new(ci): run driver loader tests on arm64 too.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

.github/workflows/reusable_build_packages.yaml

@@ -119,9 +119,7 @@ jobs:
             ${{ github.workspace }}/build/falco-*.rpm
             
   build-musl-package:
-    # x86_64 only for now
-    if: ${{ inputs.arch == 'x86_64' }}
-    runs-on: ubuntu-latest
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
     container: alpine:3.17
     steps:
       # Always install deps before invoking checkout action, to properly perform a full clone.
@@ -152,14 +150,14 @@ jobs:
       - name: Rename static package
         run: |
           cd build
-          mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz 
+          mv falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz falco-${{ inputs.version }}-static-${{ inputs.arch }}.tar.gz 
           
       - name: Upload Falco static package
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
-          name: falco-${{ inputs.version }}-static-x86_64.tar.gz
+          name: falco-${{ inputs.version }}-static-${{ inputs.arch }}.tar.gz
           path: |
-            ${{ github.workspace }}/build/falco-${{ inputs.version }}-static-x86_64.tar.gz
+            ${{ github.workspace }}/build/falco-${{ inputs.version }}-static-${{ inputs.arch }}.tar.gz
 
   build-wasm-package:
     if: ${{ inputs.arch == 'x86_64' }}

.github/workflows/reusable_publish_packages.yaml

@@ -70,8 +70,14 @@ jobs:
         with:
           name: falco-${{ inputs.version }}-static-x86_64.tar.gz
           path: /tmp/falco-build-bin-static
-
-      - name: Import gpg key
+          
+      - name: Download static binary aarch64
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-static-aarch64.tar.gz
+          path: /tmp/falco-build-bin-static    
+        
+      - name: Import gpg key 
         env:
           GPG_KEY: ${{ secrets.GPG_KEY }}
         run: printenv GPG_KEY | gpg --import -
@@ -93,6 +99,7 @@ jobs:
       - name: Publish static
         run: |
           ./scripts/publish-bin -f /tmp/falco-build-bin-static/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
+          ./scripts/publish-bin -f /tmp/falco-build-bin-static/falco-${{ inputs.version }}-static-aarch64.tar.gz -r bin${{ inputs.bucket_suffix }} -a aarch64
           
   publish-packages-deb:
     runs-on: ubuntu-latest

.github/workflows/reusable_test_packages.yaml

@@ -47,22 +47,7 @@ jobs:
       - name: Install dependencies for falco-driver-loader tests
         run: |
           sudo apt update -y
-          sudo apt install -y --no-install-recommends build-essential clang make llvm gcc dkms
-
-      - name: Install kernel headers (workaround)
-        if: inputs.arch == 'aarch64'
-        run: |
-          sudo mkdir -p /usr/src
-          sudo git clone --depth 1 --branch v$(uname -r) git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git /usr/src/linux
-          sudo rm /lib/modules/$(uname -r)/build
-          sudo ln -s /usr/src/linux-headers-$(uname -r)/ /lib/modules/$(uname -r)/build
-          sudo rm /lib/modules/$(uname -r)/source
-          sudo ln -s /usr/src/linux-headers-$(uname -r)/ /lib/modules/$(uname -r)/source
-
-      - name: Install kernel headers
-        if: inputs.arch == 'x86_64'
-        run: |
-          sudo apt install -y --no-install-recommends linux-headers-$(uname -r)
+          sudo apt install -y --no-install-recommends build-essential clang make llvm gcc dkms linux-headers-$(uname -r)
 
       - name: Install go-junit-report
         run: |
@@ -76,36 +61,19 @@ jobs:
           go generate ./...
           popd
 
-      - name: Run Falco regression tests
+      - name: Run regression tests
         env:
+          # fixme(leogr): this is a workaround for https://github.com/falcosecurity/falco/issues/2784
           HOST_ROOT: ""
         run: |
           pushd submodules/falcosecurity-testing
           ./build/falco.test -falco-static=${{ inputs.static && 'true' || 'false' }} -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
-          popd
-
-      - name: Run Falcoctl regression tests
-        env:
-          HOST_ROOT: ""
-        run: |
-          pushd submodules/falcosecurity-testing
-          ./build/falcoctl.test -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
-          popd
-
-      - name: Run K8saudit regression tests
-        env:
-          HOST_ROOT: ""
-        run: |
-          pushd submodules/falcosecurity-testing
-          ./build/k8saudit.test -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
-          popd
-
-      - name: Run Falco driver loader regression tests
-        env:
-          HOST_ROOT: ""
-        run: |
-          pushd submodules/falcosecurity-testing
-          sudo ./build/falco-driver-loader.test -test.timeout=90s -test.v
+          if ${{ inputs.static && 'false' || 'true' }}; then
+            ./build/falcoctl.test -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
+            ./build/k8saudit.test -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
+            sudo ./build/falco-driver-loader.test -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
+          fi
+          cat ./report.txt | go-junit-report -set-exit-code > report.xml
           popd
 
       - name: Test Summary

.gitignore

@@ -5,4 +5,3 @@
 .vscode/*
 
 *.idea*
-CMakeUserPresets.json

README.md

@@ -2,7 +2,7 @@
 
 [![Latest release](https://img.shields.io/github/v/release/falcosecurity/falco?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![Supported Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64-blueviolet?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![License](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING) [![Docs](https://img.shields.io/badge/docs-latest-green.svg?style=for-the-badge)](https://falco.org/docs)
 
-[![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable)  [![OpenSSF Best Practices](https://img.shields.io/cii/summary/2317?label=OpenSSF%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) <a href="https://actuated.dev/"><img alt="Arm CI sponsored by Actuated" src="https://docs.actuated.dev/images/actuated-badge.png" width="120px"></img></a>
+[![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable)  [![OpenSSF Best Practices](https://img.shields.io/cii/summary/2317?label=OpenSSF%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317)
 
 [![Falco](https://falco.org/img/brand/falco-horizontal-color.svg)](https://falco.org)
 

cmake/modules/driver.cmake

@@ -34,8 +34,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "ea23169c13df2ce5d8ba7d6faecdaa65f36140cb")
-    set(DRIVER_CHECKSUM "SHA256=c84c80a9a2241667e1c0be7a611f071c9b0264ac81b98103d2272b939337d02f")
+    set(DRIVER_VERSION "000d576ef877cb115cbb56f97187a1d62221e2bd")
+    set(DRIVER_CHECKSUM "SHA256=4f078e3e448ba1d4ca2eff55a361a9a9d048f3a967fb4d91f0c91aa6fa22d5d2")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/falcoctl.cmake

@@ -16,14 +16,14 @@ include(ExternalProject)
 
 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-set(FALCOCTL_VERSION "0.7.0-beta5")
+set(FALCOCTL_VERSION "0.6.2")
 
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
     set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-    set(FALCOCTL_HASH "e08cdd3bed96bda2e45f54d86aec0f1ad986963ff30624578283b218829df225")
+    set(FALCOCTL_HASH "2d06d7577dbae91fb085f71477ff6e22076a815978bddd036984fa077236a515")
 else() # aarch64
     set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-    set(FALCOCTL_HASH "582b6b73f77cfdf66dbcddadaa1073fa1802f24bd1670c1cf578e524fd3e8486")
+    set(FALCOCTL_HASH "0b711a1b3499f479d999f4f4d2c94fc4f0bc23a2506711b613e6eedb0593631b")
 endif()
 
 ExternalProject_Add(

cmake/modules/falcosecurity-libs.cmake

@@ -35,8 +35,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "ea23169c13df2ce5d8ba7d6faecdaa65f36140cb")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=c84c80a9a2241667e1c0be7a611f071c9b0264ac81b98103d2272b939337d02f")
+    set(FALCOSECURITY_LIBS_VERSION "000d576ef877cb115cbb56f97187a1d62221e2bd")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=4f078e3e448ba1d4ca2eff55a361a9a9d048f3a967fb4d91f0c91aa6fa22d5d2")
   endif()
 
   # cd /path/to/build && cmake /path/to/source
@@ -85,7 +85,6 @@ set(BUILD_LIBSCAP_EXAMPLES OFF CACHE BOOL "")
 
 set(USE_BUNDLED_TBB ON CACHE BOOL "")
 set(USE_BUNDLED_JSONCPP ON CACHE BOOL "")
-set(USE_BUNDLED_NLOHMANN_JSON ON CACHE BOOL "")
 set(USE_BUNDLED_VALIJSON ON CACHE BOOL "")
 set(USE_BUNDLED_RE2 ON CACHE BOOL "")
 set(USE_BUNDLED_UTHASH ON CACHE BOOL "")

cmake/modules/njson.cmake

@@ -12,15 +12,24 @@
 # specific language governing permissions and limitations under the License.
 #
 
-if(USE_BUNDLED_NLOHMANN_JSON)
-    ExternalProject_Add(njson
+#
+# nlohmann-json
+#
+if(NJSON_INCLUDE)
+    # Adding the custom target we can use it with `add_dependencies()`
+    if(NOT TARGET njson)
+        add_custom_target(njson)
+    endif()
+else()
+    # We always use the bundled version
+    set(NJSON_SRC "${PROJECT_BINARY_DIR}/njson-prefix/src/njson")
+    set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
+    ExternalProject_Add(
+        njson
         URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz"
         URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
-        CMAKE_ARGS -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=${PROJECT_BINARY_DIR}/njson-prefix -DJSON_BuildTests=OFF -DBUILD_TESTING=OFF
-    )
-
-    set(nlohmann_json_DIR ${PROJECT_BINARY_DIR}/njson-prefix/include)
-else()
-    find_package(nlohmann_json CONFIG REQUIRED)
-    add_custom_target(njson)
+        CONFIGURE_COMMAND ""
+        BUILD_COMMAND ""
+        INSTALL_COMMAND "")
+    message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
 endif()

docker/driver-loader-legacy/docker-entrypoint.sh

@@ -18,28 +18,6 @@
 #
 
 
-print_usage() {
-	echo ""
-	echo "Usage:"
-	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader-legacy:latest [driver] [options]"
-	echo ""
-	echo "Available drivers:"
-	echo "  kmod           kernel module (default)"
-	echo "  ebpf           eBPF probe"
-	echo ""
-	echo "Options:"
-	echo "  --help         show this help message"
-	echo "  --clean        try to remove an already present driver installation"
-	echo "  --compile      try to compile the driver locally (default true)"
-	echo "  --download     try to download a prebuilt driver (default true)"
-	echo "  --print-env    skip execution and print env variables for other tools to consume"
-	echo ""
-	echo "Environment variables:"
-	echo "  FALCOCTL_DRIVER_REPOS             specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
-	echo "  FALCOCTL_DRIVER_NAME              specify a different name for the driver"
-	echo ""
-}
-
 echo "* Setting up /usr/src links from host"
 
 for i in "$HOST_ROOT/usr/src"/*
@@ -48,64 +26,4 @@ do
     ln -s "$i" "/usr/src/$base"
 done
 
-ENABLE_COMPILE="false"
-ENABLE_DOWNLOAD="false"
-has_driver=
-has_opts=
-while test $# -gt 0; do
-	case "$1" in
-		kmod|ebpf)
-			if [ -n "$has_driver" ]; then
-				>&2 echo "Only one driver per invocation"
-				print_usage
-				exit 1
-			else
-				/usr/bin/falcoctl driver config --type $1
-				has_driver="true"
-			fi
-			;;
-		-h|--help)
-			print_usage
-			exit 0
-			;;
-		--clean)
-			/usr/bin/falcoctl driver cleanup
-			exit 0
-			;;
-		--compile)
-			ENABLE_COMPILE="true"
-			has_opts="true"
-			;;
-		--download)
-			ENABLE_DOWNLOAD="true"
-			has_opts="true"
-			;;
-		--source-only)
-		    >&2 echo "Support dropped in Falco 0.37.0."
-			print_usage
-			exit 1
-			;;
-		--print-env)
-			/usr/bin/falcoctl driver printenv
-			exit 0
-			;;
-		--*)
-			>&2 echo "Unknown option: $1"
-			print_usage
-			exit 1
-			;;
-		*)
-			>&2 echo "Unknown driver: $1"
-			print_usage
-			exit 1
-			;;
-	esac
-    shift
-done
-
-if [ -z "$has_opts" ]; then
-	ENABLE_COMPILE="true"
-	ENABLE_DOWNLOAD="true"
-fi
-
-/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD
+/usr/bin/falco-driver-loader "$@"

docker/driver-loader/docker-entrypoint.sh

@@ -18,28 +18,6 @@
 #
 
 
-print_usage() {
-	echo ""
-	echo "Usage:"
-	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest [driver] [options]"
-	echo ""
-	echo "Available drivers:"
-	echo "  kmod           kernel module (default)"
-	echo "  ebpf           eBPF probe"
-	echo ""
-	echo "Options:"
-	echo "  --help         show this help message"
-	echo "  --clean        try to remove an already present driver installation"
-	echo "  --compile      try to compile the driver locally (default true)"
-	echo "  --download     try to download a prebuilt driver (default true)"
-	echo "  --print-env    skip execution and print env variables for other tools to consume"
-	echo ""
-	echo "Environment variables:"
-	echo "  FALCOCTL_DRIVER_REPOS             specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
-	echo "  FALCOCTL_DRIVER_NAME              specify a different name for the driver"
-	echo ""
-}
-
 echo "* Setting up /usr/src links from host"
 
 for i in "$HOST_ROOT/usr/src"/*
@@ -48,64 +26,4 @@ do
     ln -s "$i" "/usr/src/$base"
 done
 
-ENABLE_COMPILE="false"
-ENABLE_DOWNLOAD="false"
-has_driver=
-has_opts=
-while test $# -gt 0; do
-	case "$1" in
-		kmod|ebpf)
-			if [ -n "$has_driver" ]; then
-				>&2 echo "Only one driver per invocation"
-				print_usage
-				exit 1
-			else
-				/usr/bin/falcoctl driver config --type $1
-				has_driver="true"
-			fi
-			;;
-		-h|--help)
-			print_usage
-			exit 0
-			;;
-		--clean)
-			/usr/bin/falcoctl driver cleanup
-			exit 0
-			;;
-		--compile)
-			ENABLE_COMPILE="true"
-			has_opts="true"
-			;;
-		--download)
-			ENABLE_DOWNLOAD="true"
-			has_opts="true"
-			;;
-		--source-only)
-		    >&2 echo "Support dropped in Falco 0.37.0."
-			print_usage
-			exit 1
-			;;
-		--print-env)
-			/usr/bin/falcoctl driver printenv
-			exit 0
-			;;
-		--*)
-			>&2 echo "Unknown option: $1"
-			print_usage
-			exit 1
-			;;
-		*)
-			>&2 echo "Unknown driver: $1"
-			print_usage
-			exit 1
-			;;
-	esac
-    shift
-done
-
-if [ -z "$has_opts" ]; then
-	ENABLE_COMPILE="true"
-	ENABLE_DOWNLOAD="true"
-fi
-
-/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD
+/usr/bin/falco-driver-loader "$@"

docker/falco/docker-entrypoint.sh

@@ -17,29 +17,6 @@
 # limitations under the License.
 #
 
-
-print_usage() {
-	echo ""
-	echo "Usage:"
-	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro -e 'FALCO_DRIVER_LOADER_OPTIONS=[driver] [options]' falcosecurity/falco:latest"
-	echo ""
-	echo "Available FALCO_DRIVER_LOADER_OPTIONS drivers:"
-	echo "  kmod           kernel module (default)"
-	echo "  ebpf           eBPF probe"
-	echo ""
-	echo "FALCO_DRIVER_LOADER_OPTIONS options:"
-	echo "  --help         show this help message"
-	echo "  --clean        try to remove an already present driver installation"
-	echo "  --compile      try to compile the driver locally (default true)"
-	echo "  --download     try to download a prebuilt driver (default true)"
-	echo "  --print-env    skip execution and print env variables for other tools to consume"
-	echo ""
-	echo "Environment variables:"
-	echo "  FALCOCTL_DRIVER_REPOS             specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
-	echo "  FALCOCTL_DRIVER_NAME              specify a different name for the driver"
-	echo ""
-}
-
 # Set the SKIP_DRIVER_LOADER variable to skip loading the driver
 
 if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
@@ -52,69 +29,9 @@ if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
     done
 
     # convert the optional space-separated env variable FALCO_DRIVER_LOADER_OPTIONS to array, prevent 
-    # shell expansion and use it as argument list for falcoctl
+    # shell expansion and use it as argument list for falco-driver-loader
     read -a falco_driver_loader_option_arr <<< $FALCO_DRIVER_LOADER_OPTIONS
-
-    ENABLE_COMPILE="false"
-    ENABLE_DOWNLOAD="false"
-    has_driver=
-    has_opts=
-    for opt in "${falco_driver_loader_option_arr[@]}"
-    do
-        case "$opt" in
-            kmod|ebpf)
-                if [ -n "$has_driver" ]; then
-                    >&2 echo "Only one driver per invocation"
-                    print_usage
-                    exit 1
-                else
-                    /usr/bin/falcoctl driver config --type $opt
-                    has_driver="true"
-                fi
-                ;;
-            -h|--help)
-                print_usage
-                exit 0
-                ;;    
-            --clean)
-                /usr/bin/falcoctl driver cleanup
-                exit 0
-                ;;
-            --compile)
-                ENABLE_COMPILE="true"
-                has_opts="true"
-                ;;
-            --download)
-                ENABLE_DOWNLOAD="true"
-                has_opts="true"
-                ;;
-            --source-only)
-                >&2 echo "Support dropped in Falco 0.37.0."
-                print_usage
-                exit 1
-                ;;    
-            --print-env)
-                /usr/bin/falcoctl driver printenv
-                exit 0
-                ;;
-            --*)
-                >&2 echo "Unknown option: $1"
-                print_usage
-                exit 1
-                ;;
-            *)
-                >&2 echo "Unknown driver: $1"
-                print_usage
-                exit 1
-                ;;
-        esac
-    done
-    if [ -z "$has_opts" ]; then
-        ENABLE_COMPILE="true"
-        ENABLE_DOWNLOAD="true"
-    fi
-    /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD
-
+    /usr/bin/falco-driver-loader "${falco_driver_loader_option_arr[@]}"
 fi
 
 exec "$@"

docker/no-driver/Dockerfile

@@ -15,7 +15,7 @@ RUN curl -L -o falco.tar.gz \
     tar -xvf falco.tar.gz && \
     rm -f falco.tar.gz && \
     mv falco-${FALCO_VERSION}-$(uname -m) falco && \
-    rm -rf /falco/usr/src/falco-*
+    rm -rf /falco/usr/src/falco-* /falco/usr/bin/falco-driver-loader
 
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
     && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml

docker/no-driver/Dockerfile.distroless

@@ -16,7 +16,7 @@ RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
     tar -xvf falco.tar.gz && \
     rm -f falco.tar.gz && \
     mv falco-${FALCO_VERSION}-$(uname -m) falco && \
-    rm -rf /falco/usr/src/falco-*
+    rm -rf /falco/usr/src/falco-* /falco/usr/bin/falco-driver-loader
 
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
     && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml

falco.yaml

@@ -318,7 +318,7 @@ engine:
     drop_failed_exit: false
   ebpf:
     # path to the elf file to load.
-    probe: ${HOME}/.falco/falco-bpf.o
+    probe: /root/.falco/falco-bpf.o
     buf_size_preset: 4
     drop_failed_exit: false
   modern_ebpf:
@@ -566,8 +566,6 @@ http_output:
   client_key: "/etc/ssl/certs/client.key"
   # Whether to echo server answers to stdout
   echo: false
-  compress_uploads: false
-  keep_alive: false
 
 # [Stable] `program_output`
 #

scripts/CMakeLists.txt

@@ -41,6 +41,11 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	configure_file(rpm/postinstall.in rpm/postinstall COPYONLY)
 	configure_file(rpm/postuninstall.in rpm/postuninstall COPYONLY)
 	configure_file(rpm/preuninstall.in rpm/preuninstall COPYONLY)
+
+	# driver loader
+	configure_file(falco-driver-loader falco-driver-loader @ONLY)
+	install(PROGRAMS ${PROJECT_BINARY_DIR}/scripts/falco-driver-loader
+		DESTINATION ${FALCO_BIN_DIR} COMPONENT "${FALCO_COMPONENT_NAME}")
 endif()
 
 # Install Falcoctl config file
@@ -48,6 +53,5 @@ if (NOT WIN32 AND NOT APPLE AND NOT EMSCRIPTEN AND NOT MUSL_OPTIMIZED_BUILD)
 	if(NOT DEFINED FALCOCTL_ETC_DIR)
 		set(FALCOCTL_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falcoctl")
 	endif()
-	configure_file(${CMAKE_CURRENT_SOURCE_DIR}/falcoctl/falcoctl.yaml.in ${PROJECT_BINARY_DIR}/scripts/falcoctl/falcoctl.yaml)
-	install(FILES ${PROJECT_BINARY_DIR}/scripts/falcoctl/falcoctl.yaml DESTINATION "${FALCOCTL_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
+	install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/falcoctl/falcoctl.yaml DESTINATION "${FALCOCTL_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
 endif()

scripts/debian/postinst.in

@@ -18,8 +18,6 @@
 #
 
 chosen_driver=
-chosen_unit=
-CHOICE=
 
 # Every time we call this script we want to stat from a clean state.
 echo "[POST-INSTALL] Disable all possible 'falco' services:"
@@ -38,63 +36,58 @@ systemctl --system disable 'falcoctl-artifact-follow.service' || true
 systemctl --system unmask falcoctl-artifact-follow.service || true
 
 if [ "$1" = "configure" ]; then
-        case $FALCO_DRIVER_CHOICE in
-              kmod)
-                  CHOICE=2
-                  ;;
-              ebpf)
-                  CHOICE=3
-                  ;;
-              modern_ebpf)
-                  CHOICE=4
-                  ;;
-        esac     
-        if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then          
-            # If dialog is installed, create a dialog to let users choose the correct driver for them
-            CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 55 4 \
-                    1 "Manual configuration (no unit is started)" \
-                    2 "Kmod" \
-                    3 "eBPF" \
-                    4 "Modern eBPF" \
+        if [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
+          # If dialog is installed, create a dialog to let users choose the correct driver for them
+          CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 55 4 \
+                1 "Manual configuration (no unit is started)" \
+                2 "Kmod" \
+                3 "eBPF" \
+                4 "Modern eBPF" \
+                2>&1 >/dev/tty)
+          case $CHOICE in
+                  2)
+                      chosen_driver="kmod"
+                      ;;
+                  3)
+                      chosen_driver="bpf"
+                      ;;
+                  4)
+                      chosen_driver="modern-bpf"
+                      ;;
+          esac
+          if [ -n "$chosen_driver" ]; then
+            CHOICE=$(dialog --clear --title "Falcoctl" --menu "Do you want to follow automatic ruleset updates?" 10 40 2 \
+                    1 "Yes" \
+                    2 "No" \
                     2>&1 >/dev/tty)
-        fi         
-        case $CHOICE in
-            2)
-                chosen_driver="kmod"
-                chosen_unit="kmod"
-                ;;
-            3)
-                chosen_driver="ebpf"
-                chosen_unit="bpf"
-                ;;
-            4)
-                chosen_driver="modern_ebpf"
-                chosen_unit="modern-bpf"
-                ;;
-        esac
-        if [ -n "$CHOICE" ]; then
-            echo "[POST-INSTALL] Configure falcoctl driver type:"
-            falcoctl driver config --type $chosen_driver
-            CHOICE=
-            case $FALCOCTL_ENABLED in
-                no)
-                    CHOICE=2
-                    ;;
-            esac
-            if [ -z $CHOICE ] &&  [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
-                CHOICE=$(dialog --clear --title "Falcoctl" --menu "Do you want to follow automatic ruleset updates?" 10 40 2 \
-                        1 "Yes" \
-                        2 "No" \
-                        2>&1 >/dev/tty)
-            fi  
             case $CHOICE in
                 2)
-                    # we don't want falcoctl enabled, we mask it
-                    systemctl --system mask falcoctl-artifact-follow.service || true
+                # we don't want falcoctl enabled, we mask it
+                systemctl --system mask falcoctl-artifact-follow.service || true
                 ;;
             esac
-        fi    
-        clear
+          fi
+          clear
+        else
+          case $FALCO_DRIVER_CHOICE in
+              module | kmod )
+                  chosen_driver="kmod"
+                  ;;
+              bpf | ebpf | eBPF )
+                  chosen_driver="bpf"
+                  ;;
+              modern-bpf | modern-ebpf | modern-eBPF )
+                  chosen_driver="modern-bpf"
+                  ;;
+          esac
+          case $FALCOCTL_ENABLED in
+              yes )
+                  ;;
+              no )
+                  systemctl --system mask falcoctl-artifact-follow.service || true
+                  ;;
+          esac
+        fi
 fi
 
 set -e
@@ -102,25 +95,25 @@ set -e
 echo "[POST-INSTALL] Trigger deamon-reload:"
 systemctl --system daemon-reload || true
 
-# If needed, try to load/compile the driver through falcoctl
+# If needed, try to load/compile the driver through falco-driver-loader
 case "$chosen_driver" in
     "kmod")
       # Only compile for kmod, in this way we use dkms
-      echo "[POST-INSTALL] Call 'falcoctl driver install for kmod:"
-      falcoctl driver install --download=false
+      echo "[POST-INSTALL] Call 'falco-driver-loader --compile module':"
+      falco-driver-loader --compile module
       ;;
-    "ebpf")
-      echo "[POST-INSTALL] Call 'falcoctl driver install for ebpf':"
-      falcoctl driver install
+    "bpf")
+      echo "[POST-INSTALL] Call 'falco-driver-loader bpf':"
+      falco-driver-loader bpf
       ;;
 esac
 
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
-        if [ -n "$chosen_unit" ]; then
+        if [ -n "$chosen_driver" ]; then
             # we do this in 2 steps because `enable --now` is not always supported
-            echo "[POST-INSTALL] Enable 'falco-$chosen_unit.service':"
-            systemctl --system enable "falco-$chosen_unit.service" || true
-            echo "[POST-INSTALL] Start 'falco-$chosen_unit.service':"
-            systemctl --system start "falco-$chosen_unit.service" || true
+            echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':"
+            systemctl --system enable "falco-$chosen_driver.service" || true
+            echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':"
+            systemctl --system start "falco-$chosen_driver.service" || true           
         fi
 fi

scripts/debian/prerm.in

@@ -31,7 +31,7 @@ case "$1" in
       systemctl --system stop 'falco-custom.service' || true
       systemctl --system stop 'falcoctl-artifact-follow.service' || true
 
-      echo "[PRE-REMOVE] Call 'falcoctl driver cleanup:'"
-      falcoctl driver cleanup
+      echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
+      falco-driver-loader --clean
     ;;
 esac

scripts/falco-driver-loader

@@ -0,0 +1,866 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Simple script that desperately tries to load the kernel instrumentation by
+# looking for it in a bunch of ways. Convenient when running Falco inside
+# a container or in other weird environments.
+#
+
+#
+# Returns 1 if $cos_ver > $base_ver, 0 otherwise
+#
+cos_version_greater() {
+	if [[ $cos_ver == "${base_ver}" ]]; then
+		return 0
+	fi
+
+	#
+	# COS build numbers are in the format x.y.z
+	#
+	a=$(echo "${cos_ver}" | cut -d. -f1)
+	b=$(echo "${cos_ver}" | cut -d. -f2)
+	c=$(echo "${cos_ver}" | cut -d. -f3)
+
+	d=$(echo "${base_ver}" | cut -d. -f1)
+	e=$(echo "${base_ver}" | cut -d. -f2)
+	f=$(echo "${base_ver}" | cut -d. -f3)
+
+	# Test the first component
+	if [[ $a -gt $d ]]; then
+		return 1
+	elif [[ $d -gt $a ]]; then
+		return 0
+	fi
+
+	# Test the second component
+	if [[ $b -gt $e ]]; then
+		return 1
+	elif [[ $e -gt $b ]]; then
+		return 0
+	fi
+
+	# Test the third component
+	if [[ $c -gt $f ]]; then
+		return 1
+	elif [[ $f -gt $c ]]; then
+		return 0
+	fi
+
+	# If we get here, probably malformatted version string?
+
+	return 0
+}
+
+get_kernel_config() {
+	if [ -f /proc/config.gz ]; then
+		echo "* Found kernel config at /proc/config.gz"
+		KERNEL_CONFIG_PATH=/proc/config.gz
+	elif [ -f "/boot/config-${KERNEL_RELEASE}" ]; then
+		echo "* Found kernel config at /boot/config-${KERNEL_RELEASE}"
+		KERNEL_CONFIG_PATH=/boot/config-${KERNEL_RELEASE}
+	elif [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/boot/config-${KERNEL_RELEASE}" ]; then
+		echo "* Found kernel config at ${HOST_ROOT}/boot/config-${KERNEL_RELEASE}"
+		KERNEL_CONFIG_PATH="${HOST_ROOT}/boot/config-${KERNEL_RELEASE}"
+	elif [ -f "/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
+		echo "* Found kernel config at /usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
+		KERNEL_CONFIG_PATH="/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
+	elif [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
+		echo "* Found kernel config at ${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
+		KERNEL_CONFIG_PATH="${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
+	elif [ -f "/lib/modules/${KERNEL_RELEASE}/config" ]; then
+		# This code works both for native host and containers assuming that
+		# Dockerfile sets up the desired symlink /lib/modules -> $HOST_ROOT/lib/modules
+		echo "* Found kernel config at /lib/modules/${KERNEL_RELEASE}/config"
+		KERNEL_CONFIG_PATH="/lib/modules/${KERNEL_RELEASE}/config"
+	fi
+
+	if [ -z "${KERNEL_CONFIG_PATH}" ]; then
+		>&2 echo "Cannot find kernel config"
+		exit 1
+	fi
+
+	if [[ "${KERNEL_CONFIG_PATH}" == *.gz ]]; then
+		HASH=$(zcat "${KERNEL_CONFIG_PATH}" | md5sum - | cut -d' ' -f1)
+	else
+		HASH=$(md5sum "${KERNEL_CONFIG_PATH}" | cut -d' ' -f1)
+	fi
+}
+
+get_target_id() {
+	if [ -f "${HOST_ROOT}/etc/os-release" ]; then
+		# freedesktop.org and systemd
+		# shellcheck source=/dev/null
+		source "${HOST_ROOT}/etc/os-release"
+		OS_ID=$ID
+	elif [ -f "${HOST_ROOT}/etc/debian_version" ]; then
+		# Older debian distros
+		# fixme > Can this happen on older Ubuntu?
+		OS_ID=debian
+	elif [ -f "${HOST_ROOT}/etc/centos-release" ]; then
+		# Older CentOS distros
+		OS_ID=centos
+	elif [ -f "${HOST_ROOT}/etc/redhat-release" ]; then
+		# Older RHEL distros
+		OS_ID=rhel
+	else
+		# No target id can be determinand
+		TARGET_ID="undetermined"
+		return
+	fi
+
+	# Overwrite the OS_ID if /etc/VERSION file is present.
+	# Not sure if there is a better way to detect minikube.
+	if [ -f "${HOST_ROOT}/etc/VERSION" ]; then
+		OS_ID=minikube
+	fi
+
+	case "${OS_ID}" in
+	("amzn")
+		case "${VERSION_ID}" in
+		("2")
+			TARGET_ID="amazonlinux2"
+			;;
+		("2022")
+			TARGET_ID="amazonlinux2022"
+			;;
+		("2023")
+			TARGET_ID="amazonlinux2023"
+			;;
+		(*)
+			TARGET_ID="amazonlinux"
+			;;
+		esac
+		;;
+	("debian")
+		# Workaround: debian kernelreleases might now be actual kernel running;
+		# instead, they might be the Debian kernel package
+		# providing the compatible kernel ABI
+		# See https://lists.debian.org/debian-user/2017/03/msg00485.html
+		# Real kernel release is embedded inside the kernel version.
+		# Moreover, kernel arch, when present, is attached to the former,
+		# therefore make sure to properly take it and attach it to the latter.
+		# Moreover, we support 3 flavors for debian kernels: cloud, rt and normal.
+		# KERNEL-RELEASE will have a `-rt`, or `-cloud` if we are in one of these flavors.
+		# Manage it to download the correct driver.
+		#
+		# Example: KERNEL_RELEASE="5.10.0-0.deb10.22-rt-amd64" and `uname -v`="5.10.178-3"
+		# should lead to: KERNEL_RELEASE="5.10.178-3-rt-amd64"
+		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
+		local ARCH_extra=""
+		if [[ $KERNEL_RELEASE =~ -?(rt-|cloud-|)(amd64|arm64) ]];
+		then
+			ARCH_extra="-${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
+		fi
+		if [[ ${DRIVER_KERNEL_VERSION} =~ ([0-9]+\.[0-9]+\.[0-9]+\-[0-9]+) ]];
+		then
+			KERNEL_RELEASE="${BASH_REMATCH[1]}${ARCH_extra}"
+		fi
+		;;
+	("ubuntu")
+		# Extract the flavor from the kernelrelease
+		# Examples:
+		# 5.0.0-1028-aws-5.0 -> ubuntu-aws
+		# 5.15.0-1009-aws -> ubuntu-aws
+		if [[ $KERNEL_RELEASE =~ -([a-zA-Z]+)(-.*)?$ ]];
+		then
+			TARGET_ID="ubuntu-${BASH_REMATCH[1]}"
+		else
+			TARGET_ID="ubuntu-generic"
+		fi
+
+
+		# In the case that the kernelversion isn't just a number
+		# we keep also the remaining part excluding `-Ubuntu`.
+		# E.g.:
+		# from the following `uname -v` result
+		# `#26~22.04.1-Ubuntu SMP Mon Apr 24 01:58:15 UTC 2023`
+		# we obtain the kernelversion`26~22.04.1`
+		if [[ ${DRIVER_KERNEL_VERSION} =~ (^\#[0-9]+\~[^-]*-Ubuntu .*$) ]];
+		then
+			KERNEL_VERSION=$(echo "${DRIVER_KERNEL_VERSION}" | sed 's/#\([^-\\ ]*\).*/\1/g')
+		fi
+		;;
+	("flatcar")
+		KERNEL_RELEASE="${VERSION_ID}"
+		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
+		;;
+	("minikube")
+		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
+		# Extract the minikube version. Ex. With minikube version equal to "v1.26.0-1655407986-14197" the extracted version
+		# will be "1.26.0"
+		if [[ $(cat ${HOST_ROOT}/etc/VERSION) =~ ([0-9]+(\.[0-9]+){2}) ]]; then
+			# kernel version for minikube is always in "1_minikubeversion" format. Ex "1_1.26.0".
+			KERNEL_VERSION="1_${BASH_REMATCH[1]}"
+		else
+			echo "* Unable to extract minikube version from ${HOST_ROOT}/etc/VERSION"
+			exit 1
+		fi
+		;;
+	("bottlerocket")
+		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
+		# variant_id has been sourced from os-release. Get only the first variant part
+		if [[ -n ${VARIANT_ID} ]];  then
+			# take just first part (eg: VARIANT_ID=aws-k8s-1.15 -> aws)
+			VARIANT_ID_CUT=${VARIANT_ID%%-*}
+		fi
+		# version_id has been sourced from os-release. Build a kernel version like: 1_1.11.0-aws
+		KERNEL_VERSION="1_${VERSION_ID}-${VARIANT_ID_CUT}"
+		;;
+	("talos")
+		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
+		# version_id has been sourced from os-release. Build a kernel version like: 1_1.4.1
+		KERNEL_VERSION="1_${VERSION_ID}"
+		;;
+	(*)
+		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
+		;;
+	esac
+}
+
+flatcar_relocate_tools() {
+	local -a tools=(
+		scripts/basic/fixdep
+		scripts/mod/modpost
+		tools/objtool/objtool
+	)
+	local -r hostld=$(ls /host/usr/lib64/ld-linux-*.so.*)
+	local -r kdir=/lib/modules/$(ls /lib/modules/)/build
+	echo "** Found host dl interpreter: ${hostld}"
+	for host_tool in ${tools[@]}; do
+		t=${host_tool}
+		tool=$(basename $t)
+		tool_dir=$(dirname $t)
+		host_tool=${kdir}/${host_tool}
+		if [ ! -f ${host_tool} ]; then
+			continue
+		fi
+		umount ${host_tool} 2>/dev/null || true
+		mkdir -p /tmp/${tool_dir}/
+		cp -a ${host_tool} /tmp/${tool_dir}/
+		echo "** Setting host dl interpreter for $host_tool"
+		patchelf --set-interpreter ${hostld} --set-rpath /host/usr/lib64 /tmp/${tool_dir}/${tool}
+		mount -o bind /tmp/${tool_dir}/${tool} ${host_tool}
+	done
+}
+
+load_kernel_module_compile() {
+	# Skip dkms on UEK hosts because it will always fail
+	if [[ ${DRIVER_KERNEL_RELEASE} == *uek* ]]; then
+		>&2 echo "Skipping because the dkms install always fail (on UEK hosts)"
+		return
+	fi
+
+	if ! hash dkms >/dev/null 2>&1; then
+		>&2 echo "This program requires dkms"
+		return
+	fi
+
+	if [ "${TARGET_ID}" == "flatcar" ]; then
+		KERNEL_RELEASE=${DRIVER_KERNEL_RELEASE}
+		echo "* Flatcar detected (version ${VERSION_ID}); relocating kernel tools"
+		flatcar_relocate_tools
+	fi
+
+	# Try to compile using all the available gcc versions
+	for CURRENT_GCC in $(ls "$(dirname "$(which gcc)")"/gcc*); do
+		# Filter away gcc-{ar,nm,...}
+		# Only gcc compiler has `-print-search-dirs` option.
+		${CURRENT_GCC} -print-search-dirs 2>&1 | grep "install:"
+		if [ "$?" -ne "0" ]; then
+			continue
+		fi
+		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
+		echo "#!/usr/bin/env bash" > "${TMPDIR}/falco-dkms-make"
+		echo "make CC=${CURRENT_GCC} \$@" >> "${TMPDIR}/falco-dkms-make"
+		chmod +x "${TMPDIR}/falco-dkms-make"
+		if dkms install --directive="MAKE='${TMPDIR}/falco-dkms-make'" -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
+			echo "* ${DRIVER_NAME} module installed in dkms"
+			KO_FILE="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}"
+			if [ -f "$KO_FILE.ko" ]; then
+				KO_FILE="$KO_FILE.ko"
+			elif [ -f "$KO_FILE.ko.gz" ]; then
+				KO_FILE="$KO_FILE.ko.gz"
+			elif [ -f "$KO_FILE.ko.xz" ]; then
+				KO_FILE="$KO_FILE.ko.xz"
+			elif [ -f "$KO_FILE.ko.zst" ]; then
+				KO_FILE="$KO_FILE.ko.zst"
+			else
+				>&2 echo "${DRIVER_NAME} module file not found"
+				return
+			fi
+			echo "* ${DRIVER_NAME} module found: ${KO_FILE}"
+			echo "* Trying to insmod"
+			chcon -t modules_object_t "$KO_FILE" > /dev/null 2>&1 || true
+			if insmod "$KO_FILE" > /dev/null 2>&1; then
+				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
+				exit 0
+			fi
+			echo "* Unable to insmod ${DRIVER_NAME} module"
+		else
+			DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
+			if [ -f "${DKMS_LOG}" ]; then
+				echo "* Running dkms build failed, dumping ${DKMS_LOG} (with GCC ${CURRENT_GCC})"
+				cat "${DKMS_LOG}"
+			else
+				echo "* Running dkms build failed, couldn't find ${DKMS_LOG} (with GCC ${CURRENT_GCC})"
+			fi
+		fi
+	done
+}
+
+load_kernel_module_download() {
+	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
+	local URL=$(echo "${1}/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
+
+	echo "* Trying to download a prebuilt ${DRIVER_NAME} module from ${URL}"
+	if curl -L --create-dirs ${FALCO_DRIVER_CURL_OPTIONS} -o "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
+		echo "* Download succeeded"
+		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
+		if insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}"; then
+			echo "* Success: ${DRIVER_NAME} module found and inserted"
+			exit 0
+		fi
+		>&2 echo "Unable to insmod the prebuilt ${DRIVER_NAME} module"
+	else
+		>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} module"
+		return
+	fi
+}
+
+print_clean_termination() {
+	echo
+	echo "[SUCCESS] Cleaning phase correctly terminated."
+	echo
+	echo "================ Cleaning phase ================"
+	echo
+}
+
+print_filename_components() {
+	echo " - driver name: ${DRIVER_NAME}"
+	echo " - target identifier: ${TARGET_ID}"
+	echo " - kernel release: ${KERNEL_RELEASE}"
+	echo " - kernel version: ${KERNEL_VERSION}"
+}
+
+print_as_env_vars() {
+	echo "ARCH=\"${ARCH}\""
+	echo "KERNEL_RELEASE=\"${KERNEL_RELEASE}\""
+	echo "KERNEL_VERSION=\"${KERNEL_VERSION}\""
+	echo "ENABLE_COMPILE=\"${ENABLE_COMPILE}\""
+	echo "ENABLE_DOWNLOAD=\"${ENABLE_DOWNLOAD}\""
+	echo "TARGET_ID=\"${TARGET_ID}\""
+	echo "DRIVER=\"${DRIVER}\""
+	echo "DRIVERS_REPO=\"${DRIVERS_REPO}\""
+	echo "DRIVER_VERSION=\"${DRIVER_VERSION}\""
+	echo "DRIVER_NAME=\"${DRIVER_NAME}\""
+	echo "FALCO_VERSION=\"${FALCO_VERSION}\""
+}
+
+clean_kernel_module() {
+	echo
+	echo "================ Cleaning phase ================"
+	echo
+
+	if ! hash lsmod > /dev/null 2>&1; then
+		>&2 echo "This program requires lsmod."
+		exit 1
+	fi
+
+	if ! hash rmmod > /dev/null 2>&1; then
+		>&2 echo "This program requires rmmod."
+		exit 1
+	fi
+
+	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
+	echo "* 1. Check if kernel module '${KMOD_NAME}' is still loaded:"
+
+	if ! lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}"; then
+		echo "- OK! There is no '${KMOD_NAME}' module loaded."
+		echo
+	fi
+
+	# Wait 50s = MAX_RMMOD_WAIT * 5s
+	MAX_RMMOD_WAIT=10
+	# Remove kernel module if is still loaded.
+	while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $MAX_RMMOD_WAIT -gt 0 ]; do
+		echo "- Kernel module '${KMOD_NAME}' is still loaded."
+		echo "- Trying to unload it with 'rmmod ${KMOD_NAME}'..."
+		if rmmod ${KMOD_NAME}; then
+			echo "- OK! Unloading '${KMOD_NAME}' module succeeded."
+			echo
+		else
+			echo "- Nothing to do...'falco-driver-loader' will wait until you remove the kernel module to have a clean termination."
+			echo "- Check that no process is using the kernel module with 'lsmod | grep ${KMOD_NAME}'."
+			echo "- Sleep 5 seconds..."
+			echo
+			((--MAX_RMMOD_WAIT))
+			sleep 5
+		fi
+	done
+
+	if [ ${MAX_RMMOD_WAIT} -eq 0 ]; then
+		echo "[WARNING] '${KMOD_NAME}' module is still loaded, you could have incompatibility issues."
+		echo
+	fi
+
+	if ! hash dkms >/dev/null 2>&1; then
+		echo "- Skipping dkms remove (dkms not found)."
+		print_clean_termination
+		return
+	fi
+
+	# Remove all versions of this module from dkms.
+	echo "* 2. Check all versions of kernel module '${KMOD_NAME}' in dkms:"
+	DRIVER_VERSIONS=$(dkms status -m "${KMOD_NAME}" | tr -d "," | tr -d ":" | tr "/" " " | cut -d' ' -f2)
+	if [ -z "${DRIVER_VERSIONS}" ]; then
+		echo "- OK! There are no '${KMOD_NAME}' module versions in dkms."
+	else
+		echo "- There are some versions of '${KMOD_NAME}' module in dkms."
+		echo
+		echo "* 3. Removing all the following versions from dkms:"
+		echo "${DRIVER_VERSIONS}"
+		echo
+	fi
+
+	for CURRENT_VER in ${DRIVER_VERSIONS}; do
+		echo "- Removing ${CURRENT_VER}..."
+		if dkms remove -m ${KMOD_NAME} -v "${CURRENT_VER}" --all; then
+			echo
+			echo "- OK! Removing '${CURRENT_VER}' succeeded."
+			echo
+		else
+			echo "[WARNING] Removing '${KMOD_NAME}' version '${CURRENT_VER}' failed."
+		fi
+	done
+
+	print_clean_termination
+}
+
+load_kernel_module() {
+	clean_kernel_module
+
+	echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"
+
+	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
+	echo "* Filename '${FALCO_KERNEL_MODULE_FILENAME}' is composed of:"
+	print_filename_components
+
+	if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
+		echo "* Found a prebuilt ${DRIVER_NAME} module at ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
+		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
+		insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
+		exit $?
+	fi
+
+	if [ -n "$ENABLE_DOWNLOAD" ]; then
+		IFS=", " read -r -a urls <<< "${DRIVERS_REPO}"
+		for url in "${urls[@]}"; do
+			load_kernel_module_download $url
+		done
+	fi
+
+	if [ -n "$ENABLE_COMPILE" ]; then
+		load_kernel_module_compile
+	fi
+
+	# Last try (might load a previous driver version)
+	echo "* Trying to load a system ${DRIVER_NAME} module, if present"
+	if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
+		echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe"
+		exit 0
+	fi
+
+	# Not able to download a prebuilt module nor to compile one on-the-fly
+	>&2 echo "Consider compiling your own ${DRIVER_NAME} driver and loading it or getting in touch with the Falco community"
+	exit 1
+}
+
+load_bpf_probe_compile() {
+	local BPF_KERNEL_SOURCES_URL=""
+	local STRIP_COMPONENTS=1
+
+	customize_kernel_build() {
+		if [ -n "${KERNEL_EXTRA_VERSION}" ]; then
+			sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
+		fi
+		make olddefconfig > /dev/null
+		make modules_prepare > /dev/null
+	}
+
+	if [ "${TARGET_ID}" == "flatcar" ]; then
+		KERNEL_RELEASE=${DRIVER_KERNEL_RELEASE}
+		echo "* Flatcar detected (version ${VERSION_ID}); relocating kernel tools"
+		flatcar_relocate_tools
+	fi
+
+	if [ "${TARGET_ID}" == "cos" ]; then
+		echo "* COS detected (build ${BUILD_ID}), using COS kernel headers"
+
+		BPF_KERNEL_SOURCES_URL="https://storage.googleapis.com/cos-tools/${BUILD_ID}/kernel-headers.tgz"
+		KERNEL_EXTRA_VERSION="+"
+		STRIP_COMPONENTS=0
+
+		customize_kernel_build() {
+			pushd usr/src/* > /dev/null || exit
+
+			# Note: this overrides the KERNELDIR set while untarring the tarball
+			KERNELDIR=$(pwd)
+			export KERNELDIR
+
+			sed -i '/^#define randomized_struct_fields_start	struct {$/d' include/linux/compiler-clang.h
+			sed -i '/^#define randomized_struct_fields_end	};$/d' include/linux/compiler-clang.h
+
+			popd > /dev/null || exit
+
+			# Might need to configure our own sources depending on COS version
+			cos_ver=${BUILD_ID}
+			base_ver=11553.0.0
+
+			cos_version_greater
+			greater_ret=$?
+
+			if [[ greater_ret -eq 1 ]]; then
+			export KBUILD_EXTRA_CPPFLAGS=-DCOS_73_WORKAROUND
+			fi
+		}
+	fi
+
+	if [ "${TARGET_ID}" == "minikube" ]; then
+		MINIKUBE_VERSION="$(cat "${HOST_ROOT}/etc/VERSION")"
+		echo "* Minikube detected (${MINIKUBE_VERSION}), using linux kernel sources for minikube kernel"
+		local kernel_version
+		kernel_version=${DRIVER_KERNEL_RELEASE}
+		local -r kernel_version_major=$(echo "${kernel_version}" | cut -d. -f1)
+		local -r kernel_version_minor=$(echo "${kernel_version}" | cut -d. -f2)
+		local -r kernel_version_patch=$(echo "${kernel_version}" | cut -d. -f3)
+
+		if [ "${kernel_version_patch}" == "0" ]; then
+			kernel_version="${kernel_version_major}.${kernel_version_minor}"
+		fi
+
+		BPF_KERNEL_SOURCES_URL="http://mirrors.edge.kernel.org/pub/linux/kernel/v${kernel_version_major}.x/linux-${kernel_version}.tar.gz"
+	fi
+
+	if [ -n "${BPF_USE_LOCAL_KERNEL_SOURCES}" ]; then
+		local -r kernel_version_major=$(echo "${DRIVER_KERNEL_RELEASE}" | cut -d. -f1)
+		local -r kernel_version=$(echo "${DRIVER_KERNEL_RELEASE}" | cut -d- -f1)
+		KERNEL_EXTRA_VERSION="-$(echo "${DRIVER_KERNEL_RELEASE}" | cut -d- -f2)"
+
+		echo "* Using downloaded kernel sources for kernel version ${kernel_version}..."
+
+		BPF_KERNEL_SOURCES_URL="http://mirrors.edge.kernel.org/pub/linux/kernel/v${kernel_version_major}.x/linux-${kernel_version}.tar.gz"
+	fi
+
+	if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
+		get_kernel_config
+
+		echo "* Downloading ${BPF_KERNEL_SOURCES_URL}"
+
+		mkdir -p /tmp/kernel
+		cd /tmp/kernel || exit
+		cd "$(mktemp -d -p /tmp/kernel)" || exit
+		if ! curl -L -o kernel-sources.tgz --create-dirs ${FALCO_DRIVER_CURL_OPTIONS} "${BPF_KERNEL_SOURCES_URL}"; then
+			>&2 echo "Unable to download the kernel sources"
+			return
+		fi
+
+		echo "* Extracting kernel sources"
+
+		mkdir kernel-sources && tar xf kernel-sources.tgz -C kernel-sources --strip-components "${STRIP_COMPONENTS}"
+
+		cd kernel-sources || exit
+		KERNELDIR=$(pwd)
+		export KERNELDIR
+
+		if [[ "${KERNEL_CONFIG_PATH}" == *.gz ]]; then
+			zcat "${KERNEL_CONFIG_PATH}" > .config
+		else
+			cat "${KERNEL_CONFIG_PATH}" > .config
+		fi
+
+		echo "* Configuring kernel"
+		customize_kernel_build
+	fi
+
+	echo "* Trying to compile the eBPF probe (${BPF_PROBE_FILENAME})"
+
+	make -C "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf" > /dev/null
+
+	mkdir -p "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}"
+	mv "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf/probe.o" "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}"
+
+	if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
+		rm -r /tmp/kernel
+	fi
+
+}
+
+load_bpf_probe_download() {
+	local URL
+	URL=$(echo "${1}/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" | sed s/+/%2B/g)
+
+	echo "* Trying to download a prebuilt eBPF probe from ${URL}"
+
+	if ! curl -L --create-dirs ${FALCO_DRIVER_CURL_OPTIONS} -o "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" "${URL}"; then
+		>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} eBPF probe"
+		return 1
+	fi
+	return 0
+}
+
+load_bpf_probe() {
+
+	if [ ! -d /sys/kernel/debug/tracing ]; then
+		echo "* Mounting debugfs"
+		mount -t debugfs nodev /sys/kernel/debug
+	fi
+
+	BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
+	echo "* Filename '${BPF_PROBE_FILENAME}' is composed of:"
+	print_filename_components
+
+	if [ -n "$ENABLE_DOWNLOAD" ]; then
+		if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" ]; then
+			echo "* Skipping download, eBPF probe is already present in ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}"
+		else
+			IFS=", " read -r -a urls <<< "${DRIVERS_REPO}"
+			for url in "${urls[@]}"; do
+				load_bpf_probe_download $url
+				if [ $? -eq 0 ]; then
+                	break
+                fi
+			done
+		fi
+	fi
+
+	if [ -n "$ENABLE_COMPILE" ]; then
+		if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" ]; then
+			echo "* Skipping compilation, eBPF probe is already present in ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}"
+		else
+			load_bpf_probe_compile
+		fi
+	fi
+
+	if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" ]; then
+		echo "* eBPF probe located in ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}"
+
+		ln -sf "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${DRIVER_NAME}-bpf.o" \
+			&& echo "* Success: eBPF probe symlinked to ${HOME}/.falco/${DRIVER_NAME}-bpf.o"
+		exit $?
+	else
+		>&2 echo "Unable to load the ${DRIVER_NAME} eBPF probe"
+		exit 1
+	fi
+}
+
+print_usage() {
+	echo ""
+	echo "Usage:"
+	echo "  falco-driver-loader [driver] [options]"
+	echo ""
+	echo "Available drivers:"
+	echo "  module        kernel module (default)"
+	echo "  bpf           eBPF probe"
+	echo ""
+	echo "Options:"
+	echo "  --help         show brief help"
+	echo "  --clean        try to remove an already present driver installation"
+	echo "  --compile      try to compile the driver locally (default true)"
+	echo "  --download     try to download a prebuilt driver (default true)"
+	echo "  --source-only  skip execution and allow sourcing in another script using `. falco-driver-loader`"
+	echo "  --print-env    skip execution and print env variables for other tools to consume"
+	echo ""
+	echo "Environment variables:"
+	echo "  DRIVERS_REPO             specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
+	echo "  DRIVER_NAME              specify a different name for the driver"
+	echo "  DRIVER_INSECURE_DOWNLOAD whether you want to allow insecure downloads or not"
+	echo "  DRIVER_CURL_OPTIONS      specify additional options to be passed to curl command used to download Falco drivers"
+	echo "  DRIVER_KERNEL_RELEASE    specify the kernel release for which to download/build the driver in the same format used by 'uname -r' (e.g. '6.1.0-10-cloud-amd64')"
+	echo "  DRIVER_KERNEL_VERSION    specify the kernel version for which to download/build the driver in the same format used by 'uname -v' (e.g. '#1 SMP PREEMPT_DYNAMIC Debian 6.1.38-2 (2023-07-27)')"
+	echo ""
+	echo "Versions:"
+	echo "  Falco version  ${FALCO_VERSION}"
+	echo "  Driver version ${DRIVER_VERSION}"
+	echo ""
+}
+
+ARCH=$(uname -m)
+
+DRIVER_KERNEL_RELEASE=${DRIVER_KERNEL_RELEASE:-$(uname -r)}
+KERNEL_RELEASE=${DRIVER_KERNEL_RELEASE}
+
+if ! hash sed > /dev/null 2>&1; then
+	>&2 echo "This program requires sed"
+	exit 1
+fi
+
+DRIVER_KERNEL_VERSION=${DRIVER_KERNEL_VERSION:-$(uname -v)}
+KERNEL_VERSION=$(echo "${DRIVER_KERNEL_VERSION}" | sed 's/#\([[:digit:]]\+\).*/\1/')
+
+DRIVERS_REPO=${DRIVERS_REPO:-"@DRIVERS_REPO@"}
+
+FALCO_DRIVER_CURL_OPTIONS="-fsS --connect-timeout 5 --max-time 60 --retry 3 --retry-max-time 120"
+
+if [ -n "$DRIVER_INSECURE_DOWNLOAD" ]
+then
+	FALCO_DRIVER_CURL_OPTIONS+=" -k"
+fi
+
+FALCO_DRIVER_CURL_OPTIONS+=" "${DRIVER_CURL_OPTIONS}
+
+if [[ -z "$MAX_RMMOD_WAIT" ]]; then
+	MAX_RMMOD_WAIT=60
+fi
+
+DRIVER_VERSION=${DRIVER_VERSION:-"@DRIVER_VERSION@"}
+DRIVER_NAME=${DRIVER_NAME:-"@DRIVER_NAME@"}
+FALCO_VERSION="@FALCO_VERSION@"
+
+TARGET_ID=
+get_target_id
+
+DRIVER="module"
+if [ -v FALCO_BPF_PROBE ]; then
+	DRIVER="bpf"
+fi
+
+TMPDIR=${TMPDIR:-"/tmp"}
+
+ENABLE_COMPILE=
+ENABLE_DOWNLOAD=
+
+clean=
+has_args=
+has_opts=
+print_env=
+source_only=
+while test $# -gt 0; do
+	case "$1" in
+		module|bpf)
+			if [ -n "$has_args" ]; then
+				>&2 echo "Only one driver per invocation"
+				print_usage
+				exit 1
+			else
+				DRIVER="$1"
+				has_args="true"
+				shift
+			fi
+			;;
+		-h|--help)
+			print_usage
+			exit 0
+			;;
+		--clean)
+			clean="true"
+			shift
+			;;
+		--compile)
+			ENABLE_COMPILE="yes"
+			has_opts="true"
+			shift
+			;;
+		--download)
+			ENABLE_DOWNLOAD="yes"
+			has_opts="true"
+			shift
+			;;
+		--source-only)
+			source_only="true"
+			shift
+			;;
+		--print-env)
+			print_env="true"
+			shift
+			;;
+		--*)
+			>&2 echo "Unknown option: $1"
+			print_usage
+			exit 1
+			;;
+		*)
+			>&2 echo "Unknown driver: $1"
+			print_usage
+			exit 1
+			;;
+	esac
+done
+
+if [ -z "$has_opts" ]; then
+	ENABLE_COMPILE="yes"
+	ENABLE_DOWNLOAD="yes"
+fi
+
+if [ -n "$source_only" ]; then
+	# Return or exit, depending if we've been sourced.
+	(return 0 2>/dev/null) && return || exit 0
+fi
+
+if [ -n "$print_env" ]; then
+	print_as_env_vars
+	exit 0
+fi
+
+echo "* Running falco-driver-loader for: falco version=${FALCO_VERSION}, driver version=${DRIVER_VERSION}, arch=${ARCH}, kernel release=${KERNEL_RELEASE}, kernel version=${KERNEL_VERSION}"
+
+if [ "$(id -u)" != 0 ]; then
+	>&2 echo "This program must be run as root (or with sudo)"
+	exit 1
+fi
+
+if [ "$TARGET_ID" = "undetermined" ]; then
+	if [ -n "$ENABLE_COMPILE" ]; then
+		ENABLE_DOWNLOAD=
+		>&2 echo "Detected an unsupported target system, please get in touch with the Falco community. Trying to compile anyway."
+	else
+		>&2 echo "Detected an unsupported target system, please get in touch with the Falco community."
+		exit 1
+	fi
+fi
+
+if [ -n "$clean" ]; then
+	if [ -n "$has_opts" ]; then
+		>&2 echo "Cannot use --clean with other options"
+		exit 1
+	fi
+
+	echo "* Running falco-driver-loader with: driver=$DRIVER, clean=yes"
+	case $DRIVER in
+	module)
+		clean_kernel_module
+		;;
+	bpf)
+		>&2 echo "--clean not supported for driver=bpf"
+		exit 1
+	esac
+else
+	if ! hash curl > /dev/null 2>&1; then
+		>&2 echo "This program requires curl"
+		exit 1
+	fi
+
+	echo "* Running falco-driver-loader with: driver=$DRIVER, compile=${ENABLE_COMPILE:-"no"}, download=${ENABLE_DOWNLOAD:-"no"}"
+	case $DRIVER in
+		module)
+			load_kernel_module
+			;;
+		bpf)
+			load_bpf_probe
+			;;
+	esac
+fi

scripts/falcoctl/falcoctl.yaml

@@ -1,10 +1,3 @@
-driver:
-    type: "kmod"
-    name: "@DRIVER_NAME@"
-    repos:
-        - "@DRIVERS_REPO@"
-    version: "@DRIVER_VERSION@"
-    hostroot: "/"
 artifact:
   follow:
     every: 6h0m0s

scripts/rpm/postinstall.in

@@ -17,8 +17,6 @@
 #
 
 chosen_driver=
-chosen_unit=
-CHOICE=
 
 # Every time we call this script we want to stat from a clean state.
 echo "[POST-INSTALL] Disable all possible enabled 'falco' service:"
@@ -37,18 +35,7 @@ systemctl --system disable 'falcoctl-artifact-follow.service' || true
 systemctl --system unmask falcoctl-artifact-follow.service || true
 
 if [ $1 -ge 1 ]; then
-        case $FALCO_DRIVER_CHOICE in
-              kmod)
-                  CHOICE=2
-                  ;;
-              ebpf)
-                  CHOICE=3
-                  ;;
-              modern_ebpf)
-                  CHOICE=4
-                  ;;
-        esac     
-        if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then          
+        if [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
             # If dialog is installed, create a dialog to let users choose the correct driver for them
             CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 55 4 \
                     1 "Manual configuration (no unit is started)" \
@@ -56,44 +43,50 @@ if [ $1 -ge 1 ]; then
                     3 "eBPF" \
                     4 "Modern eBPF" \
                     2>&1 >/dev/tty)
-        fi         
-        case $CHOICE in
-            2)
-                chosen_driver="kmod"
-                chosen_unit="kmod"
-                ;;
-            3)
-                chosen_driver="ebpf"
-                chosen_unit="bpf"
-                ;;
-            4)
-                chosen_driver="modern_ebpf"
-                chosen_unit="modern-bpf"
-                ;;
-        esac
-        if [ -n "$CHOICE" ]; then
-            echo "[POST-INSTALL] Configure falcoctl driver type:"
-            falcoctl driver config --type $chosen_driver
-            CHOICE=
-            case $FALCOCTL_ENABLED in
-                no)
-                    CHOICE=2
-                    ;;
-            esac
-            if [ -z $CHOICE ] &&  [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
-                CHOICE=$(dialog --clear --title "Falcoctl" --menu "Do you want to follow automatic ruleset updates?" 10 40 2 \
-                        1 "Yes" \
-                        2 "No" \
-                        2>&1 >/dev/tty)
-            fi  
             case $CHOICE in
                 2)
-                    # we don't want falcoctl enabled, we mask it
-                    systemctl --system mask falcoctl-artifact-follow.service || true
-                ;;
+                    chosen_driver="kmod"
+                    ;;
+                3)
+                    chosen_driver="bpf"
+                    ;;
+                4)
+                    chosen_driver="modern-bpf"
+                    ;;
             esac
-        fi    
-        clear
+            if [ -n "$chosen_driver" ]; then
+              CHOICE=$(dialog --clear --title "Falcoctl" --menu "Do you want to follow automatic ruleset updates?" 10 40 2 \
+                      1 "Yes" \
+                      2 "No" \
+                      2>&1 >/dev/tty)
+              case $CHOICE in
+                  2)
+                      # we don't want falcoctl enabled, we mask it
+                      systemctl --system mask falcoctl-artifact-follow.service || true
+                  ;;
+              esac
+            fi
+            clear
+        else
+            case $FALCO_DRIVER_CHOICE in
+                module | kmod )
+                    chosen_driver="kmod"
+                    ;;
+                bpf | ebpf | eBPF )
+                    chosen_driver="bpf"
+                    ;;
+                modern-bpf | modern-ebpf | modern-eBPF )
+                    chosen_driver="modern-bpf"
+                    ;;
+            esac
+            case $FALCOCTL_ENABLED in
+                yes )
+                    ;;
+                no )
+                    systemctl --system mask falcoctl-artifact-follow.service || true
+                    ;;
+            esac
+        fi
 fi
 
 set -e
@@ -101,16 +94,16 @@ set -e
 echo "[POST-INSTALL] Trigger deamon-reload:"
 systemctl --system daemon-reload || true
 
-# If needed, try to load/compile the driver through falcoctl
+# If needed, try to load/compile the driver through falco-driver-loader
 case "$chosen_driver" in
     "kmod")
       # Only compile for kmod, in this way we use dkms
-       echo "[POST-INSTALL] Call 'falcoctl driver install for kmod:"
-       falcoctl driver install --download=false
+      echo "[POST-INSTALL] Call 'falco-driver-loader --compile module':"
+      falco-driver-loader --compile module
       ;;
-    "ebpf")
-      echo "[POST-INSTALL] Call 'falcoctl driver install for ebpf':"
-      falcoctl driver install
+    "bpf")
+      echo "[POST-INSTALL] Call 'falco-driver-loader bpf':"
+      falco-driver-loader bpf
       ;;
 esac
 
@@ -121,14 +114,14 @@ esac
 # systemd_post macro expands to
 # if postinst:
 #   `systemd-update-helper install-system-units <service>`
-%systemd_post "falco-$chosen_unit.service"
+%systemd_post "falco-$chosen_driver.service"
 
 # post install/upgrade mirrored from .deb
 if [ $1 -ge 1 ]; then
-        if [ -n "$chosen_unit" ]; then
-            echo "[POST-INSTALL] Enable 'falco-$chosen_unit.service':"
-            systemctl --system enable "falco-$chosen_unit.service" || true
-            echo "[POST-INSTALL] Start 'falco-$chosen_unit.service':"
-            systemctl --system start "falco-$chosen_unit.service" || true
+        if [ -n "$chosen_driver" ]; then
+            echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':"
+            systemctl --system enable "falco-$chosen_driver.service" || true
+            echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':"
+            systemctl --system start "falco-$chosen_driver.service" || true
         fi
 fi

scripts/rpm/preuninstall.in

@@ -25,8 +25,8 @@ systemctl --system stop 'falco-modern-bpf.service' || true
 systemctl --system stop 'falco-custom.service' || true
 systemctl --system stop 'falcoctl-artifact-follow.service' || true
 
-echo "[PRE-REMOVE] Call 'falcoctl driver cleanup:'"
-falcoctl driver cleanup
+echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
+falco-driver-loader --clean
 
 # validate rpm macros by `rpm -qp --scripts <rpm>`
 # RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd

scripts/systemd/falco-bpf.service

@@ -7,7 +7,8 @@ Wants=falcoctl-artifact-follow.service
 [Service]
 Type=simple
 User=root
-ExecStart=/usr/bin/falco -o engine.kind=ebpf
+Environment=FALCO_BPF_PROBE=
+ExecStart=/usr/bin/falco
 ExecReload=kill -1 $MAINPID
 UMask=0077
 TimeoutSec=30

scripts/systemd/falco-kmod.service

@@ -9,7 +9,7 @@ Wants=falcoctl-artifact-follow.service
 [Service]
 Type=simple
 User=root
-ExecStart=/usr/bin/falco -o engine.kind=kmod
+ExecStart=/usr/bin/falco
 ExecReload=kill -1 $MAINPID
 UMask=0077
 TimeoutSec=30

scripts/systemd/falco-modern-bpf.service

@@ -7,7 +7,7 @@ Wants=falcoctl-artifact-follow.service
 [Service]
 Type=simple
 User=root
-ExecStart=/usr/bin/falco -o engine.kind=modern_ebpf
+ExecStart=/usr/bin/falco --modern-bpf
 ExecReload=kill -1 $MAINPID
 UMask=0077
 TimeoutSec=30

unit_tests/engine/test_enable_rule.cpp

@@ -1,251 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-/*
-Copyright (C) 2023 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#include <string>
-
-#include <gtest/gtest.h>
-
-#include <sinsp.h>
-#include <filter_check_list.h>
-#include <filter.h>
-
-#include <falco_engine.h>
-
-static std::string single_rule = R"END(
-- rule: test rule
-  desc: A test rule
-  condition: evt.type=execve
-  output: A test rule matched (evt.type=%evt.type)
-  priority: INFO
-  source: syscall
-  tags: [process]
-
-- rule: disabled rule
-  desc: A disabled rule
-  condition: evt.type=execve
-  output: A disabled rule matched (evt.type=%evt.type)
-  priority: INFO
-  source: syscall
-  enabled: false
-  tags: [exec process]
-)END";
-
-// This must be kept in line with the (private) falco_engine::s_default_ruleset
-static const std::string default_ruleset = "falco-default-ruleset";
-
-static const std::string ruleset_1 = "ruleset-1";
-static const std::string ruleset_2 = "ruleset-2";
-static const std::string ruleset_3 = "ruleset-3";
-static const std::string ruleset_4 = "ruleset-4";
-
-static void load_rules(falco_engine& engine, sinsp& inspector, sinsp_filter_check_list& filterchecks)
-{
-	std::unique_ptr<falco::load_result> res;
-
-	auto filter_factory = std::shared_ptr<gen_event_filter_factory>(
-		new sinsp_filter_factory(&inspector, filterchecks));
-	auto formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
-		new sinsp_evt_formatter_factory(&inspector, filterchecks));
-
-	engine.add_source("syscall", filter_factory, formatter_factory);
-
-	res = engine.load_rules(single_rule, "single_rule.yaml");
-
-	EXPECT_TRUE(res->successful());
-}
-
-TEST(EnableRule, enable_rule_name)
-{
-	falco_engine engine;
-	sinsp inspector;
-	sinsp_filter_check_list filterchecks;
-
-	load_rules(engine, inspector, filterchecks);
-
-	// No rules should be enabled yet for any custom rulesets
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(default_ruleset));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-
-	// Enable for first ruleset, only that ruleset should have an
-	// enabled rule afterward
-	engine.enable_rule("test", true, ruleset_1);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-
-	// Enable for second ruleset
-	engine.enable_rule("test", true, ruleset_2);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-
-	// When the substring is blank, all rules are enabled
-	// (including the disabled rule)
-	engine.enable_rule("", true, ruleset_3);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_3));
-
-	// Now disable for second ruleset
-	engine.enable_rule("test", false, ruleset_2);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_3));
-}
-
-TEST(EnableRule, enable_rule_tags)
-{
-	falco_engine engine;
-	sinsp inspector;
-	sinsp_filter_check_list filterchecks;
-	std::set<std::string> process_tags = {"process"};
-
-	load_rules(engine, inspector, filterchecks);
-
-	// No rules should be enabled yet for any custom rulesets
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(default_ruleset));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-
-	// Enable for first ruleset, only that ruleset should have an
-	// enabled rule afterward
-	engine.enable_rule_by_tag(process_tags, true, ruleset_1);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-
-	// Enable for second ruleset
-	engine.enable_rule_by_tag(process_tags, true, ruleset_2);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2));
-
-	// Now disable for second ruleset
-	engine.enable_rule_by_tag(process_tags, false, ruleset_2);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-}
-
-TEST(EnableRule, enable_disabled_rule_by_tag)
-{
-	falco_engine engine;
-	sinsp inspector;
-	sinsp_filter_check_list filterchecks;
-	std::set<std::string> exec_process_tags = {"exec process"};
-
-	load_rules(engine, inspector, filterchecks);
-
-	// Only the first rule should be enabled
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(default_ruleset));
-
-	// Enable the disabled rule by tag
-	engine.enable_rule_by_tag(exec_process_tags, true);
-
-	// Both rules should be enabled now
-	EXPECT_EQ(2, engine.num_rules_for_ruleset(default_ruleset));
-}
-
-TEST(EnableRule, enable_rule_id)
-{
-	falco_engine engine;
-	sinsp inspector;
-	sinsp_filter_check_list filterchecks;
-	uint16_t ruleset_1_id;
-	uint16_t ruleset_2_id;
-	uint16_t ruleset_3_id;
-
-	load_rules(engine, inspector, filterchecks);
-
-	// The cases are identical to above, just using ruleset ids
-	// instead of names.
-
-	ruleset_1_id = engine.find_ruleset_id(ruleset_1);
-	ruleset_2_id = engine.find_ruleset_id(ruleset_2);
-	ruleset_3_id = engine.find_ruleset_id(ruleset_3);
-
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(default_ruleset));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-
-	engine.enable_rule("test rule", true, ruleset_1_id);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-
-	engine.enable_rule("test rule", true, ruleset_2_id);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-
-	engine.enable_rule("", true, ruleset_3_id);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_3));
-
-	engine.enable_rule("test", false, ruleset_2_id);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_3));
-}
-
-TEST(EnableRule, enable_rule_name_exact)
-{
-	falco_engine engine;
-	sinsp inspector;
-	sinsp_filter_check_list filterchecks;
-
-	load_rules(engine, inspector, filterchecks);
-
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(default_ruleset));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_4));
-
-	engine.enable_rule_exact("test rule", true, ruleset_1);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_4));
-
-	engine.enable_rule_exact("test rule", true, ruleset_2);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_4));
-
-	// This should **not** enable as this is a substring and not
-	// an exact match.
-	engine.enable_rule_exact("test", true, ruleset_3);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_4));
-
-	engine.enable_rule_exact("", true, ruleset_4);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-	EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_4));
-
-	engine.enable_rule("test rule", false, ruleset_2);
-	EXPECT_EQ(1, engine.num_rules_for_ruleset(ruleset_1));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_2));
-	EXPECT_EQ(0, engine.num_rules_for_ruleset(ruleset_3));
-	EXPECT_EQ(2, engine.num_rules_for_ruleset(ruleset_4));
-}

unit_tests/falco/test_configuration.cpp

@@ -114,35 +114,17 @@ TEST(Configuration, configuration_environment_variables)
     // Set an environment variable for testing purposes
     std::string env_var_value = "envVarValue";
     std::string env_var_name = "ENV_VAR";
-    SET_ENV_VAR(env_var_name.c_str(), env_var_value.c_str());
-
-    std::string embedded_env_var_value = "${ENV_VAR}";
-    std::string embedded_env_var_name = "ENV_VAR_EMBEDDED";
-    SET_ENV_VAR(embedded_env_var_name.c_str(), embedded_env_var_value.c_str());
-
-    std::string bool_env_var_value = "true";
-    std::string bool_env_var_name = "ENV_VAR_BOOL";
-    SET_ENV_VAR(bool_env_var_name.c_str(), bool_env_var_value.c_str());
-
-    std::string int_env_var_value = "12";
-    std::string int_env_var_name = "ENV_VAR_INT";
-    SET_ENV_VAR(int_env_var_name.c_str(), int_env_var_value.c_str());
-
-    std::string empty_env_var_value = "";
-    std::string empty_env_var_name = "ENV_VAR_EMPTY";
-    SET_ENV_VAR(empty_env_var_name.c_str(), empty_env_var_value.c_str());
-
     std::string default_value = "default";
-    std::string env_var_sample_yaml =
+    SET_ENV_VAR(env_var_name.c_str(), env_var_value.c_str());
+    yaml_helper conf;
+
+    std::string sample_yaml =
         "base_value:\n"
         "    id: $ENV_VAR\n"
         "    name: '${ENV_VAR}'\n"
         "    string: my_string\n"
         "    invalid: $${ENV_VAR}\n"
-	"    invalid_env: $$ENV_VAR\n"
-	"    invalid_double_env: $${ENV_VAR}$${ENV_VAR}\n"
-	"    invalid_embedded_env: $${${ENV_VAR}}\n"
-	"    invalid_valid_env: $${ENV_VAR}${ENV_VAR}\n"
+		"    invalid_env: $$ENV_VAR\n"
         "    escaped: \"${ENV_VAR}\"\n"
         "    subvalue:\n"
         "        subvalue2:\n"
@@ -151,135 +133,52 @@ TEST(Configuration, configuration_environment_variables)
         "    sample_list:\n"
         "        - ${ENV_VAR}\n"
         "        - ' ${ENV_VAR}'\n"
-	"        - '${ENV_VAR} '\n"
-        "        - $UNSED_XX_X_X_VAR\n"
-        "paths:\n"
-	"    - ${ENV_VAR}/foo\n"
-	"    - $ENV_VAR/foo\n"
-	"    - /foo/${ENV_VAR}/\n"
-	"    - /${ENV_VAR}/${ENV_VAR}${ENV_VAR}/foo\n"
-	"    - ${ENV_VAR_EMBEDDED}/foo\n"
-	"is_test: ${ENV_VAR_BOOL}\n"
-	"num_test: ${ENV_VAR_INT}\n"
-	"empty_test: ${ENV_VAR_EMPTY}\n"
-	"plugins:\n"
-	"  - name: k8saudit\n"
-	"    library_path: /foo/${ENV_VAR}/libk8saudit.so\n"
-	"    open_params: ${ENV_VAR_INT}\n";
-
-    yaml_helper conf;
-    conf.load_from_string(env_var_sample_yaml);
+        "        - $UNSED_XX_X_X_VAR\n";
+    conf.load_from_string(sample_yaml);
 
     /* Check if the base values are defined */
     ASSERT_TRUE(conf.is_defined("base_value"));
     ASSERT_TRUE(conf.is_defined("base_value_2"));
-    ASSERT_TRUE(conf.is_defined("paths"));
     ASSERT_FALSE(conf.is_defined("unknown_base_value"));
 
     /* Test fetching of a regular string without any environment variable */
-    auto base_value_string = conf.get_scalar<std::string>("base_value.string", default_value);
+    std::string base_value_string = conf.get_scalar<std::string>("base_value.string", default_value);
     ASSERT_EQ(base_value_string, "my_string");
 
     /* Test fetching of escaped environment variable format. Should return the string as-is after stripping the leading `$` */
-    auto base_value_invalid = conf.get_scalar<std::string>("base_value.invalid", default_value);
+    std::string base_value_invalid = conf.get_scalar<std::string>("base_value.invalid", default_value);
     ASSERT_EQ(base_value_invalid, "${ENV_VAR}");
 
-    /* Test fetching of invalid escaped environment variable format. Should return the string as-is */
-    auto base_value_invalid_env = conf.get_scalar<std::string>("base_value.invalid_env", default_value);
+	/* Test fetching of invalid escaped environment variable format. Should return the string as-is */
+    std::string base_value_invalid_env = conf.get_scalar<std::string>("base_value.invalid_env", default_value);
     ASSERT_EQ(base_value_invalid_env, "$$ENV_VAR");
 
-    /* Test fetching of 2 escaped environment variables side by side. Should return the string as-is after stripping the leading `$` */
-    auto base_value_double_invalid = conf.get_scalar<std::string>("base_value.invalid_double_env", default_value);
-    ASSERT_EQ(base_value_double_invalid, "${ENV_VAR}${ENV_VAR}");
-
-    /*
-     * Test fetching of escaped environment variable format with inside an env variable.
-     * Should return the string as-is after stripping the leading `$` with the resolved env variable within
-     */
-    auto base_value_embedded_invalid = conf.get_scalar<std::string>("base_value.invalid_embedded_env", default_value);
-    ASSERT_EQ(base_value_embedded_invalid, "${" + env_var_value + "}");
-
-    /*
-     * Test fetching of an escaped env variable plus an env variable side by side.
-     * Should return the escaped one trimming the leading `$` plus the second one resolved.
-     */
-    auto base_value_valid_invalid = conf.get_scalar<std::string>("base_value.invalid_valid_env", default_value);
-    ASSERT_EQ(base_value_valid_invalid, "${ENV_VAR}" + env_var_value);
-
     /* Test fetching of strings that contain environment variables */
-    auto base_value_id = conf.get_scalar<std::string>("base_value.id", default_value);
+    std::string base_value_id = conf.get_scalar<std::string>("base_value.id", default_value);
     ASSERT_EQ(base_value_id, "$ENV_VAR"); // Does not follow the `${VAR}` format, so it should be treated as a regular string
 
-    auto base_value_name = conf.get_scalar<std::string>("base_value.name", default_value);
+    std::string base_value_name = conf.get_scalar<std::string>("base_value.name", default_value);
     ASSERT_EQ(base_value_name, env_var_value); // Proper environment variable format
 
-    auto base_value_escaped = conf.get_scalar<std::string>("base_value.escaped", default_value);
+    std::string base_value_escaped = conf.get_scalar<std::string>("base_value.escaped", default_value);
     ASSERT_EQ(base_value_escaped, env_var_value); // Environment variable within quotes
 
-    /* Test fetching of an undefined environment variable. Resolves to empty string. */
-    auto unknown_boolean = conf.get_scalar<std::string>("base_value.subvalue.subvalue2.boolean", default_value);
-    ASSERT_EQ(unknown_boolean, "");
+    /* Test fetching of an undefined environment variable. Expected to return the default value.*/
+    std::string unknown_boolean = conf.get_scalar<std::string>("base_value.subvalue.subvalue2.boolean", default_value);
+    ASSERT_EQ(unknown_boolean, default_value);
 
     /* Test fetching of environment variables from a list */
-    auto base_value_2_list_0 = conf.get_scalar<std::string>("base_value_2.sample_list[0]", default_value);
+    std::string base_value_2_list_0 = conf.get_scalar<std::string>("base_value_2.sample_list[0]", default_value);
     ASSERT_EQ(base_value_2_list_0, env_var_value); // Proper environment variable format
 
-    auto base_value_2_list_1 = conf.get_scalar<std::string>("base_value_2.sample_list[1]", default_value);
-    ASSERT_EQ(base_value_2_list_1, " " + env_var_value); // Environment variable preceded by a space, still extracted env var with leading space
+    std::string base_value_2_list_1 = conf.get_scalar<std::string>("base_value_2.sample_list[1]", default_value);
+    ASSERT_EQ(base_value_2_list_1, " ${ENV_VAR}"); // Environment variable preceded by a space, hence treated as a regular string
 
-    auto base_value_2_list_2 = conf.get_scalar<std::string>("base_value_2.sample_list[2]", default_value);
-    ASSERT_EQ(base_value_2_list_2, env_var_value + " "); // Environment variable followed by a space, still extracted env var with trailing space
+    std::string base_value_2_list_2 = conf.get_scalar<std::string>("base_value_2.sample_list[2]", default_value);
+    ASSERT_EQ(base_value_2_list_2, "$UNSED_XX_X_X_VAR"); // Does not follow the `${VAR}` format, so should be treated as a regular string
 
-    auto base_value_2_list_3 = conf.get_scalar<std::string>("base_value_2.sample_list[3]", default_value);
-    ASSERT_EQ(base_value_2_list_3, "$UNSED_XX_X_X_VAR"); // Does not follow the `${VAR}` format, so should be treated as a regular string
-
-    /* Test expansion of environment variables within strings */
-    auto path_list_0 = conf.get_scalar<std::string>("paths[0]", default_value);
-    ASSERT_EQ(path_list_0, env_var_value + "/foo"); // Even if env var is part of bigger string, it gets expanded
-
-    auto path_list_1 = conf.get_scalar<std::string>("paths[1]", default_value);
-    ASSERT_EQ(path_list_1, "$ENV_VAR/foo"); // Does not follow the `${VAR}` format, so should be treated as a regular string
-
-    auto path_list_2 = conf.get_scalar<std::string>("paths[2]", default_value);
-    ASSERT_EQ(path_list_2, "/foo/" + env_var_value + "/"); // Even when env var is in the middle of a string. it gets expanded
-
-    auto path_list_3 = conf.get_scalar<std::string>("paths[3]", default_value);
-    ASSERT_EQ(path_list_3, "/" + env_var_value + "/" + env_var_value + env_var_value + "/foo"); // Even when the string contains multiple env vars they are correctly expanded
-
-    auto path_list_4 = conf.get_scalar<std::string>("paths[4]", default_value);
-    ASSERT_EQ(path_list_4, env_var_value + "/foo"); // Even when the env var contains another env var, it gets correctly double-expanded
-
-    /* Check that variable expansion is type-aware */
-    auto boolean = conf.get_scalar<bool>("is_test", false);
-    ASSERT_EQ(boolean, true); // `true` can be parsed to bool.
-
-    auto boolean_as_str = conf.get_scalar<std::string>("is_test", "false");
-    ASSERT_EQ(boolean_as_str, "true"); // `true` can be parsed to string.
-
-    auto boolean_as_int = conf.get_scalar<int32_t>("is_test", 0);
-    ASSERT_EQ(boolean_as_int, 0); // `true` cannot be parsed to integer.
-
-    auto integer = conf.get_scalar<int32_t>("num_test", -1);
-    ASSERT_EQ(integer, 12);
-
-    // An env var that resolves to an empty string returns ""
-    auto empty_default_str = conf.get_scalar<std::string>("empty_test", default_value);
-    ASSERT_EQ(empty_default_str, "");
-
-    std::list<falco_configuration::plugin_config> plugins;
-    conf.get_sequence<std::list<falco_configuration::plugin_config>>(plugins, std::string("plugins"));
-    std::vector<falco_configuration::plugin_config> m_plugins{ std::make_move_iterator(std::begin(plugins)),
-							      std::make_move_iterator(std::end(plugins)) };
-    ASSERT_EQ(m_plugins[0].m_name, "k8saudit");
-    ASSERT_EQ(m_plugins[0].m_library_path, "/foo/" + env_var_value + "/libk8saudit.so");
-    ASSERT_EQ(m_plugins[0].m_open_params, "12");
-
-    /* Clear the set environment variables after testing */
-    SET_ENV_VAR(env_var_name.c_str(), "");
-    SET_ENV_VAR(embedded_env_var_name.c_str(), "");
-    SET_ENV_VAR(bool_env_var_name.c_str(), "");
-    SET_ENV_VAR(int_env_var_name.c_str(), "");
-    SET_ENV_VAR(empty_env_var_name.c_str(), "");
+    /* Clear the set environment variable after testing */
+    SET_ENV_VAR(env_var_name.c_str(), env_var_value.c_str());
 }
 
 TEST(Configuration, configuration_webserver_ip)

userspace/engine/CMakeLists.txt

@@ -11,7 +11,7 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 
-add_library(falco_engine STATIC
+set(FALCO_ENGINE_SOURCE_FILES
     falco_common.cpp
     falco_engine.cpp
     falco_load_result.cpp
@@ -25,8 +25,9 @@ add_library(falco_engine STATIC
     rule_loader.cpp
     rule_loader_reader.cpp
     rule_loader_collector.cpp
-    rule_loader_compiler.cpp
-)
+    rule_loader_compiler.cpp)
+
+add_library(falco_engine STATIC ${FALCO_ENGINE_SOURCE_FILES})
 
 if (EMSCRIPTEN)
 	target_compile_options(falco_engine PRIVATE "-sDISABLE_EXCEPTION_CATCHING=0")
@@ -34,17 +35,14 @@ endif()
 
 add_dependencies(falco_engine yamlcpp njson)
 
-target_include_directories(falco_engine
-PUBLIC
-    ${LIBSCAP_INCLUDE_DIRS}
-    ${LIBSINSP_INCLUDE_DIRS}
-    ${PROJECT_BINARY_DIR}/userspace/engine
-    ${nlohmann_json_DIR}
-    ${TBB_INCLUDE_DIR}
-    ${YAMLCPP_INCLUDE_DIR}
-)
+target_include_directories(
+    falco_engine
+    PUBLIC
+      "${NJSON_INCLUDE}"
+      "${TBB_INCLUDE_DIR}"
+      "${LIBSCAP_INCLUDE_DIRS}"
+      "${LIBSINSP_INCLUDE_DIRS}"
+      "${YAMLCPP_INCLUDE_DIR}"
+      "${PROJECT_BINARY_DIR}/userspace/engine")
 
-target_link_libraries(falco_engine
-    ${FALCO_SINSP_LIBRARY}
-    ${YAMLCPP_LIB}
-)
+target_link_libraries(falco_engine "${FALCO_SINSP_LIBRARY}" "${YAMLCPP_LIB}")

userspace/engine/falco_engine.cpp

@@ -298,12 +298,6 @@ std::unique_ptr<load_result> falco_engine::load_rules_file(const std::string &ru
 void falco_engine::enable_rule(const std::string &substring, bool enabled, const std::string &ruleset)
 {
 	uint16_t ruleset_id = find_ruleset_id(ruleset);
-
-	enable_rule(substring, enabled, ruleset_id);
-}
-
-void falco_engine::enable_rule(const std::string &substring, bool enabled, const uint16_t ruleset_id)
-{
 	bool match_exact = false;
 
 	for(const auto &it : m_sources)
@@ -322,12 +316,6 @@ void falco_engine::enable_rule(const std::string &substring, bool enabled, const
 void falco_engine::enable_rule_exact(const std::string &rule_name, bool enabled, const std::string &ruleset)
 {
 	uint16_t ruleset_id = find_ruleset_id(ruleset);
-
-	enable_rule_exact(rule_name, enabled, ruleset_id);
-}
-
-void falco_engine::enable_rule_exact(const std::string &rule_name, bool enabled, const uint16_t ruleset_id)
-{
 	bool match_exact = true;
 
 	for(const auto &it : m_sources)
@@ -347,11 +335,6 @@ void falco_engine::enable_rule_by_tag(const std::set<std::string> &tags, bool en
 {
 	uint16_t ruleset_id = find_ruleset_id(ruleset);
 
-	enable_rule_by_tag(tags, enabled, ruleset_id);
-}
-
-void falco_engine::enable_rule_by_tag(const std::set<std::string> &tags, bool enabled, const uint16_t ruleset_id)
-{
 	for(const auto &it : m_sources)
 	{
 		if(enabled)

userspace/engine/falco_engine.h

@@ -96,23 +96,15 @@ public:
 	//
 	void enable_rule(const std::string &substring, bool enabled, const std::string &ruleset = s_default_ruleset);
 
-	// Same as above but providing a ruleset id instead
-	void enable_rule(const std::string &substring, bool enabled, const uint16_t ruleset_id);
 
 	// Like enable_rule, but the rule name must be an exact match.
 	void enable_rule_exact(const std::string &rule_name, bool enabled, const std::string &ruleset = s_default_ruleset);
 
-	// Same as above but providing a ruleset id instead
-	void enable_rule_exact(const std::string &rule_name, bool enabled, const uint16_t ruleset_id);
-
 	//
 	// Enable/Disable any rules with any of the provided tags (set, exact matches only)
 	//
 	void enable_rule_by_tag(const std::set<std::string> &tags, bool enabled, const std::string &ruleset = s_default_ruleset);
 
-	// Same as above but providing a ruleset id instead
-	void enable_rule_by_tag(const std::set<std::string> &tags, bool enabled, const uint16_t ruleset_id);
-
 	//
 	// Must be called after the engine has been configured and all rulesets
 	// have been loaded and enabled/disabled.

userspace/engine/falco_engine_version.h

@@ -20,7 +20,7 @@ limitations under the License.
 
 // The version of this Falco engine
 #define FALCO_ENGINE_VERSION_MAJOR 0
-#define FALCO_ENGINE_VERSION_MINOR 29
+#define FALCO_ENGINE_VERSION_MINOR 28
 #define FALCO_ENGINE_VERSION_PATCH 0
 
 #define FALCO_ENGINE_VERSION \
@@ -34,4 +34,4 @@ limitations under the License.
 // It represents the fields supported by this version of Falco,
 // the event types, and the underlying driverevent schema. It's used to
 // detetect changes in engine version in our CI jobs.
-#define FALCO_ENGINE_CHECKSUM "30bd8b1c09eab71e14416f04b617d4d20bc7c7358bce91748ce9bd8007786c4d"
+#define FALCO_ENGINE_CHECKSUM "5d488b68856d70300ae37453295383821822d8423af170eb28e1bef52042f0b3"

userspace/falco/app/restart_handler.cpp

@@ -60,7 +60,7 @@ bool falco::app::restart_handler::start(std::string& err)
 
     for (const auto& f : m_watched_files)
     {
-        auto wd = inotify_add_watch(m_inotify_fd, f.c_str(), IN_CLOSE_WRITE | IN_MOVE_SELF | IN_DELETE_SELF);
+        auto wd = inotify_add_watch(m_inotify_fd, f.c_str(), IN_CLOSE_WRITE);
         if (wd < 0)
         {
             err = "could not watch file: " + f;
@@ -71,7 +71,7 @@ bool falco::app::restart_handler::start(std::string& err)
 
     for (const auto &f : m_watched_dirs)
     {
-        auto wd = inotify_add_watch(m_inotify_fd, f.c_str(), IN_CREATE | IN_DELETE | IN_MOVE);
+        auto wd = inotify_add_watch(m_inotify_fd, f.c_str(), IN_CREATE | IN_DELETE);
         if (wd < 0)
         {
             err = "could not watch directory: " + f;

userspace/falco/configuration.cpp

@@ -309,14 +309,6 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
 		client_key = config.get_scalar<std::string>("http_output.client_key", "/etc/ssl/certs/client.key");
 		http_output.options["client_key"] = client_key;
 
-		bool compress_uploads;
-		compress_uploads = config.get_scalar<bool>("http_output.compress_uploads", false);
-		http_output.options["compress_uploads"] = compress_uploads? std::string("true") : std::string("false");
-
-		bool keep_alive;
-		keep_alive = config.get_scalar<bool>("http_output.keep_alive", false);
-		http_output.options["keep_alive"] = keep_alive? std::string("true") : std::string("false");
-
 		m_outputs.push_back(http_output);
 	}
 

userspace/falco/outputs_http.cpp

@@ -97,16 +97,6 @@ bool falco::outputs::output_http::init(const config& oc, bool buffered, const st
 		CHECK_RES(curl_easy_setopt(m_curl, CURLOPT_WRITEFUNCTION, noop_write_callback));
 	}
 
-	if(m_oc.options["compress_uploads"] == std::string("true"))
-	{
-		CHECK_RES(curl_easy_setopt(m_curl, CURLOPT_TRANSFER_ENCODING, 1L));
-	}
-
-	if(m_oc.options["keep_alive"] == std::string("true"))
-	{
-		CHECK_RES(curl_easy_setopt(m_curl, CURLOPT_TCP_KEEPALIVE, 1L));
-	}
-
 	if(res != CURLE_OK)
 	{
 		err = "libcurl error: " + std::string(curl_easy_strerror(res));

userspace/falco/yaml_helper.h

@@ -37,40 +37,6 @@ limitations under the License.
 #include "event_drops.h"
 #include "falco_outputs.h"
 
-class yaml_helper;
-
-class yaml_visitor {
-private:
-	using Callback = std::function<void(YAML::Node&)>;
-	yaml_visitor(Callback cb): seen(), cb(std::move(cb)) {}
-
-	void operator()(YAML::Node &cur) {
-		seen.push_back(cur);
-		if (cur.IsMap()) {
-			for (YAML::detail::iterator_value pair : cur) {
-				descend(pair.second);
-			}
-		} else if (cur.IsSequence()) {
-			for (YAML::detail::iterator_value child : cur) {
-				descend(child);
-			}
-		} else if (cur.IsScalar()) {
-			cb(cur);
-		}
-	}
-
-	void descend(YAML::Node &target) {
-		if (std::find(seen.begin(), seen.end(), target) == seen.end()) {
-			(*this)(target);
-		}
-	}
-
-	std::vector<YAML::Node> seen;
-	Callback cb;
-
-	friend class yaml_helper;
-};
-
 /**
  * @brief An helper class for reading and editing YAML documents
  */
@@ -83,7 +49,6 @@ public:
 	void load_from_string(const std::string& input)
 	{
 		m_root = YAML::Load(input);
-		pre_process_env_vars();
 	}
 
 	/**
@@ -92,7 +57,6 @@ public:
 	void load_from_file(const std::string& path)
 	{
 		m_root = YAML::LoadFile(path);
-		pre_process_env_vars();
 	}
 
 	/**
@@ -113,8 +77,44 @@ public:
 		get_node(node, key);
 		if(node.IsDefined())
 		{
-			return node.as<T>(default_value);
+			std::string value = node.as<std::string>();
+
+			// Helper function to convert string to the desired type T
+			auto convert_str_to_t = [&default_value](const std::string& str) -> T {
+				std::stringstream ss(str);
+				T result;
+				if (ss >> result) return result;
+				return default_value;
+			};
+
+			// If the value starts with `$$`, check for a subsequent `{...}`
+			if (value.size() >= 3 && value[0] == '$' && value[1] == '$')
+			{
+				// If after stripping the first `$`, the string format is like `${VAR}`, treat it as a plain string and don't resolve.
+				if (value[2] == '{' && value[value.size() - 1] == '}')
+				{
+					value = value.substr(1);
+					return convert_str_to_t(value);
+				}
+				else return convert_str_to_t(value);
+			}
+
+			// Check if the value is an environment variable reference
+			if(value.size() >= 2 && value[0] == '$' && value[1] == '{' && value[value.size() - 1] == '}')
+			{
+				// Format: ${ENV_VAR_NAME}
+				std::string env_var = value.substr(2, value.size() - 3);
+
+				const char* env_value = std::getenv(env_var.c_str()); // Get the environment variable value
+				if(env_value) return convert_str_to_t(env_value);
+
+				return default_value;
+			}
+
+			// If it's not an environment variable reference, return the value as is
+			return node.as<T>();
 		}
+
 		return default_value;
 	}
 
@@ -153,71 +153,6 @@ public:
 private:
 	YAML::Node m_root;
 
-	/*
-	 * When loading a yaml file,
-	 * we immediately pre process all scalar values through a visitor private API,
-	 * and resolve any "${env_var}" to its value;
-	 * moreover, any "$${str}" is resolved to simply "${str}".
-	 */
-	void pre_process_env_vars()
-	{
-		yaml_visitor([](YAML::Node &scalar) {
-				auto value = scalar.as<std::string>();
-				auto start_pos = value.find('$');
-				while (start_pos != std::string::npos)
-				{
-					auto substr = value.substr(start_pos);
-					// Case 1 -> ${}
-					if (substr.rfind("${", 0) == 0)
-					{
-						auto end_pos = substr.find('}');
-						if (end_pos != std::string::npos)
-						{
-							// Eat "${" and "}" when getting the env var name
-							auto env_str = substr.substr(2, end_pos - 2);
-							const char* env_value = std::getenv(env_str.c_str()); // Get the environment variable value
-							if(env_value)
-							{
-								// env variable name + "${}"
-								value.replace(start_pos, env_str.length() + 3, env_value);
-							}
-							else
-							{
-								value.erase(start_pos, env_str.length() + 3);
-							}
-						}
-						else
-						{
-							// There are no "}" chars anymore; just break leaving rest of value untouched.
-							break;
-						}
-					}
-					// Case 2 -> $${}
-					else if (substr.rfind("$${", 0) == 0)
-					{
-						auto end_pos = substr.find('}');
-						if (end_pos != std::string::npos)
-						{
-							// Consume first "$" token
-							value.erase(start_pos, 1);
-						}
-						else
-						{
-							// There are no "}" chars anymore; just break leaving rest of value untouched.
-							break;
-						}
-						start_pos++; // consume the second '$' token
-					}
-					else
-					{
-						start_pos += substr.length();
-					}
-					start_pos = value.find("$", start_pos);
-				}
-				scalar = value;
-			})(m_root);
-	}
-
 	/**
 	 * Key is a string representing a node in the YAML document.
 	 * The provided key string can navigate the document in its