chore(cmake): bump libs/drivers to 0.23.1/9.1.0+driver

The previously used driver version was already the `9.1.0+driver`:
simply replace the commit SHA with the release name.

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>

CMakeLists.txt

@@ -288,6 +288,12 @@ if(NOT WIN32
    AND NOT MUSL_OPTIMIZED_BUILD
 )
 	include(falcoctl)
+	set(CONTAINER_VERSION "0.6.0")
+	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+		set(CONTAINER_HASH "f9c322dc2aa4cbda492a5e6258532f771e960db45509a53bc1a528a01f4b6168")
+	else() # arm64
+		set(CONTAINER_HASH "f2015a5c758b5eb79869ec1593352adf5c955990e58e08047b4c1344c6b07676")
+	endif()
 	include(container_plugin)
 
 	# Generate a binary_dir/falco.yaml that automatically enables the plugin to be used for local

cmake/modules/driver.cmake

@@ -35,9 +35,9 @@ else()
 	# FALCOSECURITY_LIBS_VERSION. In case you want to test against another driver version (or
 	# branch, or commit) just pass the variable - ie., `cmake -DDRIVER_VERSION=dev ..`
 	if(NOT DRIVER_VERSION)
-		set(DRIVER_VERSION "9e6a8ccd4e4f5796f45ad486decd00b4996129b7")
+		set(DRIVER_VERSION "9.1.0+driver")
 		set(DRIVER_CHECKSUM
-			"SHA256=87902814e29718529094b89ff2a3ddbd4ee7aa77da824d4acbaad0d863e04ce9"
+			"SHA256=14cba5b610bf48cd0a0a94b1156ed86bfb552c7ed24b68b1028360fa3af18cbb"
 		)
 	endif()
 

cmake/modules/falcosecurity-libs.cmake

@@ -42,9 +42,9 @@ else()
 	# version (or branch, or commit) just pass the variable - ie., `cmake
 	# -DFALCOSECURITY_LIBS_VERSION=dev ..`
 	if(NOT FALCOSECURITY_LIBS_VERSION)
-		set(FALCOSECURITY_LIBS_VERSION "9e6a8ccd4e4f5796f45ad486decd00b4996129b7")
+		set(FALCOSECURITY_LIBS_VERSION "0.23.1")
 		set(FALCOSECURITY_LIBS_CHECKSUM
-			"SHA256=87902814e29718529094b89ff2a3ddbd4ee7aa77da824d4acbaad0d863e04ce9"
+			"SHA256=38c580626b072ed24518e8285a629923c8c4c6d6794b91b3b93474db7fd85cf7"
 		)
 	endif()
 

docker/driver-loader-buster/Dockerfile

@@ -17,11 +17,12 @@ LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc
 ARG TARGETARCH
 
 ARG VERSION_BUCKET=deb
-ENV VERSION_BUCKET=${VERSION_BUCKET}
-
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV HOST_ROOT=/host
-ENV HOME=/root
+ARG HOST_ROOT=/host
+ARG HOME=/root
+ENV FALCO_VERSION="${FALCO_VERSION}" \
+    VERSION_BUCKET="${VERSION_BUCKET}" \
+    HOST_ROOT="${HOST_ROOT}" \
+    HOME="${HOME}"
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
@@ -136,6 +137,6 @@ RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dep
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 
-COPY ./docker/driver-loader-buster/docker-entrypoint.sh /
+COPY docker/driver-loader-buster/docker-entrypoint.sh /
 
 ENTRYPOINT ["/docker-entrypoint.sh"]

docker/falco-debian/Dockerfile

@@ -15,14 +15,15 @@ LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /proc:/host/proc:ro -v /etc:/host/etc:ro falcosecurity/falco:latest-debian"
 
 ARG VERSION_BUCKET=deb
+ARG HOST_ROOT=/host
+ARG HOME=/root
 
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV VERSION_BUCKET=${VERSION_BUCKET}
+ENV FALCO_VERSION="${FALCO_VERSION}" \
+    VERSION_BUCKET="${VERSION_BUCKET}" \
+    HOST_ROOT="${HOST_ROOT}" \
+    HOME="${HOME}"
 
-ENV HOST_ROOT=/host
-ENV HOME=/root
-
-RUN apt-get -y update && apt-get -y install ca-certificates curl jq ca-certificates gnupg2 \
+RUN apt-get -y update && apt-get -y install curl jq ca-certificates gnupg2 \
 	&& apt clean -y && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /
@@ -35,6 +36,6 @@ RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
 	&& rm -rf /var/lib/apt/lists/*
 
 # Change the falco config within the container to enable ISO 8601 output.
-ADD ./config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
+ADD config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
 
 CMD ["/usr/bin/falco"]

docker/falco/Dockerfile

@@ -16,22 +16,26 @@ LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run
 # NOTE: for the "least privileged" use case, please refer to the official documentation
 
 ARG VERSION_BUCKET=bin
+ARG HOST_ROOT=/host
+ARG HOME=/root
 
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV VERSION_BUCKET=${VERSION_BUCKET}
-ENV HOST_ROOT=/host
-ENV HOME=/root
+ENV FALCO_VERSION="${FALCO_VERSION}" \
+    VERSION_BUCKET="${VERSION_BUCKET}" \
+    HOST_ROOT="${HOST_ROOT}" \
+    HOME="${HOME}"
 
 RUN apk update && apk add curl ca-certificates jq libstdc++
 
 WORKDIR /
 
-RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
+RUN ARCH=$(uname -m) && \
+    FALCO_VERSION_URLENCODED=$(echo -n "${FALCO_VERSION}" | jq -sRr @uri) && \
+    echo "Downloading Falco ${FALCO_VERSION} for ${ARCH}" && \
     curl -L -o falco.tar.gz \
-    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-${FALCO_VERSION_URLENCODED}-$(uname -m).tar.gz && \
+    https://download.falco.org/packages/${VERSION_BUCKET}/${ARCH}/falco-${FALCO_VERSION_URLENCODED}-${ARCH}.tar.gz && \
     tar -xvf falco.tar.gz && \
     rm -f falco.tar.gz && \
-    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
+    mv falco-${FALCO_VERSION}-${ARCH} falco && \
     rm -rf /falco/usr/src/falco-* && \
     cp -r /falco/* / && \
     rm -rf /falco && \
@@ -39,6 +43,6 @@ RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
 
 
 # Change the falco config within the container to enable ISO 8601 output.
-ADD ./config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
+ADD config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
 
 CMD ["/usr/bin/falco"]

falco.yaml

@@ -70,9 +70,9 @@
 #     file_output [Stable]
 #     http_output [Stable]
 #     program_output [Stable]
-#     grpc_output [Stable]
+#     grpc_output [Deprecated]
 # Falco exposed services
-#     grpc [Stable]
+#     grpc [Deprecated]
 #     webserver [Stable]
 # Falco logging / alerting / metrics related to software functioning (basic)
 #     log_stderr [Stable]
@@ -282,12 +282,14 @@ rules_files:
 #
 # -- Falco supports different engines to generate events.
 # Choose the appropriate engine kind based on your system's configuration and requirements.
+# DEPRECATION NOTICE: the Legacy eBPF probe and the gVisor engine are currently deprecated. Consider using other
+# engines.
 #
 # Available engines:
 # - `kmod`: Kernel Module
-# - `ebpf`: Legacy eBPF probe
+# - `ebpf`: Legacy eBPF probe (deprecated)
 # - `modern_ebpf`: Modern eBPF (CO-RE eBPF probe)
-# - `gvisor`: gVisor sandbox
+# - `gvisor`: gVisor sandbox (deprecated)
 # - `replay`: Replay a scap trace file
 # - `nodriver`: No driver is injected into the system.
 #   This is useful to debug and to run plugins with 'syscall' source.
@@ -438,7 +440,8 @@ engine:
   kmod:
     buf_size_preset: 4
     drop_failed_exit: false
-  # -- Engine-specific configuration for Legacy eBPF (ebpf) engine.
+  # -- Engine-specific configuration for Legacy eBPF (ebpf) engine. DEPRECATION NOTICE: the Legacy eBPF engine is
+  # deprecated.
   ebpf:
     # -- Path to the elf file to load.
     probe: ${HOME}/.falco/falco-bpf.o
@@ -453,7 +456,7 @@ engine:
   replay:
     # -- Path to the capture file to replay (eg: /path/to/file.scap)
     capture_file: ""
-  # -- Engine-specific configuration for gVisor (gvisor) engine.
+  # -- Engine-specific configuration for gVisor (gvisor) engine. DEPRECATION NOTICE: the gVisor engine is deprecated.
   gvisor:
     # -- A Falco-compatible configuration file can be generated with
     # '--gvisor-generate-config' and utilized for both runsc and Falco.
@@ -798,7 +801,7 @@ append_output:
 # Falco outputs channels #
 ##########################
 
-# Falco supports various output channels, such as syslog, stdout, file, gRPC,
+# Falco supports various output channels, such as syslog, stdout, file, gRPC (deprecated),
 # webhook, and more. You can enable or disable these channels as needed to
 # control where Falco alerts and log messages are directed. This flexibility
 # allows seamless integration with your preferred logging and alerting systems.
@@ -894,14 +897,14 @@ program_output:
   # -- The program to execute.
   program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
 
-# [Stable] `grpc_output`
+# [Deprecated] `grpc_output`
 #
-# -- Use gRPC as an output service.
+# -- Use gRPC as an output service. DEPRECATION NOTICE: The gRPC output is deprecated. Consider using other outputs.
 #
 # gRPC is a modern and high-performance framework for remote procedure calls
 # (RPC). It utilizes protocol buffers for efficient data serialization. The gRPC
 # output in Falco provides a modern and efficient way to integrate with other
-# systems. By default the setting is turned off. Enabling this option stores
+# systems. By default, the setting is turned off. Enabling this option stores
 # output events in memory until they are consumed by a gRPC client. Ensure that
 # you have a consumer for the output events or leave it disabled.
 grpc_output:
@@ -912,7 +915,10 @@ grpc_output:
 # Falco exposed services #
 ##########################
 
-# [Stable] `grpc`
+# [Deprecated] `grpc`
+#
+# -- A gRPC server (needed by the gRPC output). DEPRECATION NOTICE: The gRPC server is deprecated as a consequence of
+# the gRPC output deprecation.
 #
 # Falco provides support for running a gRPC server using two main binding types:
 # 1. Over the network with mandatory mutual TLS authentication (mTLS), which

userspace/falco/configuration.cpp

@@ -254,6 +254,12 @@ void falco_configuration::load_engine_config(const std::string &config_name) {
 		                       driver_mode_str + "' is not a valid kind.");
 	}
 
+	if(m_engine_mode == engine_kind_t::EBPF || m_engine_mode == engine_kind_t::GVISOR) {
+		falco_logger::log(falco_logger::level::WARNING,
+		                  "Using deprecated engine '" + driver_mode_str +
+		                          "'. Please consider switching to another engine.");
+	}
+
 	switch(m_engine_mode) {
 	case engine_kind_t::KMOD:
 		m_kmod.m_buf_size_preset = m_config.get_scalar<int16_t>("engine.kmod.buf_size_preset",
@@ -473,6 +479,11 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 	}
 
 	m_grpc_enabled = m_config.get_scalar<bool>("grpc.enabled", false);
+	if(m_grpc_enabled) {
+		falco_logger::log(falco_logger::level::WARNING,
+		                  "Using deprecated gRPC server (deprecated as consequence of gRPC output "
+		                  "deprecation).");
+	}
 	m_grpc_bind_address = m_config.get_scalar<std::string>("grpc.bind_address", "0.0.0.0:5060");
 	m_grpc_threadiness = m_config.get_scalar<uint32_t>("grpc.threadiness", 0);
 	if(m_grpc_threadiness == 0) {
@@ -488,8 +499,13 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 
 	falco::outputs::config grpc_output;
 	grpc_output.name = "grpc";
+	const auto grpc_output_enabled = m_config.get_scalar<bool>("grpc_output.enabled", true);
+	if(grpc_output_enabled) {
+		falco_logger::log(falco_logger::level::WARNING,
+		                  "Using deprecated gRPC output. Please consider using other outputs.");
+	}
 	// gRPC output is enabled only if gRPC server is enabled too
-	if(m_config.get_scalar<bool>("grpc_output.enabled", true) && m_grpc_enabled) {
+	if(grpc_output_enabled && m_grpc_enabled) {
 		m_outputs.push_back(grpc_output);
 	}
 

userspace/falco/outputs_program.cpp

@@ -16,12 +16,22 @@ limitations under the License.
 */
 
 #include "outputs_program.h"
+#include "logger.h"
 #include <stdio.h>
+#include <cerrno>
+#include <cstring>
 
 void falco::outputs::output_program::open_pfile() {
 	if(m_pfile == nullptr) {
 		m_pfile = popen(m_oc.options["program"].c_str(), "w");
 
+		if(m_pfile == nullptr) {
+			falco_logger::log(falco_logger::level::ERR,
+			                  "Failed to open program output: " + m_oc.options["program"] +
+			                          " (error: " + std::string(std::strerror(errno)) + ")");
+			return;
+		}
+
 		if(!m_buffered) {
 			setvbuf(m_pfile, NULL, _IONBF, 0);
 		}
@@ -31,7 +41,9 @@ void falco::outputs::output_program::open_pfile() {
 void falco::outputs::output_program::output(const message *msg) {
 	open_pfile();
 
-	fprintf(m_pfile, "%s\n", msg->msg.c_str());
+	if(m_pfile != nullptr) {
+		fprintf(m_pfile, "%s\n", msg->msg.c_str());
+	}
 
 	if(m_oc.options["keep_alive"] != "true") {
 		cleanup();

userspace/falco/outputs_program.h

@@ -32,7 +32,7 @@ class output_program : public abstract_output {
 private:
 	void open_pfile();
 
-	FILE *m_pfile;
+	FILE *m_pfile = nullptr;
 };
 
 }  // namespace outputs