ set(CMD_MAKE make)
 
 include(ExternalProject)
 
+if(USE_JEMALLOC)
+	if(USE_ASAN)
+		message(WARNING "Jemalloc and ASAN are known to have issues when combined")
+	endif()
+	include(jemalloc)
+endif()
+
 # libs
 include(falcosecurity-libs)
 

cmake/modules/CPackConfig.cmake

@@ -24,7 +24,11 @@ set(CPACK_PACKAGE_VERSION_MAJOR "${FALCO_VERSION_MAJOR}")
 set(CPACK_PACKAGE_VERSION_MINOR "${FALCO_VERSION_MINOR}")
 set(CPACK_PACKAGE_VERSION_PATCH "${FALCO_VERSION_PATCH}")
 set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptions.cmake")
-set(CPACK_STRIP_FILES "ON")
+if(CMAKE_BUILD_TYPE STREQUAL "debug")
+	set(CPACK_STRIP_FILES "OFF")
+else()
+	set(CPACK_STRIP_FILES "ON")
+endif()
 set(CPACK_PACKAGE_RELOCATABLE "OFF")
 if(EMSCRIPTEN)
 	set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-wasm")
@@ -68,7 +72,7 @@ if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
 	set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "arm64")
 endif()
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
-set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
+set(CPACK_DEBIAN_PACKAGE_SUGGESTS "dkms (>= 2.1.0.0)")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
 	"${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
 )
@@ -76,7 +80,8 @@ set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
 set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
 set(CPACK_RPM_PACKAGE_ARCHITECTURE, "amd64")
 set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, systemd")
+set(CPACK_RPM_PACKAGE_REQUIRES "systemd")
+set(CPACK_RPM_PACKAGE_SUGGESTS "dkms, kernel-devel")
 set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
 set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
 set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")

cmake/modules/CompilerFlags.cmake

@@ -23,6 +23,9 @@ endif()
 string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE)
 if(CMAKE_BUILD_TYPE STREQUAL "debug")
 	set(KBUILD_FLAGS "${FALCO_EXTRA_DEBUG_FLAGS} ${FALCO_EXTRA_FEATURE_FLAGS}")
+elseif(CMAKE_BUILD_TYPE STREQUAL "relwithdebinfo")
+	set(KBUILD_FLAGS "${FALCO_EXTRA_FEATURE_FLAGS}")
+	add_definitions(-DBUILD_TYPE_RELWITHDEBINFO)
 else()
 	set(CMAKE_BUILD_TYPE "release")
 	set(KBUILD_FLAGS "${FALCO_EXTRA_FEATURE_FLAGS}")
@@ -85,6 +88,17 @@ if(NOT MSVC)
 	set(CMAKE_C_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 	set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 
+	set(CMAKE_C_FLAGS_RELWITHDEBINFO "${CMAKE_C_FLAGS_RELEASE} -g")
+	set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "${CMAKE_CXX_FLAGS_RELEASE} -g")
+
+	# Add linker flags to generate separate debug files
+	set(CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO
+		"${CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO} -Wl,--build-id"
+	)
+	set(CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO
+		"${CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO} -Wl,--build-id"
+	)
+
 else() # MSVC
 	set(MINIMAL_BUILD ON)
 	set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")
@@ -99,6 +113,13 @@ else() # MSVC
 	set(FALCOSECURITY_LIBS_COMMON_FLAGS "/EHsc /W3 /Zi /std:c++17")
 	set(FALCOSECURITY_LIBS_DEBUG_FLAGS "/MTd /Od")
 	set(FALCOSECURITY_LIBS_RELEASE_FLAGS "/MT")
+	set(FALCOSECURITY_LIBS_RELWITHDEBINFO_FLAGS "/MT /Zi")
+
+	# Ensure linker generates PDB files for MSVC
+	set(CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO "${CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO} /DEBUG")
+	set(CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO
+		"${CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO} /DEBUG"
+	)
 
 	set(CMAKE_C_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS}")
 	set(CMAKE_CXX_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS}")
@@ -109,4 +130,7 @@ else() # MSVC
 	set(CMAKE_C_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
 	set(CMAKE_CXX_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
 
+	set(CMAKE_C_FLAGS_RELWITHDEBINFO "${FALCOSECURITY_LIBS_RELWITHDEBINFO_FLAGS}")
+	set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "${FALCOSECURITY_LIBS_RELWITHDEBINFO_FLAGS}")
+
 endif()

cmake/modules/cpp-httplib.cmake

@@ -16,6 +16,10 @@
 option(USE_BUNDLED_CPPHTTPLIB "Enable building of the bundled cpp-httplib" ${USE_BUNDLED_DEPS})
 
 if(USE_BUNDLED_CPPHTTPLIB)
+	set(HTTPLIB_USE_BROTLI_IF_AVAILABLE OFF)
+	set(HTTPLIB_REQUIRE_BROTLI OFF)
+	set(HTTPLIB_USE_ZLIB_IF_AVAILABLE OFF)
+	set(HTTPLIB_REQUIRE_ZLIB OFF)
 	include(FetchContent)
 	FetchContent_Declare(
 		cpp-httplib

cmake/modules/driver.cmake

@@ -35,9 +35,9 @@ else()
 	# FALCOSECURITY_LIBS_VERSION. In case you want to test against another driver version (or
 	# branch, or commit) just pass the variable - ie., `cmake -DDRIVER_VERSION=dev ..`
 	if(NOT DRIVER_VERSION)
-		set(DRIVER_VERSION "7.3.0+driver")
+		set(DRIVER_VERSION "8.0.0+driver")
 		set(DRIVER_CHECKSUM
-			"SHA256=8f572d9a83feda635a3fa53b859d61e37af127c241e35068aadee3bc50d212c0"
+			"SHA256=f35990d6a1087a908fe94e1390027b9580d4636032c0f2b80bf945219474fd6b"
 		)
 	endif()
 

cmake/modules/falcoctl.cmake

@@ -20,16 +20,16 @@ option(ADD_FALCOCTL_DEPENDENCY "Add falcoctl dependency while building falco" ON
 if(ADD_FALCOCTL_DEPENDENCY)
 	string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-	set(FALCOCTL_VERSION "0.10.0")
+	set(FALCOCTL_VERSION "0.11.0")
 
 	message(STATUS "Building with falcoctl: ${FALCOCTL_VERSION}")
 
 	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
 		set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-		set(FALCOCTL_HASH "32d1be4ab2335d9c3fc8ae8900341bcc26d3166094fc553ddb7bb783aa6c7b68")
+		set(FALCOCTL_HASH "b9d0e0f50813e7172a945f36f70c5c3c16a677ab4c85b35b6f7a155bc92768fc")
 	else() # aarch64
 		set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-		set(FALCOCTL_HASH "9186fd948c1230c338a7fa36d6569ce85d3c4aa8153b30e8d86d2e887eb76756")
+		set(FALCOCTL_HASH "689c625d1d414cbf53d39ef94083a53dda3ea4ac4908799fb85f4519e21442e0")
 	endif()
 
 	ExternalProject_Add(

cmake/modules/falcosecurity-libs.cmake

@@ -42,9 +42,9 @@ else()
 	# version (or branch, or commit) just pass the variable - ie., `cmake
 	# -DFALCOSECURITY_LIBS_VERSION=dev ..`
 	if(NOT FALCOSECURITY_LIBS_VERSION)
-		set(FALCOSECURITY_LIBS_VERSION "0.18.1")
+		set(FALCOSECURITY_LIBS_VERSION "0.20.0")
 		set(FALCOSECURITY_LIBS_CHECKSUM
-			"SHA256=1812e8236c4cb51d3fe5dd066d71be99f25da7ed22d8feeeebeed09bdc26325f"
+			"SHA256=4ae6ddb42a1012bacd88c63abdaa7bd27ca0143c4721338a22c45597e63bc99d"
 		)
 	endif()
 
@@ -73,7 +73,6 @@ set(LIBS_PACKAGE_NAME "falcosecurity")
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	add_definitions(-D_GNU_SOURCE)
-	add_definitions(-DHAS_CAPTURE)
 endif()
 
 if(MUSL_OPTIMIZED_BUILD)

cmake/modules/jemalloc.cmake

@@ -0,0 +1,70 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2024 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_JEMALLOC "Use bundled jemalloc allocator" ${USE_BUNDLED_DEPS})
+
+if(JEMALLOC_INCLUDE)
+	# we already have JEMALLOC
+elseif(NOT USE_BUNDLED_JEMALLOC)
+	find_path(JEMALLOC_INCLUDE jemalloc/jemalloc.h)
+	set(JEMALLOC_INCLUDE ${JEMALLOC_INCLUDE}/jemalloc)
+	if(BUILD_SHARED_LIBS)
+		set(JEMALLOC_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+	else()
+		set(JEMALLOC_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+	endif()
+	find_library(JEMALLOC_LIB NAMES libjemalloc${JEMALLOC_LIB_SUFFIX})
+	if(JEMALLOC_LIB)
+		message(STATUS "Found JEMALLOC: include: ${JEMALLOC_INCLUDE}, lib: ${JEMALLOC_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system jemalloc")
+	endif()
+else()
+	if(BUILD_SHARED_LIBS)
+		set(JEMALLOC_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+	else()
+		set(JEMALLOC_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+	endif()
+	set(JEMALLOC_SRC "${PROJECT_BINARY_DIR}/jemalloc-prefix/src")
+	set(JEMALLOC_LIB "${JEMALLOC_SRC}/jemalloc/lib/libjemalloc${JEMALLOC_LIB_SUFFIX}")
+	set(JEMALLOC_INCLUDE "${JEMALLOC_SRC}/jemalloc/include/jemalloc")
+	ExternalProject_Add(
+		jemalloc
+		PREFIX "${PROJECT_BINARY_DIR}/jemalloc-prefix"
+		URL "https://github.com/jemalloc/jemalloc/archive/refs/tags/5.3.0.tar.gz"
+		URL_HASH "SHA256=ef6f74fd45e95ee4ef7f9e19ebe5b075ca6b7fbe0140612b2a161abafb7ee179"
+		CONFIGURE_COMMAND ./autogen.sh --enable-prof --disable-libdl
+		BUILD_IN_SOURCE 1
+		BUILD_COMMAND make build_lib_static
+		INSTALL_COMMAND ""
+		UPDATE_COMMAND ""
+		BUILD_BYPRODUCTS ${JEMALLOC_LIB}
+	)
+	message(STATUS "Using bundled jemalloc: include: ${JEMALLOC_INCLUDE}, lib: ${JEMALLOC_LIB}")
+	install(
+		FILES "${JEMALLOC_LIB}"
+		DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "libs-deps"
+	)
+endif()
+
+# We add a custom target, in this way we can always depend on `jemalloc` without distinguishing
+# between "bundled" and "not-bundled" case
+if(NOT TARGET jemalloc)
+	add_custom_target(jemalloc)
+endif()
+
+include_directories(${JEMALLOC_INCLUDE})
+add_compile_definitions(HAS_JEMALLOC)

cmake/modules/yaml-cpp.cmake

@@ -19,8 +19,8 @@ if(USE_BUNDLED_YAMLCPP)
 	include(FetchContent)
 	FetchContent_Declare(
 		yamlcpp
-		URL https://github.com/jbeder/yaml-cpp/archive/refs/tags/0.8.0.tar.gz
-		URL_HASH SHA256=fbe74bbdcee21d656715688706da3c8becfd946d92cd44705cc6098bb23b3a16
+		URL https://github.com/jbeder/yaml-cpp/archive/c2bec4c755c67ad86185a2a264996137904fb712.tar.gz
+		URL_HASH SHA256=faea1ffdbad81b958b3b45a63ba667f4db53a3fffb983ca5df4745cf90044797
 	)
 	FetchContent_MakeAvailable(yamlcpp)
 else()

docker/README.md

@@ -4,15 +4,9 @@ This directory contains various ways to package Falco as a container and related
 
 ## Currently Supported Images
 
-| Name | Directory | Description |
-|---|---|---|
-| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
-| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
-| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
-| [falcosecurity/falco-driver-loader-legacy:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader-legacy), [falcosecurity/falco-driver-loader-legacy:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader-legacy) | docker/driver-loader-legacy | `falco-driver-loader` as entrypoint with the legacy building toolchain. Recommended for kernels < 4.0 |
-
-## Experimental Images
-
-| Name | Directory | Description |
-|---|---|---|
-| [falcosecurity/falco-distroless:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless), [falcosecurity/falco-distroless:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless),[falcosecurity/falco-distroless:master](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless) | docker/no-driver/Dockerfile.distroless | Falco without the building toolchain built from a distroless base image. This results in a smaller image that has less potentially vulnerable components. |
+| Name                                                                                                                                                                                                                                                                                                                                                                                       | Directory                   | Description                                                                                                                                                                                                                |
+|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco)                                                                                                          | docker/falco                | Distroless image based on the latest released tar.gz of Falco. No tools are included in the image.                                                                              |
+| [falcosecurity/falco:latest-debian](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-debian](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master-debian](https://hub.docker.com/repository/docker/falcosecurity/falco)                                                                                     | docker/falco-debian         | Debian-based image. Include some tools (i.e. jq, curl). No driver-building toolchain support. |
+| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader)                      | docker/driver-loader        | Based on falcosecurity/falco:x.y.z-debian (see above) plus the driver building toolchain support and falcoctl. This is intended to be used as an installer or an init container when modern eBPF cannot be used.                     |
+| [falcosecurity/falco-driver-loader:latest-buster](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_-buster](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master-debian](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader-buster | Similar to falcosecurity/falco-driver-loader (see above) but based on a legacy Debian image (i.e. buster ). Recommended only for old kernel versions.                                                                      |

docker/docker-compose/docker-compose.yaml

@@ -13,7 +13,7 @@ services:
       - /proc:/host/proc:ro
       - /etc:/host/etc:ro
       - ./config/http_output.yml:/etc/falco/config.d/http_output.yml
-    image: falcosecurity/falco-no-driver:latest
+    image: falcosecurity/falco:latest
 
   sidekick:
     container_name: falco-sidekick

docker/driver-loader-buster/Dockerfile

@@ -3,7 +3,7 @@ FROM debian:buster
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 
-LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest-buster [driver] [options]"
 
 ARG TARGETARCH
 
@@ -31,7 +31,6 @@ RUN apt-get update \
 	gcc \
 	jq \
 	libc6-dev \
-	libelf-dev \
 	libssl-dev \
 	llvm-7 \
 	netcat \
@@ -41,8 +40,8 @@ RUN apt-get update \
 	&& rm -rf /var/lib/apt/lists/*
 
 RUN if [ "$TARGETARCH" = "amd64" ]; \
-    then apt-get install -y --no-install-recommends libmpx2; \
-    fi
+	then apt-get install -y --no-install-recommends libmpx2; \
+	fi
 
 # gcc 6 is no longer included in debian stable, but we need it to
 # build kernel modules on the default debian-based ami used by
@@ -51,7 +50,7 @@ RUN if [ "$TARGETARCH" = "amd64" ]; \
 # or so.
 
 RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
-    curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
+	curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
 	&& curl -L -o gcc-6-base_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_${TARGETARCH}.deb \
 	&& curl -L -o gcc-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_${TARGETARCH}.deb \
 	&& curl -L -o libasan3_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_${TARGETARCH}.deb \
@@ -60,8 +59,8 @@ RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGE
 	&& curl -L -o libmpfr4_3.1.3-2_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_${TARGETARCH}.deb \
 	&& curl -L -o libisl15_0.18-1_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-1_${TARGETARCH}.deb \
 	&& dpkg -i cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb; \
-    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
-    dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
+	if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
+	dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
 	&& rm -f cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb libcilkrts5_6.3.0-18_${TARGETARCH}.deb libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb
 
 # gcc 5 is no longer included in debian stable, but we need it to
@@ -70,15 +69,15 @@ RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGE
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
 RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libmpx0_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
-    curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
+	curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
 	&& curl -L -o gcc-5-base_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_${TARGETARCH}.deb \
 	&& curl -L -o gcc-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_${TARGETARCH}.deb \
 	&& curl -L -o libasan2_5.5.0-12_${TARGETARCH}.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_${TARGETARCH}.deb \
 	&& curl -L -o libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb \
 	&& curl -L -o libisl15_0.18-4_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-4_${TARGETARCH}.deb \
 	&& dpkg -i cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb; \
-    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
-    dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
+	if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
+	dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
 	&& rm -f cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb libmpx0_5.5.0-12_${TARGETARCH}.deb
 
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
@@ -113,10 +112,10 @@ RUN rm -df /lib/modules \
 # forcibly install binutils 2.30-22 instead.
 
 RUN if [ "$TARGETARCH" = "amd64" ] ; then \
-    curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
-    else  \
-    curl -L -o  binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
-    fi
+	curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+	else  \
+	curl -L -o  binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+	fi
 
 RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils_2.30-22_${TARGETARCH}.deb \
 	&& curl -L -o libbinutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/libbinutils_2.30-22_${TARGETARCH}.deb \

docker/driver-loader-buster/docker-entrypoint.sh

@@ -21,7 +21,7 @@
 print_usage() {
 	echo ""
 	echo "Usage:"
-	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader-legacy:latest [driver] [options]"
+	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest-buster [driver] [options]"
 	echo ""
 	echo "Available drivers:"
 	echo "  auto	       leverage automatic driver selection logic (default)"

docker/driver-loader/Dockerfile

@@ -1,14 +1,46 @@
 ARG FALCO_IMAGE_TAG=latest
-FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}
+FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}-debian
 
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 
-LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest [driver] [options]"
 
 ENV HOST_ROOT /host
 ENV HOME /root
 
+RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+
+RUN apt-get update \
+	&& apt-get install -y --no-install-recommends \
+	bc \
+	bison \
+	ca-certificates \
+	clang \
+	curl \
+	dkms \
+	dwarves \
+	flex \
+	gcc \
+	gcc-11 \
+	gnupg2 \
+	jq \
+	libc6-dev \
+	libssl-dev \
+	llvm \
+	make \
+	netcat-openbsd \
+	patchelf \
+	xz-utils \
+	zstd \
+	&& rm -rf /var/lib/apt/lists/*
+
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+
 COPY ./docker-entrypoint.sh /
 
 ENTRYPOINT ["/docker-entrypoint.sh"]

docker/driver-loader/docker-entrypoint.sh

@@ -50,6 +50,7 @@ echo "* Setting up /usr/src links from host"
 
 for i in "$HOST_ROOT/usr/src"/*
 do
+    [[ -e $i ]] || continue
     base=$(basename "$i")
     ln -s "$i" "/usr/src/$base"
 done

docker/falco-debian/Dockerfile

@@ -0,0 +1,31 @@
+FROM debian:12-slim
+
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco/docker/falco-debian"
+
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /proc:/host/proc:ro -v /etc:/host/etc:ro falcosecurity/falco:latest-debian"
+
+ARG FALCO_VERSION
+ARG VERSION_BUCKET=deb
+
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV VERSION_BUCKET=${VERSION_BUCKET}
+
+ENV HOST_ROOT /host
+ENV HOME /root
+
+RUN apt-get -y update && apt-get -y install ca-certificates curl jq ca-certificates gnupg2 \
+	&& apt clean -y && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /
+
+RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
+	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+	&& apt-get update -y \
+	&& if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+	&& apt-get clean \
+	&& rm -rf /var/lib/apt/lists/*
+
+RUN sed -i -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' /etc/falco/falco.yaml
+
+CMD ["/usr/bin/falco"]

docker/falco/Dockerfile

@@ -1,67 +1,36 @@
-FROM debian:bookworm
+FROM cgr.dev/chainguard/wolfi-base
 
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 
-LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /proc:/host/proc:ro  -v /etc:/host/etc:ro falcosecurity/falco:latest"
+# NOTE: for the "least privileged" use case, please refer to the official documentation
 
-ARG TARGETARCH
-
-ARG FALCO_VERSION=latest
-ARG VERSION_BUCKET=deb
-ENV VERSION_BUCKET=${VERSION_BUCKET}
+ARG FALCO_VERSION
+ARG VERSION_BUCKET=bin
 
 ENV FALCO_VERSION=${FALCO_VERSION}
+ENV VERSION_BUCKET=${VERSION_BUCKET}
 ENV HOST_ROOT /host
 ENV HOME /root
 
-RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+RUN apk update && apk add curl ca-certificates jq libstdc++
 
-RUN apt-get update \
-	&& apt-get install -y --no-install-recommends \
-	bc \
-	bison \
-	ca-certificates \
-	clang \
-	curl \
-	dkms \
-	dwarves \
-	flex \
-	gcc \
-	gcc-11 \
-	gnupg2 \
-	jq \
-	libc6-dev \
-	libelf-dev \
-	libssl-dev \
-	llvm \
-	make \
-	netcat-openbsd \
-	patchelf \
-	xz-utils \
-	zstd \
-	&& rm -rf /var/lib/apt/lists/*
+WORKDIR /
 
-RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
-	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
-	&& apt-get update -y \
-	&& if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
-	&& apt-get clean \
-	&& rm -rf /var/lib/apt/lists/*
+RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
+    curl -L -o falco.tar.gz \
+    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-${FALCO_VERSION_URLENCODED}-$(uname -m).tar.gz && \
+    tar -xvf falco.tar.gz && \
+    rm -f falco.tar.gz && \
+    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
+    rm -rf /falco/usr/src/falco-* && \
+    cp -r /falco/* / && \
+    rm -rf /falco
 
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+RUN sed -i -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' /etc/falco/falco.yaml
 
-# Some base images have an empty /lib/modules by default
-# If it's not empty, docker build will fail instead of
-# silently overwriting the existing directory
-RUN rm -df /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
+# Falcoctl is not included here.
+RUN rm -rf /usr/bin/falcoctl /etc/falcoctl/
 
 CMD ["/usr/bin/falco"]

docker/falco/docker-entrypoint.sh

@@ -1,136 +0,0 @@
-#!/usr/bin/env bash
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-
-print_usage() {
-	echo ""
-	echo "Usage:"
-	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro -e 'FALCO_DRIVER_LOADER_OPTIONS=[driver] [options]' falcosecurity/falco:latest"
-	echo ""
-	echo "Available FALCO_DRIVER_LOADER_OPTIONS drivers:"
-	echo "  auto	       leverage automatic driver selection logic (default)"
-	echo "  modern_ebpf    modern eBPF CORE probe"
-	echo "  kmod           kernel module"
-	echo "  ebpf           eBPF probe"
-	echo ""
-	echo "FALCO_DRIVER_LOADER_OPTIONS options:"
-	echo "  --help           show this help message"
-	echo "  --clean          try to remove an already present driver installation"
-	echo "  --compile        try to compile the driver locally (default true)"
-	echo "  --download       try to download a prebuilt driver (default true)"
- 	echo "  --http-insecure	 enable insecure downloads"
-	echo "  --print-env      skip execution and print env variables for other tools to consume"
-	echo ""
-	echo "Environment variables:"
-	echo "  FALCOCTL_DRIVER_REPOS         specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
-	echo "  FALCOCTL_DRIVER_NAME          specify a different name for the driver"
-	echo "  FALCOCTL_DRIVER_HTTP_HEADERS  specify comma separated list of http headers for driver download (e.g. 'x-emc-namespace: default,Proxy-Authenticate: Basic')"
-	echo ""
-}
-
-# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
-
-if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
-    echo "* Setting up /usr/src links from host"
-
-    for i in "$HOST_ROOT/usr/src"/*
-    do
-        base=$(basename "$i")
-        ln -s "$i" "/usr/src/$base"
-    done
-
-    # convert the optional space-separated env variable FALCO_DRIVER_LOADER_OPTIONS to array, prevent 
-    # shell expansion and use it as argument list for falcoctl
-    read -a falco_driver_loader_option_arr <<< $FALCO_DRIVER_LOADER_OPTIONS
-
-    ENABLE_COMPILE="false"
-    ENABLE_DOWNLOAD="false"
-    HTTP_INSECURE="false"
-    driver=
-    has_opts=
-    for opt in "${falco_driver_loader_option_arr[@]}"
-    do
-        case "$opt" in
-            auto|kmod|ebpf|modern_ebpf)
-                if [ -n "$driver" ]; then
-                    >&2 echo "Only one driver per invocation"
-                    print_usage
-                    exit 1
-                else
-                    driver=$opt
-                fi
-                ;;
-            -h|--help)
-                print_usage
-                exit 0
-                ;;    
-            --clean)
-                /usr/bin/falcoctl driver cleanup
-                exit 0
-                ;;
-            --compile)
-                ENABLE_COMPILE="true"
-                has_opts="true"
-                ;;
-            --download)
-                ENABLE_DOWNLOAD="true"
-                has_opts="true"
-                ;;
-            --http-insecure)
-                HTTP_INSECURE="true"
-                ;;
-            --print-env)
-                /usr/bin/falcoctl driver printenv
-                exit 0
-                ;;
-            --*)
-                >&2 echo "Unknown option: $opt"
-                print_usage
-                exit 1
-                ;;
-            *)
-                >&2 echo "Unknown driver: $opt"
-                print_usage
-                exit 1
-                ;;
-        esac
-    done
-
-    # No opts passed, enable both compile and download
-    if [ -z "$has_opts" ]; then
-        ENABLE_COMPILE="true"
-        ENABLE_DOWNLOAD="true"
-    fi
-
-    # Default value: auto
-    if [ -z "$driver" ]; then
-      driver="auto"
-    fi
-
-    if [ "$driver" != "auto" ]; then
-      /usr/bin/falcoctl driver config --type $driver
-    else
-      # Needed because we need to configure Falco to start with correct driver
-      /usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf
-    fi
-    /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS"
-
-fi
-
-exec "$@"

docker/no-driver/Dockerfile

@@ -1,39 +0,0 @@
-FROM debian:12 as builder
-
-ARG FALCO_VERSION
-ARG VERSION_BUCKET=bin
-
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV VERSION_BUCKET=${VERSION_BUCKET}
-
-RUN apt-get -y update && apt-get -y install gridsite-clients curl ca-certificates
-
-WORKDIR /
-
-RUN curl -L -o falco.tar.gz \
-    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-$(urlencode ${FALCO_VERSION})-$(uname -m).tar.gz && \
-    tar -xvf falco.tar.gz && \
-    rm -f falco.tar.gz && \
-    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
-    rm -rf /falco/usr/src/falco-*
-
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
-    && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
-
-FROM debian:12-slim
-
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
-
-LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
-# NOTE: for the "least privileged" use case, please refer to the official documentation
-
-RUN apt-get -y update && apt-get -y install ca-certificates curl jq libelf1 \
-    && apt clean -y && rm -rf /var/lib/apt/lists/*
-
-ENV HOST_ROOT /host
-ENV HOME /root
-
-COPY --from=builder /falco /
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/no-driver/Dockerfile.distroless

@@ -1,40 +0,0 @@
-FROM cgr.dev/chainguard/wolfi-base as builder
-
-ARG FALCO_VERSION
-ARG VERSION_BUCKET=bin
-
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV VERSION_BUCKET=${VERSION_BUCKET}
-
-RUN apk update && apk add build-base gcc curl ca-certificates jq elfutils
-
-WORKDIR /
-
-RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
-    curl -L -o falco.tar.gz \
-    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-${FALCO_VERSION_URLENCODED}-$(uname -m).tar.gz && \
-    tar -xvf falco.tar.gz && \
-    rm -f falco.tar.gz && \
-    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
-    rm -rf /falco/usr/src/falco-*
-
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
-    && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
-
-FROM cgr.dev/chainguard/wolfi-base
-
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
-
-LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
-# NOTE: for the "least privileged" use case, please refer to the official documentation
-
-RUN apk update && apk add libelf libstdc++
-
-ENV HOST_ROOT /host
-ENV HOME /root
-
-USER root
-COPY --from=builder /falco /
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

falco.yaml

@@ -480,6 +480,14 @@ plugins:
   - name: json
     library_path: libjson.so
 
+# [Sandbox] `plugins_hostinfo`
+#
+# Uncomment to disable host info support for source plugins
+# that DO NOT generate raw events from the libscap event table
+# or for plugins that DO NOT parse raw events generated by drivers,
+# effectively dropping the `proc-fs` hostPath volume requirement for them:
+# https://github.com/falcosecurity/charts/blob/bd57711e7c8e00919ea288716e0d9d5fdad8867e/charts/falco/templates/pod-template.tpl#L302-L304
+# plugins_hostinfo: false
 
 ##########################
 # Falco outputs settings #
@@ -492,6 +500,13 @@ plugins:
 # the /etc/localtime configuration.
 time_format_iso_8601: false
 
+# [Incubating] `buffer_format_base64`
+#
+# When enabled, Falco will output data buffer with base64 encoding. This is useful
+# for encoding binary data that needs to be used over media designed to consume
+# this format.
+buffer_format_base64: false
+
 # [Stable] `priority`
 #
 # Any rule with a priority level more severe than or equal to the specified
@@ -538,9 +553,14 @@ json_include_tags_property: true
 
 # [Stable] `buffered_outputs`
 #
-# Enabling buffering for the output queue can offer performance optimization,
-# efficient resource usage, and smoother data flow, resulting in a more reliable
-# output mechanism. By default, buffering is disabled (false).
+# Global buffering option for output channels. When disabled, the output channel
+# that supports buffering flushes the output buffer on every alert. This can lead to 
+# increased CPU usage but is useful when piping outputs to another process or script. 
+# Buffering is currently supported by `file_output`, `program_output`, and `std_output`. 
+# Some output channels may implement buffering strategies you cannot control. 
+# Additionally, this setting is separate from the `output_queue` option. The output queue 
+# sits between the rule engine and the output channels, while output buffering occurs 
+# afterward once the specific channel implementation outputs the formatted message.
 buffered_outputs: false
 
 # [Incubating] `rule_matching`
@@ -568,7 +588,7 @@ rule_matching: first
 #
 # Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter
 # allows you to customize the queue capacity. Please refer to the official documentation:
-# https://oneapi-src.github.io/oneTBB/main/tbb_userguide/Concurrent_Queue_Classes.html.
+# https://uxlfoundation.github.io/oneTBB/main/tbb_userguide/Concurrent_Queue_Classes.html.
 # On a healthy system with optimized Falco rules, the queue should not fill up.
 # If it does, it is most likely happening due to the entire event flow being too slow,
 # indicating that the server is under heavy load.
@@ -611,6 +631,7 @@ outputs_queue:
 #             affect the regular Falco message in any way. These can be specified as a
 #             custom name with a custom format or as any supported field
 #             (see: https://falco.org/docs/reference/rules/supported-fields/)
+#   `suggested_output`: enable the use of extractor plugins suggested fields for the matching source output.
 #
 # Example:
 # 
@@ -627,6 +648,13 @@ outputs_queue:
 # property you will find three new ones: "evt.cpu", "home_directory" which will contain the value of the
 # environment variable $HOME, and "evt.hostname" which will contain the hostname.
 
+# By default, we enable suggested_output for any source.
+# This means that any extractor plugin that indicates some of its fields
+# as suggested output formats, will see these fields in the output
+# in the form "foo_bar=$foo.bar"
+append_output:
+  - suggested_output: true
+
 
 ##########################
 # Falco outputs channels #
@@ -1096,6 +1124,8 @@ syscall_event_drops:
 # there will be no metrics available. In other words, there are no default or 
 # generic plugin metrics at this time. This may be subject to change.
 #
+# `jemalloc_stats_enabled`: Falco can now expose jemalloc related stats.
+#
 # If metrics are enabled, the web server can be configured to activate the
 # corresponding Prometheus endpoint using `webserver.prometheus_metrics_enabled`.
 # Prometheus output can be used in combination with the other output options.
@@ -1117,6 +1147,7 @@ metrics:
   kernel_event_counters_per_cpu_enabled: false
   libbpf_stats_enabled: true
   plugins_metrics_enabled: true
+  jemalloc_stats_enabled: false
   convert_memory_to_mb: true
   include_empty_values: false
 
@@ -1155,6 +1186,14 @@ metrics:
 # Falco, the `base_syscalls` option allows for finer end-user control of
 # syscalls traced by Falco.
 #
+# --- [base_syscalls.all]
+#
+# `base_syscalls.all` enables monitoring of all events supported by Falco and
+# defined in rules and configs.
+# By default some events, such as `write`, are ignored (run `falco -i` to get
+# the full list) unless base_syscalls.all is true.
+# This option may negatively impact performance.
+#
 # --- [base_syscalls.custom_set]
 #
 # CAUTION: Misconfiguration of this setting may result in incomplete Falco event
@@ -1259,8 +1298,15 @@ base_syscalls:
 # `metrics.state_counters_enabled` to measure how the internal state handling is performing, 
 # and the fields called `n_drops_full_threadtable` or `n_store_evts_drops` will inform you
 # if you should increase this value for optimal performance.
+#
+# `snaplen`
+#
+# Set how many bytes are collected of each I/O buffer for 'syscall' events.
+# Use this option with caution since it can have a strong performance impact.
+#
 falco_libs:
   thread_table_size: 262144
+  snaplen: 80
 
 # [Incubating] `container_engines`
 #
@@ -1284,8 +1330,6 @@ falco_libs:
 # - `container_engines.cri.disable_async`: Since API lookups may not always be quick or 
 # perfect, resulting in empty fields for container metadata, you can use this option option 
 # to disable asynchronous fetching. Note that missing fields may still occasionally occur.
-# 
-# The equivalent (stable) CLI args are `--cri` or `--disable-cri-async`.
 
 container_engines:
   docker:

unit_tests/engine/test_alt_rule_loader.cpp

@@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+#include <memory>
 #include <string>
 
 #include <gtest/gtest.h>
@@ -41,7 +42,10 @@ struct test_object_info {
 
 struct test_compile_output : public rule_loader::compile_output {
 	test_compile_output() = default;
-	~test_compile_output() = default;
+	virtual ~test_compile_output() = default;
+	virtual std::unique_ptr<compile_output> clone() const override {
+		return std::make_unique<test_compile_output>(*this);
+	}
 
 	std::set<std::string> defined_test_properties;
 };
@@ -320,3 +324,33 @@ TEST(engine_loader_alt_loader, falco_engine_alternate_loader) {
 	EXPECT_TRUE(defined_properties.find("other-value") != defined_properties.end());
 	EXPECT_TRUE(defined_properties.find("not-exists-value") == defined_properties.end());
 };
+
+TEST(engine_loader_alt_loader, clone_compile_output) {
+	sinsp inspector;
+	sinsp_filter_check_list filterchecks;
+	indexed_vector<falco_source> sources;
+
+	std::shared_ptr<rule_loader::configuration> cfg =
+	        create_configuration(inspector, filterchecks, sources);
+
+	test_reader reader;
+	test_collector collector;
+	test_compiler compiler;
+
+	EXPECT_TRUE(reader.read(*cfg, collector));
+
+	std::unique_ptr<rule_loader::compile_output> compile_output = compiler.new_compile_output();
+
+	compiler.compile(*cfg, collector, *compile_output);
+
+	const test_compile_output& original_ref =
+	        dynamic_cast<const test_compile_output&>(*(compile_output.get()));
+
+	std::unique_ptr<rule_loader::compile_output> copy = compile_output->clone();
+	const test_compile_output& copy_ref = dynamic_cast<const test_compile_output&>(*(copy.get()));
+
+	EXPECT_EQ(copy_ref.lists, original_ref.lists);
+	EXPECT_EQ(copy_ref.macros, original_ref.macros);
+	EXPECT_EQ(copy_ref.rules, original_ref.rules);
+	EXPECT_EQ(copy_ref.defined_test_properties, original_ref.defined_test_properties);
+}

unit_tests/engine/test_rule_loader.cpp

@@ -1222,3 +1222,108 @@ TEST_F(test_falco_engine, exceptions_fields_transformer_space_quoted) {
 	EXPECT_EQ(get_compiled_rule_condition("test_rule"),
 	          "(evt.type = open and not tolower(proc.name) = test)");
 }
+
+TEST_F(test_falco_engine, redefine_rule_different_source) {
+	auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: ka.verb = GET
+  output: some output
+  priority: INFO
+  source: k8s_audit
+
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: and 1 = 2
+  output: Some output
+  priority: INFO
+  source: syscall
+)END";
+
+	ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
+	ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
+}
+
+TEST_F(test_falco_engine, append_across_sources) {
+	auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: ka.verb = GET
+  output: some output
+  priority: INFO
+  source: k8s_audit
+
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: and 1 = 2
+  output: Some output
+  priority: INFO
+  source: syscall
+  append: true
+)END";
+
+	ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
+	ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
+}
+
+TEST_F(test_falco_engine, selective_replace_across_sources) {
+	auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: ka.verb = GET
+  output: some output
+  priority: INFO
+  source: k8s_audit
+
+- rule: LD_PRELOAD trick
+  condition: 1 = 2
+  override:
+    condition: replace
+  source: syscall
+)END";
+
+	ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
+	ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
+}
+
+TEST_F(test_falco_engine, empty_source_addl_rule) {
+	auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: evt.type=execve
+  output: some output
+  priority: INFO
+  source: syscall
+
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: and proc.name=apache
+  output: Some output
+  priority: INFO
+  source:
+  append: true
+)END";
+
+	EXPECT_TRUE(load_rules(rules_content, "rules.yaml"));
+}
+
+TEST_F(test_falco_engine, empty_string_source_addl_rule) {
+	auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: evt.type=execve
+  output: some output
+  priority: INFO
+  source: syscall
+
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: and proc.name=apache
+  output: Some output
+  priority: INFO
+  source: ""
+  append: true
+)END";
+
+	EXPECT_TRUE(load_rules(rules_content, "rules.yaml"));
+}

unit_tests/falco/app/actions/test_configure_interesting_sets.cpp

@@ -528,10 +528,47 @@ TEST_F(test_falco_engine, selection_empty_custom_base_set_repair) {
 	ASSERT_EQ(s7.selected_sc_set.size(), s7_state_set.size());
 }
 
+TEST_F(test_falco_engine, selection_base_syscalls_all) {
+	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
+
+	falco::app::state s7;
+	s7.engine = m_engine;
+
+	// simulate empty custom set but repair option set.
+	s7.config->m_base_syscalls_custom_set = {};
+	s7.config->m_base_syscalls_repair = true;
+	s7.config->m_base_syscalls_all = true;
+	auto result = falco::app::actions::configure_interesting_sets(s7);
+	auto s7_rules_set = s7.engine->sc_codes_for_ruleset(s_sample_source, s_sample_ruleset);
+	ASSERT_TRUE(result.success);
+	ASSERT_EQ(result.errstr, "");
+	auto selected_sc_names = libsinsp::events::sc_set_to_event_names(s7.selected_sc_set);
+	auto expected_sc_names = strset_t({// note: expecting syscalls from mock rules and
+	                                   // `sinsp_repair_state_sc_set` enforced syscalls
+	                                   "connect",
+	                                   "accept",
+	                                   "accept4",
+	                                   "umount2",
+	                                   "open",
+	                                   "ptrace",
+	                                   "mmap",
+	                                   "execve",
+	                                   "procexit",
+	                                   "bind",
+	                                   "socket",
+	                                   "clone3",
+	                                   "close",
+	                                   "setuid"});
+	ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);
+	auto s7_state_set = libsinsp::events::sinsp_repair_state_sc_set(s7_rules_set);
+	ASSERT_EQ(s7.selected_sc_set, s7_state_set);
+	ASSERT_EQ(s7.selected_sc_set.size(), s7_state_set.size());
+}
+
 TEST(ConfigureInterestingSets, ignored_set_expected_size) {
 	// unit test fence to make sure we don't have unexpected regressions
 	// in the ignored set, to be updated in the future
-	ASSERT_EQ(falco::app::ignored_sc_set().size(), 14);
+	ASSERT_EQ(falco::app::ignored_sc_set().size(), 12);
 
 	// we don't expect to ignore any syscall in the default base set
 	ASSERT_EQ(falco::app::ignored_sc_set().intersect(libsinsp::events::sinsp_state_sc_set()).size(),

userspace/engine/falco_engine_version.h

@@ -20,7 +20,7 @@ limitations under the License.
 
 // The version of this Falco engine
 #define FALCO_ENGINE_VERSION_MAJOR 0
-#define FALCO_ENGINE_VERSION_MINOR 43
+#define FALCO_ENGINE_VERSION_MINOR 46
 #define FALCO_ENGINE_VERSION_PATCH 0
 
 #define FALCO_ENGINE_VERSION                                                               \
@@ -36,4 +36,4 @@ limitations under the License.
 // It represents the fields supported by this version of Falco,
 // the event types, and the underlying driverevent schema. It's used to
 // detetect changes in engine version in our CI jobs.
-#define FALCO_ENGINE_CHECKSUM "8a7f383c1e7682c484096bb6a5cb68c29b818acbe65fa2854acbcc98277fd7e0"
+#define FALCO_ENGINE_CHECKSUM "24861acb14c5b9f7d293dd37d1623949135e1a865f2d813cbd660212b71ada33"

userspace/engine/falco_rule.h

@@ -35,6 +35,11 @@ struct falco_list {
 	falco_list& operator=(const falco_list&) = default;
 	~falco_list() = default;
 
+	bool operator==(const falco_list& rhs) const {
+		return (this->used == rhs.used && this->id == rhs.id && this->name == rhs.name &&
+		        this->items == rhs.items);
+	}
+
 	bool used;
 	std::size_t id;
 	std::string name;
@@ -53,6 +58,14 @@ struct falco_macro {
 	falco_macro& operator=(const falco_macro&) = default;
 	~falco_macro() = default;
 
+	bool operator==(const falco_macro& rhs) const {
+		// Note this only ensures that the shared_ptrs are
+		// pointing to the same underlying memory, not that
+		// they are logically equal.
+		return (this->used == rhs.used && this->id == rhs.id && this->name == rhs.name &&
+		        this->condition.get() == rhs.condition.get());
+	}
+
 	bool used;
 	std::size_t id;
 	std::string name;
@@ -71,6 +84,17 @@ struct falco_rule {
 	falco_rule& operator=(const falco_rule&) = default;
 	~falco_rule() = default;
 
+	bool operator==(const falco_rule& rhs) const {
+		// Note this only ensures that the shared_ptrs are
+		// pointing to the same underlying memory, not that
+		// they are logically equal.
+		return (this->id == rhs.id && this->source == rhs.source && this->name == rhs.name &&
+		        this->description == rhs.description && this->output == rhs.output &&
+		        this->tags == rhs.tags && this->exception_fields == rhs.exception_fields &&
+		        this->priority == rhs.priority && this->condition.get() == rhs.condition.get() &&
+		        this->filter.get() == rhs.filter.get());
+	}
+
 	std::size_t id;
 	std::string source;
 	std::string name;

userspace/engine/falco_utils.cpp

@@ -23,7 +23,7 @@ limitations under the License.
 
 #include <re2/re2.h>
 #if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
-#include <openssl/sha.h>
+#include <openssl/evp.h>
 #endif
 #include <cstring>
 #include <fstream>
@@ -144,22 +144,22 @@ std::string calculate_file_sha256sum(const std::string& filename) {
 		return "";
 	}
 
-	SHA256_CTX sha256_context;
-	SHA256_Init(&sha256_context);
+	std::unique_ptr<EVP_MD_CTX, decltype(&EVP_MD_CTX_free)> ctx(EVP_MD_CTX_new(), EVP_MD_CTX_free);
+	EVP_DigestInit_ex(ctx.get(), EVP_sha256(), nullptr);
 
 	constexpr size_t buffer_size = 4096;
 	char buffer[buffer_size];
 	while(file.read(buffer, buffer_size)) {
-		SHA256_Update(&sha256_context, buffer, buffer_size);
+		EVP_DigestUpdate(ctx.get(), buffer, buffer_size);
 	}
-	SHA256_Update(&sha256_context, buffer, file.gcount());
+	EVP_DigestUpdate(ctx.get(), buffer, file.gcount());
 
-	unsigned char digest[SHA256_DIGEST_LENGTH];
-	SHA256_Final(digest, &sha256_context);
+	std::vector<uint8_t> digest(EVP_MD_size(EVP_sha256()));
+	EVP_DigestFinal_ex(ctx.get(), digest.data(), nullptr);
 
-	std::stringstream ss;
-	for(int i = 0; i < SHA256_DIGEST_LENGTH; ++i) {
-		ss << std::hex << std::setw(2) << std::setfill('0') << static_cast<unsigned>(digest[i]);
+	std::ostringstream ss;
+	for(auto& c : digest) {
+		ss << std::hex << std::setw(2) << std::setfill('0') << (int)c;
 	}
 	return ss.str();
 }

userspace/engine/indexable_ruleset.h

@@ -85,11 +85,15 @@ public:
 		return m_rulesets[ruleset_id]->event_codes();
 	}
 
-	void enable(const std::string &pattern, match_type match, uint16_t ruleset_id) override {
+	virtual void enable(const std::string &pattern,
+	                    match_type match,
+	                    uint16_t ruleset_id) override {
 		enable_disable(pattern, match, true, ruleset_id);
 	}
 
-	void disable(const std::string &pattern, match_type match, uint16_t ruleset_id) override {
+	virtual void disable(const std::string &pattern,
+	                     match_type match,
+	                     uint16_t ruleset_id) override {
 		enable_disable(pattern, match, false, ruleset_id);
 	}
 

userspace/engine/indexed_vector.h

@@ -34,6 +34,9 @@ public:
 	indexed_vector& operator=(indexed_vector&&) = default;
 	indexed_vector(const indexed_vector&) = default;
 	indexed_vector& operator=(const indexed_vector&) = default;
+	bool operator==(const indexed_vector& rhs) const {
+		return (this->m_entries == rhs.m_entries && this->m_index == rhs.m_index);
+	}
 
 	/*!
 	    \brief Returns the number of elements

userspace/engine/rule_loader.h

@@ -250,7 +250,7 @@ public:
 	                 const context& ctx);
 
 	void set_schema_validation_status(const std::vector<std::string>& status);
-	std::string schema_validation();
+	std::string schema_validation() override;
 
 protected:
 	const std::string& as_summary_string();
@@ -488,6 +488,7 @@ struct rule_update_info {
 	context cond_ctx;
 	std::string name;
 	std::optional<std::string> cond;
+	std::string source;
 	std::optional<std::string> output;
 	std::optional<std::string> desc;
 	std::optional<std::set<std::string>> tags;

userspace/engine/rule_loader_collector.cpp

@@ -182,10 +182,8 @@ void rule_loader::collector::append(configuration& cfg, macro_info& info) {
 }
 
 void rule_loader::collector::define(configuration& cfg, rule_info& info) {
-	const auto* prev = m_rule_infos.at(info.name);
-	THROW(prev && prev->source != info.source,
-	      "Rule has been re-defined with a different source",
-	      info.ctx);
+	auto prev = find_prev_rule(info);
+	(void)prev;
 
 	const auto* source = cfg.sources.at(info.source);
 	if(!source) {
@@ -205,7 +203,7 @@ void rule_loader::collector::define(configuration& cfg, rule_info& info) {
 }
 
 void rule_loader::collector::append(configuration& cfg, rule_update_info& info) {
-	auto prev = m_rule_infos.at(info.name);
+	auto prev = find_prev_rule(info);
 
 	THROW(!prev, ERROR_NO_PREVIOUS_RULE_APPEND, info.ctx);
 	THROW(!info.has_any_value(),
@@ -275,7 +273,7 @@ void rule_loader::collector::append(configuration& cfg, rule_update_info& info)
 }
 
 void rule_loader::collector::selective_replace(configuration& cfg, rule_update_info& info) {
-	auto prev = m_rule_infos.at(info.name);
+	auto prev = find_prev_rule(info);
 
 	THROW(!prev, ERROR_NO_PREVIOUS_RULE_REPLACE, info.ctx);
 	THROW(!info.has_any_value(),
@@ -330,6 +328,19 @@ void rule_loader::collector::selective_replace(configuration& cfg, rule_update_i
 	replace_info(prev, info, m_cur_index++);
 }
 
+template<typename ruleInfo>
+rule_loader::rule_info* rule_loader::collector::find_prev_rule(ruleInfo& info) {
+	auto ret = m_rule_infos.at(info.name);
+
+	// Throw an error if both the original rule and current rule
+	// have the same name and explicitly have different sources.
+	THROW(ret && (ret->source != "" && info.source != "" && ret->source != info.source),
+	      "Rule has been re-defined with a different source",
+	      info.ctx);
+
+	return ret;
+}
+
 void rule_loader::collector::enable(configuration& cfg, rule_info& info) {
 	auto prev = m_rule_infos.at(info.name);
 	THROW(!prev, "Rule has 'enabled' key but no rule by that name already exists", info.ctx);

userspace/engine/rule_loader_collector.h

@@ -97,6 +97,9 @@ public:
 	virtual void selective_replace(configuration& cfg, rule_update_info& info);
 
 private:
+	template<typename ruleInfo>
+	rule_info* find_prev_rule(ruleInfo& info);
+
 	uint32_t m_cur_index;
 	indexed_vector<rule_info> m_rule_infos;
 	indexed_vector<macro_info> m_macro_infos;

userspace/engine/rule_loader_compile_output.h

@@ -20,6 +20,8 @@ limitations under the License.
 #include "indexed_vector.h"
 #include "falco_rule.h"
 
+#include <memory>
+
 namespace rule_loader {
 struct compile_output {
 	compile_output() = default;
@@ -29,6 +31,10 @@ struct compile_output {
 	compile_output(const compile_output&) = default;
 	compile_output& operator=(const compile_output&) = default;
 
+	virtual std::unique_ptr<compile_output> clone() const {
+		return std::make_unique<compile_output>(*this);
+	};
+
 	indexed_vector<falco_list> lists;
 	indexed_vector<falco_macro> macros;
 	indexed_vector<falco_rule> rules;

userspace/engine/rule_loader_reader.cpp

@@ -53,7 +53,8 @@ static void decode_val_generic(const YAML::Node& item,
                                const char* key,
                                T& out,
                                const rule_loader::context& ctx,
-                               bool optional) {
+                               bool optional,
+                               bool can_be_empty) {
 	const YAML::Node& val = item[key];
 
 	if(!val.IsDefined() && optional) {
@@ -61,10 +62,19 @@ static void decode_val_generic(const YAML::Node& item,
 	}
 
 	THROW(!val.IsDefined(), std::string("Item has no mapping for key '") + key + "'", ctx);
+	if(val.IsNull() && can_be_empty) {
+		return;
+	}
+
 	THROW(val.IsNull(), std::string("Mapping for key '") + key + "' is empty", ctx);
 
 	rule_loader::context valctx(val, rule_loader::context::VALUE_FOR, key, ctx);
 	THROW(!val.IsScalar(), "Value is not a scalar value", valctx);
+
+	if(val.Scalar().empty() && can_be_empty) {
+		return;
+	}
+
 	THROW(val.Scalar().empty(), "Value must be non-empty", valctx);
 
 	THROW(!YAML::convert<T>::decode(val, out), "Can't decode YAML scalar value", valctx);
@@ -75,9 +85,10 @@ static void decode_val_generic(const YAML::Node& item,
                                const char* key,
                                std::optional<T>& out,
                                const rule_loader::context& ctx,
-                               bool optional) {
+                               bool optional,
+                               bool can_be_empty) {
 	T decoded;
-	decode_val_generic(item, key, decoded, ctx, optional);
+	decode_val_generic(item, key, decoded, ctx, optional, can_be_empty);
 	out = decoded;
 }
 
@@ -87,8 +98,9 @@ void rule_loader::reader::decode_val(const YAML::Node& item,
                                      T& out,
                                      const rule_loader::context& ctx) {
 	bool optional = false;
+	bool can_be_empty = false;
 
-	decode_val_generic(item, key, out, ctx, optional);
+	decode_val_generic(item, key, out, ctx, optional, can_be_empty);
 }
 
 template void rule_loader::reader::decode_val<std::string>(const YAML::Node& item,
@@ -102,8 +114,20 @@ void rule_loader::reader::decode_optional_val(const YAML::Node& item,
                                               T& out,
                                               const rule_loader::context& ctx) {
 	bool optional = true;
+	bool can_be_empty = false;
 
-	decode_val_generic(item, key, out, ctx, optional);
+	decode_val_generic(item, key, out, ctx, optional, can_be_empty);
+}
+
+template<typename T>
+void rule_loader::reader::decode_optional_empty_val(const YAML::Node& item,
+                                                    const char* key,
+                                                    T& out,
+                                                    const rule_loader::context& ctx) {
+	bool optional = true;
+	bool can_be_empty = true;
+
+	decode_val_generic(item, key, out, ctx, optional, can_be_empty);
 }
 
 template void rule_loader::reader::decode_optional_val<std::string>(
@@ -591,6 +615,9 @@ void rule_loader::reader::read_item(rule_loader::configuration& cfg,
 
 		rule_loader::context ctx(item, rule_loader::context::RULE, name, parent);
 
+		std::string source = "";
+		decode_optional_empty_val(item, "source", source, ctx);
+
 		bool has_append_flag = false;
 		decode_optional_val(item, "append", has_append_flag, ctx);
 		if(has_append_flag) {
@@ -648,6 +675,7 @@ void rule_loader::reader::read_item(rule_loader::configuration& cfg,
 				                         "append",
 				                         "condition",
 				                         ctx)) {
+					v.source = source;
 					decode_val(item, "condition", v.cond, ctx);
 				}
 
@@ -682,6 +710,7 @@ void rule_loader::reader::read_item(rule_loader::configuration& cfg,
 				                         "replace",
 				                         "condition",
 				                         ctx)) {
+					v.source = source;
 					decode_val(item, "condition", v.cond, ctx);
 				}
 
@@ -765,6 +794,7 @@ void rule_loader::reader::read_item(rule_loader::configuration& cfg,
 		} else if(has_append_flag) {
 			rule_loader::rule_update_info v(ctx);
 			v.name = name;
+			v.source = source;
 
 			if(item["condition"].IsDefined()) {
 				v.cond_ctx = rule_loader::context(item["condition"],

userspace/engine/rule_loader_reader.h

@@ -66,6 +66,11 @@ public:
 	                                const char* key,
 	                                T& out,
 	                                const rule_loader::context& ctx);
+	template<typename T>
+	static void decode_optional_empty_val(const YAML::Node& item,
+	                                      const char* key,
+	                                      T& out,
+	                                      const rule_loader::context& ctx);
 
 protected:
 	virtual void read_item(rule_loader::configuration& cfg,

userspace/falco/CMakeLists.txt

@@ -68,9 +68,13 @@ set(FALCO_INCLUDE_DIRECTORIES
 )
 
 set(FALCO_DEPENDENCIES cxxopts)
-
 set(FALCO_LIBRARIES falco_engine sinsp yaml-cpp)
 
+if(USE_JEMALLOC)
+	list(APPEND FALCO_DEPENDENCIES jemalloc)
+	list(APPEND FALCO_LIBRARIES ${JEMALLOC_LIB})
+endif()
+
 if(NOT WIN32)
 	target_sources(falco_application PRIVATE outputs_program.cpp outputs_syslog.cpp)
 endif()
@@ -96,6 +100,7 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
 	list(
 		APPEND
 		FALCO_INCLUDE_DIRECTORIES
+		FALCO_INCLUDE_DIRECTORIES
 		"${OPENSSL_INCLUDE_DIR}"
 		"${GRPC_INCLUDE}"
 		"${GRPCPP_INCLUDE}"
@@ -189,6 +194,25 @@ if(MUSL_OPTIMIZED_BUILD AND CMAKE_BUILD_TYPE STREQUAL "release")
 	)
 endif()
 
+# TODO: Add win32 support. https://github.com/falcosecurity/falco/issues/3445
+if(CMAKE_BUILD_TYPE STREQUAL "relwithdebinfo" AND NOT WIN32)
+	find_program(OBJCOPY_EXECUTABLE NAMES objcopy)
+	if(OBJCOPY_EXECUTABLE)
+		add_custom_command(
+			TARGET falco
+			POST_BUILD
+			COMMAND ${OBJCOPY_EXECUTABLE} --only-keep-debug $<TARGET_FILE:falco>
+					$<TARGET_FILE:falco>.debug
+			COMMAND ${OBJCOPY_EXECUTABLE} --strip-debug --strip-unneeded $<TARGET_FILE:falco>
+			COMMAND ${OBJCOPY_EXECUTABLE} --add-gnu-debuglink=$<TARGET_FILE:falco>.debug
+					$<TARGET_FILE:falco>
+			COMMENT "Generating separate debug file for falco"
+		)
+	else()
+		message(WARNING "objcopy not found; separate debug files will not be generated.")
+	endif()
+endif()
+
 if(EMSCRIPTEN)
 	install(
 		FILES "$<TARGET_FILE_DIR:falco>/falco.js" "$<TARGET_FILE_DIR:falco>/falco.wasm"

userspace/falco/app/actions/configure_interesting_sets.cpp

@@ -200,12 +200,22 @@ static void select_event_set(falco::app::state& s,
 		                          concat_set_in_order(non_rules_sc_set_names) + "\n");
 	}
 
-	/* -A flag behavior:
+	/* base_syscall.all / -A flag behavior:
 	 * (1) default: all syscalls in rules included, sinsp state enforcement
 	       without high volume syscalls
-	 * (2) -A flag set: all syscalls in rules included, sinsp state enforcement
+	 * (2) set: all syscalls in rules included, sinsp state enforcement
 	       and allowing high volume syscalls */
-	if(!s.options.all_events) {
+	bool all_events = false;
+	if(s.options.all_events) {
+		falco_logger::log(falco_logger::level::WARNING,
+		                  "The -A option is deprecated and will be removed. Use -o "
+		                  "base_syscalls.all=true instead.");
+		all_events = true;
+	}
+	if(s.config->m_base_syscalls_all) {
+		all_events = true;
+	}
+	if(!(s.options.all_events || s.config->m_base_syscalls_all)) {
 		auto ignored_sc_set = falco::app::ignored_sc_set();
 		auto erased_sc_set = s.selected_sc_set.intersect(ignored_sc_set);
 		s.selected_sc_set = s.selected_sc_set.diff(ignored_sc_set);

userspace/falco/app/actions/helpers_inspector.cpp

@@ -63,7 +63,9 @@ falco::app::run_result falco::app::actions::open_live_inspector(falco::app::stat
 					        "Opening '" + source + "' source with plugin '" + cfg->m_name + "'");
 					inspector->open_plugin(cfg->m_name,
 					                       cfg->m_open_params,
-					                       sinsp_plugin_platform::SINSP_PLATFORM_HOSTINFO);
+					                       s.config->m_plugins_hostinfo
+					                               ? sinsp_plugin_platform::SINSP_PLATFORM_HOSTINFO
+					                               : sinsp_plugin_platform::SINSP_PLATFORM_GENERIC);
 					return run_result::ok();
 				}
 			}

userspace/falco/app/actions/init_falco_engine.cpp

@@ -18,10 +18,47 @@ limitations under the License.
 #include "actions.h"
 #include <libsinsp/plugin_manager.h>
 #include <falco_common.h>
+#include <algorithm>
 
 using namespace falco::app;
 using namespace falco::app::actions;
 
+static inline std::string format_suggested_field(const filtercheck_field_info* info) {
+	std::ostringstream out;
+
+	// Replace "foo.bar" with "foo_bar"
+	auto name = info->m_name;
+	std::replace(name.begin(), name.end(), '.', '_');
+
+	// foo_bar=%foo.bar
+	out << name << "=%" << info->m_name;
+	return out.str();
+}
+
+static void add_suggested_output(const falco::app::state& s,
+                                 const std::string& src,
+                                 const falco_configuration::append_output_config& eo) {
+	auto src_info = s.source_infos.at(src);
+	if(!src_info) {
+		return;
+	}
+	auto& filterchecks = *src_info->filterchecks;
+	std::vector<const filter_check_info*> fields;
+	filterchecks.get_all_fields(fields);
+	for(const auto& fld : fields) {
+		for(int i = 0; i < fld->m_nfields; i++) {
+			const auto* fldinfo = &fld->m_fields[i];
+			if(fldinfo->is_format_suggested()) {
+				s.engine->add_extra_output_format(format_suggested_field(fldinfo),
+				                                  src,
+				                                  eo.m_tags,
+				                                  eo.m_rule,
+				                                  false);
+			}
+		}
+	}
+}
+
 void configure_output_format(falco::app::state& s) {
 	for(auto& eo : s.config->m_append_output) {
 		if(eo.m_format != "") {
@@ -32,6 +69,17 @@ void configure_output_format(falco::app::state& s) {
 			                                  false);
 		}
 
+		// Add suggested filtercheck formats to each source output
+		if(eo.m_suggested_output) {
+			if(eo.m_source.empty()) {
+				for(auto& src : s.loaded_sources) {
+					add_suggested_output(s, src, eo);
+				}
+			} else {
+				add_suggested_output(s, eo.m_source, eo);
+			}
+		}
+
 		for(auto const& ff : eo.m_formatted_fields) {
 			s.engine->add_extra_output_formatted_field(ff.first,
 			                                           ff.second,

userspace/falco/app/actions/init_inspectors.cpp

@@ -26,7 +26,18 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 static void init_syscall_inspector(falco::app::state& s, std::shared_ptr<sinsp> inspector) {
-	inspector->set_buffer_format(s.options.event_buffer_format);
+	sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
+	if(s.options.print_base64) {
+		falco_logger::log(falco_logger::level::WARNING,
+		                  "The -b/--print-base64 option is deprecated and will be removed. Use -o "
+		                  "buffer_format_base64=true instead.");
+		event_buffer_format = sinsp_evt::PF_BASE64;
+	}
+	if(s.config->m_buffer_format_base64) {
+		event_buffer_format = sinsp_evt::PF_BASE64;
+	}
+
+	inspector->set_buffer_format(event_buffer_format);
 
 	//
 	// Container engines
@@ -68,29 +79,23 @@ static void init_syscall_inspector(falco::app::state& s, std::shared_ptr<sinsp>
 		}
 	}
 
-	bool disable_cri_async =
-	        s.config->m_container_engines_disable_cri_async || s.options.disable_cri_async;
-	inspector->set_cri_async(!disable_cri_async);
-
-	if(disable_cri_async) {
+	inspector->set_cri_async(!s.config->m_container_engines_disable_cri_async);
+	if(s.config->m_container_engines_disable_cri_async) {
 		falco_logger::log(falco_logger::level::DEBUG, "Disabling async lookups for 'CRI'");
 	}
 
-	// Container engines configs via CLI args
-	// If required, set the CRI paths
-	for(auto& p : s.options.cri_socket_paths) {
-		if(!p.empty()) {
-			inspector->add_cri_socket_path(p);
-			falco_logger::log(falco_logger::level::DEBUG,
-			                  "Enabled container runtime socket at '" + p + "' via CLI args");
-		}
+	//
+	// If required, set the snaplen.
+	// In case both config and CLI options are specified, CLI takes precedence.
+	//
+	if(s.config->m_falco_libs_snaplen != 0) {
+		inspector->set_snaplen(s.config->m_falco_libs_snaplen);
 	}
-
-	//
-	// If required, set the snaplen
-	//
 	if(s.options.snaplen != 0) {
 		inspector->set_snaplen(s.options.snaplen);
+		falco_logger::log(falco_logger::level::WARNING,
+		                  "The -S/--snaplen option is deprecated and will be removed. Use -o "
+		                  "falco_libs.snaplen=<len> instead.");
 	}
 
 	if(s.is_driver_drop_failed_exit_enabled()) {

userspace/falco/app/options.cpp

@@ -74,7 +74,7 @@ bool options::parse(int argc, char **argv, std::string &errstr) {
 	}
 
 	if(m_cmdline_parsed.count("b") > 0) {
-		event_buffer_format = sinsp_evt::PF_BASE64;
+		print_base64 = true;
 	}
 
 	if(m_cmdline_parsed.count("r") > 0) {
@@ -83,18 +83,6 @@ bool options::parse(int argc, char **argv, std::string &errstr) {
 		}
 	}
 
-	if(m_cmdline_parsed.count("cri") > 0) {
-		falco_logger::log(falco_logger::level::WARNING,
-		                  "The --cri option is deprecated and will be removed in Falco 0.40.0. Use "
-		                  "-o container_engines.cri.sockets[]=<socket_path> instead.");
-	}
-
-	if(m_cmdline_parsed.count("disable-cri-async") > 0) {
-		falco_logger::log(falco_logger::level::WARNING,
-		                  "The --disable-cri-async option is deprecated and will be removed in "
-		                  "Falco 0.40.0. Use -o container_engines.cri.disable_async=true instead.");
-	}
-
 	list_fields = m_cmdline_parsed.count("list") > 0;
 
 	return true;
@@ -104,282 +92,51 @@ const std::string &options::usage() {
 	return m_usage_str;
 }
 
-void options::define(cxxopts::Options &opts) {
-	opts.add_options()("h,help",
-	                   "Print this help list and exit.",
-	                   cxxopts::value(help)->default_value("false"))
+// clang-format off
+void options::define(cxxopts::Options& opts)
+{
+	opts.add_options()
+		("h,help",                   "Print this help list and exit.", cxxopts::value(help)->default_value("false"))
 #ifdef BUILD_TYPE_RELEASE
-	        ("c",
-	         "Configuration file. If not specified uses " FALCO_INSTALL_CONF_FILE ".",
-	         cxxopts::value(conf_filename),
-	         "<path>")
+		("c",                        "Configuration file. If not specified uses " FALCO_INSTALL_CONF_FILE ".", cxxopts::value(conf_filename), "<path>")
 #else
-	        ("c",
-	         "Configuration file. If not specified tries " FALCO_SOURCE_CONF_FILE
-	         ", " FALCO_INSTALL_CONF_FILE ".",
-	         cxxopts::value(conf_filename),
-	         "<path>")
+		("c",                        "Configuration file. If not specified tries " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ".", cxxopts::value(conf_filename), "<path>")
 #endif
-	                ("config-schema",
-	                 "Print the config json schema and exit.",
-	                 cxxopts::value(print_config_schema)->default_value("false"))(
-	                        "rule-schema",
-	                        "Print the rule json schema and exit.",
-	                        cxxopts::value(print_rule_schema)->default_value("false"))(
-	                        "A",
-	                        "Monitor all events supported by Falco and defined in rules and "
-	                        "configs. Some events are ignored by default when -A is not specified "
-	                        "(the -i option lists these events ignored). Using -A can impact "
-	                        "performance. This option has no effect when reproducing events from a "
-	                        "capture file.",
-	                        cxxopts::value(all_events)->default_value("false"))(
-	                        "b,print-base64",
-	                        "Print data buffers in base64. This is useful for encoding binary data "
-	                        "that needs to be used over media designed to consume this format.")
-#if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
-	                        ("cri",
-	                         "DEPRECATED: use -o container_engines.cri.sockets[]=<socket_path> "
-	                         "instead. Path to CRI socket for container metadata. Use the "
-	                         "specified <path> to fetch data from a CRI-compatible runtime. If not "
-	                         "specified, built-in defaults for commonly known paths are used. This "
-	                         "option can be passed multiple times to specify a list of sockets to "
-	                         "be tried until a successful one is found.",
-	                         cxxopts::value(cri_socket_paths),
-	                         "<path>")(
-	                                "disable-cri-async",
-	                                "DEPRECATED: use -o container_engines.cri.disable_async=true "
-	                                "instead. Turn off asynchronous CRI metadata fetching. This is "
-	                                "useful to let the input event wait for the container metadata "
-	                                "fetch to finish before moving forward. Async fetching, in "
-	                                "some environments leads to empty fields for container "
-	                                "metadata when the fetch is not fast enough to be completed "
-	                                "asynchronously. This can have a performance penalty on your "
-	                                "environment depending on the number of containers and the "
-	                                "frequency at which they are created/started/stopped.",
-	                                cxxopts::value(disable_cri_async)->default_value("false"))
-#endif
-	                                ("disable-source",
-	                                 "Turn off a specific <event_source>. By default, all loaded "
-	                                 "sources get enabled. Available sources are 'syscall' plus "
-	                                 "all sources defined by loaded plugins supporting the event "
-	                                 "sourcing capability. This option can be passed multiple "
-	                                 "times, but turning off all event sources simultaneously is "
-	                                 "not permitted. This option can not be mixed with "
-	                                 "--enable-source. This option has no effect when reproducing "
-	                                 "events from a capture file.",
-	                                 cxxopts::value(disable_sources),
-	                                 "<event_source>")(
-	                                        "dry-run",
-	                                        "Run Falco without processing events. It can help "
-	                                        "check that the configuration and rules do not have "
-	                                        "any errors.",
-	                                        cxxopts::value(dry_run)->default_value("false"))(
-	                                        "enable-source",
-	                                        "Enable a specific <event_source>. By default, all "
-	                                        "loaded sources get enabled. Available sources are "
-	                                        "'syscall' plus all sources defined by loaded plugins "
-	                                        "supporting the event sourcing capability. This option "
-	                                        "can be passed multiple times. When using this option, "
-	                                        "only the event sources specified by it will be "
-	                                        "enabled. This option can not be mixed with "
-	                                        "--disable-source. This option has no effect when "
-	                                        "reproducing events from a capture file.",
-	                                        cxxopts::value(enable_sources),
-	                                        "<event_source>")
+		("config-schema",            "Print the config json schema and exit.", cxxopts::value(print_config_schema)->default_value("false"))
+		("rule-schema",              "Print the rule json schema and exit.", cxxopts::value(print_rule_schema)->default_value("false"))
+		("A",                        "DEPRECATED: use -o base_syscalls.all=true instead. Monitor all events supported by Falco and defined in rules and configs. Some events are ignored by default when -A is not specified (the -i option lists these events ignored). Using -A can impact performance. This option has no effect when reproducing events from a capture file.", cxxopts::value(all_events)->default_value("false"))
+		("b,print-base64",           "DEPRECATED: use -o buffer_format_base64=true. Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
+		("disable-source",           "Turn off a specific <event_source>. By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times, but turning off all event sources simultaneously is not permitted. This option can not be mixed with --enable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(disable_sources), "<event_source>")
+		("dry-run",                  "Run Falco without processing events. It can help check that the configuration and rules do not have any errors.", cxxopts::value(dry_run)->default_value("false"))
+		("enable-source",            "Enable a specific <event_source>. By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times. When using this option, only the event sources specified by it will be enabled. This option can not be mixed with --disable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(enable_sources), "<event_source>")
 #ifdef HAS_GVISOR
-	                                        ("gvisor-generate-config",
-	                                         "Generate a configuration file that can be used for "
-	                                         "gVisor and exit. See --gvisor-config for more "
-	                                         "details.",
-	                                         cxxopts::value<std::string>(
-	                                                 gvisor_generate_config_with_socket)
-	                                                 ->implicit_value("/run/falco/gvisor.sock"),
-	                                         "<socket_path>")
+		("gvisor-generate-config",   "Generate a configuration file that can be used for gVisor and exit. See --gvisor-config for more details.", cxxopts::value<std::string>(gvisor_generate_config_with_socket)->implicit_value("/run/falco/gvisor.sock"), "<socket_path>")
 #endif
-	                                                ("i",
-	                                                 "Print those events that are ignored by "
-	                                                 "default for performance reasons and exit. "
-	                                                 "See -A for more details.",
-	                                                 cxxopts::value(print_ignored_events)
-	                                                         ->default_value("false"))(
-	                                                        "L",
-	                                                        "Show the name and description of all "
-	                                                        "rules and exit. If json_output is set "
-	                                                        "to true, it prints details about all "
-	                                                        "rules, macros, and lists in JSON "
-	                                                        "format.",
-	                                                        cxxopts::value(describe_all_rules)
-	                                                                ->default_value("false"))(
-	                                                        "l",
-	                                                        "Show the name and description of the "
-	                                                        "rule specified <rule> and exit. If "
-	                                                        "json_output is set to true, it prints "
-	                                                        "details about the rule in JSON "
-	                                                        "format.",
-	                                                        cxxopts::value(describe_rule),
-	                                                        "<rule>")(
-	                                                        "list",
-	                                                        "List all defined fields and exit. If "
-	                                                        "<source> is provided, only list those "
-	                                                        "fields for the source <source>. "
-	                                                        "Current values for <source> are "
-	                                                        "\"syscall\" or any source from a "
-	                                                        "configured plugin with event sourcing "
-	                                                        "capability.",
-	                                                        cxxopts::value(list_source_fields)
-	                                                                ->implicit_value(""),
-	                                                        "<source>")(
-	                                                        "list-events",
-	                                                        "List all defined syscall events, "
-	                                                        "metaevents, tracepoint events and "
-	                                                        "exit.",
-	                                                        cxxopts::value<bool>(
-	                                                                list_syscall_events))(
-	                                                        "list-plugins",
-	                                                        "Print info on all loaded plugins and "
-	                                                        "exit.",
-	                                                        cxxopts::value(list_plugins)
-	                                                                ->default_value("false"))(
-	                                                        "M",
-	                                                        "Stop Falco execution after "
-	                                                        "<num_seconds> are passed.",
-	                                                        cxxopts::value(duration_to_tot)
-	                                                                ->default_value("0"),
-	                                                        "<num_seconds>")(
-	                                                        "markdown",
-	                                                        "Print output in Markdown format when "
-	                                                        "used in conjunction with --list or "
-	                                                        "--list-events options. It has no "
-	                                                        "effect when used with other options.",
-	                                                        cxxopts::value<bool>(markdown))(
-	                                                        "N",
-	                                                        "Only print field names when used in "
-	                                                        "conjunction with the --list option. "
-	                                                        "It has no effect when used with other "
-	                                                        "options.",
-	                                                        cxxopts::value(names_only)
-	                                                                ->default_value("false"))(
-	                                                        "o,option",
-	                                                        "Set the value of option <opt> to "
-	                                                        "<val>. Overrides values in the "
-	                                                        "configuration file. <opt> can be "
-	                                                        "identified using its location in the "
-	                                                        "configuration file using dot "
-	                                                        "notation. Elements of list entries "
-	                                                        "can be accessed via square brackets "
-	                                                        "[].\n    E.g. base.id = val\n         "
-	                                                        "base.subvalue.subvalue2 = val\n       "
-	                                                        "  base.list[1]=val",
-	                                                        cxxopts::value(cmdline_config_options),
-	                                                        "<opt>=<val>")(
-	                                                        "plugin-info",
-	                                                        "Print info for the plugin specified "
-	                                                        "by <plugin_name> and exit.\nThis "
-	                                                        "includes all descriptive information "
-	                                                        "like name and author, along with "
-	                                                        "the\nschema format for the init "
-	                                                        "configuration and a list of suggested "
-	                                                        "open parameters.\n<plugin_name> can "
-	                                                        "be the plugin's name or its "
-	                                                        "configured 'library_path'.",
-	                                                        cxxopts::value(print_plugin_info),
-	                                                        "<plugin_name>")(
-	                                                        "p,print",
-	                                                        "Print (or replace) additional "
-	                                                        "information in the rule's "
-	                                                        "output.\nUse -pc or -pcontainer to "
-	                                                        "append container details to syscall "
-	                                                        "events.\nUse -pk or -pkubernetes to "
-	                                                        "add both container and Kubernetes "
-	                                                        "details to syscall events.\nIf using "
-	                                                        "gVisor, choose -pcg or -pkg variants "
-	                                                        "(or -pcontainer-gvisor and "
-	                                                        "-pkubernetes-gvisor, "
-	                                                        "respectively).\nIf a syscall rule's "
-	                                                        "output contains %container.info, it "
-	                                                        "will be replaced with the "
-	                                                        "corresponding details. Otherwise, "
-	                                                        "these details will be directly "
-	                                                        "appended to the rule's "
-	                                                        "output.\nAlternatively, use -p "
-	                                                        "<output_format> for a custom format. "
-	                                                        "In this case, the given "
-	                                                        "<output_format> will be appended to "
-	                                                        "the rule's output without any "
-	                                                        "replacement to all events, including "
-	                                                        "plugin events.",
-	                                                        cxxopts::value(print_additional),
-	                                                        "<output_format>")(
-	                                                        "P,pidfile",
-	                                                        "Write PID to specified <pid_file> "
-	                                                        "path. By default, no PID file is "
-	                                                        "created.",
-	                                                        cxxopts::value(pidfilename)
-	                                                                ->default_value(""),
-	                                                        "<pid_file>")(
-	                                                        "r",
-	                                                        "Rules file or directory to be loaded. "
-	                                                        "This option can be passed multiple "
-	                                                        "times. Falco defaults to the values "
-	                                                        "in the configuration file when this "
-	                                                        "option is not specified.",
-	                                                        cxxopts::value<
-	                                                                std::vector<std::string>>(),
-	                                                        "<rules_file>")(
-	                                                        "S,snaplen",
-	                                                        "Collect only the first <len> bytes of "
-	                                                        "each I/O buffer for 'syscall' events. "
-	                                                        "By default, the first 80 bytes are "
-	                                                        "collected by the driver and sent to "
-	                                                        "the user space for processing. Use "
-	                                                        "this option with caution since it can "
-	                                                        "have a strong performance impact.",
-	                                                        cxxopts::value(snaplen)->default_value(
-	                                                                "0"),
-	                                                        "<len>")(
-	                                                        "support",
-	                                                        "Print support information, including "
-	                                                        "version, rules files used, loaded "
-	                                                        "configuration, etc., and exit. The "
-	                                                        "output is in JSON format.",
-	                                                        cxxopts::value(print_support)
-	                                                                ->default_value("false"))(
-	                                                        "U,unbuffered",
-	                                                        "Turn off output buffering for "
-	                                                        "configured outputs. This causes every "
-	                                                        "single line emitted by Falco to be "
-	                                                        "flushed, which generates higher CPU "
-	                                                        "usage but is useful when piping those "
-	                                                        "outputs into another process or a "
-	                                                        "script.",
-	                                                        cxxopts::value(unbuffered_outputs)
-	                                                                ->default_value("false"))(
-	                                                        "V,validate",
-	                                                        "Read the contents of the specified "
-	                                                        "<rules_file> file(s), validate the "
-	                                                        "loaded rules, and exit. This option "
-	                                                        "can be passed multiple times to "
-	                                                        "validate multiple files.",
-	                                                        cxxopts::value(
-	                                                                validate_rules_filenames),
-	                                                        "<rules_file>")(
-	                                                        "v",
-	                                                        "Enable verbose output.",
-	                                                        cxxopts::value(verbose)->default_value(
-	                                                                "false"))(
-	                                                        "version",
-	                                                        "Print version information and exit.",
-	                                                        cxxopts::value(print_version_info)
-	                                                                ->default_value("false"))(
-	                                                        "page-size",
-	                                                        "Print the system page size and exit. "
-	                                                        "This utility may help choose the "
-	                                                        "right syscall ring buffer size.",
-	                                                        cxxopts::value(print_page_size)
-	                                                                ->default_value("false"));
+		("i",                        "Print those events that are ignored by default for performance reasons and exit. See -A for more details.", cxxopts::value(print_ignored_events)->default_value("false"))
+		("L",                        "Show the name and description of all rules and exit. If json_output is set to true, it prints details about all rules, macros, and lists in JSON format.", cxxopts::value(describe_all_rules)->default_value("false"))
+		("l",                        "Show the name and description of the rule specified <rule> and exit. If json_output is set to true, it prints details about the rule in JSON format.", cxxopts::value(describe_rule), "<rule>")
+		("list",                     "List all defined fields and exit. If <source> is provided, only list those fields for the source <source>. Current values for <source> are \"syscall\" or any source from a configured plugin with event sourcing capability.", cxxopts::value(list_source_fields)->implicit_value(""), "<source>")
+		("list-events",              "List all defined syscall events, metaevents, tracepoint events and exit.", cxxopts::value<bool>(list_syscall_events))
+		("list-plugins",             "Print info on all loaded plugins and exit.", cxxopts::value(list_plugins)->default_value("false"))
+		("M",                        "Stop Falco execution after <num_seconds> are passed.", cxxopts::value(duration_to_tot)->default_value("0"), "<num_seconds>")
+		("markdown",                 "Print output in Markdown format when used in conjunction with --list or --list-events options. It has no effect when used with other options.", cxxopts::value<bool>(markdown))
+		("N",                        "Only print field names when used in conjunction with the --list option. It has no effect when used with other options.", cxxopts::value(names_only)->default_value("false"))
+		("o,option",                 "Set the value of option <opt> to <val>. Overrides values in the configuration file. <opt> can be identified using its location in the configuration file using dot notation. Elements of list entries can be accessed via square brackets [].\n    E.g. base.id = val\n         base.subvalue.subvalue2 = val\n         base.list[1]=val", cxxopts::value(cmdline_config_options), "<opt>=<val>")
+		("plugin-info",              "Print info for the plugin specified by <plugin_name> and exit.\nThis includes all descriptive information like name and author, along with the\nschema format for the init configuration and a list of suggested open parameters.\n<plugin_name> can be the plugin's name or its configured 'library_path'.", cxxopts::value(print_plugin_info), "<plugin_name>")
+		("p,print",                  "Print (or replace) additional information in the rule's output.\nUse -pc or -pcontainer to append container details to syscall events.\nUse -pk or -pkubernetes to add both container and Kubernetes details to syscall events.\nIf using gVisor, choose -pcg or -pkg variants (or -pcontainer-gvisor and -pkubernetes-gvisor, respectively).\nIf a syscall rule's output contains %container.info, it will be replaced with the corresponding details. Otherwise, these details will be directly appended to the rule's output.\nAlternatively, use -p <output_format> for a custom format. In this case, the given <output_format> will be appended to the rule's output without any replacement to all events, including plugin events.", cxxopts::value(print_additional), "<output_format>")
+		("P,pidfile",                "Write PID to specified <pid_file> path. By default, no PID file is created.", cxxopts::value(pidfilename)->default_value(""), "<pid_file>")
+		("r",                        "Rules file or directory to be loaded. This option can be passed multiple times. Falco defaults to the values in the configuration file when this option is not specified.", cxxopts::value<std::vector<std::string>>(), "<rules_file>")
+		("S,snaplen",                "DEPRECATED: use -o falco_libs.snaplen=<len> instead. Collect only the first <len> bytes of each I/O buffer for 'syscall' events. By default, the first 80 bytes are collected by the driver and sent to the user space for processing. Use this option with caution since it can have a strong performance impact.", cxxopts::value(snaplen)->default_value("0"), "<len>")
+		("support",                  "Print support information, including version, rules files used, loaded configuration, etc., and exit. The output is in JSON format.", cxxopts::value(print_support)->default_value("false"))
+		("U,unbuffered",             "Turn off output buffering for configured outputs. This causes every single line emitted by Falco to be flushed, which generates higher CPU usage but is useful when piping those outputs into another process or a script.", cxxopts::value(unbuffered_outputs)->default_value("false"))
+		("V,validate",               "Read the contents of the specified <rules_file> file(s), validate the loaded rules, and exit. This option can be passed multiple times to validate multiple files.", cxxopts::value(validate_rules_filenames), "<rules_file>")
+		("v",                        "Enable verbose output.", cxxopts::value(verbose)->default_value("false"))
+		("version",                  "Print version information and exit.", cxxopts::value(print_version_info)->default_value("false"))
+		("page-size",                "Print the system page size and exit. This utility may help choose the right syscall ring buffer size.", cxxopts::value(print_page_size)->default_value("false"));
 
 	opts.set_width(140);
 }
+// clang-format on
 
 };  // namespace app
 };  // namespace falco

userspace/falco/app/options.h

@@ -47,8 +47,7 @@ public:
 	std::string conf_filename;
 	bool all_events = false;
 	sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
-	std::vector<std::string> cri_socket_paths;
-	bool disable_cri_async = false;
+	bool print_base64 = false;
 	std::vector<std::string> disable_sources;
 	std::vector<std::string> enable_sources;
 	std::string gvisor_generate_config_with_socket;

userspace/falco/config_json_schema.h

@@ -44,6 +44,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
                 "watch_config_files": {
                     "type": "boolean"
                 },
+                "plugins_hostinfo": {
+                    "type": "boolean"
+                },
                 "rules_files": {
                     "type": "array",
                     "items": {
@@ -80,6 +83,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
                 "time_format_iso_8601": {
                     "type": "boolean"
                 },
+                "buffer_format_base64": {
+                    "type": "boolean"
+                },
                 "priority": {
                     "type": "string"
                 },
@@ -270,6 +276,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
                             }
                         ]
                     }
+                },
+                "suggested_output": {
+                    "type": "boolean"
                 }
             }
         },
@@ -277,6 +286,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
             "type": "object",
             "additionalProperties": false,
             "properties": {
+                "all": {
+                    "type": "boolean"
+                },
                 "custom_set": {
                     "type": "array",
                     "items": {
@@ -403,6 +415,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
             "properties": {
                 "thread_table_size": {
                     "type": "integer"
+                },
+                "snaplen": {
+                    "type": "integer"
                 }
             },
             "minProperties": 1,
@@ -560,6 +575,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
                 },
                 "include_empty_values": {
                     "type": "boolean"
+                },
+                "jemalloc_stats_enabled": {
+                    "type": "boolean"
                 }
             },
             "minProperties": 1,

userspace/falco/configuration.cpp

@@ -74,6 +74,7 @@ falco_configuration::falco_configuration():
         m_buffered_outputs(false),
         m_outputs_queue_capacity(DEFAULT_OUTPUTS_QUEUE_CAPACITY_UNBOUNDED_MAX_LONG_VALUE),
         m_time_format_iso_8601(false),
+        m_buffer_format_base64(false),
         m_output_timeout(2000),
         m_grpc_enabled(false),
         m_grpc_threadiness(0),
@@ -84,6 +85,8 @@ falco_configuration::falco_configuration():
         m_syscall_evt_simulate_drops(false),
         m_syscall_evt_timeout_max_consecutives(1000),
         m_falco_libs_thread_table_size(DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE),
+        m_falco_libs_snaplen(0),
+        m_base_syscalls_all(false),
         m_base_syscalls_repair(false),
         m_metrics_enabled(false),
         m_metrics_interval_str("5000"),
@@ -93,6 +96,7 @@ falco_configuration::falco_configuration():
         m_metrics_flags(0),
         m_metrics_convert_memory_to_mb(true),
         m_metrics_include_empty_values(false),
+        m_plugins_hostinfo(true),
         m_container_engines_mask(0),
         m_container_engines_disable_cri_async(false),
         m_container_engines_cri_socket_paths({"/run/containerd/containerd.sock",
@@ -489,6 +493,7 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 	}
 
 	m_time_format_iso_8601 = m_config.get_scalar<bool>("time_format_iso_8601", false);
+	m_buffer_format_base64 = m_config.get_scalar<bool>("buffer_format_base64", false);
 
 	m_webserver_enabled = m_config.get_scalar<bool>("webserver.enabled", false);
 	m_webserver_config.m_threadiness = m_config.get_scalar<uint32_t>("webserver.threadiness", 0);
@@ -569,10 +574,14 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 	        m_config.get_scalar<std::uint32_t>("falco_libs.thread_table_size",
 	                                           DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE);
 
+	// if falco_libs.snaplen is not set we'll let libs configure it
+	m_falco_libs_snaplen = m_config.get_scalar<std::uint64_t>("falco_libs.snaplen", 0);
+
 	m_base_syscalls_custom_set.clear();
 	m_config.get_sequence<std::unordered_set<std::string>>(m_base_syscalls_custom_set,
 	                                                       std::string("base_syscalls.custom_set"));
 	m_base_syscalls_repair = m_config.get_scalar<bool>("base_syscalls.repair", false);
+	m_base_syscalls_all = m_config.get_scalar<bool>("base_syscalls.all", false);
 
 	m_metrics_enabled = m_config.get_scalar<bool>("metrics.enabled", false);
 	m_metrics_interval_str = m_config.get_scalar<std::string>("metrics.interval", "5000");
@@ -602,12 +611,17 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 	if(m_config.get_scalar<bool>("metrics.plugins_metrics_enabled", true)) {
 		m_metrics_flags |= METRICS_V2_PLUGINS;
 	}
+	if(m_config.get_scalar<bool>("metrics.jemalloc_stats_enabled", true)) {
+		m_metrics_flags |= METRICS_V2_JEMALLOC_STATS;
+	}
 
 	m_metrics_convert_memory_to_mb =
 	        m_config.get_scalar<bool>("metrics.convert_memory_to_mb", true);
 	m_metrics_include_empty_values =
 	        m_config.get_scalar<bool>("metrics.include_empty_values", false);
 
+	m_plugins_hostinfo = m_config.get_scalar<bool>("plugins_hostinfo", true);
+
 	m_config.get_sequence<std::vector<rule_selection_config>>(m_rules_selection, "rules");
 	m_config.get_sequence<std::vector<append_output_config>>(m_append_output, "append_output");
 
@@ -687,7 +701,7 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 		m_container_engines_mask |= ((1 << CT_CRI) | (1 << CT_CRIO) | (1 << CT_CONTAINERD));
 		m_container_engines_cri_socket_paths.clear();
 		m_config.get_sequence<std::vector<std::string>>(m_container_engines_cri_socket_paths,
-		                                                "container_engines.cri.cri");
+		                                                "container_engines.cri.sockets");
 		m_container_engines_disable_cri_async =
 		        m_config.get_scalar<bool>("container_engines.cri.disable-cri-async", false);
 	}

userspace/falco/configuration.h

@@ -37,6 +37,9 @@ limitations under the License.
 #include "event_drops.h"
 #include "falco_outputs.h"
 
+// Falco only metric
+#define METRICS_V2_JEMALLOC_STATS 1 << 31
+
 enum class engine_kind_t : uint8_t { KMOD, EBPF, MODERN_EBPF, REPLAY, GVISOR, NODRIVER };
 
 // Map that holds { config filename | validation status } for each loaded config file.
@@ -100,6 +103,7 @@ public:
 		std::set<std::string> m_tags;
 		std::string m_rule;
 		std::string m_format;
+		bool m_suggested_output = false;
 		std::unordered_map<std::string, std::string> m_formatted_fields;
 		std::set<std::string> m_raw_fields;
 	};
@@ -153,6 +157,7 @@ public:
 	bool m_buffered_outputs;
 	size_t m_outputs_queue_capacity;
 	bool m_time_format_iso_8601;
+	bool m_buffer_format_base64;
 	uint32_t m_output_timeout;
 
 	bool m_grpc_enabled;
@@ -175,9 +180,11 @@ public:
 	uint32_t m_syscall_evt_timeout_max_consecutives;
 
 	uint32_t m_falco_libs_thread_table_size;
+	uint64_t m_falco_libs_snaplen;
 
 	// User supplied base_syscalls, overrides any Falco state engine enforcement.
 	std::unordered_set<std::string> m_base_syscalls_custom_set;
+	bool m_base_syscalls_all;
 	bool m_base_syscalls_repair;
 
 	// metrics configs
@@ -190,6 +197,7 @@ public:
 	bool m_metrics_convert_memory_to_mb;
 	bool m_metrics_include_empty_values;
 	std::vector<plugin_config> m_plugins;
+	bool m_plugins_hostinfo;
 
 	// container engines
 	uint64_t m_container_engines_mask;
@@ -287,6 +295,10 @@ struct convert<falco_configuration::append_output_config> {
 			}
 		}
 
+		if(node["suggested_output"]) {
+			rhs.m_suggested_output = node["suggested_output"].as<bool>();
+		}
+
 		return true;
 	}
 };

userspace/falco/falco_metrics.cpp

@@ -23,6 +23,10 @@ limitations under the License.
 
 #include <libsinsp/sinsp.h>
 
+#ifdef HAS_JEMALLOC
+#include <jemalloc.h>
+#endif
+
 namespace fs = std::filesystem;
 
 /*!
@@ -249,6 +253,38 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 				}
 			}
 		}
+#ifdef HAS_JEMALLOC
+		if(state.config->m_metrics_flags & METRICS_V2_JEMALLOC_STATS) {
+			nlohmann::json j;
+			malloc_stats_print(
+			        [](void* to, const char* from) {
+				        nlohmann::json* j = (nlohmann::json*)to;
+				        *j = nlohmann::json::parse(from);
+			        },
+			        &j,
+			        "Jmdablxeg");
+			const auto& j_stats = j["jemalloc"]["stats"];
+			for(auto it = j_stats.begin(); it != j_stats.end(); ++it) {
+				if(it.value().is_number_unsigned()) {
+					std::uint64_t val = it.value().template get<std::uint64_t>();
+					std::string key = "jemalloc." + it.key();
+					auto metric = libs::metrics::libsinsp_metrics::new_metric(
+					        key.c_str(),
+					        METRICS_V2_JEMALLOC_STATS,
+					        METRIC_VALUE_TYPE_U64,
+					        METRIC_VALUE_UNIT_MEMORY_BYTES,
+					        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+					        val);
+					prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
+					prometheus_text +=
+					        prometheus_metrics_converter.convert_metric_to_text_prometheus(
+					                metric,
+					                "falcosecurity",
+					                "falco");
+				}
+			}
+		}
+#endif
 	}
 
 	// Libs metrics categories

userspace/falco/stats_writer.cpp

@@ -32,6 +32,10 @@ limitations under the License.
 #include <libscap/strl.h>
 #include <libscap/scap_vtable.h>
 
+#ifdef HAS_JEMALLOC
+#include <jemalloc.h>
+#endif
+
 namespace fs = std::filesystem;
 
 // note: ticker_t is an uint16_t, which is enough because we don't care about
@@ -360,7 +364,9 @@ void stats_writer::collector::get_metrics_output_fields_wrapper(
 		output_fields["evt.hostname"] =
 		        machine_info->hostname; /* Explicitly add hostname to log msg in case hostname rule
 		                                   output field is disabled. */
-		output_fields["falco.host_boot_ts"] = machine_info->boot_ts_epoch;
+		// This line generates a SIGTRAP in zig debug builds if the casting is removed.
+		// It seems caused by the pragma pack for the scap_machine_info structure.
+		output_fields["falco.host_boot_ts"] = (uint64_t)machine_info->boot_ts_epoch;
 		output_fields["falco.host_num_cpus"] = machine_info->num_cpus;
 	}
 	output_fields["falco.outputs_queue_num_drops"] =
@@ -432,6 +438,43 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 		}
 	}
 
+#ifdef HAS_JEMALLOC
+	if(m_writer->m_config->m_metrics_flags & METRICS_V2_JEMALLOC_STATS) {
+		nlohmann::json j;
+		malloc_stats_print(
+		        [](void* to, const char* from) {
+			        nlohmann::json* j = (nlohmann::json*)to;
+			        *j = nlohmann::json::parse(from);
+		        },
+		        &j,
+		        "Jmdablxeg");
+		const auto& j_stats = j["jemalloc"]["stats"];
+		for(auto it = j_stats.begin(); it != j_stats.end(); ++it) {
+			if(it.value().is_number_unsigned()) {
+				std::uint64_t val = it.value().template get<std::uint64_t>();
+				if(m_writer->m_config->m_metrics_include_empty_values || val != 0) {
+					std::string key = "falco.jemalloc." + it.key() + "_bytes";
+					auto metric = libs::metrics::libsinsp_metrics::new_metric(
+					        key.c_str(),
+					        METRICS_V2_JEMALLOC_STATS,
+					        METRIC_VALUE_TYPE_U64,
+					        METRIC_VALUE_UNIT_MEMORY_BYTES,
+					        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+					        val);
+					if(m_writer->m_config->m_metrics_convert_memory_to_mb &&
+					   m_writer->m_output_rule_metrics_converter) {
+						m_writer->m_output_rule_metrics_converter
+						        ->convert_metric_to_unit_convention(metric);
+						output_fields[metric.name] = metric.value.d;
+					} else {
+						output_fields[metric.name] = metric.value.u64;
+					}
+				}
+			}
+		}
+	}
+#endif
+
 #if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
 	if(m_writer->m_libs_metrics_collector && m_writer->m_output_rule_metrics_converter) {
 		// Libs metrics categories

userspace/falco/webserver.cpp

@@ -69,9 +69,8 @@ void falco_webserver::start(const falco::app::state &state,
 		throw falco_exception("invalid webserver configuration");
 	}
 
-	std::atomic<bool> failed;
-	failed.store(false, std::memory_order_release);
-	m_server_thread = std::thread([this, webserver_config, &failed] {
+	m_failed.store(false, std::memory_order_release);
+	m_server_thread = std::thread([this, webserver_config] {
 		try {
 			this->m_server->listen(webserver_config.m_listen_address,
 			                       webserver_config.m_listen_port);
@@ -79,16 +78,16 @@ void falco_webserver::start(const falco::app::state &state,
 			falco_logger::log(falco_logger::level::ERR,
 			                  "falco_webserver: " + std::string(e.what()) + "\n");
 		}
-		failed.store(true, std::memory_order_release);
+		this->m_failed.store(true, std::memory_order_release);
 	});
 
 	// wait for the server to actually start up
 	// note: is_running() is atomic
-	while(!m_server->is_running() && !failed.load(std::memory_order_acquire)) {
+	while(!m_server->is_running() && !m_failed.load(std::memory_order_acquire)) {
 		std::this_thread::yield();
 	}
 	m_running = true;
-	if(failed.load(std::memory_order_acquire)) {
+	if(m_failed.load(std::memory_order_acquire)) {
 		stop();
 		throw falco_exception("an error occurred while starting webserver");
 	}

userspace/falco/webserver.h

@@ -45,4 +45,5 @@ private:
 	bool m_running = false;
 	std::unique_ptr<httplib::Server> m_server = nullptr;
 	std::thread m_server_thread;
+	std::atomic<bool> m_failed;
 };