temp

Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>

CMakeLists.txt

@@ -233,5 +233,3 @@ endif()
 
 # Packages configuration
 include(CPackConfig)
-
-add_subdirectory(docker/dev)

cmake/cpack/CMakeCPackOptions.cmake

@@ -1,13 +1,10 @@
-if(CPACK_GENERATOR MATCHES "DEB")
+if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-endif()
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-if(CPACK_GENERATOR MATCHES "RPM")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-plugin.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 
 if(CPACK_GENERATOR MATCHES "TGZ")

cmake/modules/driver.cmake

@@ -26,8 +26,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "3.0.1+driver")
+    set(DRIVER_VERSION "bb9702d5d3d3358804b1d483e7648dc55a2b7826")
-    set(DRIVER_CHECKSUM "SHA256=f50003043c804aa21990560de02db42e203ee09d050112a4a5dd2b05f22a8a6c")
+    set(DRIVER_CHECKSUM "SHA256=447aa085ccedcd649e91f68aefff13d4ca2a9ddc0faa5c4e30dd76d45ae47267")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/falcosecurity-libs-repo/CMakeLists.txt

@@ -19,7 +19,7 @@ message(STATUS "Libs version: ${FALCOSECURITY_LIBS_VERSION}")
 
 ExternalProject_Add(
   falcosecurity-libs
-  URL "https://github.com/falcosecurity/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
+  URL "https://github.com/Andreagit97/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
   URL_HASH "${FALCOSECURITY_LIBS_CHECKSUM}"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""

cmake/modules/falcosecurity-libs.cmake

@@ -27,8 +27,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "0.9.0")
+    set(FALCOSECURITY_LIBS_VERSION "bb9702d5d3d3358804b1d483e7648dc55a2b7826")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=5319a1b6a72eba3d9524cf084be5fc2ed81e3e90b3bee8edbe58b8646af0cbcb")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=447aa085ccedcd649e91f68aefff13d4ca2a9ddc0faa5c4e30dd76d45ae47267")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

docker/README.md

@@ -13,6 +13,5 @@ This directory contains various ways to package Falco as a container and related
 | [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/getting-started/source/) for more details on building from source. Used to build Falco (CI). |
 | [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
 | _not to be published_ | docker/local | Built on-the-fly and used by falco-tester. |
-| _not to be published_ | docker/dev | Built on-the-fly to test local Falco development. |
 
-> Note: `falco-builder`, `falco-tester`, `docker/local`, `docker/dev` images are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
+> Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.

docker/dev/CMakeLists.txt

@@ -1,20 +0,0 @@
-# Build a docker container for local development
-if(CMAKE_SYSTEM_NAME MATCHES "Linux")
-  set(DEV_DOCKER_CXT ${CMAKE_BINARY_DIR}/docker/dev-docker-ctx)
-
-  # This target prepares the `tar.gz` artifact that will be passed to the dockerfile.
-  add_custom_target(dev-docker-prepare
-    COMMAND mkdir -p ${DEV_DOCKER_CXT}
-    COMMAND "${CMAKE_COMMAND}" --build . --target package
-    COMMAND ${CMAKE_COMMAND} -E copy_if_different ${CMAKE_BINARY_DIR}/falco-${FALCO_VERSION}-${FALCO_TARGET_ARCH}.tar.gz ${DEV_DOCKER_CXT}/falco.tar.gz
-    DEPENDS falco
-  )
-
-  add_custom_target(dev-docker
-    COMMAND docker build
-      --tag falco-nodriver-dev
-      -f ${CMAKE_SOURCE_DIR}/docker/dev/nodriver.Dockerfile
-      ${DEV_DOCKER_CXT}
-    DEPENDS dev-docker-prepare
-  )
-endif()

docker/dev/README.md

@@ -1,59 +0,0 @@
-# Falco development image
-
-This docker image can be easily generated starting from a clean Falco build.
-
-## 1. Clone the Falco repo ⬇️
-
-```bash
-git clone https://github.com/falcosecurity/falco.git
-```
-
-## 2. Prepare the build directory 🏗️
-
-### `falco-runner-image` tag
-
-The CMake command that we will see in the next section builds Falco locally on your machine, and push it into a docker image, so as you may imagine the final image that will run Falco must have a similar `GLIBC` version to your local one. For this reason, you have to use docker tags.
-
-The `nodriver.Dockerfile` will use the `falco-runner-image` tag to build the final image as you can see here:
-
-```dockerfile
-FROM falco-runner-image AS runner
-
-...
-```
-
-For example, if I build Falco locally on a un `ubuntu:22-04` machine I will instruct docker to use `ubuntu:22-04` as a final running image.
-
-```bash
-docker tag ubuntu:22.04 falco-runner-image
-```
-
-In this way the `nodriver.Dockerfile` will use `ubuntu:22-04` during the building phase.
-
-### Cmake command
-
-Now that we set the `falco-runner-image` tag, we are ready to build our Falco image. Starting from the project root:
-
-```bash
-mkdir build && cd build
-cmake -DUSE_BUNDLED_DEPS=On -DCREATE_TEST_TARGETS=Off -DCPACK_GENERATOR=TGZ -DFALCO_ETC_DIR=/etc/falco ..
-make dev-docker
-```
-> __Please note__: These cmake options `-DUSE_BUNDLED_DEPS=On -DCREATE_TEST_TARGETS=Off -DCPACK_GENERATOR=TGZ -DFALCO_ETC_DIR=/etc/falco` are the required ones but you can provide additional options to build the image according to your needs (for example you can pass `-DMINIMAL_BUILD=On` if you want a minimal build image or `-DBUILD_FALCO_MODERN_BPF=ON` if you want to include the modern bpf probe inside the image)
-
-## 3. Run the docker image locally 🏎️
-
-```bash
-docker run --rm -i -t \
-           --privileged \
-           -v /var/run/docker.sock:/host/var/run/docker.sock \
-           -v /dev:/host/dev \
-           -v /proc:/host/proc:ro \
-           falco-nodriver-dev
-```
-
-If you change something in the Falco source code you can simply rebuild the image with:
-
-```bash
-make dev-docker
-```

docker/dev/nodriver.Dockerfile

@@ -1,33 +0,0 @@
-FROM ubuntu:22.04 AS builder
-
-COPY ./falco.tar.gz /
-
-WORKDIR /
-
-# 1. We remove the Falco directory with the name related to the version and the arch
-# 2. We remove the source folder
-# 3. We remove the `falco-driver-loader` binary
-RUN mkdir falco; \
-    tar -xzf falco.tar.gz -C falco --strip-component 1; \
-    rm -rf /falco/usr/src; \
-    rm /falco/usr/bin/falco-driver-loader
-
-# the time displayed in log messages and output messages will be in ISO 8601.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new; \
-    mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
-
-# Please note: it could be necessary to change this base image according
-# to the `glibc` version of the machine where you build the tar.gz package
-# use `docker tag ubuntu:22.04 falco-runner-image` for example
-FROM falco-runner-image AS runner
-
-LABEL name="falcosecurity/falco-nodriver-dev"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL usage="docker run -it --rm --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
-
-COPY --from=builder /falco /
-
-ENV HOST_ROOT /host
-ENV HOME /root
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/tester/Dockerfile

@@ -15,7 +15,7 @@ RUN if [ "$TARGETARCH" = "amd64" ] ; then curl -L -o grpcurl.tar.gz \
     https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_arm64.tar.gz; \
     fi;
 
-RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
+RUN dnf install -y python-pip python docker findutils jq unzip sed curl && dnf clean all
 ENV PATH="/root/.local/bin/:${PATH}"
 RUN pip install --user avocado-framework==69.0
 RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0

scripts/CMakeLists.txt

@@ -15,26 +15,28 @@
 # limitations under the License.
 #
 
+# Systemd
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
+		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
+		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-bpf.service"
+		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-modern-bpf.service"
+		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-plugin.service"
+		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+
+# Debian
 configure_file(debian/postinst.in debian/postinst)
 configure_file(debian/postrm.in debian/postrm)
 configure_file(debian/prerm.in debian/prerm)
 
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
+# Rpm
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
-
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco_inject_kmod.service"
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
-
 configure_file(rpm/postinstall.in rpm/postinstall)
 configure_file(rpm/postuninstall.in rpm/postuninstall)
 configure_file(rpm/preuninstall.in rpm/preuninstall)
 
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
-
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco_inject_kmod.service"
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
-
 configure_file(falco-driver-loader falco-driver-loader @ONLY)
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")

scripts/debian/falco_inject_kmod.service

@@ -1,13 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security
-Documentation=https://falco.org/docs/
-Before=falco.service
-Wants=falco.service
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/sbin/modprobe falco
-
-[Install]
-WantedBy=multi-user.target

scripts/debian/postinst.in

@@ -17,58 +17,65 @@
 #
 set -e
 
-DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
+chosen_driver=
-DKMS_VERSION="@DRIVER_VERSION@"
-NAME="@PACKAGE_NAME@"
 
-postinst_found=0
+if [ "$1" = "configure" ]; then
+        if [ -x /usr/bin/dialog ]; then
+          # If dialog is installed, create a dialog to let users choose the correct driver for them
+          CHOICE=$(dialog --clear --backtitle "Choose your preferred driver" --title "Falco driver" --menu "Choose one of the following options:" 15 40 4 \
+                1 "Don't start" \
+                2 "Kmod" \
+                3 "eBPF" \
+                4 "Modern eBPF" \
+                5 "Plugin" \
+                2>&1 >/dev/tty)
+            clear
+            case $CHOICE in
+                2)
+                    chosen_driver="kmod"
+                    ;;
+                3)
+                    chosen_driver="bpf"
+                    ;;
+                4)
+                    chosen_driver="modern-bpf"
+                    ;;
+                5)
+                    chosen_driver="plugin"
+                    ;;
+            esac
+        fi
+fi
 
-case "$1" in
+# If needed, try to load/compile the driver through falco-driver-loader
-	configure)
+case "$chosen_driver" in
-		for DKMS_POSTINST in /usr/lib/dkms/common.postinst /usr/share/$DKMS_PACKAGE_NAME/postinst; do
+    "kmod")
-			if [ -f $DKMS_POSTINST ]; then
+      echo "[POST-INSTALL] Call falco-driver-loader module:\n"
-				$DKMS_POSTINST $DKMS_PACKAGE_NAME $DKMS_VERSION /usr/share/$DKMS_PACKAGE_NAME "" $2
+      falco-driver-loader module
-				postinst_found=1
+      ;;
-				break
+    "bpf")
-			fi
+      echo "[POST-INSTALL] Call falco-driver-loader bpf:\n"
-		done
+      falco-driver-loader bpf
-		if [ "$postinst_found" -eq 0 ]; then
+      ;;
-			echo "ERROR: DKMS version is too old and $DKMS_PACKAGE_NAME was not"
-			echo "built with legacy DKMS support."
-			echo "You must either rebuild $DKMS_PACKAGE_NAME with legacy postinst"
-			echo "support or upgrade DKMS to a more current version."
-			exit 1
-		fi
-	;;
 esac
 
-# Based off what debhelper dh_systemd_enable/13.3.4 would have added
-# ref: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#debhelper
-
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
-        # This will only remove masks created by d-s-h on package removal.
+        if [ -n "$chosen_driver" ]; then
-        deb-systemd-helper unmask 'falco.service' >/dev/null || true
+            echo "[POST-INSTALL] enable falco-$chosen_driver.service:\n"
-
+            systemctl --system enable "falco-$chosen_driver.service" || true
-        # was-enabled defaults to true, so new installations run enable.
+            echo "[POST-INSTALL] start falco-$chosen_driver.service:\n"
-        if deb-systemd-helper --quiet was-enabled 'falco.service'; then
+            systemctl --system start "falco-$chosen_driver.service" || true
-                # Enables the unit on first installation, creates new
-                # symlinks on upgrades if the unit file has changed.
-                deb-systemd-helper enable 'falco.service' >/dev/null || true
-        else
-                # Update the statefile to add new symlinks (if any), which need to be
-                # cleaned up on purge. Also remove old symlinks.
-                deb-systemd-helper update-state 'falco.service' >/dev/null || true
         fi
 fi
 
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
-        if [ -d /run/systemd/system ]; then
+    if [ -d /run/systemd/system ]; then
-                systemctl --system daemon-reload >/dev/null || true
+      echo "[POST-INSTALL] trigger deamon-reload:\n"
-                if [ -n "$2" ]; then
+      systemctl --system daemon-reload || true
-                        _dh_action=restart
+      if [ -n "$chosen_driver" ]; then
-                else
+        echo "[POST-INSTALL] trigger condrestart:\n"
-                        _dh_action=start
+        # restart falco on upgrade if service is already running
-                fi
+        systemctl --system condrestart "falco-$chosen_driver.service" || true
-                deb-systemd-invoke $_dh_action 'falco.service' >/dev/null || true
+      fi
-        fi
+    fi
 fi

scripts/debian/postrm.in

@@ -22,18 +22,11 @@
 set -e
 
 if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
-        systemctl --system daemon-reload >/dev/null || true
+        echo "[POST-REMOVE] disable falco services:\n"
-fi
+        systemctl --system disable 'falco-kmod.service' || true
-
+        systemctl --system disable 'falco-bpf.service' || true
-if [ "$1" = "remove" ]; then
+        systemctl --system disable 'falco-modern-bpf.service' || true
-        if [ -x "/usr/bin/deb-systemd-helper" ]; then
+        systemctl --system disable 'falco-plugin.service' || true
-                deb-systemd-helper mask 'falco.service' >/dev/null || true
+        echo "[POST-REMOVE] trigger deamon-reload:\n"
-        fi
+        systemctl --system daemon-reload || true
-fi
-
-if [ "$1" = "purge" ]; then
-        if [ -x "/usr/bin/deb-systemd-helper" ]; then
-                deb-systemd-helper purge 'falco.service' >/dev/null || true
-                deb-systemd-helper unmask 'falco.service' >/dev/null || true
-        fi
 fi

scripts/debian/prerm.in

@@ -22,11 +22,16 @@ set -e
 # Currently running falco service uses the driver, so stop it before driver cleanup
 
 if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
-        deb-systemd-invoke stop 'falco.service' >/dev/null || true
+        echo "[POST-REMOVE] stop falco services:\n"
+        systemctl --system stop 'falco-kmod.service' || true
+        systemctl --system stop 'falco-bpf.service' || true
+        systemctl --system stop 'falco-modern-bpf.service' || true
+        systemctl --system stop 'falco-plugin.service' || true
 fi
 
 case "$1" in
 	remove|upgrade|deconfigure)
-		/usr/bin/falco-driver-loader --clean
+                echo "[POST-REMOVE] call falco-driver-loader --clean:\n"
+		falco-driver-loader --clean
 	;;
 esac

scripts/falco-driver-loader

@@ -114,8 +114,7 @@ get_target_id() {
 		# Older CentOS distros
 		OS_ID=centos
 	else
-		>&2 echo "Detected an unsupported target system, please get in touch with the Falco community"
+		return 1
-		exit 1
 	fi
 
 	# Overwrite the OS_ID if /etc/VERSION file is present.
@@ -164,6 +163,7 @@ get_target_id() {
 		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
 		;;
 	esac
+	return 0
 }
 
 flatcar_relocate_tools() {
@@ -211,7 +211,13 @@ load_kernel_module_compile() {
 	fi
 
 	# Try to compile using all the available gcc versions
-	for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -n -r -k 2 -t -); do
+	for CURRENT_GCC in $(ls "$(dirname "$(which gcc)")"/gcc*); do
+		# Filter away gcc-{ar,nm,...}
+		# Only gcc compiler has `-print-search-dirs` option.
+		${CURRENT_GCC} -print-search-dirs 2>&1 | grep "install:"
+		if [ "$?" -ne "0" ]; then
+			continue
+		fi
 		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
 		echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make
 		echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
@@ -232,13 +238,14 @@ load_kernel_module_compile() {
 				return
 			fi
 			echo "* ${DRIVER_NAME} module found: ${KO_FILE}"
-			echo "* Trying insmod"
+			echo "* Trying to modprobe"
 			chcon -t modules_object_t "$KO_FILE" > /dev/null 2>&1 || true
-			if insmod "$KO_FILE" > /dev/null 2>&1; then
+			depmod ${KERNEL_RELEASE}
+			if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
 				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
 				exit 0
 			else
-				echo "* Unable to insmod ${DRIVER_NAME} module"
+				echo "* Unable to load ${DRIVER_NAME} module"
 			fi
 		else
 			DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
@@ -253,8 +260,6 @@ load_kernel_module_compile() {
 }
 
 load_kernel_module_download() {
-	get_target_id
-
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
 	local URL=$(echo "${1}/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
 
@@ -262,11 +267,14 @@ load_kernel_module_download() {
 	if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
 		echo "* Download succeeded"
 		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
-		if insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}"; then
+		mkdir -p /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/
-			echo "* Success: ${DRIVER_NAME} module found and inserted"
+		cp ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME} /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/falco.ko
+		depmod ${KERNEL_RELEASE}
+		if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
+			echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe"
 			exit 0
 		else
-			>&2 echo "Unable to insmod the prebuilt ${DRIVER_NAME} module"
+			>&2 echo "Unable to load the prebuilt ${DRIVER_NAME} module"
 		fi	
 	else
 		>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} module"
@@ -374,8 +382,6 @@ load_kernel_module() {
 
 	echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"
 
-	get_target_id
-
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
 	echo "* Filename '${FALCO_KERNEL_MODULE_FILENAME}' is composed of:"
 	print_filename_components
@@ -383,7 +389,10 @@ load_kernel_module() {
 	if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
 		echo "* Found a prebuilt ${DRIVER_NAME} module at ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
 		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
-		insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
+		mkdir -p /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/
+		cp ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME} /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/falco.ko
+		depmod ${KERNEL_RELEASE}
+		modprobe "${DRIVER_NAME}" && echo "* Success: ${DRIVER_NAME} module found and loaded"
 		exit $?
 	fi
 
@@ -544,8 +553,6 @@ load_bpf_probe() {
 		mount -t debugfs nodev /sys/kernel/debug
 	fi
 
-	get_target_id
-
 	BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
 	echo "* Filename '${BPF_PROBE_FILENAME}' is composed of:"
 	print_filename_components
@@ -638,6 +645,8 @@ DRIVER_VERSION=${DRIVER_VERSION:-"@DRIVER_VERSION@"}
 DRIVER_NAME=${DRIVER_NAME:-"@DRIVER_NAME@"}
 FALCO_VERSION="@FALCO_VERSION@"
 
+TARGET_ID="placeholder" # when no target id can be fetched, we try to build the driver from source anyway, using a placeholder name
+
 DRIVER="module"
 if [ -v FALCO_BPF_PROBE ]; then
 	DRIVER="bpf"
@@ -711,6 +720,18 @@ if [ -z "$source_only" ]; then
 		exit 1
 	fi
 
+	get_target_id
+	res=$?
+	if [ $res != 0 ]; then
+		if [ -n "$ENABLE_COMPILE" ]; then
+			ENABLE_DOWNLOAD=
+			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community. Trying to compile anyway."
+		else
+			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community."
+			exit 1
+		fi
+	fi
+
 	if [ -n "$clean" ]; then
 		if [ -n "$has_opts" ]; then
 			>&2 echo "Cannot use --clean with other options"

scripts/rpm/falco_inject_kmod.service

@@ -1,13 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security
-Documentation=https://falco.org/docs/
-Before=falco.service
-Wants=falco.service
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/sbin/modprobe falco
-
-[Install]
-WantedBy=multi-user.target

scripts/rpm/postinstall.in

@@ -16,21 +16,46 @@
 #
 set -e
 
-mod_version="@DRIVER_VERSION@"
+chosen_driver=
-dkms add -m falco -v $mod_version --rpm_safe_upgrade
+
-if [ `uname -r | grep -c "BOOT"` -eq 0 ] && [ -e /lib/modules/`uname -r`/build/include ]; then
+if [ $1 -eq 1 ]; then
-	dkms build -m falco -v $mod_version
+        if [ -x /usr/bin/dialog ]; then
-	dkms install --force -m falco -v $mod_version
+            # If dialog is installed, create a dialog to let users choose the correct driver for them
-elif [ `uname -r | grep -c "BOOT"` -gt 0 ]; then
+            CHOICE=$(dialog --clear --backtitle "Choose your preferred driver" --title "Falco driver" --menu "Choose one of the following options:" 15 40 4 \
-	echo -e ""
+                    1 "Don't start" \
-	echo -e "Module build for the currently running kernel was skipped since you"
+                    2 "Kmod" \
-	echo -e "are running a BOOT variant of the kernel."
+                    3 "eBPF" \
-else
+                    4 "Modern eBPF" \
-	echo -e ""
+                    5 "Plugin" \
-	echo -e "Module build for the currently running kernel was skipped since the"
+                    2>&1 >/dev/tty)
-	echo -e "kernel source for this kernel does not seem to be installed."
+                clear
+                case $CHOICE in
+                    2)
+                        chosen_driver="kmod"
+                        ;;
+                    3)
+                        chosen_driver="bpf"
+                        ;;
+                    4)
+                        chosen_driver="modern-bpf"
+                        ;;
+                    5)
+                        chosen_driver="plugin"
+                        ;;
+                esac
+        fi
 fi
 
+# If needed, try to load/compile the driver through falco-driver-loader
+case "$chosen_driver" in
+    "kmod")
+      falco-driver-loader module
+      ;;
+    "bpf")
+      falco-driver-loader bpf
+      ;;
+esac
+
 # validate rpm macros by `rpm -qp --scripts <rpm>`
 # RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
 #                 https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
@@ -38,27 +63,23 @@ fi
 # systemd_post macro expands to
 # if postinst:
 #   `systemd-update-helper install-system-units <service>`
-%systemd_post 'falco.service'
+%systemd_post "falco-$chosen_driver.service"
 
 # post install mirrored from .deb
 if [ $1 -eq 1 ]; then
-        # This will only remove masks created on package removal.
+        if [ -n "$chosen_driver" ]; then
-        /usr/bin/systemctl --system unmask 'falco.service' >/dev/null || true
+            systemctl --system enable "falco-$chosen_driver.service" || true
-
+            systemctl --system start "falco-$chosen_driver.service" || true
-        # enable falco on installation
+        fi
-        # note: DEB postinstall script checks for changed symlinks
-        /usr/bin/systemctl --system enable 'falco.service' >/dev/null || true
-
-        # start falco on installation
-        /usr/bin/systemctl --system start 'falco.service' >/dev/null || true
 fi
 
 # post upgrade mirrored from .deb
 if [ $1 -gt 1 ]; then
     if [ -d /run/systemd/system ]; then
-        /usr/bin/systemctl --system daemon-reload >/dev/null || true
+        systemctl --system daemon-reload || true
-
+        if [ -n "$chosen_driver" ]; then
-        # restart falco on upgrade if service is already running
+          # restart falco on upgrade if service is already running
-        /usr/bin/systemctl --system condrestart 'falco.service' >/dev/null || true
+          systemctl --system condrestart "falco-$chosen_driver.service" || true
+        fi
     fi
 fi

scripts/rpm/postuninstall.in

@@ -17,17 +17,10 @@
 
 set -e
 
-# post uninstall mirrored from .deb
+if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
-if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then
+        systemctl --system disable 'falco-kmod.service'|| true
-        /usr/bin/systemctl --system daemon-reload >/dev/null || true
+        systemctl --system disable 'falco-bpf.service' || true
-        /usr/bin/systemctl --system mask 'falco.service' >/dev/null || true
+        systemctl --system disable 'falco-modern-bpf.service' || true
+        systemctl --system disable 'falco-plugin.service' || true
+        systemctl --system daemon-reload || true
 fi
-
-# validate rpm macros by `rpm -qp --scripts <rpm>`
-# RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
-#                 https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
-
-# systemd_postun_with_restart macro expands to
-# if package upgrade, not uninstall:
-#   `systemd-update-helper mark-restart-system-units <service>`
-%systemd_postun_with_restart 'falco.service'

scripts/rpm/preuninstall.in

@@ -19,11 +19,13 @@ set -e
 # pre uninstall mirrored from .deb
 # Currently running falco service uses the driver, so stop it before driver cleanup
 if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
-        # stop falco service before uninstall
+        systemctl --system stop 'falco-kmod.service' || true
-        /usr/bin/systemctl --system stop 'falco.service' >/dev/null || true
+        systemctl --system stop 'falco-bpf.service' || true
+        systemctl --system stop 'falco-modern-bpf.service' || true
+        systemctl --system stop 'falco-plugin.service' || true
 fi
 
-/usr/bin/falco-driver-loader --clean
+falco-driver-loader --clean
 
 # validate rpm macros by `rpm -qp --scripts <rpm>`
 # RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
@@ -32,4 +34,7 @@ fi
 # systemd_preun macro expands to
 # if preuninstall:
 #  `systemd-update-helper remove-system-units <service>`
-%systemd_preun 'falco.service'
+%systemd_preun 'falco-kmod.service'
+%systemd_preun 'falco-bpf.service'
+%systemd_preun 'falco-modern-bpf.service'
+%systemd_preun 'falco-plugin.service'

scripts/systemd/falco-bpf.service

@@ -1,14 +1,15 @@
 [Unit]
-Description=Falco: Container Native Runtime Security
+Description=Falco: Container Native Runtime Security with ebpf
 Documentation=https://falco.org/docs/
-After=falco_inject_kmod.service
+Conflicts=falco-kmod.service
-Requires=falco_inject_kmod.service
+Conflicts=falco-modern-bpf.service
+Conflicts=falco-plugin.service
 
 [Service]
 Type=simple
 User=root
+Environment=FALCO_BPF_PROBE=
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
-ExecStopPost=/sbin/rmmod falco
 UMask=0077
 TimeoutSec=30
 RestartSec=15s
@@ -18,7 +19,6 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
-ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null

scripts/systemd/falco-kmod-inject.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Falco: Container Native Runtime Security with kmod, inject.
+Documentation=https://falco.org/docs/
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+User=root
+ExecStart=/sbin/modprobe falco
+ExecStop=/sbin/rmmod falco

scripts/systemd/falco-kmod.service

@@ -0,0 +1,29 @@
+[Unit]
+Description=Falco: Container Native Runtime Security with kmod
+Documentation=https://falco.org/docs/
+After=falco-kmod-inject.service
+Requires=falco-kmod-inject.service
+Conflicts=falco-bpf.service
+Conflicts=falco-modern-bpf.service
+Conflicts=falco-plugin.service
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+ProtectHome=read-only
+ProtectSystem=full
+ProtectKernelTunables=true
+ReadWritePaths=/sys/module/falco
+RestrictRealtime=true
+RestrictAddressFamilies=~AF_PACKET
+StandardOutput=null
+
+[Install]
+WantedBy=multi-user.target

scripts/systemd/falco-modern-bpf.service

@@ -0,0 +1,26 @@
+[Unit]
+Description=Falco: Container Native Runtime Security with modern ebpf
+Documentation=https://falco.org/docs/
+Conflicts=falco-kmod.service
+Conflicts=falco-bpf.service
+Conflicts=falco-plugin.service
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid --modern-bpf
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+ProtectHome=read-only
+ProtectSystem=full
+ProtectKernelTunables=true
+RestrictRealtime=true
+RestrictAddressFamilies=~AF_PACKET
+StandardOutput=null
+
+[Install]
+WantedBy=multi-user.target

scripts/systemd/falco-plugin.service

@@ -1,14 +1,14 @@
 [Unit]
-Description=Falco: Container Native Runtime Security
+Description=Falco: Container Native Runtime Security with plugin
 Documentation=https://falco.org/docs/
-After=falco_inject_kmod.service
+Conflicts=falco-kmod.service
-Requires=falco_inject_kmod.service
+Conflicts=falco-bpf.service
+Conflicts=falco-modern-bpf.service
 
 [Service]
 Type=simple
-User=root
+User=%u
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
-ExecStopPost=/sbin/rmmod falco
 UMask=0077
 TimeoutSec=30
 RestartSec=15s
@@ -18,9 +18,9 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
-ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
+StandardOutput=null
 
 [Install]
 WantedBy=multi-user.target

userspace/engine/falco_engine.cpp

@@ -346,6 +346,11 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t so
 
 	if(source_idx == m_syscall_source_idx)
 	{
+		if(m_syscall_source == NULL)
+		{
+			m_syscall_source = find_source(m_syscall_source_idx);
+		}
+
 		source = m_syscall_source;
 	}
 	else
@@ -387,7 +392,6 @@ std::size_t falco_engine::add_source(const std::string &source,
 	if(source == falco_common::syscall_source)
 	{
 		m_syscall_source_idx = idx;
-		m_syscall_source = find_source(m_syscall_source_idx);
 	}
 
 	return idx;

userspace/falco/configuration.h

@@ -400,7 +400,8 @@ namespace YAML {
 
 			if(node["open_params"] && !node["open_params"].IsNull())
 			{
-				rhs.m_open_params = node["open_params"].as<std::string>();
+				string open_params = node["open_params"].as<std::string>();
+				rhs.m_open_params = trim(open_params);
 			}
 
 			return true;