temp

Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>

cmake/cpack/CMakeCPackOptions.cmake

@@ -1,13 +1,10 @@
-if(CPACK_GENERATOR MATCHES "DEB")
+if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-endif()
-
-if(CPACK_GENERATOR MATCHES "RPM")
-	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-plugin.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 
 if(CPACK_GENERATOR MATCHES "TGZ")

cmake/modules/driver.cmake

@@ -26,8 +26,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "3.0.1+driver")
-    set(DRIVER_CHECKSUM "SHA256=f50003043c804aa21990560de02db42e203ee09d050112a4a5dd2b05f22a8a6c")
+    set(DRIVER_VERSION "bb9702d5d3d3358804b1d483e7648dc55a2b7826")
+    set(DRIVER_CHECKSUM "SHA256=447aa085ccedcd649e91f68aefff13d4ca2a9ddc0faa5c4e30dd76d45ae47267")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/falcosecurity-libs-repo/CMakeLists.txt

@@ -19,7 +19,7 @@ message(STATUS "Libs version: ${FALCOSECURITY_LIBS_VERSION}")
 
 ExternalProject_Add(
   falcosecurity-libs
-  URL "https://github.com/falcosecurity/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
+  URL "https://github.com/Andreagit97/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
   URL_HASH "${FALCOSECURITY_LIBS_CHECKSUM}"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""

cmake/modules/falcosecurity-libs.cmake

@@ -27,8 +27,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "0.9.0")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=5319a1b6a72eba3d9524cf084be5fc2ed81e3e90b3bee8edbe58b8646af0cbcb")
+    set(FALCOSECURITY_LIBS_VERSION "bb9702d5d3d3358804b1d483e7648dc55a2b7826")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=447aa085ccedcd649e91f68aefff13d4ca2a9ddc0faa5c4e30dd76d45ae47267")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

docker/tester/Dockerfile

@@ -15,7 +15,7 @@ RUN if [ "$TARGETARCH" = "amd64" ] ; then curl -L -o grpcurl.tar.gz \
     https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_arm64.tar.gz; \
     fi;
 
-RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
+RUN dnf install -y python-pip python docker findutils jq unzip sed curl && dnf clean all
 ENV PATH="/root/.local/bin/:${PATH}"
 RUN pip install --user avocado-framework==69.0
 RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0

scripts/CMakeLists.txt

@@ -15,26 +15,28 @@
 # limitations under the License.
 #
 
+# Systemd
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
+		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
+		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-bpf.service"
+		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-modern-bpf.service"
+		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-plugin.service"
+		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+
+# Debian
 configure_file(debian/postinst.in debian/postinst)
 configure_file(debian/postrm.in debian/postrm)
 configure_file(debian/prerm.in debian/prerm)
 
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
-
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco_inject_kmod.service"
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
-
+# Rpm
 configure_file(rpm/postinstall.in rpm/postinstall)
 configure_file(rpm/postuninstall.in rpm/postuninstall)
 configure_file(rpm/preuninstall.in rpm/preuninstall)
 
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
-
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco_inject_kmod.service"
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
-
 configure_file(falco-driver-loader falco-driver-loader @ONLY)
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")

scripts/debian/falco_inject_kmod.service

@@ -1,13 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security
-Documentation=https://falco.org/docs/
-Before=falco.service
-Wants=falco.service
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/sbin/modprobe falco
-
-[Install]
-WantedBy=multi-user.target

scripts/debian/postinst.in

@@ -17,58 +17,65 @@
 #
 set -e
 
-DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
-DKMS_VERSION="@DRIVER_VERSION@"
-NAME="@PACKAGE_NAME@"
+chosen_driver=
 
-postinst_found=0
+if [ "$1" = "configure" ]; then
+        if [ -x /usr/bin/dialog ]; then
+          # If dialog is installed, create a dialog to let users choose the correct driver for them
+          CHOICE=$(dialog --clear --backtitle "Choose your preferred driver" --title "Falco driver" --menu "Choose one of the following options:" 15 40 4 \
+                1 "Don't start" \
+                2 "Kmod" \
+                3 "eBPF" \
+                4 "Modern eBPF" \
+                5 "Plugin" \
+                2>&1 >/dev/tty)
+            clear
+            case $CHOICE in
+                2)
+                    chosen_driver="kmod"
+                    ;;
+                3)
+                    chosen_driver="bpf"
+                    ;;
+                4)
+                    chosen_driver="modern-bpf"
+                    ;;
+                5)
+                    chosen_driver="plugin"
+                    ;;
+            esac
+        fi
+fi
 
-case "$1" in
-	configure)
-		for DKMS_POSTINST in /usr/lib/dkms/common.postinst /usr/share/$DKMS_PACKAGE_NAME/postinst; do
-			if [ -f $DKMS_POSTINST ]; then
-				$DKMS_POSTINST $DKMS_PACKAGE_NAME $DKMS_VERSION /usr/share/$DKMS_PACKAGE_NAME "" $2
-				postinst_found=1
-				break
-			fi
-		done
-		if [ "$postinst_found" -eq 0 ]; then
-			echo "ERROR: DKMS version is too old and $DKMS_PACKAGE_NAME was not"
-			echo "built with legacy DKMS support."
-			echo "You must either rebuild $DKMS_PACKAGE_NAME with legacy postinst"
-			echo "support or upgrade DKMS to a more current version."
-			exit 1
-		fi
-	;;
+# If needed, try to load/compile the driver through falco-driver-loader
+case "$chosen_driver" in
+    "kmod")
+      echo "[POST-INSTALL] Call falco-driver-loader module:\n"
+      falco-driver-loader module
+      ;;
+    "bpf")
+      echo "[POST-INSTALL] Call falco-driver-loader bpf:\n"
+      falco-driver-loader bpf
+      ;;
 esac
 
-# Based off what debhelper dh_systemd_enable/13.3.4 would have added
-# ref: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#debhelper
-
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
-        # This will only remove masks created by d-s-h on package removal.
-        deb-systemd-helper unmask 'falco.service' >/dev/null || true
-
-        # was-enabled defaults to true, so new installations run enable.
-        if deb-systemd-helper --quiet was-enabled 'falco.service'; then
-                # Enables the unit on first installation, creates new
-                # symlinks on upgrades if the unit file has changed.
-                deb-systemd-helper enable 'falco.service' >/dev/null || true
-        else
-                # Update the statefile to add new symlinks (if any), which need to be
-                # cleaned up on purge. Also remove old symlinks.
-                deb-systemd-helper update-state 'falco.service' >/dev/null || true
+        if [ -n "$chosen_driver" ]; then
+            echo "[POST-INSTALL] enable falco-$chosen_driver.service:\n"
+            systemctl --system enable "falco-$chosen_driver.service" || true
+            echo "[POST-INSTALL] start falco-$chosen_driver.service:\n"
+            systemctl --system start "falco-$chosen_driver.service" || true
         fi
 fi
 
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
-        if [ -d /run/systemd/system ]; then
-                systemctl --system daemon-reload >/dev/null || true
-                if [ -n "$2" ]; then
-                        _dh_action=restart
-                else
-                        _dh_action=start
-                fi
-                deb-systemd-invoke $_dh_action 'falco.service' >/dev/null || true
-        fi
+    if [ -d /run/systemd/system ]; then
+      echo "[POST-INSTALL] trigger deamon-reload:\n"
+      systemctl --system daemon-reload || true
+      if [ -n "$chosen_driver" ]; then
+        echo "[POST-INSTALL] trigger condrestart:\n"
+        # restart falco on upgrade if service is already running
+        systemctl --system condrestart "falco-$chosen_driver.service" || true
+      fi
+    fi
 fi

scripts/debian/postrm.in

@@ -22,18 +22,11 @@
 set -e
 
 if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
-        systemctl --system daemon-reload >/dev/null || true
-fi
-
-if [ "$1" = "remove" ]; then
-        if [ -x "/usr/bin/deb-systemd-helper" ]; then
-                deb-systemd-helper mask 'falco.service' >/dev/null || true
-        fi
-fi
-
-if [ "$1" = "purge" ]; then
-        if [ -x "/usr/bin/deb-systemd-helper" ]; then
-                deb-systemd-helper purge 'falco.service' >/dev/null || true
-                deb-systemd-helper unmask 'falco.service' >/dev/null || true
-        fi
+        echo "[POST-REMOVE] disable falco services:\n"
+        systemctl --system disable 'falco-kmod.service' || true
+        systemctl --system disable 'falco-bpf.service' || true
+        systemctl --system disable 'falco-modern-bpf.service' || true
+        systemctl --system disable 'falco-plugin.service' || true
+        echo "[POST-REMOVE] trigger deamon-reload:\n"
+        systemctl --system daemon-reload || true
 fi

scripts/debian/prerm.in

@@ -22,11 +22,16 @@ set -e
 # Currently running falco service uses the driver, so stop it before driver cleanup
 
 if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
-        deb-systemd-invoke stop 'falco.service' >/dev/null || true
+        echo "[POST-REMOVE] stop falco services:\n"
+        systemctl --system stop 'falco-kmod.service' || true
+        systemctl --system stop 'falco-bpf.service' || true
+        systemctl --system stop 'falco-modern-bpf.service' || true
+        systemctl --system stop 'falco-plugin.service' || true
 fi
 
 case "$1" in
 	remove|upgrade|deconfigure)
-		/usr/bin/falco-driver-loader --clean
+                echo "[POST-REMOVE] call falco-driver-loader --clean:\n"
+		falco-driver-loader --clean
 	;;
 esac

scripts/falco-driver-loader

@@ -114,8 +114,7 @@ get_target_id() {
 		# Older CentOS distros
 		OS_ID=centos
 	else
-		>&2 echo "Detected an unsupported target system, please get in touch with the Falco community"
-		exit 1
+		return 1
 	fi
 
 	# Overwrite the OS_ID if /etc/VERSION file is present.
@@ -164,6 +163,7 @@ get_target_id() {
 		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
 		;;
 	esac
+	return 0
 }
 
 flatcar_relocate_tools() {
@@ -211,7 +211,13 @@ load_kernel_module_compile() {
 	fi
 
 	# Try to compile using all the available gcc versions
-	for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -n -r -k 2 -t -); do
+	for CURRENT_GCC in $(ls "$(dirname "$(which gcc)")"/gcc*); do
+		# Filter away gcc-{ar,nm,...}
+		# Only gcc compiler has `-print-search-dirs` option.
+		${CURRENT_GCC} -print-search-dirs 2>&1 | grep "install:"
+		if [ "$?" -ne "0" ]; then
+			continue
+		fi
 		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
 		echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make
 		echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
@@ -232,13 +238,14 @@ load_kernel_module_compile() {
 				return
 			fi
 			echo "* ${DRIVER_NAME} module found: ${KO_FILE}"
-			echo "* Trying insmod"
+			echo "* Trying to modprobe"
 			chcon -t modules_object_t "$KO_FILE" > /dev/null 2>&1 || true
-			if insmod "$KO_FILE" > /dev/null 2>&1; then
+			depmod ${KERNEL_RELEASE}
+			if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
 				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
 				exit 0
 			else
-				echo "* Unable to insmod ${DRIVER_NAME} module"
+				echo "* Unable to load ${DRIVER_NAME} module"
 			fi
 		else
 			DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
@@ -253,8 +260,6 @@ load_kernel_module_compile() {
 }
 
 load_kernel_module_download() {
-	get_target_id
-
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
 	local URL=$(echo "${1}/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
 
@@ -262,11 +267,14 @@ load_kernel_module_download() {
 	if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
 		echo "* Download succeeded"
 		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
-		if insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}"; then
-			echo "* Success: ${DRIVER_NAME} module found and inserted"
+		mkdir -p /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/
+		cp ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME} /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/falco.ko
+		depmod ${KERNEL_RELEASE}
+		if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
+			echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe"
 			exit 0
 		else
-			>&2 echo "Unable to insmod the prebuilt ${DRIVER_NAME} module"
+			>&2 echo "Unable to load the prebuilt ${DRIVER_NAME} module"
 		fi	
 	else
 		>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} module"
@@ -374,8 +382,6 @@ load_kernel_module() {
 
 	echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"
 
-	get_target_id
-
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
 	echo "* Filename '${FALCO_KERNEL_MODULE_FILENAME}' is composed of:"
 	print_filename_components
@@ -383,7 +389,10 @@ load_kernel_module() {
 	if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
 		echo "* Found a prebuilt ${DRIVER_NAME} module at ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
 		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
-		insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
+		mkdir -p /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/
+		cp ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME} /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/falco.ko
+		depmod ${KERNEL_RELEASE}
+		modprobe "${DRIVER_NAME}" && echo "* Success: ${DRIVER_NAME} module found and loaded"
 		exit $?
 	fi
 
@@ -544,8 +553,6 @@ load_bpf_probe() {
 		mount -t debugfs nodev /sys/kernel/debug
 	fi
 
-	get_target_id
-
 	BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
 	echo "* Filename '${BPF_PROBE_FILENAME}' is composed of:"
 	print_filename_components
@@ -638,6 +645,8 @@ DRIVER_VERSION=${DRIVER_VERSION:-"@DRIVER_VERSION@"}
 DRIVER_NAME=${DRIVER_NAME:-"@DRIVER_NAME@"}
 FALCO_VERSION="@FALCO_VERSION@"
 
+TARGET_ID="placeholder" # when no target id can be fetched, we try to build the driver from source anyway, using a placeholder name
+
 DRIVER="module"
 if [ -v FALCO_BPF_PROBE ]; then
 	DRIVER="bpf"
@@ -711,6 +720,18 @@ if [ -z "$source_only" ]; then
 		exit 1
 	fi
 
+	get_target_id
+	res=$?
+	if [ $res != 0 ]; then
+		if [ -n "$ENABLE_COMPILE" ]; then
+			ENABLE_DOWNLOAD=
+			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community. Trying to compile anyway."
+		else
+			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community."
+			exit 1
+		fi
+	fi
+
 	if [ -n "$clean" ]; then
 		if [ -n "$has_opts" ]; then
 			>&2 echo "Cannot use --clean with other options"

scripts/rpm/falco_inject_kmod.service

@@ -1,13 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security
-Documentation=https://falco.org/docs/
-Before=falco.service
-Wants=falco.service
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/sbin/modprobe falco
-
-[Install]
-WantedBy=multi-user.target

scripts/rpm/postinstall.in

@@ -16,21 +16,46 @@
 #
 set -e
 
-mod_version="@DRIVER_VERSION@"
-dkms add -m falco -v $mod_version --rpm_safe_upgrade
-if [ `uname -r | grep -c "BOOT"` -eq 0 ] && [ -e /lib/modules/`uname -r`/build/include ]; then
-	dkms build -m falco -v $mod_version
-	dkms install --force -m falco -v $mod_version
-elif [ `uname -r | grep -c "BOOT"` -gt 0 ]; then
-	echo -e ""
-	echo -e "Module build for the currently running kernel was skipped since you"
-	echo -e "are running a BOOT variant of the kernel."
-else
-	echo -e ""
-	echo -e "Module build for the currently running kernel was skipped since the"
-	echo -e "kernel source for this kernel does not seem to be installed."
+chosen_driver=
+
+if [ $1 -eq 1 ]; then
+        if [ -x /usr/bin/dialog ]; then
+            # If dialog is installed, create a dialog to let users choose the correct driver for them
+            CHOICE=$(dialog --clear --backtitle "Choose your preferred driver" --title "Falco driver" --menu "Choose one of the following options:" 15 40 4 \
+                    1 "Don't start" \
+                    2 "Kmod" \
+                    3 "eBPF" \
+                    4 "Modern eBPF" \
+                    5 "Plugin" \
+                    2>&1 >/dev/tty)
+                clear
+                case $CHOICE in
+                    2)
+                        chosen_driver="kmod"
+                        ;;
+                    3)
+                        chosen_driver="bpf"
+                        ;;
+                    4)
+                        chosen_driver="modern-bpf"
+                        ;;
+                    5)
+                        chosen_driver="plugin"
+                        ;;
+                esac
+        fi
 fi
 
+# If needed, try to load/compile the driver through falco-driver-loader
+case "$chosen_driver" in
+    "kmod")
+      falco-driver-loader module
+      ;;
+    "bpf")
+      falco-driver-loader bpf
+      ;;
+esac
+
 # validate rpm macros by `rpm -qp --scripts <rpm>`
 # RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
 #                 https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
@@ -38,27 +63,23 @@ fi
 # systemd_post macro expands to
 # if postinst:
 #   `systemd-update-helper install-system-units <service>`
-%systemd_post 'falco.service'
+%systemd_post "falco-$chosen_driver.service"
 
 # post install mirrored from .deb
 if [ $1 -eq 1 ]; then
-        # This will only remove masks created on package removal.
-        /usr/bin/systemctl --system unmask 'falco.service' >/dev/null || true
-
-        # enable falco on installation
-        # note: DEB postinstall script checks for changed symlinks
-        /usr/bin/systemctl --system enable 'falco.service' >/dev/null || true
-
-        # start falco on installation
-        /usr/bin/systemctl --system start 'falco.service' >/dev/null || true
+        if [ -n "$chosen_driver" ]; then
+            systemctl --system enable "falco-$chosen_driver.service" || true
+            systemctl --system start "falco-$chosen_driver.service" || true
+        fi
 fi
 
 # post upgrade mirrored from .deb
 if [ $1 -gt 1 ]; then
     if [ -d /run/systemd/system ]; then
-        /usr/bin/systemctl --system daemon-reload >/dev/null || true
-
-        # restart falco on upgrade if service is already running
-        /usr/bin/systemctl --system condrestart 'falco.service' >/dev/null || true
+        systemctl --system daemon-reload || true
+        if [ -n "$chosen_driver" ]; then
+          # restart falco on upgrade if service is already running
+          systemctl --system condrestart "falco-$chosen_driver.service" || true
+        fi
     fi
 fi

scripts/rpm/postuninstall.in

@@ -17,17 +17,10 @@
 
 set -e
 
-# post uninstall mirrored from .deb
-if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then
-        /usr/bin/systemctl --system daemon-reload >/dev/null || true
-        /usr/bin/systemctl --system mask 'falco.service' >/dev/null || true
+if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
+        systemctl --system disable 'falco-kmod.service'|| true
+        systemctl --system disable 'falco-bpf.service' || true
+        systemctl --system disable 'falco-modern-bpf.service' || true
+        systemctl --system disable 'falco-plugin.service' || true
+        systemctl --system daemon-reload || true
 fi
-
-# validate rpm macros by `rpm -qp --scripts <rpm>`
-# RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
-#                 https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
-
-# systemd_postun_with_restart macro expands to
-# if package upgrade, not uninstall:
-#   `systemd-update-helper mark-restart-system-units <service>`
-%systemd_postun_with_restart 'falco.service'

scripts/rpm/preuninstall.in

@@ -19,11 +19,13 @@ set -e
 # pre uninstall mirrored from .deb
 # Currently running falco service uses the driver, so stop it before driver cleanup
 if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
-        # stop falco service before uninstall
-        /usr/bin/systemctl --system stop 'falco.service' >/dev/null || true
+        systemctl --system stop 'falco-kmod.service' || true
+        systemctl --system stop 'falco-bpf.service' || true
+        systemctl --system stop 'falco-modern-bpf.service' || true
+        systemctl --system stop 'falco-plugin.service' || true
 fi
 
-/usr/bin/falco-driver-loader --clean
+falco-driver-loader --clean
 
 # validate rpm macros by `rpm -qp --scripts <rpm>`
 # RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
@@ -32,4 +34,7 @@ fi
 # systemd_preun macro expands to
 # if preuninstall:
 #  `systemd-update-helper remove-system-units <service>`
-%systemd_preun 'falco.service'
+%systemd_preun 'falco-kmod.service'
+%systemd_preun 'falco-bpf.service'
+%systemd_preun 'falco-modern-bpf.service'
+%systemd_preun 'falco-plugin.service'

scripts/systemd/falco-bpf.service

@@ -1,14 +1,15 @@
 [Unit]
-Description=Falco: Container Native Runtime Security
+Description=Falco: Container Native Runtime Security with ebpf
 Documentation=https://falco.org/docs/
-After=falco_inject_kmod.service
-Requires=falco_inject_kmod.service
+Conflicts=falco-kmod.service
+Conflicts=falco-modern-bpf.service
+Conflicts=falco-plugin.service
 
 [Service]
 Type=simple
 User=root
+Environment=FALCO_BPF_PROBE=
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
-ExecStopPost=/sbin/rmmod falco
 UMask=0077
 TimeoutSec=30
 RestartSec=15s
@@ -18,7 +19,6 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
-ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null

scripts/systemd/falco-kmod-inject.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Falco: Container Native Runtime Security with kmod, inject.
+Documentation=https://falco.org/docs/
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+User=root
+ExecStart=/sbin/modprobe falco
+ExecStop=/sbin/rmmod falco

scripts/systemd/falco-kmod.service

@@ -0,0 +1,29 @@
+[Unit]
+Description=Falco: Container Native Runtime Security with kmod
+Documentation=https://falco.org/docs/
+After=falco-kmod-inject.service
+Requires=falco-kmod-inject.service
+Conflicts=falco-bpf.service
+Conflicts=falco-modern-bpf.service
+Conflicts=falco-plugin.service
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+ProtectHome=read-only
+ProtectSystem=full
+ProtectKernelTunables=true
+ReadWritePaths=/sys/module/falco
+RestrictRealtime=true
+RestrictAddressFamilies=~AF_PACKET
+StandardOutput=null
+
+[Install]
+WantedBy=multi-user.target

scripts/systemd/falco-modern-bpf.service

@@ -0,0 +1,26 @@
+[Unit]
+Description=Falco: Container Native Runtime Security with modern ebpf
+Documentation=https://falco.org/docs/
+Conflicts=falco-kmod.service
+Conflicts=falco-bpf.service
+Conflicts=falco-plugin.service
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid --modern-bpf
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+ProtectHome=read-only
+ProtectSystem=full
+ProtectKernelTunables=true
+RestrictRealtime=true
+RestrictAddressFamilies=~AF_PACKET
+StandardOutput=null
+
+[Install]
+WantedBy=multi-user.target

scripts/systemd/falco-plugin.service

@@ -1,14 +1,14 @@
 [Unit]
-Description=Falco: Container Native Runtime Security
+Description=Falco: Container Native Runtime Security with plugin
 Documentation=https://falco.org/docs/
-After=falco_inject_kmod.service
-Requires=falco_inject_kmod.service
+Conflicts=falco-kmod.service
+Conflicts=falco-bpf.service
+Conflicts=falco-modern-bpf.service
 
 [Service]
 Type=simple
-User=root
+User=%u
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
-ExecStopPost=/sbin/rmmod falco
 UMask=0077
 TimeoutSec=30
 RestartSec=15s
@@ -18,9 +18,9 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
-ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
+StandardOutput=null
 
 [Install]
 WantedBy=multi-user.target

userspace/engine/falco_engine.cpp

@@ -346,6 +346,11 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t so
 
 	if(source_idx == m_syscall_source_idx)
 	{
+		if(m_syscall_source == NULL)
+		{
+			m_syscall_source = find_source(m_syscall_source_idx);
+		}
+
 		source = m_syscall_source;
 	}
 	else
@@ -387,7 +392,6 @@ std::size_t falco_engine::add_source(const std::string &source,
 	if(source == falco_common::syscall_source)
 	{
 		m_syscall_source_idx = idx;
-		m_syscall_source = find_source(m_syscall_source_idx);
 	}
 
 	return idx;

userspace/falco/configuration.h

@@ -400,7 +400,8 @@ namespace YAML {
 
 			if(node["open_params"] && !node["open_params"].IsNull())
 			{
-				rhs.m_open_params = node["open_params"].as<std::string>();
+				string open_params = node["open_params"].as<std::string>();
+				rhs.m_open_params = trim(open_params);
 			}
 
 			return true;