chore: make plugin library path traversal check cross-platform

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

.github/workflows/master.yaml

@@ -56,9 +56,6 @@ jobs:
 
   publish-dev-packages:
     needs: [fetch-version, test-dev-packages, test-dev-packages-arm64]
-    permissions:
-      id-token: write
-      contents: read
     uses: ./.github/workflows/reusable_publish_packages.yaml
     with:
       bucket_suffix: '-dev'
@@ -87,10 +84,6 @@ jobs:
     
   publish-dev-docker:
     needs: [fetch-version, build-dev-docker, build-dev-docker-arm64]
-    permissions:
-      attestations: write
-      id-token: write
-      contents: read
     uses: ./.github/workflows/reusable_publish_docker.yaml
     with:
       tag: master

.github/workflows/release.yaml

@@ -96,9 +96,6 @@ jobs:
 
   publish-packages:
     needs: [release-settings, test-packages, test-packages-arm64]
-    permissions:
-      id-token: write
-      contents: read
     uses: ./.github/workflows/reusable_publish_packages.yaml
     with:
       bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
@@ -128,10 +125,6 @@ jobs:
 
   publish-docker:
     needs: [release-settings, build-docker, build-docker-arm64]
-    permissions:
-      attestations: write
-      id-token: write
-      contents: read
     uses: ./.github/workflows/reusable_publish_docker.yaml
     secrets: inherit
     with:

CMakeLists.txt

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2026 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
 # in compliance with the License. You may obtain a copy of the License at
@@ -134,10 +134,17 @@ if(NOT DEFINED FALCO_COMPONENT_NAME)
 endif()
 
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
-	set(CMAKE_INSTALL_PREFIX
+	if(WIN32)
-		/usr
+		set(CMAKE_INSTALL_PREFIX
-		CACHE PATH "Default install path" FORCE
+			"C:/Program Files/${CMAKE_PROJECT_NAME}"
-	)
+			CACHE PATH "Default install path" FORCE
+		)
+	else()
+		set(CMAKE_INSTALL_PREFIX
+			/usr
+			CACHE PATH "Default install path" FORCE
+		)
+	endif()
 endif()
 
 set(CMD_MAKE make)

cmake/modules/driver.cmake

@@ -35,9 +35,9 @@ else()
 	# FALCOSECURITY_LIBS_VERSION. In case you want to test against another driver version (or
 	# branch, or commit) just pass the variable - ie., `cmake -DDRIVER_VERSION=dev ..`
 	if(NOT DRIVER_VERSION)
-		set(DRIVER_VERSION "ed3ac8a370d5a3d946ed735df40c85fc7395052e")
+		set(DRIVER_VERSION "7b08f8a0a12b56d59eab73052e637ca123623f61")
 		set(DRIVER_CHECKSUM
-			"SHA256=ef21c3e15038aa2ba2be5841e7cde0d6675ecffb6e2840468fe81418d97ec95f"
+			"SHA256=43c72a98e48d04177c8223ccdfe88de6f09958f2330b6b9ee26882f1a77e369f"
 		)
 	endif()
 

cmake/modules/falcosecurity-libs.cmake

@@ -42,9 +42,9 @@ else()
 	# version (or branch, or commit) just pass the variable - ie., `cmake
 	# -DFALCOSECURITY_LIBS_VERSION=dev ..`
 	if(NOT FALCOSECURITY_LIBS_VERSION)
-		set(FALCOSECURITY_LIBS_VERSION "ed3ac8a370d5a3d946ed735df40c85fc7395052e")
+		set(FALCOSECURITY_LIBS_VERSION "7b08f8a0a12b56d59eab73052e637ca123623f61")
 		set(FALCOSECURITY_LIBS_CHECKSUM
-			"SHA256=ef21c3e15038aa2ba2be5841e7cde0d6675ecffb6e2840468fe81418d97ec95f"
+			"SHA256=43c72a98e48d04177c8223ccdfe88de6f09958f2330b6b9ee26882f1a77e369f"
 		)
 	endif()
 

falco.yaml

@@ -1180,7 +1180,7 @@ metrics:
   # (a.k.a. the threadtable).
   state_counters_enabled: true
   # -- Add kernel side event and drop counters to metrics output.
-  # This is an alternative to `syscall_event_drops`, but with some differences.
+  # This isan alternative to `syscall_event_drops`, but with some differences.
   # These counters reflect monotonic values since Falco's start and are exported at a
   # constant stats interval.
   kernel_event_counters_enabled: true
@@ -1200,10 +1200,6 @@ metrics:
   # Please note that if the respective plugin has no metrics implemented,
   # there will be no metrics available.
   plugins_metrics_enabled: true
-  # -- Add kernel side iterator event and drop counters to metrics output.
-  # These counters reflect monotonic values since Falco's start and are exported at a
-  # constant stats interval.
-  kernel_iter_event_counters_enabled: true
   # -- Add jemalloc stats to metrics output.
   # This option requires that Falco is built with jemalloc support, otherwise
   # it will have no effect.

unit_tests/falco/test_configuration_schema.cpp

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2026 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -146,6 +146,57 @@ plugins:
 	EXPECT_EQ(falco_config.m_plugins[0].m_init_config, "");
 }
 
+TEST(Configuration, plugin_library_path_traversal) {
+	falco_configuration falco_config;
+	config_loaded_res res;
+
+	// A relative path that stays within the plugins dir should succeed.
+	std::string config = R"(
+plugins:
+  - name: myplugin
+    library_path: libmyplugin.so
+)";
+	EXPECT_NO_THROW(res = falco_config.init_from_content(config, {}));
+	EXPECT_VALIDATION_STATUS(res, yaml_helper::validation_ok);
+
+	// A relative path with ".." that escapes the plugins dir must be rejected.
+	config = R"(
+plugins:
+  - name: evil
+    library_path: ../../tmp/evil.so
+)";
+	EXPECT_THROW(falco_config.init_from_content(config, {}), std::exception);
+
+	// Traversal via "./" prefix followed by ".." must also be rejected.
+	config = R"(
+plugins:
+  - name: evil
+    library_path: ./../../tmp/evil.so
+)";
+	EXPECT_THROW(falco_config.init_from_content(config, {}), std::exception);
+
+	// Nested traversal that descends then escapes must be rejected.
+	config = R"(
+plugins:
+  - name: evil
+    library_path: subdir/../../../tmp/evil.so
+)";
+	EXPECT_THROW(falco_config.init_from_content(config, {}), std::exception);
+
+#ifndef _WIN32
+	// Absolute paths bypass the prefix logic and are allowed as-is.
+	// This test uses a Unix absolute path syntax.
+	config = R"(
+plugins:
+  - name: myplugin
+    library_path: /opt/falco/plugins/libmyplugin.so
+)";
+	EXPECT_NO_THROW(res = falco_config.init_from_content(config, {}));
+	EXPECT_VALIDATION_STATUS(res, yaml_helper::validation_ok);
+	EXPECT_EQ(falco_config.m_plugins[0].m_library_path, "/opt/falco/plugins/libmyplugin.so");
+#endif
+}
+
 TEST(Configuration, schema_yaml_helper_validator) {
 	yaml_helper conf;
 	falco_configuration falco_config;

userspace/engine/compat.h

@@ -1,59 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-/*
-Copyright (C) 2025 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#pragma once
-
-#include <ctime>
-#include <cstring>
-
-// Portable gmtime_r: Windows provides gmtime_s with reversed arg order.
-inline struct tm* falco_gmtime_r(const time_t* timer, struct tm* buf) {
-#ifdef _WIN32
-	return gmtime_s(buf, timer) == 0 ? buf : nullptr;
-#else
-	return gmtime_r(timer, buf);
-#endif
-}
-
-// Portable localtime_r: Windows provides localtime_s with reversed arg order.
-inline struct tm* falco_localtime_r(const time_t* timer, struct tm* buf) {
-#ifdef _WIN32
-	return localtime_s(buf, timer) == 0 ? buf : nullptr;
-#else
-	return localtime_r(timer, buf);
-#endif
-}
-
-// Portable strerror_r: returns const char* on all platforms.
-//
-// - glibc with _GNU_SOURCE: returns char* that may point to buf or a static string
-// - musl/macOS/WASM (XSI): returns int, always writes to buf
-// - Windows: no strerror_r, uses strerror_s instead
-//
-// We check __GLIBC__ (not _GNU_SOURCE alone) because musl defines _GNU_SOURCE
-// but always provides the XSI variant.
-inline const char* falco_strerror_r(int errnum, char* buf, size_t len) {
-#if defined(__GLIBC__) && defined(_GNU_SOURCE)
-	return strerror_r(errnum, buf, len);
-#elif defined(_WIN32)
-	strerror_s(buf, len, errnum);
-	return buf;
-#else
-	strerror_r(errnum, buf, len);
-	return buf;
-#endif
-}

userspace/engine/falco_engine.cpp

@@ -15,12 +15,15 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+#include <cstdlib>
 #ifndef _WIN32
 #include <unistd.h>
 #else
+#include <stdlib.h>
 #include <io.h>
+#define srandom srand
+#define random rand
 #endif
-#include <random>
 #include <string>
 #include <fstream>
 #include <functional>
@@ -49,7 +52,7 @@ const std::string falco_engine::s_default_ruleset = "falco-default-ruleset";
 
 using namespace falco;
 
-falco_engine::falco_engine(bool /* seed_rng */):
+falco_engine::falco_engine(bool seed_rng):
         m_syscall_source(NULL),
         m_syscall_source_idx(SIZE_MAX),
         m_rule_reader(std::make_shared<rule_loader::reader>()),
@@ -59,6 +62,10 @@ falco_engine::falco_engine(bool /* seed_rng */):
         m_min_priority(falco_common::PRIORITY_DEBUG),
         m_sampling_ratio(1),
         m_sampling_multiplier(0) {
+	if(seed_rng) {
+		srandom((unsigned)getpid());
+	}
+
 	m_default_ruleset_id = find_ruleset_id(s_default_ruleset);
 
 	fill_engine_state_funcs(m_engine_state);
@@ -1000,8 +1007,6 @@ inline bool falco_engine::should_drop_evt() const {
 		return false;
 	}
 
-	thread_local std::mt19937 rng(std::random_device{}());
+	double coin = (random() * (1.0 / RAND_MAX));
-	std::uniform_real_distribution<double> dist(0.0, 1.0);
-	double coin = dist(rng);
 	return (coin >= (1.0 / (m_sampling_multiplier * m_sampling_ratio)));
 }

userspace/engine/falco_engine_version.h

@@ -20,7 +20,7 @@ limitations under the License.
 
 // The version of this Falco engine
 #define FALCO_ENGINE_VERSION_MAJOR 0
-#define FALCO_ENGINE_VERSION_MINOR 61
+#define FALCO_ENGINE_VERSION_MINOR 60
 #define FALCO_ENGINE_VERSION_PATCH 0
 
 #define FALCO_ENGINE_VERSION                                                               \
@@ -36,4 +36,4 @@ limitations under the License.
 // It represents the fields supported by this version of Falco,
 // the event types, and the underlying driverevent schema. It's used to
 // detetect changes in engine version in our CI jobs.
-#define FALCO_ENGINE_CHECKSUM "cff88efbc5ebf54d4a0763342ac480da48880d9c6edf9f65c65cda5c1b1fdc7c"
+#define FALCO_ENGINE_CHECKSUM "17c1ac99576c032a58895a10f7091cf777008a1059b7f1bff3c78a6451b17fdf"

userspace/engine/formats.cpp

@@ -17,7 +17,6 @@ limitations under the License.
 
 #include <nlohmann/json.hpp>
 
-#include "compat.h"
 #include "formats.h"
 #include "falco_engine.h"
 
@@ -99,9 +98,7 @@ std::string falco_formats::format_event(sinsp_evt *evt,
 		char time_ns[12];   // sizeof ".sssssssssZ"
 		std::string iso8601evttime;
 
-		struct tm tm_buf;
+		strftime(time_sec, sizeof(time_sec), "%FT%T", gmtime(&evttime));
-		falco_gmtime_r(&evttime, &tm_buf);
-		strftime(time_sec, sizeof(time_sec), "%FT%T", &tm_buf);
 		snprintf(time_ns, sizeof(time_ns), ".%09luZ", evt->get_ts() % 1000000000);
 		iso8601evttime = time_sec;
 		iso8601evttime += time_ns;

userspace/engine/logger.cpp

@@ -16,7 +16,6 @@ limitations under the License.
 */
 
 #include <ctime>
-#include "compat.h"
 #include "logger.h"
 
 #include "falco_common.h"
@@ -123,16 +122,14 @@ void falco_logger::log(falco_logger::level priority, const std::string&& msg) {
 		std::time_t result = std::time(nullptr);
 		if(falco_logger::time_format_iso_8601) {
 			char buf[sizeof "YYYY-MM-DDTHH:MM:SS-0000"];
-			struct tm gtm;
+			const struct tm* gtm = std::gmtime(&result);
-			if(falco_gmtime_r(&result, &gtm) != NULL &&
+			if(gtm != NULL && (strftime(buf, sizeof(buf), "%FT%T%z", gtm) != 0)) {
-			   (strftime(buf, sizeof(buf), "%FT%T%z", &gtm) != 0)) {
 				fprintf(stderr, "%s: %s", buf, copy.c_str());
 			}
 		} else {
-			struct tm ltm;
+			const struct tm* ltm = std::localtime(&result);
-			falco_localtime_r(&result, &ltm);
 			char tstr[std::size("WWW MMM DD HH:mm:ss YYYY")];
-			std::strftime(std::data(tstr), std::size(tstr), "%a %b %d %H:%M:%S %Y", &ltm);
+			std::strftime(std::data(tstr), std::size(tstr), "%a %b %d %H:%M:%S %Y", ltm);
 			fprintf(stderr, "%s: %s", tstr, copy.c_str());
 		}
 	}

userspace/falco/app/actions/create_signal_handlers.cpp

@@ -18,7 +18,6 @@ limitations under the License.
 #include <functional>
 
 #include "actions.h"
-#include "compat.h"
 #include "../app.h"
 #include "../signals.h"
 
@@ -50,10 +49,12 @@ bool create_handler(int sig, void (*func)(int), run_result& ret) {
 #ifdef __linux__
 	if(signal(sig, func) == SIG_ERR) {
 		char errbuf[1024];
-		const char* errstr = falco_strerror_r(errno, errbuf, sizeof(errbuf));
+		if(strerror_r(errno, errbuf, sizeof(errbuf)) != 0) {
+			snprintf(errbuf, sizeof(errbuf) - 1, "Errno %d", errno);
+		}
 
 		ret = run_result::fatal(std::string("Could not create signal handler for ") +
-		                        strsignal(sig) + ": " + errstr);
+		                        strsignal(sig) + ": " + errbuf);
 	}
 #endif
 	return ret.success;

userspace/falco/app/actions/print_kernel_version.cpp

@@ -16,7 +16,6 @@ limitations under the License.
 */
 
 #include "actions.h"
-#include "compat.h"
 #include "helpers.h"
 #include "../app.h"
 #include <fstream>
@@ -37,13 +36,10 @@ falco::app::run_result falco::app::actions::print_kernel_version(const falco::ap
 	std::ifstream input_file("/proc/version");
 	if(!input_file.is_open()) {
 		// We don't want to fail, we just need to log something
-		int saved_errno = errno;
+		falco_logger::log(
-		char errbuf[256];
+		        falco_logger::level::INFO,
-		const char* errstr = falco_strerror_r(saved_errno, errbuf, sizeof(errbuf));
+		        "Cannot read under '/proc/version' (err_message: '" + std::string(strerror(errno)) +
-		falco_logger::log(falco_logger::level::INFO,
+		                "', err_code: " + std::to_string(errno) + "). No info provided, go on.");
-		                  "Cannot read under '/proc/version' (err_message: '" +
-		                          std::string(errstr) + "', err_code: " +
-		                          std::to_string(saved_errno) + "). No info provided, go on.");
 		return run_result::ok();
 	}
 

userspace/falco/app/actions/print_support.cpp

@@ -20,7 +20,6 @@ limitations under the License.
 #else
 #include <windows.h>
 #endif
-#include "compat.h"
 #include <iostream>
 
 #include "actions.h"
@@ -96,9 +95,7 @@ falco::app::run_result falco::app::actions::print_support(falco::app::state& s)
 	nlohmann::json support;
 
 	if(get_sysinfo(support) != 0) {
-		char errbuf[256];
+		return run_result::fatal(std::string("Could not get system info: ") + strerror(errno));
-		const char* errstr = falco_strerror_r(errno, errbuf, sizeof(errbuf));
-		return run_result::fatal(std::string("Could not get system info: ") + errstr);
 	}
 
 	const falco::versions_info infos(s.offline_inspector);

userspace/falco/config_json_schema.h

@@ -569,9 +569,6 @@ const char config_schema_string[] = LONG_STRING_CONST(
                 "plugins_metrics_enabled": {
                     "type": "boolean"
                 },
-            	"kernel_iter_event_counters_enabled": {
-					"type": "boolean"
-				},
                 "convert_memory_to_mb": {
                     "type": "boolean"
                 },

userspace/falco/configuration.cpp

@@ -590,9 +590,6 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 	if(m_config.get_scalar<bool>("metrics.plugins_metrics_enabled", true)) {
 		m_metrics_flags |= METRICS_V2_PLUGINS;
 	}
-	if(m_config.get_scalar<bool>("metrics.kernel_iter_event_counters_enabled", true)) {
-		m_metrics_flags |= METRICS_V2_KERNEL_ITER_COUNTERS;
-	}
 	if(m_config.get_scalar<bool>("metrics.jemalloc_stats_enabled", true)) {
 		m_metrics_flags |= METRICS_V2_JEMALLOC_STATS;
 	}

userspace/falco/configuration.h

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2025 The Falco Authors.
+Copyright (C) 2026 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -31,6 +31,7 @@ limitations under the License.
 #include <set>
 #include <iostream>
 #include <fstream>
+#include <filesystem>
 
 #include "config_falco.h"
 #include "yaml_helper.h"
@@ -400,9 +401,35 @@ struct convert<falco_configuration::plugin_config> {
 			return false;
 		}
 		rhs.m_library_path = node["library_path"].as<std::string>();
-		if(!rhs.m_library_path.empty() && rhs.m_library_path.at(0) != '/') {
+		if(!rhs.m_library_path.empty() &&
-			// prepend share dir if path is not absolute
+		   !std::filesystem::path(rhs.m_library_path).is_absolute() &&
-			rhs.m_library_path = std::string(FALCO_ENGINE_PLUGINS_DIR) + rhs.m_library_path;
+		   rhs.m_library_path.at(0) != '/') {
+			// Relative path: resolve against the plugins directory
+			// and verify the result stays within it.
+			auto full_path = std::filesystem::path(FALCO_ENGINE_PLUGINS_DIR) / rhs.m_library_path;
+			// lexically_normal resolves . and .. purely lexically,
+			// without filesystem access (unlike weakly_canonical which
+			// leaves .. unresolved for non-existent path components).
+			auto normalized = full_path.lexically_normal();
+			auto plugins_dir = std::filesystem::path(FALCO_ENGINE_PLUGINS_DIR).lexically_normal();
+			auto rel = normalized.lexically_relative(plugins_dir);
+			if(rel.empty()) {
+				throw YAML::Exception(node["library_path"].Mark(),
+				                      "plugin library_path '" +
+				                              node["library_path"].as<std::string>() +
+				                              "' resolves outside the plugins directory (" +
+				                              std::string(FALCO_ENGINE_PLUGINS_DIR) + ")");
+			}
+			for(const auto& component : rel) {
+				if(component == "..") {
+					throw YAML::Exception(node["library_path"].Mark(),
+					                      "plugin library_path '" +
+					                              node["library_path"].as<std::string>() +
+					                              "' resolves outside the plugins directory (" +
+					                              std::string(FALCO_ENGINE_PLUGINS_DIR) + ")");
+				}
+			}
+			rhs.m_library_path = normalized.string();
 		}
 
 		if(node["init_config"] && !node["init_config"].IsNull()) {

userspace/falco/falco_metrics.cpp

@@ -59,8 +59,6 @@ namespace fs = std::filesystem;
     - `libbpf_stats_enabled` -> Resides in libs; must be retrieved by the syscalls inspector;
       not available for other inspectors.
     - `plugins_metrics_enabled` -> Must be retrieved for each inspector.
-    - `kernel_iter_event_counters_enabled` -> Resides in libs; must be retrieved by the syscalls
-      inspector; not available for other inspectors.
     - `jemalloc_stats_enabled` -> Agnostic; resides in falco; inspector is irrelevant;
       only performed once.
 */
@@ -310,7 +308,6 @@ std::string falco_metrics::sources_to_text_prometheus(
 		// kernel_event_counters_enabled
 		// kernel_event_counters_per_cpu_enabled
 		// libbpf_stats_enabled
-		// kernel_iter_event_counters_enabled
 		auto metrics_collector =
 		        libs::metrics::libs_metrics_collector(source_inspector.get(),
 		                                              state.config->m_metrics_flags);

userspace/falco/falco_outputs.cpp

@@ -16,7 +16,6 @@ limitations under the License.
 */
 
 #include "falco_outputs.h"
-#include "compat.h"
 #include "config_falco.h"
 
 #include "formats.h"
@@ -182,9 +181,7 @@ void falco_outputs::handle_msg(uint64_t ts,
 		char time_ns[12];   // sizeof ".sssssssssZ"
 		std::string iso8601evttime;
 
-		struct tm tm_buf;
+		strftime(time_sec, sizeof(time_sec), "%FT%T", gmtime(&evttime));
-		falco_gmtime_r(&evttime, &tm_buf);
-		strftime(time_sec, sizeof(time_sec), "%FT%T", &tm_buf);
 		snprintf(time_ns, sizeof(time_ns), ".%09luZ", ts % 1000000000);
 		iso8601evttime = time_sec;
 		iso8601evttime += time_ns;

userspace/falco/outputs_program.cpp

@@ -16,7 +16,6 @@ limitations under the License.
 */
 
 #include "outputs_program.h"
-#include "compat.h"
 #include "logger.h"
 #include <stdio.h>
 #include <cerrno>
@@ -27,11 +26,9 @@ void falco::outputs::output_program::open_pfile() {
 		m_pfile = popen(m_oc.options["program"].c_str(), "w");
 
 		if(m_pfile == nullptr) {
-			char errbuf[256];
-			const char* errstr = falco_strerror_r(errno, errbuf, sizeof(errbuf));
 			falco_logger::log(falco_logger::level::ERR,
 			                  "Failed to open program output: " + m_oc.options["program"] +
-			                          " (error: " + errstr + ")");
+			                          " (error: " + std::string(std::strerror(errno)) + ")");
 			return;
 		}
 
@@ -41,7 +38,7 @@ void falco::outputs::output_program::open_pfile() {
 	}
 }
 
-void falco::outputs::output_program::output(const message* msg) {
+void falco::outputs::output_program::output(const message *msg) {
 	open_pfile();
 
 	if(m_pfile != nullptr) {

userspace/falco/stats_writer.cpp

@@ -24,7 +24,6 @@ limitations under the License.
 
 #include <nlohmann/json.hpp>
 
-#include "compat.h"
 #include "falco_common.h"
 #include "stats_writer.h"
 #include "logger.h"
@@ -72,9 +71,7 @@ bool stats_writer::init_ticker(uint32_t interval_msec, std::string& err) {
 	memset(&handler, 0, sizeof(handler));
 	handler.sa_handler = &timer_handler;
 	if(sigaction(SIGALRM, &handler, NULL) == -1) {
-		char errbuf[256];
+		err = std::string("Could not set up signal handler for periodic timer: ") + strerror(errno);
-		const char* errstr = falco_strerror_r(errno, errbuf, sizeof(errbuf));
-		err = std::string("Could not set up signal handler for periodic timer: ") + errstr;
 		return false;
 	}
 
@@ -96,9 +93,7 @@ bool stats_writer::init_ticker(uint32_t interval_msec, std::string& err) {
 	memset(&handler, 0, sizeof(handler));
 	handler.sa_handler = &timer_handler;
 	if(sigaction(SIGALRM, &handler, NULL) == -1) {
-		char errbuf[256];
+		err = std::string("Could not set up signal handler for periodic timer: ") + strerror(errno);
-		const char* errstr = falco_strerror_r(errno, errbuf, sizeof(errbuf));
-		err = std::string("Could not set up signal handler for periodic timer: ") + errstr;
 		return false;
 	}
 
@@ -124,9 +119,7 @@ bool stats_writer::init_ticker(uint32_t interval_msec, std::string& err) {
 	memset(&handler, 0, sizeof(handler));
 	handler.sa_handler = &timer_handler;
 	if(sigaction(SIGALRM, &handler, NULL) == -1) {
-		char errbuf[256];
+		err = std::string("Could not set up signal handler for periodic timer: ") + strerror(errno);
-		const char* errstr = falco_strerror_r(errno, errbuf, sizeof(errbuf));
-		err = std::string("Could not set up signal handler for periodic timer: ") + errstr;
 		return false;
 	}
 
@@ -138,18 +131,14 @@ bool stats_writer::init_ticker(uint32_t interval_msec, std::string& err) {
 	// delete any previously set timer
 	if(s_timerid_exists) {
 		if(timer_delete(s_timerid) == -1) {
-			char errbuf[256];
+			err = std::string("Could not delete previous timer: ") + strerror(errno);
-			const char* errstr = falco_strerror_r(errno, errbuf, sizeof(errbuf));
-			err = std::string("Could not delete previous timer: ") + errstr;
 			return false;
 		}
 		s_timerid_exists = false;
 	}
 
 	if(timer_create(CLOCK_MONOTONIC, &sev, &s_timerid) == -1) {
-		char errbuf[256];
+		err = std::string("Could not create periodic timer: ") + strerror(errno);
-		const char* errstr = falco_strerror_r(errno, errbuf, sizeof(errbuf));
-		err = std::string("Could not create periodic timer: ") + errstr;
 		return false;
 	}
 	s_timerid_exists = true;
@@ -159,9 +148,7 @@ bool stats_writer::init_ticker(uint32_t interval_msec, std::string& err) {
 	timer.it_interval = timer.it_value;
 
 	if(timer_settime(s_timerid, 0, &timer, NULL) == -1) {
-		char errbuf[256];
+		err = std::string("Could not set up periodic timer: ") + strerror(errno);
-		const char* errstr = falco_strerror_r(errno, errbuf, sizeof(errbuf));
-		err = std::string("Could not set up periodic timer: ") + errstr;
 		return false;
 	}
 
@@ -498,7 +485,6 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 		// state_counters_enabled
 		// kernel_event_counters_enabled
 		// libbpf_stats_enabled
-		// kernel_iter_event_counters_enabled
 
 		// Refresh / New snapshot
 		auto& libs_metrics_collector = m_writer->m_libs_metrics_collectors[src];
@@ -522,8 +508,7 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 			char metric_name[METRIC_NAME_MAX] = "falco.";
 			if((metric.flags & METRICS_V2_LIBBPF_STATS) ||
 			   (metric.flags & METRICS_V2_KERNEL_COUNTERS) ||
-			   (metric.flags & METRICS_V2_KERNEL_COUNTERS_PER_CPU) ||
+			   (metric.flags & METRICS_V2_KERNEL_COUNTERS_PER_CPU)) {
-			   (metric.flags & METRICS_V2_KERNEL_ITER_COUNTERS)) {
 				strlcpy(metric_name, "scap.", sizeof(metric_name));
 			}
 			if(metric.flags & METRICS_V2_PLUGINS) {
@@ -639,8 +624,7 @@ void stats_writer::collector::collect(const std::shared_ptr<sinsp>& inspector,
 			// Note: src is static for live captures
 			if(src != falco_common::syscall_source) {
 				flags &= ~(METRICS_V2_KERNEL_COUNTERS | METRICS_V2_KERNEL_COUNTERS_PER_CPU |
-				           METRICS_V2_STATE_COUNTERS | METRICS_V2_LIBBPF_STATS |
+				           METRICS_V2_STATE_COUNTERS | METRICS_V2_LIBBPF_STATS);
-				           METRICS_V2_KERNEL_ITER_COUNTERS);
 			}
 			m_writer->m_libs_metrics_collectors[src] =
 			        std::make_unique<libs::metrics::libs_metrics_collector>(inspector.get(), flags);