bump libs

Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>

.circleci/config.yml

@@ -555,7 +555,7 @@ jobs:
           name: Build and publish no-driver
           command: |
             cd /source/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} \
+            docker buildx build --push --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${CIRCLE_TAG} \
               -t "falcosecurity/falco-no-driver:x86_64-${CIRCLE_TAG}" \
               -t falcosecurity/falco-no-driver:x86_64-latest \
               -t "falcosecurity/falco:x86_64-${CIRCLE_TAG}-slim" \
@@ -569,7 +569,7 @@ jobs:
           name: Build and publish falco
           command: |
             cd /source/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} \
+            docker buildx build --push --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${CIRCLE_TAG} \
               -t "falcosecurity/falco:x86_64-${CIRCLE_TAG}" \
               -t "falcosecurity/falco:x86_64-latest" \
               -t "public.ecr.aws/falcosecurity/falco:x86_64-${CIRCLE_TAG}" \
@@ -624,7 +624,7 @@ jobs:
           name: Build and publish falco
           command: |
             cd /tmp/source-arm64/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} \
+            docker buildx build --push --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${CIRCLE_TAG} \
               -t "falcosecurity/falco:aarch64-${CIRCLE_TAG}" \
               -t "falcosecurity/falco:aarch64-latest" \
               -t "public.ecr.aws/falcosecurity/falco:aarch64-${CIRCLE_TAG}" \

CHANGELOG.md

@@ -1,147 +1,5 @@
 # Change Log
 
-## v0.33.0
-
-Released on 2022-10-19
-
-### Major Changes
-
-
-* new: add a `drop_pct` referred to the global number of events [[#2130](https://github.com/falcosecurity/falco/pull/2130)] - [@Andreagit97](https://github.com/Andreagit97)
-* new: print some info about eBPF and enabled sources when Falco starts [[#2133](https://github.com/falcosecurity/falco/pull/2133)] - [@Andreagit97](https://github.com/Andreagit97)
-* new(userspace): print architecture information [[#2147](https://github.com/falcosecurity/falco/pull/2147)] - [@Andreagit97](https://github.com/Andreagit97)
-* new(CI): add CodeQL security scanning to Falco. [[#2171](https://github.com/falcosecurity/falco/pull/2171)] - [@Andreagit97](https://github.com/Andreagit97)
-* new: configure syscall buffer dimension from Falco [[#2214](https://github.com/falcosecurity/falco/pull/2214)] - [@Andreagit97](https://github.com/Andreagit97)
-* new(cmdline): add development support for modern BPF probe [[#2221](https://github.com/falcosecurity/falco/pull/2221)] - [@Andreagit97](https://github.com/Andreagit97)
-* new(falco-driver-loader): `DRIVERS_REPO` now supports the use of multiple download URLs (comma separated) [[#2165](https://github.com/falcosecurity/falco/pull/2165)] - [@IanRobertson-wpe](https://github.com/IanRobertson-wpe)
-* new(userspace/engine): support alternative plugin version requirements in checks [[#2190](https://github.com/falcosecurity/falco/pull/2190)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* new: support running multiple event sources in parallel [[#2182](https://github.com/falcosecurity/falco/pull/2182)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* new(userspace/falco): automatically create paths for grpc unix socket and gvisor endpoint. [[#2189](https://github.com/falcosecurity/falco/pull/2189)] - [@FedeDP](https://github.com/FedeDP)
-* new(scripts): allow falco-driver-loader to properly distinguish any ubuntu flavor [[#2178](https://github.com/falcosecurity/falco/pull/2178)] - [@FedeDP](https://github.com/FedeDP)
-* new: add option to enable event sources selectively [[#2085](https://github.com/falcosecurity/falco/pull/2085)] - [@jasondellaluce](https://github.com/jasondellaluce)
-
-
-### Minor Changes
-
-* docs(falco-driver-loader): add some comments in `falco-driver-loader` [[#2153](https://github.com/falcosecurity/falco/pull/2153)] - [@Andreagit97](https://github.com/Andreagit97)
-* update(cmake): use latest libs tag `0.9.0` [[#2257](https://github.com/falcosecurity/falco/pull/2257)] - [@Andreagit97](https://github.com/Andreagit97)
-* update(.circleci): re-enabled cppcheck [[#2186](https://github.com/falcosecurity/falco/pull/2186)] - [@leogr](https://github.com/leogr)
-* update(userspace/engine): improve falco files loading performance [[#2151](https://github.com/falcosecurity/falco/pull/2151)] - [@VadimZy](https://github.com/VadimZy)
-* update(cmake): use latest driver tag 3.0.1+driver [[#2251](https://github.com/falcosecurity/falco/pull/2251)] - [@Andreagit97](https://github.com/Andreagit97)
-* update(userspace/falco)!: adapt stats writer for multiple parallel event sources [[#2182](https://github.com/falcosecurity/falco/pull/2182)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* refactor(userspace/engine): remove falco engine APIs that returned a required_engine_version [[#2096](https://github.com/falcosecurity/falco/pull/2096)] - [@mstemm](https://github.com/mstemm)
-* update(userspace/engine): add some small changes to rules matching that reduce cpu usage with high event volumes (> 1M syscalls/sec) [[#2210](https://github.com/falcosecurity/falco/pull/2210)] - [@mstemm](https://github.com/mstemm)
-* rules: added process IDs to default rules [[#2211](https://github.com/falcosecurity/falco/pull/2211)] - [@spyder-kyle](https://github.com/spyder-kyle)
-* update(scripts/debian): falco.service systemd unit is now cleaned-up during (re)install and removal via the DEB and RPM packages [[#2138](https://github.com/falcosecurity/falco/pull/2138)] - [@Happy-Dude](https://github.com/Happy-Dude)
-* update(userspace/falco): move on from deprecated libs API for printing event list [[#2253](https://github.com/falcosecurity/falco/pull/2253)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* chore(userspace/falco): improve cli helper and log options with debug level [[#2252](https://github.com/falcosecurity/falco/pull/2252)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* update(userspace): minor pre-release improvements [[#2236](https://github.com/falcosecurity/falco/pull/2236)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* update: bumped libs to fd46dd139a8e35692a7d40ab2f0ed2016df827cf. [[#2201](https://github.com/falcosecurity/falco/pull/2201)] - [@FedeDP](https://github.com/FedeDP)
-* update!: gVisor sock default path changed from `/tmp/gvisor.sock` to `/run/falco/gvisor.sock`  [[#2163](https://github.com/falcosecurity/falco/pull/2163)] - [@vjjmiras](https://github.com/vjjmiras)
-* update!: gRPC server sock default path changed from `/run/falco.sock.sock` to `/run/falco/falco.sock` [[#2163](https://github.com/falcosecurity/falco/pull/2163)] - [@vjjmiras](https://github.com/vjjmiras)
-* update(scripts/falco-driver-loader): minikube environment is now correctly detected [[#2191](https://github.com/falcosecurity/falco/pull/2191)] - [@alacuku](https://github.com/alacuku)
-* update(rules/falco_rules.yaml): `required_engine_version` changed to 13 [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
-* refactor(userspace/falco): re-design stats writer and make it thread-safe [[#2109](https://github.com/falcosecurity/falco/pull/2109)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* refactor(userspace/falco): make signal handlers thread safe [[#2091](https://github.com/falcosecurity/falco/pull/2091)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* refactor(userspace/engine): strengthen and document thread-safety guarantees of falco_engine::process_event [[#2082](https://github.com/falcosecurity/falco/pull/2082)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* update(userspace/falco): make webserver threadiness configurable [[#2090](https://github.com/falcosecurity/falco/pull/2090)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* refactor(userspace/falco): reduce app actions dependency on app state and inspector [[#2097](https://github.com/falcosecurity/falco/pull/2097)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* update(userspace/falco): use move semantics in falco logger [[#2095](https://github.com/falcosecurity/falco/pull/2095)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* update: use `FALCO_HOSTNAME` env var to override the hostname value [[#2174](https://github.com/falcosecurity/falco/pull/2174)] - [@leogr](https://github.com/leogr)
-* update: bump libs and driver versions to 6599e2efebce30a95f27739d655d53f0d5f686e4 [[#2177](https://github.com/falcosecurity/falco/pull/2177)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* refactor(userspace/falco): make output rate limiter optional and output engine explicitly thread-safe [[#2139](https://github.com/falcosecurity/falco/pull/2139)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* update(falco.yaml)!: notification rate limiter disabled by default. [[#2139](https://github.com/falcosecurity/falco/pull/2139)] - [@jasondellaluce](https://github.com/jasondellaluce)
-
-
-### Bug Fixes
-
-* fix: compute the `drop ratio` in the right way [[#2128](https://github.com/falcosecurity/falco/pull/2128)] - [@Andreagit97](https://github.com/Andreagit97)
-* fix(falco_service): falco service needs to write under /sys/module/falco [[#2238](https://github.com/falcosecurity/falco/pull/2238)] - [@Andreagit97](https://github.com/Andreagit97)
-* fix(userspace): cleanup output of ruleset validation result [[#2248](https://github.com/falcosecurity/falco/pull/2248)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* fix(userspace): properly print ignored syscalls messages when not in `-A` mode [[#2243](https://github.com/falcosecurity/falco/pull/2243)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* fix(falco): clarify pid/tid and container info in gvisor [[#2223](https://github.com/falcosecurity/falco/pull/2223)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* fix(userspace/engine): avoid reading duplicate exception values [[#2200](https://github.com/falcosecurity/falco/pull/2200)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* fix: hostname was not present when `json_output: true` [[#2174](https://github.com/falcosecurity/falco/pull/2174)] - [@leogr](https://github.com/leogr)
-
-
-### Rule Changes
-
-* rule(macro: known_gke_mount_in_privileged_containers): add new macro [[#2198](https://github.com/falcosecurity/falco/pull/2198)] - [@hi120ki](https://github.com/hi120ki)
-* rule(Mount Launched in Privileged Container): add GKE default pod into allowlist in Mount Launched of Privileged Container rule [[#2198](https://github.com/falcosecurity/falco/pull/2198)] - [@hi120ki](https://github.com/hi120ki)
-* rule(list: known_binaries_to_read_environment_variables_from_proc_files): add new list [[#2193](https://github.com/falcosecurity/falco/pull/2193)] - [@hi120ki](https://github.com/hi120ki)
-* rule(Read environment variable from /proc files): add rule to detect an attempt to read process environment variables from /proc files [[#2193](https://github.com/falcosecurity/falco/pull/2193)] - [@hi120ki](https://github.com/hi120ki)
-* rule(macro: k8s_containers): add falco no-driver images [[#2234](https://github.com/falcosecurity/falco/pull/2234)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* rule(macro: open_file_failed): add new macro [[#2118](https://github.com/falcosecurity/falco/pull/2118)] - [@incertum](https://github.com/incertum)
-* rule(macro: directory_traversal): add new macro [[#2118](https://github.com/falcosecurity/falco/pull/2118)] - [@incertum](https://github.com/incertum)
-* rule(Directory traversal monitored file read): add new rule [[#2118](https://github.com/falcosecurity/falco/pull/2118)] - [@incertum](https://github.com/incertum)
-* rule(Modify Container Entrypoint): new rule created to detect CVE-2019-5736 [[#2188](https://github.com/falcosecurity/falco/pull/2188)] - [@darryk10](https://github.com/darryk10)
-* rule(Program run with disallowed http proxy env)!: disabled by default [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
-* rule(Container Drift Detected (chmod))!: disabled by default [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
-* rule(Container Drift Detected (open+create))!: disabled by default [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
-* rule(Packet socket created in container)!: removed consider_packet_socket_communication macro [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
-* rule(macro: consider_packet_socket_communication)!: remove unused macro [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
-* rule(Interpreted procs outbound network activity)!: disabled by default [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
-* rule(Interpreted procs inbound network activity)!: disabled by default [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
-* rule(Contact cloud metadata service from container)!: disabled by default [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
-* rule(macro: consider_interpreted_outbound)!: remove unused macro [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
-* rule(macro: consider_interpreted_inbound)!: remove unused macro [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
-* rule(macro: consider_metadata_access)!: remove unused macro [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
-* rule(Unexpected outbound connection destination)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(Unexpected inbound connection source)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(Read Shell Configuration File)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(Schedule Cron Jobs)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(Launch Suspicious Network Tool on Host)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(Create Hidden Files or Directories)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(Outbound or Inbound Traffic not to Authorized Server Process and Port)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(Network Connection outside Local Subnet)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(macro: consider_all_outbound_conns)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(macro: consider_all_inbound_conns)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(macro: consider_shell_config_reads)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(macro: consider_all_cron_jobs)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(macro: consider_all_inbound_conns)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(macro: consider_hidden_file_creation)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(macro: allowed_port)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(macro: enabled_rule_network_only_subnet)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(macro: consider_userfaultfd_activities)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(macro: consider_all_chmods)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(Set Setuid or Setgid bit)!: removed consider_all_chmods macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(Container Drift Detected (chmod))!: removed consider_all_chmods macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-* rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process)!: removed consider_userfaultfd_activities macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
-
-
-### Non user-facing changes
-
-* new(userspace): support `SCAP_FILTERED_EVENT` return code [[#2148](https://github.com/falcosecurity/falco/pull/2148)] - [@Andreagit97](https://github.com/Andreagit97)
-* chore(test/utils): remove unused script [[#2157](https://github.com/falcosecurity/falco/pull/2157)] - [@Andreagit97](https://github.com/Andreagit97)
-* Enrich pull request template [[#2162](https://github.com/falcosecurity/falco/pull/2162)] - [@Andreagit97](https://github.com/Andreagit97)
-* vote: update(OWNERS): add Andrea Terzolo to owners [[#2185](https://github.com/falcosecurity/falco/pull/2185)] - [@Andreagit97](https://github.com/Andreagit97)
-* fix(CI): codespell should ignore `ro` word [[#2173](https://github.com/falcosecurity/falco/pull/2173)] - [@Andreagit97](https://github.com/Andreagit97)
-* chore: bump plugin version [[#2256](https://github.com/falcosecurity/falco/pull/2256)] - [@Andreagit97](https://github.com/Andreagit97)
-* fix(userspace/falco): avoid using CPU when main thread waits for parallel event sources [[#2255](https://github.com/falcosecurity/falco/pull/2255)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* fix(scripts): inject kmod script fails with some systemd versions [[#2250](https://github.com/falcosecurity/falco/pull/2250)] - [@Andreagit97](https://github.com/Andreagit97)
-* chore(userspace/falco): make logging optional when terminating, restarting, and reopening outputs [[#2249](https://github.com/falcosecurity/falco/pull/2249)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* chore: bump libs version [[#2244](https://github.com/falcosecurity/falco/pull/2244)] - [@Andreagit97](https://github.com/Andreagit97)
-* update(userspace): solve warnings and performance tips from cppcheck [[#2247](https://github.com/falcosecurity/falco/pull/2247)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* fix(userspace/falco): make signal termination more robust with multi-threading [[#2235](https://github.com/falcosecurity/falco/pull/2235)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* fix(userspace/falco): make termination and signal handlers more stable [[#2239](https://github.com/falcosecurity/falco/pull/2239)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* fix(userspace): safely check string bounded access [[#2237](https://github.com/falcosecurity/falco/pull/2237)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* chore: bump libs/driver to the latest release branch commit [[#2232](https://github.com/falcosecurity/falco/pull/2232)] - [@Andreagit97](https://github.com/Andreagit97)
-* fix(userspace/falco): check plugin requirements when validating rule files [[#2233](https://github.com/falcosecurity/falco/pull/2233)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* fix(userspace): add explicit constructors and initializations [[#2229](https://github.com/falcosecurity/falco/pull/2229)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* Add StackRox to adopters [[#2187](https://github.com/falcosecurity/falco/pull/2187)] - [@Molter73](https://github.com/Molter73)
-* fix(process_events): check the return value of `open_live_inspector` [[#2215](https://github.com/falcosecurity/falco/pull/2215)] - [@Andreagit97](https://github.com/Andreagit97)
-* fix(userspace/engine): properly include stdexcept header to fix build. [[#2197](https://github.com/falcosecurity/falco/pull/2197)] - [@FedeDP](https://github.com/FedeDP)
-* refactor(userspace/engine): split rule loader classes for a more testable design [[#2206](https://github.com/falcosecurity/falco/pull/2206)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* chore(OWNERS): cleanup inactive reviewer [[#2204](https://github.com/falcosecurity/falco/pull/2204)] - [@leogr](https://github.com/leogr)
-* fix(circleci): falco-driver-loader image build must be done starting from just-pushed falco master image. [[#2194](https://github.com/falcosecurity/falco/pull/2194)] - [@FedeDP](https://github.com/FedeDP)
-* Support condition parse errors in rule loading results [[#2155](https://github.com/falcosecurity/falco/pull/2155)] - [@mstemm](https://github.com/mstemm)
-* docs: readme update [[#2183](https://github.com/falcosecurity/falco/pull/2183)] - [@leogr](https://github.com/leogr)
-* cleanup: rename legacy references [[#2180](https://github.com/falcosecurity/falco/pull/2180)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* refactor(userspace/engine): increase const coherence in falco engine [[#2081](https://github.com/falcosecurity/falco/pull/2081)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* Rules result handle multiple files [[#2158](https://github.com/falcosecurity/falco/pull/2158)] - [@mstemm](https://github.com/mstemm)
-* fix: print full rule load errors/warnings without verbose/-v [[#2156](https://github.com/falcosecurity/falco/pull/2156)] - [@mstemm](https://github.com/mstemm)
-
-
 ## v0.32.2
 
 Released on 2022-08-09

CMakeLists.txt

@@ -233,5 +233,3 @@ endif()
 
 # Packages configuration
 include(CPackConfig)
-
-add_subdirectory(docker/dev)

cmake/cpack/CMakeCPackOptions.cmake

@@ -1,13 +1,11 @@
 if(CPACK_GENERATOR MATCHES "DEB")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 
 if(CPACK_GENERATOR MATCHES "RPM")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 
 if(CPACK_GENERATOR MATCHES "TGZ")

cmake/modules/driver.cmake

@@ -26,8 +26,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "3.0.1+driver")
-    set(DRIVER_CHECKSUM "SHA256=f50003043c804aa21990560de02db42e203ee09d050112a4a5dd2b05f22a8a6c")
+    set(DRIVER_VERSION "f61834a221aeaca1794af9c87dd2870a42aa6fc8")
+    set(DRIVER_CHECKSUM "SHA256=b8e8e20adee2bf9023955461d635e603bd6e03546a0ea5f24e885e5336ff69ad")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/falcosecurity-libs.cmake

@@ -27,8 +27,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "0.9.0")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=5319a1b6a72eba3d9524cf084be5fc2ed81e3e90b3bee8edbe58b8646af0cbcb")
+    set(FALCOSECURITY_LIBS_VERSION "f61834a221aeaca1794af9c87dd2870a42aa6fc8")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=b8e8e20adee2bf9023955461d635e603bd6e03546a0ea5f24e885e5336ff69ad")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/plugins.cmake

@@ -19,11 +19,11 @@ if(NOT DEFINED PLUGINS_COMPONENT_NAME)
     set(PLUGINS_COMPONENT_NAME "${CMAKE_PROJECT_NAME}-plugins")
 endif()
 
-set(PLUGIN_K8S_AUDIT_VERSION "0.4.0")
+set(PLUGIN_K8S_AUDIT_VERSION "0.4.0-rc1")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_K8S_AUDIT_HASH "ded0b5419f40084547620ccc48b19768e5e89457b85cfe8fbe496ca72267a3a4")
+    set(PLUGIN_K8S_AUDIT_HASH "9b77560861ae2b1539a32a542e0b282b4ae83e0a8c26aad7ecefd3e721e9eb99")
 else() # aarch64
-    set(PLUGIN_K8S_AUDIT_HASH "775cba666612114bc5b0c36f2e3c4557f5adbffcca2d77e72be87c6fcbf51ceb")
+    set(PLUGIN_K8S_AUDIT_HASH "9c7de9a1213dc2e125f1ad2302818e5d34a7c95bfc67532b9d37395c60785d02")
 endif()
 
 ExternalProject_Add(
@@ -39,18 +39,18 @@ install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/
 ExternalProject_Add(
   k8saudit-rules
   URL "https://download.falco.org/plugins/stable/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz"
-  URL_HASH "SHA256=53948fac0345e718d673142a992ac820135f771141dfaa9719c7575ac8ae6878"
+  URL_HASH "SHA256=f65982fd1c6bc12ae8db833c36127a70252464bd5983fd75c39b91d630eb7f40"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
 
 install(FILES "${PROJECT_BINARY_DIR}/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
 
-set(PLUGIN_CLOUDTRAIL_VERSION "0.6.0")
+set(PLUGIN_CLOUDTRAIL_VERSION "0.6.0-rc1")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_CLOUDTRAIL_HASH "80e0c33f30c01a90efb7e9a671d978ff9679c462e3105020238abf31230e49a9")
+    set(PLUGIN_CLOUDTRAIL_HASH "a6c6acf16f7b4acd2b836e2be514346ee15a1e5adce936bd97ab6338d16ad6f9")
 else() # aarch64
-    set(PLUGIN_CLOUDTRAIL_HASH "a3e739932e66d44be848a68857fa15f56134d5246a1b9ab912c81f91b68fb23f")
+    set(PLUGIN_CLOUDTRAIL_HASH "a6105cb3864a613b3488c60c723163630484bc36b2aa219fb1c730c7735fb5fa")
 endif()
 
 ExternalProject_Add(
@@ -66,18 +66,18 @@ install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plu
 ExternalProject_Add(
   cloudtrail-rules
   URL "https://download.falco.org/plugins/stable/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz"
-  URL_HASH "SHA256=e0dccb7b0f1d24b1e526a33ffd973ea5f2ac2879dbc999e119419ebfd24305ff"
+  URL_HASH "SHA256=4df7a0d56300d6077807bc205a8ab7ab3b45c495adcc209c5cca1e8da6fc93c6"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
 
   install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-rules-prefix/src/cloudtrail-rules/aws_cloudtrail_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
 
-set(PLUGIN_JSON_VERSION "0.6.0")
+set(PLUGIN_JSON_VERSION "0.6.0-rc1")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_JSON_HASH "15fb7eddd978e8bb03f05412e9446e264e4548d7423b3d724b99d6d87a8c1b27")
+    set(PLUGIN_JSON_HASH "7969e4731e529c5a9d9895ee52ec1845d4d1889cfa3562170288bb7a593bf6b9")
 else() # aarch64
-    set(PLUGIN_JSON_HASH "4db23f35a750e10a5b7b54c9aa469a7587705e7faa22927e941b41f3c5533e9f")
+    set(PLUGIN_JSON_HASH "c19fd1b64228ff95b1dc88d441143017807aa59ba57ae868a5f7db85b93bff99")
 endif()
 
 ExternalProject_Add(

docker/README.md

@@ -13,6 +13,5 @@ This directory contains various ways to package Falco as a container and related
 | [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/getting-started/source/) for more details on building from source. Used to build Falco (CI). |
 | [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
 | _not to be published_ | docker/local | Built on-the-fly and used by falco-tester. |
-| _not to be published_ | docker/dev | Built on-the-fly to test local Falco development. |
 
-> Note: `falco-builder`, `falco-tester`, `docker/local`, `docker/dev` images are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
+> Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.

docker/dev/CMakeLists.txt

@@ -1,20 +0,0 @@
-# Build a docker container for local development
-if(CMAKE_SYSTEM_NAME MATCHES "Linux")
-  set(DEV_DOCKER_CXT ${CMAKE_BINARY_DIR}/docker/dev-docker-ctx)
-
-  # This target prepares the `tar.gz` artifact that will be passed to the dockerfile.
-  add_custom_target(dev-docker-prepare
-    COMMAND mkdir -p ${DEV_DOCKER_CXT}
-    COMMAND "${CMAKE_COMMAND}" --build . --target package
-    COMMAND ${CMAKE_COMMAND} -E copy_if_different ${CMAKE_BINARY_DIR}/falco-${FALCO_VERSION}-${FALCO_TARGET_ARCH}.tar.gz ${DEV_DOCKER_CXT}/falco.tar.gz
-    DEPENDS falco
-  )
-
-  add_custom_target(dev-docker
-    COMMAND docker build
-      --tag falco-nodriver-dev
-      -f ${CMAKE_SOURCE_DIR}/docker/dev/nodriver.Dockerfile
-      ${DEV_DOCKER_CXT}
-    DEPENDS dev-docker-prepare
-  )
-endif()

docker/dev/README.md

@@ -1,59 +0,0 @@
-# Falco development image
-
-This docker image can be easily generated starting from a clean Falco build.
-
-## 1. Clone the Falco repo ⬇️
-
-```bash
-git clone https://github.com/falcosecurity/falco.git
-```
-
-## 2. Prepare the build directory 🏗️
-
-### `falco-runner-image` tag
-
-The CMake command that we will see in the next section builds Falco locally on your machine, and push it into a docker image, so as you may imagine the final image that will run Falco must have a similar `GLIBC` version to your local one. For this reason, you have to use docker tags.
-
-The `nodriver.Dockerfile` will use the `falco-runner-image` tag to build the final image as you can see here:
-
-```dockerfile
-FROM falco-runner-image AS runner
-
-...
-```
-
-For example, if I build Falco locally on a un `ubuntu:22-04` machine I will instruct docker to use `ubuntu:22-04` as a final running image.
-
-```bash
-docker tag ubuntu:22.04 falco-runner-image
-```
-
-In this way the `nodriver.Dockerfile` will use `ubuntu:22-04` during the building phase.
-
-### Cmake command
-
-Now that we set the `falco-runner-image` tag, we are ready to build our Falco image. Starting from the project root:
-
-```bash
-mkdir build && cd build
-cmake -DUSE_BUNDLED_DEPS=On -DCREATE_TEST_TARGETS=Off -DCPACK_GENERATOR=TGZ -DFALCO_ETC_DIR=/etc/falco ..
-make dev-docker
-```
-> __Please note__: These cmake options `-DUSE_BUNDLED_DEPS=On -DCREATE_TEST_TARGETS=Off -DCPACK_GENERATOR=TGZ -DFALCO_ETC_DIR=/etc/falco` are the required ones but you can provide additional options to build the image according to your needs (for example you can pass `-DMINIMAL_BUILD=On` if you want a minimal build image or `-DBUILD_FALCO_MODERN_BPF=ON` if you want to include the modern bpf probe inside the image)
-
-## 3. Run the docker image locally 🏎️
-
-```bash
-docker run --rm -i -t \
-           --privileged \
-           -v /var/run/docker.sock:/host/var/run/docker.sock \
-           -v /dev:/host/dev \
-           -v /proc:/host/proc:ro \
-           falco-nodriver-dev
-```
-
-If you change something in the Falco source code you can simply rebuild the image with:
-
-```bash
-make dev-docker
-```

docker/dev/nodriver.Dockerfile

@@ -1,33 +0,0 @@
-FROM ubuntu:22.04 AS builder
-
-COPY ./falco.tar.gz /
-
-WORKDIR /
-
-# 1. We remove the Falco directory with the name related to the version and the arch
-# 2. We remove the source folder
-# 3. We remove the `falco-driver-loader` binary
-RUN mkdir falco; \
-    tar -xzf falco.tar.gz -C falco --strip-component 1; \
-    rm -rf /falco/usr/src; \
-    rm /falco/usr/bin/falco-driver-loader
-
-# the time displayed in log messages and output messages will be in ISO 8601.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new; \
-    mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
-
-# Please note: it could be necessary to change this base image according
-# to the `glibc` version of the machine where you build the tar.gz package
-# use `docker tag ubuntu:22.04 falco-runner-image` for example
-FROM falco-runner-image AS runner
-
-LABEL name="falcosecurity/falco-nodriver-dev"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL usage="docker run -it --rm --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
-
-COPY --from=builder /falco /
-
-ENV HOST_ROOT /host
-ENV HOME /root
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

scripts/CMakeLists.txt

@@ -22,9 +22,6 @@ configure_file(debian/prerm.in debian/prerm)
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
 
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco_inject_kmod.service"
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
-
 configure_file(rpm/postinstall.in rpm/postinstall)
 configure_file(rpm/postuninstall.in rpm/postuninstall)
 configure_file(rpm/preuninstall.in rpm/preuninstall)
@@ -32,9 +29,6 @@ configure_file(rpm/preuninstall.in rpm/preuninstall)
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
 
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco_inject_kmod.service"
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
-
 configure_file(falco-driver-loader falco-driver-loader @ONLY)
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")

scripts/debian/falco.service

@@ -1,12 +1,11 @@
 [Unit]
 Description=Falco: Container Native Runtime Security
 Documentation=https://falco.org/docs/
-After=falco_inject_kmod.service
-Requires=falco_inject_kmod.service
 
 [Service]
 Type=simple
 User=root
+ExecStartPre=/sbin/modprobe falco
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
 ExecStopPost=/sbin/rmmod falco
 UMask=0077
@@ -18,7 +17,6 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
-ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 

scripts/debian/falco_inject_kmod.service

@@ -1,13 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security
-Documentation=https://falco.org/docs/
-Before=falco.service
-Wants=falco.service
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/sbin/modprobe falco
-
-[Install]
-WantedBy=multi-user.target

scripts/rpm/falco.service

@@ -1,12 +1,11 @@
 [Unit]
 Description=Falco: Container Native Runtime Security
 Documentation=https://falco.org/docs/
-After=falco_inject_kmod.service
-Requires=falco_inject_kmod.service
 
 [Service]
 Type=simple
 User=root
+ExecStartPre=/sbin/modprobe falco
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
 ExecStopPost=/sbin/rmmod falco
 UMask=0077
@@ -18,7 +17,6 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
-ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null

scripts/rpm/falco_inject_kmod.service

@@ -1,13 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security
-Documentation=https://falco.org/docs/
-Before=falco.service
-Wants=falco.service
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/sbin/modprobe falco
-
-[Install]
-WantedBy=multi-user.target

test/falco_tests.yaml

@@ -457,6 +457,11 @@ trace_files: !mux
         item_name: some macro
         code: LOAD_ERR_VALIDATE
         message: "Undefined macro 'foo' used in filter."
+    validate_warnings:
+      - item_type: macro
+        item_name: some macro
+        code: LOAD_UNUSED_MACRO
+        message: "Macro not referred to by any other rule/macro"
     validate_rules_file:
       - rules/invalid_overwrite_macro_multiple_docs.yaml
     trace_file: trace_files/cat_write.scap

userspace/engine/filter_evttype_resolver.cpp

@@ -19,8 +19,6 @@ limitations under the License.
 
 using namespace libsinsp::filter;
 
-extern sinsp_evttables g_infotables;
-
 static bool is_evttype_operator(const std::string& op)
 {
 	return op == "==" || op == "=" || op == "!=" || op == "in";
@@ -46,7 +44,8 @@ void filter_evttype_resolver::visitor::evttypes(const std::string& evtname, falc
 {
 	// Fill in from 2 to PPM_EVENT_MAX-1. 0 and 1 are excluded as
 	// those are PPM_GENERIC_E/PPME_GENERIC_X
-	const struct ppm_event_info* etable = g_infotables.m_event_info;
+	static sinsp s_inspector;
+	const auto etable = s_inspector.get_event_info_tables()->m_event_info;
 	for(uint16_t i = 2; i < PPM_EVENT_MAX; i++)
 	{
 		// Skip unused events or events not matching the requested evtname

userspace/engine/filter_warning_resolver.h

@@ -48,7 +48,7 @@ public:
 private:
 	struct visitor : public libsinsp::filter::ast::base_expr_visitor
 	{
-		visitor(): m_is_equality_check(false), m_warnings(nullptr) {}
+		visitor(): m_is_equality_check(false) {}
 		visitor(visitor&&) = default;
 		visitor& operator = (visitor&&) = default;
 		visitor(const visitor&) = delete;

userspace/engine/rule_loader.cpp

@@ -58,7 +58,7 @@ rule_loader::context::context(const std::string& name)
 
 rule_loader::context::context(const YAML::Node &item,
 			      const item_type item_type,
-			      const std::string& item_name,
+			      const std::string item_name,
 			      const context& parent)
 {
 	init(parent.name(), position(item.Mark()), item_type, item_name, parent);
@@ -108,7 +108,7 @@ const std::string& rule_loader::context::name() const
 void rule_loader::context::init(const std::string& name,
 				const position& pos,
 				const item_type item_type,
-				const std::string& item_name,
+				const std::string item_name,
 				const context& parent)
 {
 	// Copy parent locations
@@ -546,7 +546,7 @@ rule_loader::rule_info::rule_info(context &ctx)
 {
 }
 
-rule_loader::rule_load_exception::rule_load_exception(falco::load_result::error_code ec, const std::string& msg, const context& ctx)
+rule_loader::rule_load_exception::rule_load_exception(falco::load_result::error_code ec, std::string msg, const context& ctx)
 	: ec(ec), msg(msg), ctx(ctx)
 {
 }

userspace/engine/rule_loader.h

@@ -64,7 +64,7 @@ namespace rule_loader
 		struct position
 		{
 			position() : pos(0), line(0), column(0) {};
-			explicit position(const YAML::Mark& mark) : pos(mark.pos), line(mark.line), column(mark.column) {};
+			position(const YAML::Mark& mark) : pos(mark.pos), line(mark.line), column(mark.column) {};
 			~position() = default;
 			position(position&&) = default;
 			position& operator = (position&&) = default;
@@ -80,10 +80,10 @@ namespace rule_loader
 		{
 			location(): item_type(context::item_type::VALUE_FOR) {}
 			location(
-				const std::string& n,
+				const std::string n,
 				const position& p,
 				context::item_type i,
-				const std::string& in):
+				const std::string in):
 					name(n), pos(p), item_type(i), item_name(in) {}
 			location(location&&) = default;
 			location& operator = (location&&) = default;
@@ -108,10 +108,10 @@ namespace rule_loader
 			std::string item_name;
 		};
 
-		explicit context(const std::string& name);
+		context(const std::string& name);
 		context(const YAML::Node& item,
 			item_type item_type,
-			const std::string& item_name,
+			const std::string item_name,
 			const context& parent);
 
 		// Build a context from a condition expression +
@@ -152,7 +152,7 @@ namespace rule_loader
 		void init(const std::string& name,
 			  const position& pos,
 			  const item_type item_type,
-			  const std::string& item_name,
+			  const std::string item_name,
 			  const context& parent);
 
 		// A chain of locations from the current item, its
@@ -167,7 +167,7 @@ namespace rule_loader
 
 	struct warning
 	{
-		warning(): wc(falco::load_result::warning_code::LOAD_UNKNOWN_SOURCE), ctx("no-filename-given") {}
+		warning(): ctx("no-filename-given") {}
 		warning(
 			falco::load_result::warning_code w,
 			const std::string& m,
@@ -184,7 +184,7 @@ namespace rule_loader
 
 	struct error
 	{
-		error(): ec(falco::load_result::error_code::LOAD_ERR_FILE_READ), ctx("no-filename-given") {}
+		error(): ctx("no-filename-given") {}
 		error(
 			falco::load_result::error_code e,
 			const std::string& m,
@@ -202,7 +202,7 @@ namespace rule_loader
 	class rule_load_exception : public std::exception
 	{
 	public:
-		rule_load_exception(falco::load_result::error_code ec, const std::string& msg, const context& ctx);
+		rule_load_exception(falco::load_result::error_code ec, std::string msg, const context& ctx);
 		virtual ~rule_load_exception();
 		rule_load_exception(rule_load_exception&&) = default;
 		rule_load_exception& operator = (rule_load_exception&&) = default;
@@ -267,7 +267,7 @@ namespace rule_loader
 		explicit configuration(
 			const std::string& cont,
 			const indexed_vector<falco_source>& srcs,
-			const std::string& name)
+			std::string name)
 				: content(cont), sources(srcs), name(name),
 				  default_ruleset_id(0), replace_output_container_info(false),
 				  min_priority(falco_common::PRIORITY_DEBUG)
@@ -313,7 +313,7 @@ namespace rule_loader
 		struct requirement
 		{
 			requirement() = default;
-			requirement(const std::string& n, const std::string& v):
+			requirement(const std::string n, const std::string v):
 				name(n), version(v) { }
 			requirement(requirement&&) = default;
 			requirement& operator = (requirement&&) = default;

userspace/engine/rule_loader_compiler.cpp

@@ -516,7 +516,6 @@ void rule_loader::compiler::compile(
 	catch(rule_load_exception &e)
 	{
 		cfg.res->add_error(e.ec, e.msg, e.ctx);
-		return;
 	}
 
 	// print info on any dangling lists or macros that were not used anywhere

userspace/falco/app_actions/load_config.cpp

@@ -27,10 +27,6 @@ application::run_result application::load_config()
 
 		// log after config init because config determines where logs go
 		falco_logger::log(LOG_INFO, "Falco version: " + std::string(FALCO_VERSION) + " (" + std::string(FALCO_TARGET_ARCH) + ")\n");
-		if (!m_state->cmdline.empty())
-		{
-			falco_logger::log(LOG_DEBUG, "CLI args: " + m_state->cmdline);
-		}
 		falco_logger::log(LOG_INFO, "Falco initialized with configuration file: " + m_options.conf_filename + "\n");
 	}
 	else

userspace/falco/app_actions/print_syscall_events.cpp

@@ -16,97 +16,17 @@ limitations under the License.
 
 #include "application.h"
 
+#include <fields_info.h>
+
 using namespace falco::app;
 
-struct event_entry
-{
-	bool is_enter;
-	bool available;
-	std::string name;
-	struct ppm_event_info info;
-};
-
-static std::vector<event_entry> get_event_entries(bool include_generics, const std::unordered_set<uint32_t>& available)
-{
-	event_entry entry;
-	std::vector<event_entry> events;
-	std::unique_ptr<sinsp> inspector(new sinsp());
-	const struct ppm_event_info* etable = inspector->get_event_info_tables()->m_event_info;
-
-	// skip generic events
-	for(uint32_t evt = PPME_GENERIC_X + 1; evt < PPM_EVENT_MAX; evt++)
-	{
-		if (!sinsp::is_old_version_event(evt)
-				&& !sinsp::is_unused_event(evt)
-				&& !sinsp::is_unknown_event(evt))
-		{
-			entry.is_enter = PPME_IS_ENTER(evt);
-			entry.available = available.find(evt) != available.end();
-			entry.name = etable[evt].name;
-			entry.info = etable[evt];
-			events.push_back(entry);
-		}
-	}
-
-	if (include_generics)
-	{
-		// append generic events
-		const auto generic_syscalls = inspector->get_events_names({PPME_GENERIC_E});
-		for (const auto& name : generic_syscalls)
-		{
-			for(uint32_t evt = PPME_GENERIC_E; evt <= PPME_GENERIC_X; evt++)
-			{
-				entry.is_enter = PPME_IS_ENTER(evt);
-				entry.available = available.find(evt) != available.end();
-				entry.name = name;
-				entry.info = etable[evt];
-				events.push_back(entry);
-			}
-		}
-	}
-
-	return events;
-}
-
 application::run_result application::print_syscall_events()
 {
 	if(m_options.list_syscall_events)
 	{
-		configure_interesting_sets();
-		const auto events = get_event_entries(false, m_state->ppm_event_info_of_interest);
-
-		if(m_options.markdown)
-		{
-			printf("Falco | Dir | Event\n");
-			printf(":-----|:----|:-----\n");
-		}
-
-		for (const auto& e : events)
-		{
-			char dir = e.is_enter ? '>' : '<';
-			if (m_options.markdown)
-			{
-				printf(e.available ? "Yes" : "No");
-				printf(" | %c | **%s**(", dir, e.name.c_str());
-			}
-			else
-			{
-				printf("%c %s(", dir, e.name.c_str());
-			}
-
-			for(uint32_t k = 0; k < e.info.nparams; k++)
-			{
-				if(k != 0)
-				{
-					printf(", ");
-				}
-
-				printf("%s %s", param_type_to_string(e.info.params[k].type),
-					e.info.params[k].name);
-			}
-			printf(")\n");
-		}
-
+		// We know this function doesn't hold into the raw pointer value
+		std::unique_ptr<sinsp> inspector(new sinsp());
+		list_events(inspector.get(), m_options.markdown);
 		return run_result::exit();
 	}
 

userspace/falco/app_actions/print_version.cpp

@@ -38,8 +38,8 @@ application::run_result application::print_version()
 		unsigned long driver_schema_minor = PPM_API_VERSION_MINOR(driver_schema_version);
 		unsigned long driver_schema_patch = PPM_API_VERSION_PATCH(driver_schema_version);
 		printf("Driver:\n");
-		printf("  API version:    %lu.%lu.%lu\n", driver_api_major, driver_api_minor, driver_api_patch);
-		printf("  Schema version: %lu.%lu.%lu\n", driver_schema_major, driver_schema_minor, driver_schema_patch);
+		printf("  API version:    %ld.%ld.%ld\n", driver_api_major, driver_api_minor, driver_api_patch);
+		printf("  Schema version: %ld.%ld.%ld\n", driver_schema_major, driver_schema_minor, driver_schema_patch);
 		printf("  Default driver: %s\n", DRIVER_VERSION);
 
 		return run_result::exit();

userspace/falco/app_actions/process_events.cpp

@@ -228,7 +228,7 @@ void application::process_inspector_events(
 		std::shared_ptr<sinsp> inspector,
 		std::shared_ptr<stats_writer> statsw,
 		std::string source, // an empty source represents capture mode
-		application::source_sync_context* sync,
+		std::atomic<bool>* finished,
 		application::run_result* res) noexcept
 {
 	try
@@ -277,10 +277,7 @@ void application::process_inspector_events(
 		*res = run_result::fatal(e.what());
 	}
 
-	if (sync)
-	{
-		sync->finish();
-	}
+	finished->store(true, std::memory_order_seq_cst);
 }
 
 static std::shared_ptr<stats_writer> init_stats_writer(const cmdline_options& opts)
@@ -318,7 +315,8 @@ application::run_result application::process_events()
 			return res;
 		}
 
-		process_inspector_events(m_state->offline_inspector, statsw, "", nullptr, &res);
+		std::atomic<bool> finished;
+		process_inspector_events(m_state->offline_inspector, statsw, "", &finished, &res);
 		m_state->offline_inspector->close();
 
 		// Honor -M also when using a trace file.
@@ -341,18 +339,19 @@ application::run_result application::process_events()
 
 			// the name of the source of which events are processed
 			std::string source;
+			// set to true when the event processing loop finishes
+			std::unique_ptr<std::atomic<bool>> finished;
+			// set to true when the result has been collected after finishing
+			std::unique_ptr<std::atomic<bool>> joined;
 			// the result of the event processing loop
 			application::run_result res;
 			// if non-null, the thread on which events are processed
 			std::unique_ptr<std::thread> thread;
-			// used for thread synchronization purposes
-			std::unique_ptr<application::source_sync_context> sync;
 		};
 
 		print_enabled_event_sources();
 
 		// start event processing for all enabled sources
-		falco::semaphore termination_sem(m_state->enabled_sources.size());
 		std::vector<live_context> ctxs;
 		ctxs.reserve(m_state->enabled_sources.size());
 		for (const auto& source : m_state->enabled_sources)
@@ -360,33 +359,35 @@ application::run_result application::process_events()
 			ctxs.emplace_back();
 			auto& ctx = ctxs[ctxs.size() - 1];
 			ctx.source = source;
-			ctx.sync.reset(new application::source_sync_context(termination_sem));
+			ctx.finished.reset(new std::atomic<bool>());
+			ctx.joined.reset(new std::atomic<bool>());
+			ctx.finished->store(false, std::memory_order_seq_cst);
+			ctx.joined->store(false, std::memory_order_seq_cst);
 			auto src_info = m_state->source_infos.at(source);
 
 			try
 			{
 				falco_logger::log(LOG_DEBUG, "Opening event source '" + source + "'\n");
-				termination_sem.acquire();
 				res = open_live_inspector(src_info->inspector, source);
 				if (!res.success)
 				{
 					// note: we don't return here because we need to reach
 					// the thread termination loop below to make sure all
 					// already-spawned threads get terminated gracefully
-					ctx.sync->finish();
+					ctx.finished->store(true, std::memory_order_seq_cst);
 					break;
 				}
 
 				if (m_state->enabled_sources.size() == 1)
 				{
 					// optimization: with only one source we don't spawn additional threads
-					process_inspector_events(src_info->inspector, statsw, source, ctx.sync.get(), &ctx.res);
+					process_inspector_events(src_info->inspector, statsw, source, ctx.finished.get(), &ctx.res);
 				}
 				else
 				{
 					ctx.thread.reset(new std::thread(
 						&application::process_inspector_events,
-						this, src_info->inspector, statsw, source, ctx.sync.get(), &ctx.res));
+						this, src_info->inspector, statsw, source, ctx.finished.get(), &ctx.res));
 				}
 			}
 			catch (std::exception &e)
@@ -395,7 +396,7 @@ application::run_result application::process_events()
 				// the thread termination loop below to make sure all
 				// already-spawned threads get terminated gracefully
 				ctx.res = run_result::fatal(e.what());
-				ctx.sync->finish();
+				ctx.finished->store(true, std::memory_order_seq_cst);
 				break;
 			}
 		}
@@ -407,24 +408,16 @@ application::run_result application::process_events()
 		size_t closed_count = 0;
 		while (closed_count < ctxs.size())
 		{
-			// This is shared across all running event source threads an
-			// keeps the main thread sleepy until one of the parallel
-			// threads terminates and invokes release(). At that point,
-			// we know that at least one thread finished running and we can
-			// attempt joining it. Not that this also works when only one
-			// event source is enabled, in which we have no additional threads.
-			termination_sem.acquire();
-
 			if (!res.success && !termination_forced)
 			{
 				falco_logger::log(LOG_INFO, "An error occurred in an event source, forcing termination...\n");
-				terminate(false);
+				terminate();
 				termination_forced = true;
 			}
-
 			for (auto &ctx : ctxs)
 			{
-				if (ctx.sync->finished() && !ctx.sync->joined())
+				if (ctx.finished->load(std::memory_order_seq_cst)
+						&& !ctx.joined->load(std::memory_order_seq_cst))
 				{
 					if (ctx.thread)
 					{
@@ -443,7 +436,7 @@ application::run_result application::process_events()
 					m_state->source_infos.at(ctx.source)->inspector->close();
 
 					res = run_result::merge(res, ctx.res);
-					ctx.sync->join();
+					ctx.joined->store(true, std::memory_order_seq_cst);
 					closed_count++;
 				}
 			}

userspace/falco/app_actions/validate_rules_files.cpp

@@ -89,30 +89,33 @@ application::run_result application::validate_rules_files()
 			{
 				results.push_back(res->as_json(rc));
 			}
-			
-			if(summary != "")
-			{
-				summary += "\n";
-			}
-
-			// Add to the summary if not successful, or successful
-			// with no warnings.
-			if(!res->successful() || (res->successful() && !res->has_warnings()))
-			{
-				summary += res->as_string(true, rc);
-			}
 			else
 			{
-				// If here, there must be only warnings.
-				// Add a line to the summary noting that the
-				// file was ok with warnings, without actually
-				// printing the warnings.
-				summary += filename + ": Ok, with warnings";
-
-				// If verbose is true, print the warnings now.
-				if(m_options.verbose)
+				if(summary != "")
 				{
-					fprintf(stderr, "%s\n", res->as_string(true, rc).c_str());
+					summary += "\n";
+				}
+
+				// Add to the summary if not successful, or successful
+				// with no warnings.
+				if(!res->successful() ||
+				   (res->successful() && !res->has_warnings()))
+				{
+					summary += res->as_string(true, rc);
+				}
+				else
+				{
+					// If here, there must be only warnings.
+					// Add a line to the summary noting that the
+					// file was ok with warnings, without actually
+					// printing the warnings.
+					summary += filename + ": Ok, with warnings";
+
+					// If verbose is true, print the warnings now.
+					if(m_options.verbose)
+					{
+						fprintf(stderr, "%s\n", res->as_string(true, rc).c_str());
+					}
 				}
 			}
 		}

userspace/falco/app_cmdline_options.cpp

@@ -30,10 +30,7 @@ namespace app {
 cmdline_options::cmdline_options()
 	: event_buffer_format(sinsp_evt::PF_NORMAL),
 	  gvisor_config(""),	
-	  list_fields(false),
 	  list_plugins(false),
-	  list_syscall_events(false),
-	  markdown(false),
 	  modern_bpf(false),
 	  m_cmdline_opts("falco", "Falco - Cloud Native Runtime Security")
 {
@@ -159,15 +156,15 @@ void cmdline_options::define()
 #else
 		("c",                             "Configuration file. If not specified tries " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ".", cxxopts::value(conf_filename), "<path>")
 #endif
-		("A",                             "Monitor all events, including those not interesting to Falco. Please use the -i option to list all ignored events. This option has effect only on live captures.", cxxopts::value(all_events)->default_value("false"))
+		("A",                             "Monitor all events, including not interesting ones. Please use the `-i` command line option to see the ignored events. This option is implicit when the capture is not live.", cxxopts::value(all_events)->default_value("false"))
 		("b,print-base64",                "Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
-		("cri",                           "Path to CRI socket for container metadata. Use the specified socket to fetch data from a CRI-compatible runtime. If not specified, uses the libs default. This option can be passed multiple times to specify socket to be tried until a successful one is found.", cxxopts::value(cri_socket_paths), "<path>")
+		("cri",                           "Path to CRI socket for container metadata. Use the specified socket to fetch data from a CRI-compatible runtime. If not specified, uses libs default. It can be passed multiple times to specify socket to be tried until a successful one is found.", cxxopts::value(cri_socket_paths), "<path>")
 		("d,daemon",                      "Run as a daemon.", cxxopts::value(daemon)->default_value("false"))
 		("disable-cri-async",             "Disable asynchronous CRI metadata fetching. This is useful to let the input event wait for the container metadata fetch to finish before moving forward. Async fetching, in some environments leads to empty fields for container metadata when the fetch is not fast enough to be completed asynchronously. This can have a performance penalty on your environment depending on the number of containers and the frequency at which they are created/started/stopped.", cxxopts::value(disable_cri_async)->default_value("false"))
-		("disable-source",                "Disable a specific event source. By default, all loaded sources get enabled. Available sources are 'syscall' and all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times. This has no offect when reading events from a trace file. Can not disable all event sources. Can not be mixed with --enable-source.", cxxopts::value(disable_sources), "<event_source>")
-		("D",                             "Disable any rules with names having the substring <substring>. This option can be passed multiple times. Can not be mixed with -t.", cxxopts::value(disabled_rule_substrings), "<substring>")
+		("disable-source",                "Disable a specific event source. Available event sources are: syscall or any source from a configured plugin with event sourcing capability. It can be passed multiple times. It has no offect when reading events from a trace file. Can not disable all event sources. Can not be mixed with enable-source.", cxxopts::value(disable_sources), "<event_source>")
+		("D",                             "Disable any rules with names having the substring <substring>. Can be specified multiple times. Can not be specified with -t.", cxxopts::value(disabled_rule_substrings), "<substring>")
 		("e",                             "Read the events from a trace file <events_file> in .scap format instead of tapping into live.", cxxopts::value(trace_filename), "<events_file>")
-		("enable-source",                 "Enable a specific event source. If used, all loaded sources get disabled by default and only the ones passed with this option get enabled. Available sources are 'syscall' and all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times. This has no offect when reading events from a trace file. Can not be mixed with --disable-source.", cxxopts::value(enable_sources), "<event_source>")
+		("enable-source",                 "Enable a specific event source. If used, only event sources passed with this options get enabled. Available event sources are: syscall or any source from a configured plugin with event sourcing capability. It can be passed multiple times. It has no offect when reading events from a trace file. Can not be mixed with disable-source.", cxxopts::value(enable_sources), "<event_source>")
 #ifdef HAS_GVISOR
 		("g,gvisor-config",				  "Parse events from gVisor using the specified configuration file. A falco-compatible configuration file can be generated with --gvisor-generate-config and can be used for both runsc and Falco.", cxxopts::value(gvisor_config), "<gvisor_config>")
 		("gvisor-generate-config",		  "Generate a configuration file that can be used for gVisor.", cxxopts::value<std::string>(gvisor_generate_config_with_socket)->implicit_value("/run/falco/gvisor.sock"), "<socket_path>")
@@ -180,7 +177,7 @@ void cmdline_options::define()
 #ifndef MINIMAL_BUILD
 		("k,k8s-api",                     "Enable Kubernetes support by connecting to the API server specified as argument. E.g. \"http://admin:password@127.0.0.1:8080\". The API server can also be specified via the environment variable FALCO_K8S_API.", cxxopts::value(k8s_api), "<url>")
 		("K,k8s-api-cert",                "Use the provided files names to authenticate user and (optionally) verify the K8S API server identity. Each entry must specify full (absolute, or relative to the current directory) path to the respective file. Private key password is optional (needed only if key is password protected). CA certificate is optional. For all files, only PEM file format is supported. Specifying CA certificate only is obsoleted - when single entry is provided for this option, it will be interpreted as the name of a file containing bearer token. Note that the format of this command-line option prohibits use of files whose names contain ':' or '#' characters in the file name.", cxxopts::value(k8s_api_cert), "(<bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>])")
-		("k8s-node",                      "The node name will be used as a filter when requesting metadata of pods to the API server. Usually, this should be set to the current node on which Falco is running. If empty, no filter is set, which may have a performance penalty on large clusters.", cxxopts::value(k8s_node_name), "<node_name>")
+		("k8s-node",                      "The node name will be used as a filter when requesting metadata of pods to the API server. Usually, it should be set to the current node on which Falco is running. If empty, no filter is set, which may have a performance penalty on large clusters.", cxxopts::value(k8s_node_name), "<node_name>")
 #endif
 		("L",                             "Show the name and description of all rules and exit.", cxxopts::value(describe_all_rules)->default_value("false"))
 		("l",                             "Show the name and description of the rule with name <rule> and exit.", cxxopts::value(describe_rule), "<rule>")
@@ -199,19 +196,19 @@ void cmdline_options::define()
 		("plugin-info",                   "Print info for a single plugin and exit.\nThis includes all descriptivo info like name and author, along with the\nschema format for the init configuration and a list of suggested open parameters.\n<plugin_name> can be the name of the plugin or its configured library_path.", cxxopts::value(print_plugin_info), "<plugin_name>")
 		("p,print",                       "Add additional information to each falco notification's output.\nWith -pc or -pcontainer will use a container-friendly format.\nWith -pk or -pkubernetes will use a kubernetes-friendly format.\nWith -pm or -pmesos will use a mesos-friendly format.\nAdditionally, specifying -pc/-pk/-pm will change the interpretation of %container.info in rule output fields.", cxxopts::value(print_additional), "<output_format>")
 		("P,pidfile",                     "When run as a daemon, write pid to specified file", cxxopts::value(pidfilename)->default_value("/var/run/falco.pid"), "<pid_file>")
-		("r",                             "Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml). This option can be passed multiple times to read from multiple files/directories.", cxxopts::value<std::vector<std::string>>(), "<rules_file>")
+		("r",                             "Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml). Can be specified multiple times to read from multiple files/directories.", cxxopts::value<std::vector<std::string>>(), "<rules_file>")
 		("s",                             "If specified, append statistics related to Falco's reading/processing of events to this file (only useful in live mode).", cxxopts::value(stats_filename), "<stats_file>")
 		("stats-interval",                "When using -s <stats_file>, write statistics every <msec> ms. This uses signals, so don't recommend intervals below 200 ms. Defaults to 5000 (5 seconds).", cxxopts::value(stats_interval)->default_value("5000"),  "<msec>")
 		("S,snaplen",                     "Capture the first <len> bytes of each I/O buffer. By default, the first 80 bytes are captured. Use this option with caution, it can generate huge trace files.", cxxopts::value(snaplen)->default_value("0"), "<len>")
 		("support",                       "Print support information including version, rules files used, etc. and exit.", cxxopts::value(print_support)->default_value("false"))
-		("T",                             "Disable any rules with a tag=<tag>. This option can be passed multiple times. Can not be mized with -t", cxxopts::value<std::vector<std::string>>(), "<tag>")
-		("t",                             "Only run those rules with a tag=<tag>. This option can be passed multiple times. Can not be mixed with -T/-D.", cxxopts::value<std::vector<std::string>>(), "<tag>")
+		("T",                             "Disable any rules with a tag=<tag>. Can be specified multiple times. Can not be specified with -t", cxxopts::value<std::vector<std::string>>(), "<tag>")
+		("t",                             "Only run those rules with a tag=<tag>. Can be specified multiple times. Can not be specified with -T/-D.", cxxopts::value<std::vector<std::string>>(), "<tag>")
 		("U,unbuffered",                  "Turn off output buffering to configured outputs. This causes every single line emitted by falco to be flushed which generates higher CPU usage but is useful when piping those outputs into another process or into a script.", cxxopts::value(unbuffered_outputs)->default_value("false"))
 		("u,userspace",                   "Parse events from userspace. To be used in conjunction with the ptrace(2) based driver (pdig)", cxxopts::value(userspace)->default_value("false"))
-		("V,validate",                    "Read the contents of the specified rules(s) file and exit. This option can be passed multiple times to validate multiple files.", cxxopts::value(validate_rules_filenames), "<rules_file>")
+		("V,validate",                    "Read the contents of the specified rules(s) file and exit. Can be specified multiple times to validate multiple files.", cxxopts::value(validate_rules_filenames), "<rules_file>")
 		("v",                             "Verbose output.", cxxopts::value(verbose)->default_value("false"))
 		("version",                       "Print version number.", cxxopts::value(print_version_info)->default_value("false"))
-		("page-size",                     "Print the system page size (may help you to choose the right syscall ring-buffer size).", cxxopts::value(print_page_size)->default_value("false"));
+		("page-size",                     "Print the system page size (may help you to choose the right syscall buffer size).", cxxopts::value(print_page_size)->default_value("false"));
 
 
 	m_cmdline_opts.set_width(140);

userspace/falco/application.cpp

@@ -98,25 +98,19 @@ application::~application()
 {
 }
 
-void application::terminate(bool verbose)
+void application::terminate()
 {
 	if (should_take_action_to_signal(falco::app::g_terminate))
 	{
-		if (verbose)
-		{
-			falco_logger::log(LOG_INFO, "SIGINT received, exiting...\n");
-		}
+		falco_logger::log(LOG_INFO, "SIGINT received, exiting...\n");
 	}
 }
 
-void application::reopen_outputs(bool verbose)
+void application::reopen_outputs()
 {
 	if (should_take_action_to_signal(falco::app::g_reopen_outputs))
 	{
-		if (verbose)
-		{
-			falco_logger::log(LOG_INFO, "SIGUSR1 received, reopening outputs...\n");
-		}
+		falco_logger::log(LOG_INFO, "SIGUSR1 received, reopening outputs...\n");
 		if(m_state != nullptr && m_state->outputs != nullptr)
 		{
 			m_state->outputs->reopen_outputs();
@@ -125,14 +119,11 @@ void application::reopen_outputs(bool verbose)
 	}
 }
 
-void application::restart(bool verbose)
+void application::restart()
 {
 	if (should_take_action_to_signal(falco::app::g_restart))
 	{
-		if (verbose)
-		{
-			falco_logger::log(LOG_INFO, "SIGHUP received, restarting...\n");
-		}
+		falco_logger::log(LOG_INFO, "SIGHUP received, restarting...\n");
 	}
 }
 

userspace/falco/application.h

@@ -16,7 +16,6 @@ limitations under the License.
 
 #pragma once
 
-#include "semaphore.h"
 #include "configuration.h"
 #include "stats_writer.h"
 #ifndef MINIMAL_BUILD
@@ -199,67 +198,6 @@ private:
 		bool proceed;
 	};
 
-	// used to synchronize different event source running in parallel
-	class source_sync_context
-	{
-	public:
-		source_sync_context(falco::semaphore& s)
-			: m_finished(false), m_joined(false), m_semaphore(s) { }
-		source_sync_context(source_sync_context&&) = default;
-		source_sync_context& operator = (source_sync_context&&) = default;
-		source_sync_context(const source_sync_context&) = delete;
-		source_sync_context& operator = (const source_sync_context&) = delete;
-
-		inline void finish()
-		{
-			bool v = false;
-			while (!m_finished.compare_exchange_weak(
-					v, true, 
-					std::memory_order_seq_cst,
-					std::memory_order_seq_cst))
-			{
-				if (v)
-				{
-					throw falco_exception("source_sync_context has been finished twice");
-				}
-			}
-			m_semaphore.release();
-		}
-
-		inline void join()
-		{
-			bool v = false;
-			while (!m_joined.compare_exchange_weak(
-					v, true, 
-					std::memory_order_seq_cst,
-					std::memory_order_seq_cst))
-			{
-				if (v)
-				{
-					throw falco_exception("source_sync_context has been joined twice");
-				}
-			}
-		}
-
-		inline bool joined()
-		{
-			return m_joined.load(std::memory_order_seq_cst);
-		}
-
-		inline bool finished()
-		{
-			return m_finished.load(std::memory_order_seq_cst);
-		}
-		
-	private:
-		// set to true when the event processing loop finishes
-		std::atomic<bool> m_finished;
-		// set to true when the result has been collected after finishing
-		std::atomic<bool> m_joined;
-		// used to notify the waiting thread when finished gets set to true
-		falco::semaphore& m_semaphore;
-	};
-
 	// Convenience method. Read a sequence of filenames and fill
 	// in a vector of rules contents.
         // Also fill in the provided rules_contents_t with a mapping from
@@ -369,7 +307,7 @@ private:
 		std::shared_ptr<sinsp> inspector,
 		std::shared_ptr<stats_writer> statsw,
 		std::string source, // an empty source represents capture mode
-		application::source_sync_context* sync,
+		std::atomic<bool>* finished,
 		run_result* res) noexcept;
 
 	/* Returns true if we are in capture mode. */
@@ -384,9 +322,9 @@ private:
 	}
 
 	// used in signal handlers to control the flow of the application
-	void terminate(bool verbose=true);
-	void restart(bool verbose=true);
-	void reopen_outputs(bool verbose=true);
+	void terminate();
+	void restart();
+	void reopen_outputs();
 	inline bool should_terminate()
 	{
 		return g_terminate.load(std::memory_order_seq_cst) != APP_SIGNAL_NOT_SET;

userspace/falco/configuration.cpp

@@ -32,31 +32,13 @@ limitations under the License.
 using namespace std;
 
 falco_configuration::falco_configuration():
-	m_json_output(false),
-	m_json_include_output_property(true),
-	m_json_include_tags_property(true),
-	m_notifications_rate(0),
-	m_notifications_max_burst(1000),
-	m_watch_config_files(true),
 	m_buffered_outputs(false),
 	m_time_format_iso_8601(false),
-	m_output_timeout(2000),
-	m_grpc_enabled(false),
-	m_grpc_threadiness(0),
 	m_webserver_enabled(false),
 	m_webserver_threadiness(0),
 	m_webserver_listen_port(8765),
 	m_webserver_k8s_healthz_endpoint("/healthz"),
 	m_webserver_ssl_enabled(false),
-	m_syscall_evt_drop_threshold(.1),
-	m_syscall_evt_drop_rate(.03333),
-	m_syscall_evt_drop_max_burst(1),
-	m_syscall_evt_simulate_drops(false),
-	m_syscall_evt_timeout_max_consecutives(1000),
-	m_metadata_download_max_mb(100),
-	m_metadata_download_chunk_wait_us(1000),
-	m_metadata_download_watch_freq_sec(1),
-	m_syscall_buf_size_preset(4),
 	m_config(NULL)
 {
 }
@@ -69,7 +51,7 @@ falco_configuration::~falco_configuration()
 	}
 }
 
-void falco_configuration::init(const string& conf_filename, const vector<string> &cmdline_options)
+void falco_configuration::init(string conf_filename, const vector<string> &cmdline_options)
 {
 	string m_config_file = conf_filename;
 	m_config = new yaml_configuration();

userspace/falco/configuration.h

@@ -216,7 +216,7 @@ public:
 	falco_configuration();
 	virtual ~falco_configuration();
 
-	void init(const std::string& conf_filename, const std::vector<std::string>& cmdline_options);
+	void init(std::string conf_filename, const std::vector<std::string>& cmdline_options);
 	void init(const std::vector<std::string>& cmdline_options);
 
 	static void read_rules_file_directory(const string& path, list<string>& rules_filenames, list<string> &rules_folders);

userspace/falco/event_drops.cpp

@@ -24,8 +24,7 @@ syscall_evt_drop_mgr::syscall_evt_drop_mgr():
 	m_inspector(NULL),
 	m_outputs(NULL),
 	m_next_check_ts(0),
-	m_simulate_drops(false),
-	m_threshold(0)
+	m_simulate_drops(false)
 {
 }
 

userspace/falco/falco_outputs.cpp

@@ -50,7 +50,7 @@ falco_outputs::falco_outputs(
 	uint32_t timeout,
 	bool buffered,
 	bool time_format_iso_8601,
-	const std::string& hostname)
+	std::string hostname)
 {
 	m_formats.reset(new falco_formats(engine, json_include_output_property, json_include_tags_property));
 
@@ -271,7 +271,7 @@ inline void falco_outputs::push(const ctrl_msg& cmsg)
 void falco_outputs::worker() noexcept
 {
 	watchdog<std::string> wd;
-	wd.start([&](const std::string& payload) -> void {
+	wd.start([&](std::string payload) -> void {
 		falco_logger::log(LOG_CRIT, "\"" + payload + "\" output timeout, all output channels are blocked\n");
 	});
 

userspace/falco/falco_outputs.h

@@ -47,7 +47,7 @@ public:
 		uint32_t timeout,
 		bool buffered,
 		bool time_format_iso_8601,
-		const std::string& hostname);
+		std::string hostname);
 
 	virtual ~falco_outputs();
 

userspace/falco/grpc_server.cpp

@@ -128,12 +128,12 @@ void falco::grpc::server::thread_process(int thread_index)
 }
 
 void falco::grpc::server::init(
-	const std::string& server_addr,
+	std::string server_addr,
 	int threadiness,
-	const std::string& private_key,
-	const std::string& cert_chain,
-	const std::string& root_certs,
-	const std::string& log_level)
+	std::string private_key,
+	std::string cert_chain,
+	std::string root_certs,
+	std::string log_level)
 {
 	m_server_addr = server_addr;
 	m_threadiness = threadiness;

userspace/falco/grpc_server.h

@@ -33,12 +33,12 @@ public:
 	virtual ~server() = default;
 
 	void init(
-		const std::string& server_addr,
+		std::string server_addr,
 		int threadiness,
-		const std::string& private_key,
-		const std::string& cert_chain,
-		const std::string& root_certs,
-		const std::string& log_level
+		std::string private_key,
+		std::string cert_chain,
+		std::string root_certs,
+		std::string log_level
 	);
 	void thread_process(int thread_index);
 	void run();

userspace/falco/outputs.h

@@ -63,7 +63,7 @@ class abstract_output
 public:
 	virtual ~abstract_output() {}
 
-	void init(const config& oc, bool buffered, const std::string& hostname, bool json_output)
+	void init(config oc, bool buffered, std::string hostname, bool json_output)
 	{
 		m_oc = oc;
 		m_buffered = buffered;

userspace/falco/semaphore.h

@@ -1,62 +0,0 @@
-/*
-Copyright (C) 2022 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#include <mutex>
-#include <condition_variable>
-
-namespace falco
-{
-    /**
-     * @brief A simple semaphore implementation. Unfortunately, a standard
-     * semaphore is only available since C++20, which currently we don't target.
-     */
-    class semaphore
-    {
-    public:
-        /**
-         * @brief Creates a semaphore with the given initial counter value
-         */
-        semaphore(int c = 0): count(c) {}
-
-        /**
-         * @brief Increments the internal counter and unblocks acquirers
-         */
-        inline void release()
-        {
-            std::unique_lock<std::mutex> lock(mtx);
-            count++;
-            cv.notify_one();
-        }
-
-        /**
-         * @brief Decrements the internal counter or blocks until it can
-         */
-        inline void acquire()
-        {
-            std::unique_lock<std::mutex> lock(mtx);
-            while (count == 0)
-            {
-                cv.wait(lock);
-            }
-            count--;
-        }
-
-    private:
-        std::mutex mtx;
-        std::condition_variable cv;
-        int count;
-    };
-};