chore(cmake): bump falcoctl dependency version to 0.12.2

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>

.github/workflows/reusable_build_packages.yaml

@@ -31,7 +31,7 @@ on:
         type: boolean
         default: false
 
-permissions:  
+permissions:
   contents: read
 
 jobs:
@@ -73,8 +73,8 @@ jobs:
 
       - name: Install systemd rpm macros
         run: |
-          wget https://www.rpmfind.net/linux/centos-stream/9-stream/BaseOS/${{ inputs.arch }}/os/Packages/systemd-rpm-macros-252-51.el9.noarch.rpm
-          sudo alien -d -i systemd-rpm-macros-252-51.el9.noarch.rpm
+          wget https://www.rpmfind.net/linux/centos-stream/9-stream/BaseOS/${{ inputs.arch }}/os/Packages/systemd-rpm-macros-252-59.el9.noarch.rpm
+          sudo alien -d -i systemd-rpm-macros-252-59.el9.noarch.rpm
 
       - name: Checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
@@ -344,44 +344,6 @@ jobs:
           path: |
             ${{ github.workspace }}/build/falco-${{ inputs.version }}-wasm.tar.gz
 
-  build-win32-package:
-    if: ${{ inputs.arch == 'x86_64' }}
-    runs-on: windows-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-        with:
-          fetch-depth: 0
-
-      - name: Install NSIS
-        run: choco install nsis -y
-
-      # NOTE: Backslash doesn't work as line continuation on Windows.
-      - name: Prepare project
-        run: |
-          cmake -B build -S . -DCMAKE_BUILD_TYPE=Release -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
-
-      - name: Build project
-        run: |
-          cmake --build build --target package --config Release
-
-      - name: Run unit Tests
-        run: |
-          build/unit_tests/Release/falco_unit_tests.exe
-
-      - name: Upload Falco win32 installer
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-        with:
-          name: falco-installer-Release-win32.exe
-          path: build/falco-*.exe
-
-      - name: Upload Falco win32 package
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-        with:
-          name: falco-Release-win32.exe
-          path: |
-            ${{ github.workspace }}/build/userspace/falco/Release/falco.exe
-
   build-macos-package:
     if: ${{ inputs.arch == 'x86_64' }}
     runs-on: macos-latest

.github/workflows/reusable_publish_packages.yaml

@@ -82,11 +82,6 @@ jobs:
           GPG_KEY: ${{ secrets.GPG_KEY }}
         run: printenv GPG_KEY | gpg --import -
 
-      - name: Sign rpms
-        run: |
-          rpmsign --define '_gpg_name Falcosecurity Package Signing' --addsign /tmp/falco-build-rpm/falco-*.rpm
-          rpm -qp --qf '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none)}|}|\n' /tmp/falco-build-rpm/falco-*.rpm
-
       - name: Publish wasm
         run: |
           ./scripts/publish-wasm -f /tmp/falco-wasm/falco-${{ inputs.version }}-wasm.tar.gz

CHANGELOG.md

@@ -1,5 +1,82 @@
 # Change Log
 
+## v0.42.0
+
+Released on 2025-10-22
+
+
+### Major Changes
+
+* feat: add `falco_libs.thread_table_auto_purging_interval_s` and `thread_table_auto_purging_thread_timeout_s` configuration options [[#3670](https://github.com/falcosecurity/falco/pull/3670)] - [@ekoops](https://github.com/ekoops)
+* feat: log plugin version info at loading time [[#3657](https://github.com/falcosecurity/falco/pull/3657)] - [@FedeDP](https://github.com/FedeDP)
+* feat: ability to add statically defined fields via `static_fields` configuration [[#3557](https://github.com/falcosecurity/falco/pull/3557)] - [@FedeDP](https://github.com/FedeDP)
+* feat(engine): emit warning when a rule containing the `evt.dir` field in output is encountered [[#3697](https://github.com/falcosecurity/falco/pull/3697)] - [@irozzo-1A](https://github.com/irozzo-1A)
+* feat(engine): emit warning when a rule containing a condition on the deprecated `evt.dir` field is encountered [[#3690](https://github.com/falcosecurity/falco/pull/3690)] - [@irozzo-1A](https://github.com/irozzo-1A)
+* new: ability to record `.scap` files (capture feature) [[#3645](https://github.com/falcosecurity/falco/pull/3645)] - [@leogr](https://github.com/leogr)
+* new(docker): includes sha on the image labels [[#3658](https://github.com/falcosecurity/falco/pull/3658)] - [@jcchavezs](https://github.com/jcchavezs)
+* new(cmake,userspace,ci): add mimalloc support [[#3616](https://github.com/falcosecurity/falco/pull/3616)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Minor Changes
+
+* docs(falco.yaml): refactor config documentation [[#3685](https://github.com/falcosecurity/falco/pull/3685)] - [@leogr](https://github.com/leogr)
+* build: fix `debian:buster` apt debian repo URL in `:driver-loader-buster` container image [[#3644](https://github.com/falcosecurity/falco/pull/3644)] - [@ekoops](https://github.com/ekoops)
+* build: updagrade libs to version 0.22.1 [[#3705](https://github.com/falcosecurity/falco/pull/3705)] - [@irozzo-1A](https://github.com/irozzo-1A)
+* build: upgrade drivers to v9.0.0+driver [[#3701](https://github.com/falcosecurity/falco/pull/3701)] - [@irozzo-1A](https://github.com/irozzo-1A)
+* build: upgrade cpp-httplib to v0.23.1 [[#3647](https://github.com/falcosecurity/falco/pull/3647)] - [@FedeDP](https://github.com/FedeDP)
+* update: upgrade default ruleset to v5.0.0 [[#3700](https://github.com/falcosecurity/falco/pull/3700)] - [@leogr](https://github.com/leogr)
+* build: upgrade `falcoctl` to v0.11.4 [[#3694](https://github.com/falcosecurity/falco/pull/3694)] - [@leogr](https://github.com/leogr)
+* chore(prometheus): deprecate enter events drop stats [[#3675](https://github.com/falcosecurity/falco/pull/3675)] - [@irozzo-1A](https://github.com/irozzo-1A)
+
+
+### Bug Fixes
+
+* fix(cmake): correct abseil-cpp for alpine build [[#3598](https://github.com/falcosecurity/falco/pull/3598)] - [@RomanenkoDenys](https://github.com/RomanenkoDenys)
+* fix: enable handling of multiple actions configured with `syscall_event_drops.actions` [[#3676](https://github.com/falcosecurity/falco/pull/3676)] - [@terror96](https://github.com/terror96)
+* fix: disable dry-run restarts when Falco runs with config-watching disabled [[#3640](https://github.com/falcosecurity/falco/pull/3640)] - [@Proximyst](https://github.com/Proximyst)
+
+
+
+### Non user-facing changes
+
+* fix(userspace/falco): correct default duration calculation [[#3715](https://github.com/falcosecurity/falco/pull/3715)] - [@leogr](https://github.com/leogr)
+* chore(falcoctl): update falco rules to version 5 [[#3712](https://github.com/falcosecurity/falco/pull/3712)] - [@irozzo-1A](https://github.com/irozzo-1A)
+* doc(OWNERS): move incertum (Melissa Kilby) to emeritus_approvers [[#3605](https://github.com/falcosecurity/falco/pull/3605)] - [@incertum](https://github.com/incertum)
+* update(cmake): update libs and driver to latest master [[#3689](https://github.com/falcosecurity/falco/pull/3689)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* chore(docker): use new `ENV` syntax in place of deprecated one [[#3696](https://github.com/falcosecurity/falco/pull/3696)] - [@ekoops](https://github.com/ekoops)
+* chore(cmake/modules): update rules to 5.0.0-rc1 [[#3698](https://github.com/falcosecurity/falco/pull/3698)] - [@leogr](https://github.com/leogr)
+* fix(userspace/engine): fix logger date format [[#3672](https://github.com/falcosecurity/falco/pull/3672)] - [@ekoops](https://github.com/ekoops)
+* docs(OWNERS): add `ekoops`(Leonardo Di Giovanna) as approver [[#3688](https://github.com/falcosecurity/falco/pull/3688)] - [@ekoops](https://github.com/ekoops)
+* update(cmake): update libs and driver to latest master [[#3665](https://github.com/falcosecurity/falco/pull/3665)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* Refactor: cppcheck cleanups [[#3649](https://github.com/falcosecurity/falco/pull/3649)] - [@sgaist](https://github.com/sgaist)
+* update(userspace/engine): update falco engine version and checksum [[#3648](https://github.com/falcosecurity/falco/pull/3648)] - [@ekoops](https://github.com/ekoops)
+* update(cmake): update libs and driver to latest master [[#3662](https://github.com/falcosecurity/falco/pull/3662)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3661](https://github.com/falcosecurity/falco/pull/3661)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3653](https://github.com/falcosecurity/falco/pull/3653)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* chore(ci): disable mimalloc for master builds. [[#3655](https://github.com/falcosecurity/falco/pull/3655)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump submodules/falcosecurity-rules from `1208816` to `be38001` [[#3651](https://github.com/falcosecurity/falco/pull/3651)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* docs(falco.yaml): avoid out-of-sync config options for `container` pl… [[#3650](https://github.com/falcosecurity/falco/pull/3650)] - [@leogr](https://github.com/leogr)
+* update(cmake): update libs and driver to latest master [[#3636](https://github.com/falcosecurity/falco/pull/3636)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(CHANGELOG.md): release 0.41.3 (cherry-pick) [[#3634](https://github.com/falcosecurity/falco/pull/3634)] - [@ekoops](https://github.com/ekoops)
+* update(cmake): update libs and driver to latest master [[#3628](https://github.com/falcosecurity/falco/pull/3628)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(CHANGELOG.md): release 0.41.2 (cherry-pick) [[#3623](https://github.com/falcosecurity/falco/pull/3623)] - [@ekoops](https://github.com/ekoops)
+* update(cmake): update libs and driver to latest master [[#3618](https://github.com/falcosecurity/falco/pull/3618)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3602](https://github.com/falcosecurity/falco/pull/3602)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* chore(falco.yaml): clean up plugins config leftover [[#3596](https://github.com/falcosecurity/falco/pull/3596)] - [@leogr](https://github.com/leogr)
+* chore(deps): Bump submodules/falcosecurity-rules from `b4437c4` to `4d51b18` [[#3607](https://github.com/falcosecurity/falco/pull/3607)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(docs): cherry pick CHANGELOG. [[#3600](https://github.com/falcosecurity/falco/pull/3600)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3592](https://github.com/falcosecurity/falco/pull/3592)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(docs): bumped changelog for release 0.41.0, master sync [[#3586](https://github.com/falcosecurity/falco/pull/3586)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump submodules/falcosecurity-rules from `cb17833` to `b4437c4` [[#3578](https://github.com/falcosecurity/falco/pull/3578)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |     29 |
+| Release note    |     23 |
+| Total           |     52 |
+
 ## v0.41.3
 
 Released on 2025-07-01

CMakeLists.txt

@@ -288,6 +288,12 @@ if(NOT WIN32
    AND NOT MUSL_OPTIMIZED_BUILD
 )
 	include(falcoctl)
+	set(CONTAINER_VERSION "0.6.1")
+	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+		set(CONTAINER_HASH "008989992ed1f31b3ffb94ba6b64ca5a8e2f91611a10c9d6213c5c0a499d0679")
+	else() # arm64
+		set(CONTAINER_HASH "f90a700b4c2b411b23e7cc461b61a316b242994aad853c3e6baf12481fb6f6c9")
+	endif()
 	include(container_plugin)
 
 	# Generate a binary_dir/falco.yaml that automatically enables the plugin to be used for local

RELEASE.md

@@ -87,10 +87,10 @@ Before proceeding with the release, make sure to complete the following preparat
 - Double-check, by using the following filters, if there is any closed issue/merge PR with no milestone assigned:
   - `is:issue state:closed no:milestone closed:>YYYY-MM-DD`
     [filter](https://github.com/falcosecurity/falco/issues?q=is%3Aissue%20state%3Aclosed%20no%3Amilestone%20closed%3A%3EYYYY-MM-DD)
-  - `is:pr state:closed no:milestone closed:>YYYY-MM-DD`
+  - `is:pr is:merged no:milestone closed:>YYYY-MM-DD`
     [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD)
 - Assign any issue/PR identified in the previous point to the milestone corresponding to the currently undergoing release
-- Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
+- Check the release note block of every PR matching the `is:pr is:merged milestone:M.m.p` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+milestone%3AM.m.p)
     - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
     - If the PR has no milestone, assign it to the milestone currently undergoing release
 
@@ -116,7 +116,7 @@ The release PR is meant to be made against the respective `release/M.m.x` branch
     - If any, manually correct it then open an issue to automate version number bumping later
     - Versions table in the `README.md` updates itself automatically
 - Generate the change log using [rn2md](https://github.com/leodido/rn2md):
-    - Execute `rn2md -r falcosecurity/falco -m M.m.p -b release/M.m.x`
+    - Execute `rn2md -r falcosecurity/falco -m M.m.p`
     - In case `rn2md` emits error try to generate an GitHub OAuth access token and provide it with the `-t` flag
 - Add the latest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
@@ -129,16 +129,18 @@ The release PR is meant to be made against the respective `release/M.m.x` branch
 Core maintainers and/or the release manager can decide to publish pre-releases at any time before the final release
 is live for development and testing purposes.
 
-The prerelease tag must be formatted as `M.m.p-r` where `r` is the prerelease version information (e.g. `0.35.0-rc1`.)
+The pre-release must be associated with a newly created tag. The tag is intended to be created while drafting the new pre-release through the GitHub form (this is indeed the only way to correctly associate the tag with a target branch; more on this below).
+The pre-release tag must be formatted as `M.m.p-r`, where `r` is the pre-release version information (e.g. `0.35.0-rc1`).
 
-To do so:
+To create both pre-release tag and pre-release, do the following:
 
 - [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
-- Use `M.m.p-r` both as tag version and release title.
+- Use `M.m.p-r` both as tag version and release title
+- Associate `release/M.m.x` as "target branch" for the new tag
 - Check the "Set as a pre-release" checkbox and make sure "Set as the latest release" is unchecked
 - It is recommended to add a brief description so that other contributors will understand the reason why the prerelease is published
 - Publish the prerelease!
-- The release pipeline will start automatically. Packages will be uploaded to the `-dev` bucket and container images will be tagged with the specified tag.
+- The release pipeline will start automatically. Packages will be uploaded to the `-dev` bucket and container images will be tagged with the specified tag
 
 In order to check the status of the release pipeline click on the [GitHub Actions tab](https://github.com/falcosecurity/falco/actions?query=event%3Arelease) in the Falco repository and filter by release.
 
@@ -150,6 +152,7 @@ Assume `M.m.p` is the new version.
 
 - [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
 - Use `M.m.p` both as tag version and release title
+- Associate `release/M.m.x` as "target branch" for the new tag
 - Do NOT fill body, since it will be autogenerated by the [github release workflow](.github/workflows/release.yaml)
 - Publish the release!
 - The release pipeline will start automatically upon publication and all packages and container images will be uploaded to the stable repositories.

cmake/cpack/debian/conffiles

@@ -1,3 +1,3 @@
 /etc/falco/falco.yaml
-/etc/falco/falcoctl.yaml
 /etc/falco/falco_rules.local.yaml
+/etc/falcoctl/falcoctl.yaml

cmake/modules/CompilerFlags.cmake

@@ -23,6 +23,7 @@ endif()
 string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE)
 if(CMAKE_BUILD_TYPE STREQUAL "debug")
 	set(KBUILD_FLAGS "${FALCO_EXTRA_DEBUG_FLAGS} ${FALCO_EXTRA_FEATURE_FLAGS}")
+	add_definitions(-DBUILD_TYPE_DEBUG)
 elseif(CMAKE_BUILD_TYPE STREQUAL "relwithdebinfo")
 	set(KBUILD_FLAGS "${FALCO_EXTRA_FEATURE_FLAGS}")
 	add_definitions(-DBUILD_TYPE_RELWITHDEBINFO)
@@ -59,10 +60,6 @@ if(NOT MSVC)
 	if(USE_ASAN)
 		set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fsanitize=address")
 	endif()
-	# todo(leogr): this should be passed down to libs cmake modules RTLD_DEEPBIND flag is
-	# incompatible with sanitizer runtime (see https://github.com/google/sanitizers/issues/611 for
-	# details)
-	add_compile_definitions(DISABLE_RTLD_DEEPBIND=$<IF:$<BOOL:${USE_ASAN}>,1,0>)
 
 	if(USE_UBSAN)
 		set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fsanitize=undefined")

cmake/modules/driver.cmake

@@ -35,9 +35,9 @@ else()
 	# FALCOSECURITY_LIBS_VERSION. In case you want to test against another driver version (or
 	# branch, or commit) just pass the variable - ie., `cmake -DDRIVER_VERSION=dev ..`
 	if(NOT DRIVER_VERSION)
-		set(DRIVER_VERSION "1de61cd2b7abcfbb492b5da7fbeaef5b0a5c0f20")
+		set(DRIVER_VERSION "9.1.0+driver")
 		set(DRIVER_CHECKSUM
-			"SHA256=fe98c0343954a7789c6cef692480905a60d943de657385d109b537e23689146e"
+			"SHA256=14cba5b610bf48cd0a0a94b1156ed86bfb552c7ed24b68b1028360fa3af18cbb"
 		)
 	endif()
 

cmake/modules/falcoctl.cmake

@@ -20,16 +20,16 @@ option(ADD_FALCOCTL_DEPENDENCY "Add falcoctl dependency while building falco" ON
 if(ADD_FALCOCTL_DEPENDENCY)
 	string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-	set(FALCOCTL_VERSION "0.11.4")
+	set(FALCOCTL_VERSION "0.12.2")
 
 	message(STATUS "Building with falcoctl: ${FALCOCTL_VERSION}")
 
 	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
 		set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-		set(FALCOCTL_HASH "8015cadcb4328abcbf140c3ca88031cd46426f7f3279d2802f0937ab1e41d66c")
+		set(FALCOCTL_HASH "7e0e232aa73825383d3382b3af8a38466289a768f9c1c7f25bd7e11a3ed6980a")
 	else() # aarch64
 		set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-		set(FALCOCTL_HASH "246874f1168abb7a8463509c6191ede460e5a2b8a39058ef5c4a17b67cb86c85")
+		set(FALCOCTL_HASH "9b7dd75189f997da6423bcdb5dfe68840f20c56f95d30d323d26d0c4bd75a8e3")
 	endif()
 
 	ExternalProject_Add(

cmake/modules/falcosecurity-libs.cmake

@@ -42,9 +42,9 @@ else()
 	# version (or branch, or commit) just pass the variable - ie., `cmake
 	# -DFALCOSECURITY_LIBS_VERSION=dev ..`
 	if(NOT FALCOSECURITY_LIBS_VERSION)
-		set(FALCOSECURITY_LIBS_VERSION "1de61cd2b7abcfbb492b5da7fbeaef5b0a5c0f20")
+		set(FALCOSECURITY_LIBS_VERSION "0.23.1")
 		set(FALCOSECURITY_LIBS_CHECKSUM
-			"SHA256=fe98c0343954a7789c6cef692480905a60d943de657385d109b537e23689146e"
+			"SHA256=38c580626b072ed24518e8285a629923c8c4c6d6794b91b3b93474db7fd85cf7"
 		)
 	endif()
 

cmake/modules/rules.cmake

@@ -18,9 +18,9 @@ include(ExternalProject)
 
 if(NOT DEFINED FALCOSECURITY_RULES_FALCO_PATH)
 	# falco_rules.yaml
-	set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-5.0.0-rc1")
+	set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-5.0.0")
 	set(FALCOSECURITY_RULES_FALCO_CHECKSUM
-		"SHA256=0dd309a8d6ef2e98600da117a958c399d8c682ca7b27883528ccf5ed39867545"
+		"SHA256=ca87d972e102a9f960fed41f90d2736a73079fcc7e787187028f455ad58b1637"
 	)
 	set(FALCOSECURITY_RULES_FALCO_PATH
 		"${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml"

docker/driver-loader-buster/Dockerfile

@@ -17,11 +17,12 @@ LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc
 ARG TARGETARCH
 
 ARG VERSION_BUCKET=deb
-ENV VERSION_BUCKET=${VERSION_BUCKET}
-
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV HOST_ROOT=/host
-ENV HOME=/root
+ARG HOST_ROOT=/host
+ARG HOME=/root
+ENV FALCO_VERSION="${FALCO_VERSION}" \
+    VERSION_BUCKET="${VERSION_BUCKET}" \
+    HOST_ROOT="${HOST_ROOT}" \
+    HOME="${HOME}"
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
@@ -136,6 +137,6 @@ RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dep
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 
-COPY ./docker/driver-loader-buster/docker-entrypoint.sh /
+COPY docker/driver-loader-buster/docker-entrypoint.sh /
 
 ENTRYPOINT ["/docker-entrypoint.sh"]

docker/falco-debian/Dockerfile

@@ -15,14 +15,15 @@ LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /proc:/host/proc:ro -v /etc:/host/etc:ro falcosecurity/falco:latest-debian"
 
 ARG VERSION_BUCKET=deb
+ARG HOST_ROOT=/host
+ARG HOME=/root
 
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV VERSION_BUCKET=${VERSION_BUCKET}
+ENV FALCO_VERSION="${FALCO_VERSION}" \
+    VERSION_BUCKET="${VERSION_BUCKET}" \
+    HOST_ROOT="${HOST_ROOT}" \
+    HOME="${HOME}"
 
-ENV HOST_ROOT=/host
-ENV HOME=/root
-
-RUN apt-get -y update && apt-get -y install ca-certificates curl jq ca-certificates gnupg2 \
+RUN apt-get -y update && apt-get -y install curl jq ca-certificates gnupg2 \
 	&& apt clean -y && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /
@@ -35,6 +36,6 @@ RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
 	&& rm -rf /var/lib/apt/lists/*
 
 # Change the falco config within the container to enable ISO 8601 output.
-ADD ./config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
+ADD config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
 
 CMD ["/usr/bin/falco"]

docker/falco/Dockerfile

@@ -16,30 +16,33 @@ LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run
 # NOTE: for the "least privileged" use case, please refer to the official documentation
 
 ARG VERSION_BUCKET=bin
+ARG HOST_ROOT=/host
+ARG HOME=/root
 
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV VERSION_BUCKET=${VERSION_BUCKET}
-ENV HOST_ROOT=/host
-ENV HOME=/root
+ENV FALCO_VERSION="${FALCO_VERSION}" \
+    VERSION_BUCKET="${VERSION_BUCKET}" \
+    HOST_ROOT="${HOST_ROOT}" \
+    HOME="${HOME}"
 
 RUN apk update && apk add curl ca-certificates jq libstdc++
 
 WORKDIR /
 
-RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
+RUN ARCH=$(uname -m) && \
+    FALCO_VERSION_URLENCODED=$(echo -n "${FALCO_VERSION}" | jq -sRr @uri) && \
+    echo "Downloading Falco ${FALCO_VERSION} for ${ARCH}" && \
     curl -L -o falco.tar.gz \
-    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-${FALCO_VERSION_URLENCODED}-$(uname -m).tar.gz && \
+    https://download.falco.org/packages/${VERSION_BUCKET}/${ARCH}/falco-${FALCO_VERSION_URLENCODED}-${ARCH}.tar.gz && \
     tar -xvf falco.tar.gz && \
     rm -f falco.tar.gz && \
-    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
+    mv falco-${FALCO_VERSION}-${ARCH} falco && \
     rm -rf /falco/usr/src/falco-* && \
     cp -r /falco/* / && \
-    rm -rf /falco
+    rm -rf /falco && \
+    rm -rf /usr/bin/falcoctl /etc/falcoctl/
+
 
 # Change the falco config within the container to enable ISO 8601 output.
-ADD ./config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
-
-# Falcoctl is not included here.
-RUN rm -rf /usr/bin/falcoctl /etc/falcoctl/
+ADD config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
 
 CMD ["/usr/bin/falco"]

falco.yaml

@@ -70,9 +70,9 @@
 #     file_output [Stable]
 #     http_output [Stable]
 #     program_output [Stable]
-#     grpc_output [Stable]
+#     grpc_output [Deprecated]
 # Falco exposed services
-#     grpc [Stable]
+#     grpc [Deprecated]
 #     webserver [Stable]
 # Falco logging / alerting / metrics related to software functioning (basic)
 #     log_stderr [Stable]
@@ -282,12 +282,14 @@ rules_files:
 #
 # -- Falco supports different engines to generate events.
 # Choose the appropriate engine kind based on your system's configuration and requirements.
+# DEPRECATION NOTICE: the Legacy eBPF probe and the gVisor engine are currently deprecated. Consider using other
+# engines.
 #
 # Available engines:
 # - `kmod`: Kernel Module
-# - `ebpf`: Legacy eBPF probe
+# - `ebpf`: Legacy eBPF probe (deprecated)
 # - `modern_ebpf`: Modern eBPF (CO-RE eBPF probe)
-# - `gvisor`: gVisor sandbox
+# - `gvisor`: gVisor sandbox (deprecated)
 # - `replay`: Replay a scap trace file
 # - `nodriver`: No driver is injected into the system.
 #   This is useful to debug and to run plugins with 'syscall' source.
@@ -438,7 +440,8 @@ engine:
   kmod:
     buf_size_preset: 4
     drop_failed_exit: false
-  # -- Engine-specific configuration for Legacy eBPF (ebpf) engine.
+  # -- Engine-specific configuration for Legacy eBPF (ebpf) engine. DEPRECATION NOTICE: the Legacy eBPF engine is
+  # deprecated.
   ebpf:
     # -- Path to the elf file to load.
     probe: ${HOME}/.falco/falco-bpf.o
@@ -453,7 +456,7 @@ engine:
   replay:
     # -- Path to the capture file to replay (eg: /path/to/file.scap)
     capture_file: ""
-  # -- Engine-specific configuration for gVisor (gvisor) engine.
+  # -- Engine-specific configuration for gVisor (gvisor) engine. DEPRECATION NOTICE: the gVisor engine is deprecated.
   gvisor:
     # -- A Falco-compatible configuration file can be generated with
     # '--gvisor-generate-config' and utilized for both runsc and Falco.
@@ -798,7 +801,7 @@ append_output:
 # Falco outputs channels #
 ##########################
 
-# Falco supports various output channels, such as syslog, stdout, file, gRPC,
+# Falco supports various output channels, such as syslog, stdout, file, gRPC (deprecated),
 # webhook, and more. You can enable or disable these channels as needed to
 # control where Falco alerts and log messages are directed. This flexibility
 # allows seamless integration with your preferred logging and alerting systems.
@@ -894,14 +897,14 @@ program_output:
   # -- The program to execute.
   program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
 
-# [Stable] `grpc_output`
+# [Deprecated] `grpc_output`
 #
-# -- Use gRPC as an output service.
+# -- Use gRPC as an output service. DEPRECATION NOTICE: The gRPC output is deprecated. Consider using other outputs.
 #
 # gRPC is a modern and high-performance framework for remote procedure calls
 # (RPC). It utilizes protocol buffers for efficient data serialization. The gRPC
 # output in Falco provides a modern and efficient way to integrate with other
-# systems. By default the setting is turned off. Enabling this option stores
+# systems. By default, the setting is turned off. Enabling this option stores
 # output events in memory until they are consumed by a gRPC client. Ensure that
 # you have a consumer for the output events or leave it disabled.
 grpc_output:
@@ -912,7 +915,10 @@ grpc_output:
 # Falco exposed services #
 ##########################
 
-# [Stable] `grpc`
+# [Deprecated] `grpc`
+#
+# -- A gRPC server (needed by the gRPC output). DEPRECATION NOTICE: The gRPC server is deprecated as a consequence of
+# the gRPC output deprecation.
 #
 # Falco provides support for running a gRPC server using two main binding types:
 # 1. Over the network with mandatory mutual TLS authentication (mTLS), which

proposals/20251215-legacy-bpf-grpc-output-gvisor-engine-deprecation.md

@@ -0,0 +1,127 @@
+# Legacy eBPF probe, gVisor libscap engine and gRPC output deprecations
+
+## Summary
+
+This proposal aims to formalize motivations and procedures for deprecating the legacy eBPF probe, the gRPC output and
+the gVisor libscap engine.
+
+One of the key objectives of Falco is to maintain a seamless user experience, regardless of the system call event source
+actually used. This objective imposes strong requirements among all drivers and engines acting as system call source
+(i.e.: gVisor libscap engine), feature parity, among each other, above all. Feature parity raises challenges from both
+technical and maintainability perspectives, and these challenges are not justified if the driver/engine is no/little
+used. For these reasons, this document aims for raising consensus regarding the legacy eBPF probe and gRPC output
+deprecation.
+
+Similar arguments could be raised in favor of the gRPC output deprecation: this output requires dependency on the
+gRPC framework, that introduces a non-negligible build time overhead and maintainability burden (especially in a C++
+codebase), not justified by the little usage of the output.
+
+Upcoming evidences of non-negligible use of the gVisor engine and the gRPC output could be addressed by providing a
+separate source plugin in case of gVisor, and a Falco Sidekick output as a replacement of the gRPC output.
+
+## Motivation
+
+### Legacy eBPF probe deprecation
+
+The following matrix details the current minimum kernel version officially supported by each driver, for each
+architecture:
+
+|             | Kernel module                                                                                | legacy eBPF probe                                                                           | Modern eBPF probe | Status |
+| ----------- |----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------| ----------------- | ------ |
+| **x86_64**  | >= 3.10                                                                                        | >= 4.14                                                                                     | >= 5.8            | _STABLE_ |
+| **aarch64** | >= [3.16](https://github.com/torvalds/linux/commit/055b1212d141f1f398fca548f8147787c0b6253f) | >= 4.17                                                                                     | >= 5.8            | _STABLE_ |
+| **s390x**   | >= 3.10                                                                                        | >= [5.5](https://github.com/torvalds/linux/commit/6ae08ae3dea)                              | >= 5.8            | _EXPERIMENTAL_ |
+| **riscv64** | >= [5.0](https://github.com/torvalds/linux/commit/5aeb1b36cedd3a1dfdbfe368629fed52dee34103)  | N/A                                                                                         | N/A               | _EXPERIMENTAL_ |
+| **ppc64le** | >= 3.10                                                                                        | >= [5.1](https://github.com/torvalds/linux/commit/ed1cd6deb013a11959d17a94e35ce159197632da) | >= 5.8               | _STABLE_ |
+
+The legacy eBPF probe strives to provide a little more coverage than the modern eBPF one. This increased coverage comes
+at cost of flexibility and maintainability. Indeed:
+1. it cannot leverage CORE eBPF features - as a result, falcosecurity must maintain a great number of officially
+supported eBPF objects, each one built for a specific officially-supported kernel flavor; this increases the
+maintainability burden and makes the system less flexible to kernel configurations/structures changes
+2. old kernel versions support is difficult to retain - the verifier imposes huge limitations on old kernel versions,
+and any tiny change easily result in the verifier rejecting the code
+3. it is difficult to keep it up to date with other drivers - some desired features cannot be implemented in any way
+using eBPF on old kernel flavors, due to lack of eBPF helpers/program types or verifier limitations (e.g.: there is no
+way of implementing a synchronous data harvesting mechanism like the one provided by BPF iterators). As falcosecurity
+strives for feature parity among drivers, this imposes a big limitation on the other drivers. Please notice that:
+   1. the kernel module is unconstrained on the nature of feature it can support
+   2. the modern eBPF probe can easily rely on CORE features to probe for kernel features and use them if available
+
+Besides the above, the legacy eBPF probe provides support for a range of versions that is entirely contained by the
+kernel module supported range. Additionally, different distro kernel flavors already back-port features required by the
+modern eBPF, enabling its usage on kernel older than `5.8`.
+
+The above considerations, together with the evidence of its little usage, make the legacy eBPF probe a good candidate
+for deprecation.
+
+### gVisor libscap engine deprecation
+
+gVisor libscap engine implements a system call event source by leveraging events coming from gVisor itself through gRPC.
+
+There is evidence that this engine is little used. Moreover, gVisor doesn't provide all information required to build
+all supported event types, indeed resulting in a system call source not completely equivalent to the ones provided by
+drivers. Finally, it requires `falcosecurity/libs` being dependent on protobuf, this latter introducing a non-negligible
+build time overhead and maintainability burden.
+
+Deprecating it would allow to streamline system call event sources alignment, maintainability, and reduce build time for
+both `falcosecurity/falco` and `falcosecurity/libs`.
+
+### gRPC output deprecation
+
+The gRPC output provides a mechanism through which a gRPC client can subscribe to the Falco alerts stream. This output
+leverages a gRPC server embedded into Falco.
+
+As for the legacy eBPF probe and the gVisor libscap engine, there is evidence that this output is little used. Also,
+similarly to the gVisor libscap engine, this requires Falco being dependent on the protobuf, and additionally, on the
+entire C++ gRPC framework. Finally, the little amount of data that is sent through the gRPC stream, and the
+communication model (only involving a one-way communication from the server to the client) doesn't justify the need of
+using gRPC.
+
+Deprecating it would allow to reduce the build system, streamline maintainability, and reduce build time for
+`falcosecurity/falco`.
+
+## Goals
+
+* Deprecate the legacy eBPF probe, the gVisor libscap engine, and the gRPC output
+* Detail a plan to follow during the deprecation period, before completely remove any of the aforementioned components
+
+## Non-goals
+
+* Implement a gVisor source plugin as gVisor libscap engine alternative
+* Implement the gRPC output as Falco Sidekick output
+* Detail a plan to follow after taking the decision to completely remove any of the aforementioned components
+
+## The plan
+
+This section aims to detail the plan to follow contextually and after the deprecation mark, but before taking any
+definitive removal decision about the legacy eBPF probe, the gVisor libscap engine, and the gRPC output (collectively
+referred to hereinafter as "the components" or simply "components").
+
+The deprecation of these components introduces user-facing changes that must be addressed as prescribed by the current
+deprecation policy for "non-backward compatible user-facing changes" (see
+[20231220-features-adoption-and-deprecation.md#deprecation-policy](./20231220-features-adoption-and-deprecation.md#deprecation-policy)).
+
+All components are stable, and given that the current stable Falco version is `0.43.0` (ante `1.0.0`), the minimum
+deprecation period length is 1 release: this means that components cannot be removed before Falco `0.44.0`.
+
+At high level, the action plan is to inform users, during the deprecation period, about the deprecation: this is
+achieved by emitting a deprecation notice if the user try to leverage any of the feature exposed by any component, and
+by updating the website in any of the relevant areas.
+
+During the deprecation period, but before taking decision to remove the components, projects belonging to the
+`falcosecurity` organization will be updated to not use/rely on any of these. Specifically:
+- on `falcosecurity/libs`, any CI job building and testing the legacy eBPF probe will be removed
+- on `falcosecurity/kernel-testing`, playbooks will not build and test the legacy eBPF probe anymore
+- on `falcosecurity/event-generator`, the internal gRPC alert retriever will be replaced with an HTTP alert retriever,
+leveraging the existing HTTP output.
+
+## The non-plan
+
+This proposal does not address any design or implementation aspect of the gVisor engine and gRPC output replacement, nor
+formalizes in any way the conditions under which a replacement should be delivered. Upcoming evidences of non-negligible
+use of the gVisor engine and the gRPC output may be addressed by providing a separate source plugin in case of gVisor,
+and a Falco Sidekick output as a replacement of the gRPC output, but these latter possibilities should be intended as
+suggestions, and will not constraint in any way any related future choice.
+
+Finally, this proposal doesn't detail any aspect of the eventual removal.

scripts/debian/postinst.in

@@ -60,7 +60,7 @@ if [ "$1" = "configure" ]; then
                     1 "Manual configuration (no unit is started)" \
                     2 "Automatic selection" \
                     3 "Kmod" \
-                    4 "eBPF" \
+                    4 "eBPF (deprecated)" \
                     5 "Modern eBPF" \
                     2>&1 >/dev/tty)
         fi

scripts/falcoctl/falcoctl.yaml.in

@@ -7,10 +7,10 @@ driver:
     hostroot: "/"
 artifact:
   follow:
-    every: 6h0m0s
+    every: 168h0m0s
     falcoVersions: http://localhost:8765/versions
     refs:
-    - falco-rules:4
+    - falco-rules:5
 indexes:
 - name: falcosecurity
   url: https://falcosecurity.github.io/falcoctl/index.yaml

scripts/publish-rpm

@@ -14,6 +14,16 @@ check_program() {
   fi
 }
 
+# Sign RPM packages with embedded GPG signature using rpmsign
+#
+# $@: paths of RPM files to sign.
+rpmsign_packages() {
+    echo "Signing RPM packages with rpmsign..."
+    rpmsign --define '_gpg_name Falcosecurity Package Signing' --resign "$@"
+    echo "Verifying RPM signatures..."
+    rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}: %|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none)}|}|\n' "$@"
+}
+
 # Updates the signature of a RPM package in the local repository
 #
 # $1: path of the repository.
@@ -127,6 +137,8 @@ fi
 check_program createrepo
 check_program gpg
 check_program aws
+check_program rpmsign
+check_program rpm
 
 # settings
 s3_bucket_repo="s3://falco-distribution/packages/${repo}"
@@ -140,19 +152,32 @@ aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
 
 # update signatures for all existing packages
 if [ "${sign_all}" ]; then
+  # collect all RPM files
+  rpm_files=()
   for file in ${tmp_repo_path}/*; do
-    if [ -f "$file" ]; then # exclude directories, symlinks, etc...
-      if [[ ! $file == *.asc ]]; then # exclude signature files
-        package=$(basename -- ${file})
-        echo "Signing ${package}..."
-        sign_rpm ${tmp_repo_path} ${file}
-
-        echo "Syncing ${package}.asc to ${s3_bucket_repo}..."
-        aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
-      fi
+    if [ -f "$file" ] && [[ $file == *.rpm ]]; then
+      rpm_files+=("$file")
     fi
   done
+
+  # sign all RPM packages with embedded GPG signature
+  if [ ${#rpm_files[@]} -gt 0 ]; then
+    rpmsign_packages "${rpm_files[@]}"
+  fi
+
+  # create detached signatures and upload
+  for file in "${rpm_files[@]}"; do
+    package=$(basename -- ${file})
+    echo "Creating detached signature for ${package}..."
+    sign_rpm ${tmp_repo_path} ${file}
+
+    echo "Syncing ${package} and ${package}.asc to ${s3_bucket_repo}..."
+    aws s3 cp ${tmp_repo_path}/${package} ${s3_bucket_repo}/${package} --acl public-read
+    aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
+  done
+  aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/*.rpm
   aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/*.asc
+  update_repo ${tmp_repo_path}
   sign_repo ${tmp_repo_path}
 fi
 
@@ -161,8 +186,9 @@ if [[ ${repo} == "rpm-dev" ]]; then
   reduce_dir_size ${tmp_repo_path} 10 rpm
 fi
 
-# update the repo by adding new packages
+# sign and add new packages to the repo
 if ! [ ${#files[@]} -eq 0 ]; then
+  rpmsign_packages "${files[@]}"
   for file in "${files[@]}"; do
     echo "Adding ${file}..."
     add_rpm ${tmp_repo_path} ${file}

scripts/rpm/postinstall.in

@@ -59,7 +59,7 @@ if [ $1 -ge 1 ]; then
                     1 "Manual configuration (no unit is started)" \
                     2 "Automatic selection" \
                     3 "Kmod" \
-                    4 "eBPF" \
+                    4 "eBPF (deprecated)" \
                     5 "Modern eBPF" \
                     2>&1 >/dev/tty)
         fi

userspace/engine/falco_engine_version.h

@@ -20,7 +20,7 @@ limitations under the License.
 
 // The version of this Falco engine
 #define FALCO_ENGINE_VERSION_MAJOR 0
-#define FALCO_ENGINE_VERSION_MINOR 57
+#define FALCO_ENGINE_VERSION_MINOR 58
 #define FALCO_ENGINE_VERSION_PATCH 0
 
 #define FALCO_ENGINE_VERSION                                                               \
@@ -36,4 +36,4 @@ limitations under the License.
 // It represents the fields supported by this version of Falco,
 // the event types, and the underlying driverevent schema. It's used to
 // detetect changes in engine version in our CI jobs.
-#define FALCO_ENGINE_CHECKSUM "a9787fa5f87bfec984774540fa9c0282c06ea04696625c3a90898bb108c5cb16"
+#define FALCO_ENGINE_CHECKSUM "952fa3356bfd266419810be51ae659eab48093a66da26fff3897022a9de2c08c"

userspace/engine/falco_load_result.cpp

@@ -143,7 +143,12 @@ const std::string& falco::load_result::warning_desc(warning_code wc) {
 	return warning_descs[static_cast<int>(wc)];
 }
 
-static const std::string deprecated_fields[] = {"evt.dir"};
+static const std::string deprecated_fields[] = {"evt.dir",
+                                                "evt.latency",
+                                                "evt.latency.s",
+                                                "evt.latency.ns",
+                                                "evt.latency.human",
+                                                "evt.wait_latency"};
 
 // Compile-time check to ensure deprecated_fields array has the correct size
 static_assert(
@@ -155,10 +160,19 @@ const std::string& falco::load_result::deprecated_field_str(deprecated_field df)
 	return deprecated_fields[static_cast<int>(df)];
 }
 
+// Shared description suffix for latency fields
+static const std::string latency_field_desc_suffix =
+        "field is not available due to the drop of enter events.";
+
 static const std::string deprecated_field_descs[] = {
         "due to the drop of enter events, 'evt.dir = <' always evaluates to true, and 'evt.dir = "
         ">' always evaluates to false. The rule expression can be simplified by removing the "
-        "condition on 'evt.dir'"};
+        "condition on 'evt.dir'",
+        latency_field_desc_suffix,
+        latency_field_desc_suffix,
+        latency_field_desc_suffix,
+        latency_field_desc_suffix,
+        latency_field_desc_suffix};
 
 // Compile-time check to ensure deprecated_field_descs array has the correct size
 static_assert(

userspace/engine/falco_load_result.h

@@ -75,7 +75,15 @@ public:
 	// impact.
 	static const std::string& warning_desc(warning_code ec);
 
-	enum class deprecated_field { DEPRECATED_FIELD_EVT_DIR, DEPRECATED_FIELD_NOT_FOUND };
+	enum class deprecated_field {
+		DEPRECATED_FIELD_EVT_DIR,
+		DEPRECATED_FIELD_EVT_LATENCY,
+		DEPRECATED_FIELD_EVT_LATENCY_S,
+		DEPRECATED_FIELD_EVT_LATENCY_NS,
+		DEPRECATED_FIELD_EVT_LATENCY_HUMAN,
+		DEPRECATED_FIELD_EVT_WAIT_LATENCY,
+		DEPRECATED_FIELD_NOT_FOUND
+	};
 
 	// The deprecated field as a string
 	static const std::string& deprecated_field_str(deprecated_field df);

userspace/engine/rule_loader.h

@@ -216,7 +216,7 @@ struct deprecated_field_warning : warning {
 
 	std::string as_string() const override {
 		return warning::as_string() + ": field '" + falco::load_result::deprecated_field_str(df) +
-		       "' is deprecated";
+		       "'";
 	};
 	std::string description() const override {
 		return warning::description() + ": " + falco::load_result::deprecated_field_desc(df);

userspace/falco/app/actions/load_config.cpp

@@ -78,14 +78,14 @@ falco::app::run_result falco::app::actions::load_config(const falco::app::state&
 falco::app::run_result falco::app::actions::require_config_file(const falco::app::state& s) {
 #ifndef __EMSCRIPTEN__
 	if(s.options.conf_filename.empty()) {
-#ifndef BUILD_TYPE_RELEASE
+#ifdef BUILD_TYPE_DEBUG
 		return run_result::fatal(std::string("You must create a config file at ") +
 		                         FALCO_SOURCE_CONF_FILE + ", " + FALCO_INSTALL_CONF_FILE +
 		                         " or by passing -c");
-#else   // BUILD_TYPE_RELEASE
+#else
 		return run_result::fatal(std::string("You must create a config file at ") +
 		                         FALCO_INSTALL_CONF_FILE + " or by passing -c");
-#endif  // BUILD_TYPE_RELEASE
+#endif
 	}
 #endif  // __EMSCRIPTEN__
 	return run_result::ok();

userspace/falco/app/actions/print_generated_gvisor_config.cpp

@@ -17,6 +17,7 @@ limitations under the License.
 
 #include "config_falco.h"
 #include "actions.h"
+#include "logger.h"
 
 using namespace falco::app;
 using namespace falco::app::actions;
@@ -26,6 +27,10 @@ falco::app::run_result falco::app::actions::print_generated_gvisor_config(falco:
 		return run_result::ok();
 	}
 
+	falco_logger::log(falco_logger::level::WARNING,
+	                  "Using feature for deprecated gVisor engine. Please consider switching to "
+	                  "another engine.");
+
 	sinsp i;
 	std::string gvisor_config =
 	        i.generate_gvisor_config(s.options.gvisor_generate_config_with_socket);

userspace/falco/app/actions/process_events.cpp

@@ -320,9 +320,16 @@ static falco::app::run_result do_inspect(
 					if(capture_mode_t::RULES == s.config->m_capture_mode && rule_res.capture) {
 						capture = true;
 					}
-					// Extend deadline if defined by the rule
-					if((rule_res.capture_duration_ns + ev->get_ts()) > dump_deadline_ts) {
-						dump_deadline_ts = ev->get_ts() + rule_res.capture_duration_ns;
+					// Compute the capture deadline for this event,
+					// based on the rule’s duration or the default one if unspecified
+					auto evt_deadline_ts =
+					        ev->get_ts() + (rule_res.capture_duration_ns > 0
+					                                ? rule_res.capture_duration_ns
+					                                : s.config->m_capture_default_duration_ns);
+					// Update the capture deadline if this event needs to extend it beyond the
+					// current deadline or if no deadline is currently set
+					if(evt_deadline_ts > dump_deadline_ts) {
+						dump_deadline_ts = evt_deadline_ts;
 					}
 				}
 			}
@@ -336,10 +343,6 @@ static falco::app::run_result do_inspect(
 				                                     ev->get_num()),
 				             true);  // Enable compression
 				dump_started_ts = ev->get_ts();
-				// If no rule has set a deadline, use the default one
-				if(dump_deadline_ts == 0) {
-					dump_deadline_ts = dump_started_ts + s.config->m_capture_default_duration_ns;
-				}
 			}
 		}
 

userspace/falco/app/options.cpp

@@ -51,7 +51,7 @@ bool options::parse(int argc, char **argv, std::string &errstr) {
 			return false;
 		}
 	} else {
-#ifndef BUILD_TYPE_RELEASE
+#ifdef BUILD_TYPE_DEBUG
 		conf_stream.open(FALCO_SOURCE_CONF_FILE);
 		if(conf_stream.is_open()) {
 			conf_filename = FALCO_SOURCE_CONF_FILE;
@@ -93,7 +93,7 @@ void options::define(cxxopts::Options& opts)
 {
 	opts.add_options()
 		("h,help",                   "Print this help list and exit.", cxxopts::value(help)->default_value("false"))
-#ifdef BUILD_TYPE_RELEASE
+#ifndef BUILD_TYPE_DEBUG
 		("c",                        "Configuration file. If not specified uses " FALCO_INSTALL_CONF_FILE ".", cxxopts::value(conf_filename), "<path>")
 #else
 		("c",                        "Configuration file. If not specified tries " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ".", cxxopts::value(conf_filename), "<path>")
@@ -104,7 +104,7 @@ void options::define(cxxopts::Options& opts)
 		("dry-run",                  "Run Falco without processing events. It can help check that the configuration and rules do not have any errors.", cxxopts::value(dry_run)->default_value("false"))
 		("enable-source",            "Enable a specific <event_source>. By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times. When using this option, only the event sources specified by it will be enabled. This option can not be mixed with --disable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(enable_sources), "<event_source>")
 #ifdef HAS_GVISOR
-		("gvisor-generate-config",   "Generate a configuration file that can be used for gVisor and exit. See --gvisor-config for more details.", cxxopts::value<std::string>(gvisor_generate_config_with_socket)->implicit_value("/run/falco/gvisor.sock"), "<socket_path>")
+		("gvisor-generate-config",   "DEPRECATED: Generate a configuration file that can be used for gVisor and exit.", cxxopts::value<std::string>(gvisor_generate_config_with_socket)->implicit_value("/run/falco/gvisor.sock"), "<socket_path>")
 #endif
 		("i",                        "Print those events that are ignored by default for performance reasons and exit.", cxxopts::value(print_ignored_events)->default_value("false"))
 		("L",                        "Show the name and description of all rules and exit. If json_output is set to true, it prints details about all rules, macros, and lists in JSON format.", cxxopts::value(describe_all_rules)->default_value("false"))
@@ -117,7 +117,7 @@ void options::define(cxxopts::Options& opts)
 		("N",                        "Only print field names when used in conjunction with the --list option. It has no effect when used with other options.", cxxopts::value(names_only)->default_value("false"))
 		("o,option",                 "Set the value of option <opt> to <val>. Overrides values in the configuration file. <opt> can be identified using its location in the configuration file using dot notation. Elements of list entries can be accessed via square brackets [].\n    E.g. base.id = val\n         base.subvalue.subvalue2 = val\n         base.list[1]=val", cxxopts::value(cmdline_config_options), "<opt>=<val>")
 		("plugin-info",              "Print info for the plugin specified by <plugin_name> and exit.\nThis includes all descriptive information like name and author, along with the\nschema format for the init configuration and a list of suggested open parameters.\n<plugin_name> can be the plugin's name or its configured 'library_path'.", cxxopts::value(print_plugin_info), "<plugin_name>")
-		("p,print",                  "DEPRECATED: use -o append_output... instead. Print additional information in the rule's output.\nUse -pc or -pcontainer to append container details to syscall events.\nUse -pk or -pkubernetes to add both container and Kubernetes details to syscall events.\nIf using gVisor, choose -pcg or -pkg variants (or -pcontainer-gvisor and -pkubernetes-gvisor, respectively).\nThe details will be directly appended to the rule's output.\nAlternatively, use -p <output_format> for a custom format. In this case, the given <output_format> will be appended to the rule's output without any replacement to all events, including plugin events.", cxxopts::value(print_additional), "<output_format>")
+		("p,print",                  "DEPRECATED: use -o append_output... instead. Print additional information in the rule's output.\nUse -pc or -pcontainer to append container details to syscall events.\nUse -pk or -pkubernetes to add both container and Kubernetes details to syscall events.\nThe details will be directly appended to the rule's output.\nAlternatively, use -p <output_format> for a custom format. In this case, the given <output_format> will be appended to the rule's output without any replacement to all events, including plugin events.", cxxopts::value(print_additional), "<output_format>")
 		("P,pidfile",                "Write PID to specified <pid_file> path. By default, no PID file is created.", cxxopts::value(pidfilename)->default_value(""), "<pid_file>")
 		("r",                        "Rules file or directory to be loaded. This option can be passed multiple times. Falco defaults to the values in the configuration file when this option is not specified. Only files with .yml or .yaml extension are considered.", cxxopts::value<std::vector<std::string>>(), "<rules_file>")
 		("support",                  "Print support information, including version, rules files used, loaded configuration, etc., and exit. The output is in JSON format.", cxxopts::value(print_support)->default_value("false"))

userspace/falco/configuration.cpp

@@ -254,6 +254,12 @@ void falco_configuration::load_engine_config(const std::string &config_name) {
 		                       driver_mode_str + "' is not a valid kind.");
 	}
 
+	if(m_engine_mode == engine_kind_t::EBPF || m_engine_mode == engine_kind_t::GVISOR) {
+		falco_logger::log(falco_logger::level::WARNING,
+		                  "Using deprecated engine '" + driver_mode_str +
+		                          "'. Please consider switching to another engine.");
+	}
+
 	switch(m_engine_mode) {
 	case engine_kind_t::KMOD:
 		m_kmod.m_buf_size_preset = m_config.get_scalar<int16_t>("engine.kmod.buf_size_preset",
@@ -473,6 +479,11 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 	}
 
 	m_grpc_enabled = m_config.get_scalar<bool>("grpc.enabled", false);
+	if(m_grpc_enabled) {
+		falco_logger::log(falco_logger::level::WARNING,
+		                  "Using deprecated gRPC server (deprecated as consequence of gRPC output "
+		                  "deprecation).");
+	}
 	m_grpc_bind_address = m_config.get_scalar<std::string>("grpc.bind_address", "0.0.0.0:5060");
 	m_grpc_threadiness = m_config.get_scalar<uint32_t>("grpc.threadiness", 0);
 	if(m_grpc_threadiness == 0) {
@@ -488,8 +499,13 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 
 	falco::outputs::config grpc_output;
 	grpc_output.name = "grpc";
+	const auto grpc_output_enabled = m_config.get_scalar<bool>("grpc_output.enabled", true);
+	if(grpc_output_enabled) {
+		falco_logger::log(falco_logger::level::WARNING,
+		                  "Using deprecated gRPC output. Please consider using other outputs.");
+	}
 	// gRPC output is enabled only if gRPC server is enabled too
-	if(m_config.get_scalar<bool>("grpc_output.enabled", true) && m_grpc_enabled) {
+	if(grpc_output_enabled && m_grpc_enabled) {
 		m_outputs.push_back(grpc_output);
 	}
 

userspace/falco/falco_metrics.cpp

@@ -150,13 +150,15 @@ std::string falco_metrics::falco_to_text_prometheus(
 	// # HELP falcosecurity_falco_outputs_queue_num_drops_total https://falco.org/docs/metrics/
 	// # TYPE falcosecurity_falco_outputs_queue_num_drops_total counter
 	// falcosecurity_falco_outputs_queue_num_drops_total 0
-	additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
-	        "outputs_queue_num_drops",
-	        METRICS_V2_MISC,
-	        METRIC_VALUE_TYPE_U64,
-	        METRIC_VALUE_UNIT_COUNT,
-	        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
-	        state.outputs->get_outputs_queue_num_drops()));
+	if(state.outputs != nullptr) {
+		additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
+		        "outputs_queue_num_drops",
+		        METRICS_V2_MISC,
+		        METRIC_VALUE_TYPE_U64,
+		        METRIC_VALUE_UNIT_COUNT,
+		        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+		        state.outputs->get_outputs_queue_num_drops()));
+	}
 
 	// # HELP falcosecurity_falco_reload_timestamp_nanoseconds https://falco.org/docs/metrics/
 	// # TYPE falcosecurity_falco_reload_timestamp_nanoseconds gauge

userspace/falco/outputs_program.cpp

@@ -16,12 +16,22 @@ limitations under the License.
 */
 
 #include "outputs_program.h"
+#include "logger.h"
 #include <stdio.h>
+#include <cerrno>
+#include <cstring>
 
 void falco::outputs::output_program::open_pfile() {
 	if(m_pfile == nullptr) {
 		m_pfile = popen(m_oc.options["program"].c_str(), "w");
 
+		if(m_pfile == nullptr) {
+			falco_logger::log(falco_logger::level::ERR,
+			                  "Failed to open program output: " + m_oc.options["program"] +
+			                          " (error: " + std::string(std::strerror(errno)) + ")");
+			return;
+		}
+
 		if(!m_buffered) {
 			setvbuf(m_pfile, NULL, _IONBF, 0);
 		}
@@ -31,7 +41,9 @@ void falco::outputs::output_program::open_pfile() {
 void falco::outputs::output_program::output(const message *msg) {
 	open_pfile();
 
-	fprintf(m_pfile, "%s\n", msg->msg.c_str());
+	if(m_pfile != nullptr) {
+		fprintf(m_pfile, "%s\n", msg->msg.c_str());
+	}
 
 	if(m_oc.options["keep_alive"] != "true") {
 		cleanup();

userspace/falco/outputs_program.h

@@ -32,7 +32,7 @@ class output_program : public abstract_output {
 private:
 	void open_pfile();
 
-	FILE *m_pfile;
+	FILE *m_pfile = nullptr;
 };
 
 }  // namespace outputs