chore(ci): properly checkout pull request HEAD instead of merge commit in gh actions.

See https://github.com/actions/checkout#checkout-pull-request-head-commit-instead-of-merge-commit.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

.circleci/config.yml

@@ -67,7 +67,7 @@ jobs:
           command: |
             mkdir -p /build-static/release
             cd /build-static/release
-            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
+            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
       - run:
           name: Build
           command: |
@@ -555,7 +555,7 @@ jobs:
           name: Build and publish no-driver
           command: |
             cd /source/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${CIRCLE_TAG} \
+            docker buildx build --push --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} \
               -t "falcosecurity/falco-no-driver:x86_64-${CIRCLE_TAG}" \
               -t falcosecurity/falco-no-driver:x86_64-latest \
               -t "falcosecurity/falco:x86_64-${CIRCLE_TAG}-slim" \
@@ -569,7 +569,7 @@ jobs:
           name: Build and publish falco
           command: |
             cd /source/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${CIRCLE_TAG} \
+            docker buildx build --push --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} \
               -t "falcosecurity/falco:x86_64-${CIRCLE_TAG}" \
               -t "falcosecurity/falco:x86_64-latest" \
               -t "public.ecr.aws/falcosecurity/falco:x86_64-${CIRCLE_TAG}" \
@@ -624,7 +624,7 @@ jobs:
           name: Build and publish falco
           command: |
             cd /tmp/source-arm64/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${CIRCLE_TAG} \
+            docker buildx build --push --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} \
               -t "falcosecurity/falco:aarch64-${CIRCLE_TAG}" \
               -t "falcosecurity/falco:aarch64-latest" \
               -t "public.ecr.aws/falcosecurity/falco:aarch64-${CIRCLE_TAG}" \

.github/workflows/ci.yml

@@ -14,6 +14,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Update base image
         run: sudo apt update -y
@@ -47,6 +48,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Update base image
         run: sudo apt update -y
@@ -80,6 +82,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Update base image
         run: sudo apt update -y
@@ -113,6 +116,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Update base image
         run: sudo apt update -y
@@ -151,6 +155,7 @@ jobs:
         with:
           fetch-depth: 0
           path: falco
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Link falco repo to /source/falco
         run: |

ADOPTERS.md

@@ -39,7 +39,7 @@ This is a list of production adopters of Falco (in alphabetical order):
 * [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
   * https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/
 
-* [MathWorks](https://mathworks.com) - MathWorks develops mathematical computing software for engineers and scientists. MathWorks uses Falco for Kubernetes threat detection, unexpected application behavior, and maps Falco rules to their cloud infrastructure's security kill chain model. MathWorks presented their Falco use case at [KubeCon + CloudNativeCon North America 2020](https://www.youtube.com/watch?v=L-5RYBTV010).  
+* [MathWorks](https://mathworks.com) - MathWorks develops mathematical computing software for engineers and scientists. MathWorks uses Falco for Kubernetes threat detection, unexpected application behavior, and maps Falco rules to their cloud infrastructure's security kill chain model. MathWorks presented their Falco use case at [KubeCon + CloudNativeCon North America 2020](https://www.youtube.com/watch?v=L-5RYBTV010).
 
 * [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.
 
@@ -70,6 +70,8 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call driver. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
 
+* [Xenit AB](https://xenit.se/contact/) Xenit is a growth company with services within cloud and digital transformation. We provide an open-source Kubernetes framework that we leverage to help our customers get their applications to production as quickly and as securely as possible. We use Falco's detection capabilities to identify anomalous behaviour within our clusters in both Azure and AWS.
+
 ## Projects that use Falco libs
 
 * [R6/Phoenix](https://r6security.com/) is an attack surface protection company that uses moving target defense to provide fully automated, proactive and devops friendly security to its customers. There are a set of policies you can add to enable the moving target defense capabilities. Some of them are triggered by a combination of Falco's findings. You can kill, restart and rename pods according to the ever changing policies.

CHANGELOG.md

@@ -1,5 +1,156 @@
 # Change Log
 
+## v0.33.1
+
+Released on 2022-11-24
+
+### Minor Changes
+
+* update(falco): fix container-gvisor and kubernetes-gvisor print options [[#2288](https://github.com/falcosecurity/falco/pull/2288)]
+* Update libs to 0.9.2, fixing potential CLBO on gVisor+Kubernetes and crash with eBPF when some CPUs are offline [[#2299](https://github.com/falcosecurity/falco/pull/2299)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+## v0.33.0
+
+Released on 2022-10-19
+
+### Major Changes
+
+
+* new: add a `drop_pct` referred to the global number of events [[#2130](https://github.com/falcosecurity/falco/pull/2130)] - [@Andreagit97](https://github.com/Andreagit97)
+* new: print some info about eBPF and enabled sources when Falco starts [[#2133](https://github.com/falcosecurity/falco/pull/2133)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(userspace): print architecture information [[#2147](https://github.com/falcosecurity/falco/pull/2147)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(CI): add CodeQL security scanning to Falco. [[#2171](https://github.com/falcosecurity/falco/pull/2171)] - [@Andreagit97](https://github.com/Andreagit97)
+* new: configure syscall buffer dimension from Falco [[#2214](https://github.com/falcosecurity/falco/pull/2214)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(cmdline): add development support for modern BPF probe [[#2221](https://github.com/falcosecurity/falco/pull/2221)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(falco-driver-loader): `DRIVERS_REPO` now supports the use of multiple download URLs (comma separated) [[#2165](https://github.com/falcosecurity/falco/pull/2165)] - [@IanRobertson-wpe](https://github.com/IanRobertson-wpe)
+* new(userspace/engine): support alternative plugin version requirements in checks [[#2190](https://github.com/falcosecurity/falco/pull/2190)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* new: support running multiple event sources in parallel [[#2182](https://github.com/falcosecurity/falco/pull/2182)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* new(userspace/falco): automatically create paths for grpc unix socket and gvisor endpoint. [[#2189](https://github.com/falcosecurity/falco/pull/2189)] - [@FedeDP](https://github.com/FedeDP)
+* new(scripts): allow falco-driver-loader to properly distinguish any ubuntu flavor [[#2178](https://github.com/falcosecurity/falco/pull/2178)] - [@FedeDP](https://github.com/FedeDP)
+* new: add option to enable event sources selectively [[#2085](https://github.com/falcosecurity/falco/pull/2085)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Minor Changes
+
+* docs(falco-driver-loader): add some comments in `falco-driver-loader` [[#2153](https://github.com/falcosecurity/falco/pull/2153)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(cmake): use latest libs tag `0.9.0` [[#2257](https://github.com/falcosecurity/falco/pull/2257)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(.circleci): re-enabled cppcheck [[#2186](https://github.com/falcosecurity/falco/pull/2186)] - [@leogr](https://github.com/leogr)
+* update(userspace/engine): improve falco files loading performance [[#2151](https://github.com/falcosecurity/falco/pull/2151)] - [@VadimZy](https://github.com/VadimZy)
+* update(cmake): use latest driver tag 3.0.1+driver [[#2251](https://github.com/falcosecurity/falco/pull/2251)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(userspace/falco)!: adapt stats writer for multiple parallel event sources [[#2182](https://github.com/falcosecurity/falco/pull/2182)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): remove falco engine APIs that returned a required_engine_version [[#2096](https://github.com/falcosecurity/falco/pull/2096)] - [@mstemm](https://github.com/mstemm)
+* update(userspace/engine): add some small changes to rules matching that reduce cpu usage with high event volumes (> 1M syscalls/sec) [[#2210](https://github.com/falcosecurity/falco/pull/2210)] - [@mstemm](https://github.com/mstemm)
+* rules: added process IDs to default rules [[#2211](https://github.com/falcosecurity/falco/pull/2211)] - [@spyder-kyle](https://github.com/spyder-kyle)
+* update(scripts/debian): falco.service systemd unit is now cleaned-up during (re)install and removal via the DEB and RPM packages [[#2138](https://github.com/falcosecurity/falco/pull/2138)] - [@Happy-Dude](https://github.com/Happy-Dude)
+* update(userspace/falco): move on from deprecated libs API for printing event list [[#2253](https://github.com/falcosecurity/falco/pull/2253)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore(userspace/falco): improve cli helper and log options with debug level [[#2252](https://github.com/falcosecurity/falco/pull/2252)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(userspace): minor pre-release improvements [[#2236](https://github.com/falcosecurity/falco/pull/2236)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update: bumped libs to fd46dd139a8e35692a7d40ab2f0ed2016df827cf. [[#2201](https://github.com/falcosecurity/falco/pull/2201)] - [@FedeDP](https://github.com/FedeDP)
+* update!: gVisor sock default path changed from `/tmp/gvisor.sock` to `/run/falco/gvisor.sock`  [[#2163](https://github.com/falcosecurity/falco/pull/2163)] - [@vjjmiras](https://github.com/vjjmiras)
+* update!: gRPC server sock default path changed from `/run/falco.sock.sock` to `/run/falco/falco.sock` [[#2163](https://github.com/falcosecurity/falco/pull/2163)] - [@vjjmiras](https://github.com/vjjmiras)
+* update(scripts/falco-driver-loader): minikube environment is now correctly detected [[#2191](https://github.com/falcosecurity/falco/pull/2191)] - [@alacuku](https://github.com/alacuku)
+* update(rules/falco_rules.yaml): `required_engine_version` changed to 13 [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
+* refactor(userspace/falco): re-design stats writer and make it thread-safe [[#2109](https://github.com/falcosecurity/falco/pull/2109)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/falco): make signal handlers thread safe [[#2091](https://github.com/falcosecurity/falco/pull/2091)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): strengthen and document thread-safety guarantees of falco_engine::process_event [[#2082](https://github.com/falcosecurity/falco/pull/2082)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(userspace/falco): make webserver threadiness configurable [[#2090](https://github.com/falcosecurity/falco/pull/2090)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/falco): reduce app actions dependency on app state and inspector [[#2097](https://github.com/falcosecurity/falco/pull/2097)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(userspace/falco): use move semantics in falco logger [[#2095](https://github.com/falcosecurity/falco/pull/2095)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update: use `FALCO_HOSTNAME` env var to override the hostname value [[#2174](https://github.com/falcosecurity/falco/pull/2174)] - [@leogr](https://github.com/leogr)
+* update: bump libs and driver versions to 6599e2efebce30a95f27739d655d53f0d5f686e4 [[#2177](https://github.com/falcosecurity/falco/pull/2177)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/falco): make output rate limiter optional and output engine explicitly thread-safe [[#2139](https://github.com/falcosecurity/falco/pull/2139)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(falco.yaml)!: notification rate limiter disabled by default. [[#2139](https://github.com/falcosecurity/falco/pull/2139)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Bug Fixes
+
+* fix: compute the `drop ratio` in the right way [[#2128](https://github.com/falcosecurity/falco/pull/2128)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(falco_service): falco service needs to write under /sys/module/falco [[#2238](https://github.com/falcosecurity/falco/pull/2238)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace): cleanup output of ruleset validation result [[#2248](https://github.com/falcosecurity/falco/pull/2248)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace): properly print ignored syscalls messages when not in `-A` mode [[#2243](https://github.com/falcosecurity/falco/pull/2243)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(falco): clarify pid/tid and container info in gvisor [[#2223](https://github.com/falcosecurity/falco/pull/2223)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(userspace/engine): avoid reading duplicate exception values [[#2200](https://github.com/falcosecurity/falco/pull/2200)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix: hostname was not present when `json_output: true` [[#2174](https://github.com/falcosecurity/falco/pull/2174)] - [@leogr](https://github.com/leogr)
+
+
+### Rule Changes
+
+* rule(macro: known_gke_mount_in_privileged_containers): add new macro [[#2198](https://github.com/falcosecurity/falco/pull/2198)] - [@hi120ki](https://github.com/hi120ki)
+* rule(Mount Launched in Privileged Container): add GKE default pod into allowlist in Mount Launched of Privileged Container rule [[#2198](https://github.com/falcosecurity/falco/pull/2198)] - [@hi120ki](https://github.com/hi120ki)
+* rule(list: known_binaries_to_read_environment_variables_from_proc_files): add new list [[#2193](https://github.com/falcosecurity/falco/pull/2193)] - [@hi120ki](https://github.com/hi120ki)
+* rule(Read environment variable from /proc files): add rule to detect an attempt to read process environment variables from /proc files [[#2193](https://github.com/falcosecurity/falco/pull/2193)] - [@hi120ki](https://github.com/hi120ki)
+* rule(macro: k8s_containers): add falco no-driver images [[#2234](https://github.com/falcosecurity/falco/pull/2234)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* rule(macro: open_file_failed): add new macro [[#2118](https://github.com/falcosecurity/falco/pull/2118)] - [@incertum](https://github.com/incertum)
+* rule(macro: directory_traversal): add new macro [[#2118](https://github.com/falcosecurity/falco/pull/2118)] - [@incertum](https://github.com/incertum)
+* rule(Directory traversal monitored file read): add new rule [[#2118](https://github.com/falcosecurity/falco/pull/2118)] - [@incertum](https://github.com/incertum)
+* rule(Modify Container Entrypoint): new rule created to detect CVE-2019-5736 [[#2188](https://github.com/falcosecurity/falco/pull/2188)] - [@darryk10](https://github.com/darryk10)
+* rule(Program run with disallowed http proxy env)!: disabled by default [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
+* rule(Container Drift Detected (chmod))!: disabled by default [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
+* rule(Container Drift Detected (open+create))!: disabled by default [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
+* rule(Packet socket created in container)!: removed consider_packet_socket_communication macro [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_packet_socket_communication)!: remove unused macro [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
+* rule(Interpreted procs outbound network activity)!: disabled by default [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
+* rule(Interpreted procs inbound network activity)!: disabled by default [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
+* rule(Contact cloud metadata service from container)!: disabled by default [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_interpreted_outbound)!: remove unused macro [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_interpreted_inbound)!: remove unused macro [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_metadata_access)!: remove unused macro [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
+* rule(Unexpected outbound connection destination)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Unexpected inbound connection source)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Read Shell Configuration File)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Schedule Cron Jobs)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Launch Suspicious Network Tool on Host)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Create Hidden Files or Directories)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Outbound or Inbound Traffic not to Authorized Server Process and Port)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Network Connection outside Local Subnet)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_all_outbound_conns)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_all_inbound_conns)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_shell_config_reads)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_all_cron_jobs)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_all_inbound_conns)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_hidden_file_creation)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: allowed_port)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: enabled_rule_network_only_subnet)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_userfaultfd_activities)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_all_chmods)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Set Setuid or Setgid bit)!: removed consider_all_chmods macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Container Drift Detected (chmod))!: removed consider_all_chmods macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process)!: removed consider_userfaultfd_activities macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+
+
+### Non user-facing changes
+
+* new(userspace): support `SCAP_FILTERED_EVENT` return code [[#2148](https://github.com/falcosecurity/falco/pull/2148)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore(test/utils): remove unused script [[#2157](https://github.com/falcosecurity/falco/pull/2157)] - [@Andreagit97](https://github.com/Andreagit97)
+* Enrich pull request template [[#2162](https://github.com/falcosecurity/falco/pull/2162)] - [@Andreagit97](https://github.com/Andreagit97)
+* vote: update(OWNERS): add Andrea Terzolo to owners [[#2185](https://github.com/falcosecurity/falco/pull/2185)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(CI): codespell should ignore `ro` word [[#2173](https://github.com/falcosecurity/falco/pull/2173)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore: bump plugin version [[#2256](https://github.com/falcosecurity/falco/pull/2256)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/falco): avoid using CPU when main thread waits for parallel event sources [[#2255](https://github.com/falcosecurity/falco/pull/2255)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(scripts): inject kmod script fails with some systemd versions [[#2250](https://github.com/falcosecurity/falco/pull/2250)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore(userspace/falco): make logging optional when terminating, restarting, and reopening outputs [[#2249](https://github.com/falcosecurity/falco/pull/2249)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore: bump libs version [[#2244](https://github.com/falcosecurity/falco/pull/2244)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(userspace): solve warnings and performance tips from cppcheck [[#2247](https://github.com/falcosecurity/falco/pull/2247)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/falco): make signal termination more robust with multi-threading [[#2235](https://github.com/falcosecurity/falco/pull/2235)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/falco): make termination and signal handlers more stable [[#2239](https://github.com/falcosecurity/falco/pull/2239)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace): safely check string bounded access [[#2237](https://github.com/falcosecurity/falco/pull/2237)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore: bump libs/driver to the latest release branch commit [[#2232](https://github.com/falcosecurity/falco/pull/2232)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/falco): check plugin requirements when validating rule files [[#2233](https://github.com/falcosecurity/falco/pull/2233)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace): add explicit constructors and initializations [[#2229](https://github.com/falcosecurity/falco/pull/2229)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* Add StackRox to adopters [[#2187](https://github.com/falcosecurity/falco/pull/2187)] - [@Molter73](https://github.com/Molter73)
+* fix(process_events): check the return value of `open_live_inspector` [[#2215](https://github.com/falcosecurity/falco/pull/2215)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/engine): properly include stdexcept header to fix build. [[#2197](https://github.com/falcosecurity/falco/pull/2197)] - [@FedeDP](https://github.com/FedeDP)
+* refactor(userspace/engine): split rule loader classes for a more testable design [[#2206](https://github.com/falcosecurity/falco/pull/2206)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore(OWNERS): cleanup inactive reviewer [[#2204](https://github.com/falcosecurity/falco/pull/2204)] - [@leogr](https://github.com/leogr)
+* fix(circleci): falco-driver-loader image build must be done starting from just-pushed falco master image. [[#2194](https://github.com/falcosecurity/falco/pull/2194)] - [@FedeDP](https://github.com/FedeDP)
+* Support condition parse errors in rule loading results [[#2155](https://github.com/falcosecurity/falco/pull/2155)] - [@mstemm](https://github.com/mstemm)
+* docs: readme update [[#2183](https://github.com/falcosecurity/falco/pull/2183)] - [@leogr](https://github.com/leogr)
+* cleanup: rename legacy references [[#2180](https://github.com/falcosecurity/falco/pull/2180)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): increase const coherence in falco engine [[#2081](https://github.com/falcosecurity/falco/pull/2081)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* Rules result handle multiple files [[#2158](https://github.com/falcosecurity/falco/pull/2158)] - [@mstemm](https://github.com/mstemm)
+* fix: print full rule load errors/warnings without verbose/-v [[#2156](https://github.com/falcosecurity/falco/pull/2156)] - [@mstemm](https://github.com/mstemm)
+
+
 ## v0.32.2
 
 Released on 2022-08-09

CMakeLists.txt

@@ -181,9 +181,6 @@ include(cxxopts)
 # One TBB
 include(tbb)
 
-#string-view-lite
-include(DownloadStringViewLite)
-
 if(NOT MINIMAL_BUILD)
   include(zlib)
   include(cares)

RELEASE.md

@@ -1,18 +1,77 @@
 # Falco Release Process
 
-Our release process is mostly automated, but we still need some manual steps to initiate and complete it.
 
-Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
+## Overview
+
+This document provides the process to create a new Falco release. In addition, it provides information about the versioning of the Falco components. At a high level each Falco release consists of the following main components:
+
+- Falco binary (userspace)
+- Falco kernel driver object files (kernel space)
+    - Option 1: Kernel module (`.ko` files)
+    - Option 2: eBPF (`.o` files)
+- Falco config and primary rules `.yaml` files (userspace)
+- Falco plugins (userspace - optional)
+
+One nice trait about releasing separate artifacts for userspace and kernel space is that Falco is amenable to supporting a large array of environments, that is, multiple kernel versions, distros and architectures (see `libs` [driver - kernel version support matrix](https://github.com/falcosecurity/libs#drivers-officially-supported-architectures)). The Falco project manages the release of both the Falco userspace binary and pre-compiled Falco kernel drivers for the most popular kernel versions and distros. The build and publish process is managed by the [test-infra](https://github.com/falcosecurity/test-infra) repo. The Falco userspace executable includes bundled dependencies, so that it can be run from anywhere.
+
+The Falco project also publishes all sources for each component. In fact, sources are included in the Falco release in the same way as some plugins (k8saudit and cloudtrail) as well as the rules that are shipped together with Falco. This empowers the end user to audit the integrity of the project as well as build kernel drivers for custom kernels or not officially supported kernels / distros (see [driverkit](https://github.com/falcosecurity/driverkit) for more information). While the Falco project is deeply embedded into an ecosystem of supporting [Falco sub-projects](https://github.com/falcosecurity/evolution) that aim to make the deployment of Falco easy, user-friendly, extendible and cloud-native, core Falco is split across two repos, [falco](https://github.com/falcosecurity/falco) (this repo) and [libs](https://github.com/falcosecurity/libs). The `libs` repo contains >90% of Falco's core features and is the home of each of the kernel drivers and engines. More details are provided in the [Falco Components Versioning](#falco-components-versioning) section.
+
+Finally, the release process follows a transparent process described in more detail in the following sections and the official [Falco docs](https://falco.org/) contain rich information around building, installing and using Falco.
+
+
+### Falco Binaries, Rules and Sources Artifacts - Quick Links
+
+The Falco project publishes all sources and the Falco userspace binaries as GitHub releases. Rules are also released in the GitHub tree Falco release tag.
+
+- [Falco Releases](https://github.com/falcosecurity/falco/releases)
+    - `tgz`, `rpm` and `deb` Falco binary packages (contains sources, including driver sources, Falco rules as well as k8saudit and cloudtrail plugins)
+    - `tgz`, `zip` source code
+- [Libs Releases](https://github.com/falcosecurity/libs/releases)
+    - `tgz`, `zip` source code
+- Falco Rules (GitHub tree approach)
+    - RELEASE="x.y.z", `https://github.com/falcosecurity/falco/tree/${RELEASE}/rules`
+
+
+Alternatively Falco binaries or plugins can be downloaded from the Falco Artifacts repo.
+
+- [Falco Artifacts Repo Packages Root](https://download.falco.org/?prefix=packages/)
+- [Falco Artifacts Repo Plugins Root](https://download.falco.org/?prefix=plugins/)
+
+
+### Falco Drivers Artifacts Repo - Quick Links
+
+
+The Falco project publishes all drivers for each release for all popular kernel versions / distros and `x86_64` and `aarch64` architectures to the Falco project managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - `$(uname -r)`. Pre-compiled drivers are released with a [best effort](https://github.com/falcosecurity/falco/blob/master/proposals/20200818-artifacts-storage.md#notice) notice. This is because gcc (`kmod`) and clang (`bpf`) compilers or for example the eBPF verifier are not perfect. More details around driver versioning and driver compatibility are provided in the [Falco Components Versioning](#falco-components-versioning) section. Short preview: If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with.
+
+- [Falco Artifacts Repo Drivers Root](https://download.falco.org/?prefix=driver/)
+    - Option 1: Kernel module (`.ko` files) - all under same driver version directory
+    - Option 2: eBPF (`.o` files) - all under same driver version directory
+
+
+### Timeline
 
 Falco releases are due to happen 3 times per year. Our current schedule sees a new release by the end of January, May, and September each year. Hotfix releases can happen whenever it's needed.
 
+Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
+
+
+### Procedures
+
+The release process is mostly automated requiring only a few manual steps to initiate and complete it.
+
 Moreover, we need to assign owners for each release (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community).
 
+At a high level each Falco release needs to follow a pre-determined sequencing of releases and build order:
+
+- [1 - 3] `libs` (+ `driver`) and `plugins` components releases
+- [4] Falco driver pre-compiled object files push to Falco's Artifacts repo
+- [5] Falco userspace binary + rules release
+
 Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
 
 ## Pre-Release Checklist
 
-Before cutting a release we need to do some homework in the Falco repository. This should take 5 minutes using the GitHub UI.
+Prior to cutting a release the following preparatory steps should take 5 minutes using the GitHub UI.
 
 ### 1. Release notes
 - Find the previous release date (`YYYY-MM-DD`) by looking at the [Falco releases](https://github.com/falcosecurity/falco/releases)
@@ -121,3 +180,39 @@ Announce the new release to the world!
 - Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
 - Let folks in the slack #falco channel know about a new release came out
 - IFF the on going release introduces a **new minor version**, [archive a snapshot of the Falco website](https://github.com/falcosecurity/falco-website/blob/master/release.md#documentation-versioning)
+
+
+## Falco Components Versioning
+
+This section provides more details around the versioning of all components that make up core Falco. It can also be a useful guide for the uninitiated to be more informed about Falco's source. Because the `libs` repo contains >90% of Falco's core features and is the home of each of the kernel drivers and engines, the [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) is an excellent additional resource. In addition, the [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) provides similar details around Falco's plugins. `SHA256` checksums are provided throughout Falco's source code to empower the end user to perform integrity checks. All Falco releases also contain the sources as part of the packages.
+
+
+### Falco repo (this repo)
+- Falco version is a git tag (`x.y.z`), see [Procedures](#procedures) section. Note that the Falco version is a sem-ver-like schema, but not fully compatible with sem-ver.
+- [FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/userspace/engine/falco_engine_version.h) is not sem-ver and must be bumped either when a backward incompatible change has been introduced to the rules files syntax or `falco --list -N | sha256sum` has changed. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. The primary idea behind the hash is that when new filter / display fields (see currently supported [Falco fields](https://falco.org/docs/rules/supported-fields/)) are introduced a version bump indicates that this field was not available in previous engine versions. In case a new Falco rule uses new fields, the [Falco rules](https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml) file needs to bump this version as well via setting `required_engine_version` to the new version.
+- During development and release preparation, libs and driver reference commits are often bumped in Falco's cmake setup ([falcosecurity-libs cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/falcosecurity-libs.cmake#L30) and [driver cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/driver.cmake#L29)) in order to merge new Falco features. In practice they are mostly bumped at the same time referencing the same `libs` commit. However, for the official Falco build `FALCOSECURITY_LIBS_VERSION` flag that references the stable Libs version is used (read below).
+- Similarly, Falco plugins versions are bumped in Falco's cmake setup ([plugins cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/plugins.cmake)) and those versions are the ones used for the Falco release.
+- At release time Plugin, Libs and Driver versions are compatible with Falco.
+- If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with (read more below under Libs).
+
+
+```
+Falco version: x.y.z (sem-ver like)
+Libs version:  x.y.z (sem-ver like)
+Plugin API:    x.y.z (sem-ver like)
+Driver:
+  API version:    x.y.z (sem-ver)
+  Schema version: x.y.z (sem-ver)
+  Default driver: x.y.z+driver (sem-ver like, indirectly encodes compatibility range in addition to default version Falco is shipped with)
+```
+
+
+### Libs repo
+- Libs version is a git tag (`x.y.z`) and when building Falco the libs version is set via the `FALCOSECURITY_LIBS_VERSION` flag (see above).
+- Driver version in and of itself is not directly tied to the Falco binary as opposed to the libs version being part of the source code used to compile Falco's userspace binary. This is because of the strict separation between userspace and kernel space artifacts, so things become a bit more interesting here. This is why the concept of a `Default driver` has been introduced to still implicitly declare the compatible driver versions. For example, if the default driver version is `2.0.0+driver`, Falco works with all driver versions >= 2.0.0 and < 3.0.0. This is a consequence of how the driver version is constructed starting from the `Driver API version` and `Driver Schema version`. Driver API and Schema versions are explained in the respective [libs driver doc](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md) -> Falco's `driver-loader` will always fetch the default driver, therefore a Falco release is always "shipped" with the driver version corresponding to the default driver.
+- See [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) for more information.
+
+### Plugins repo
+
+- Plugins version is a git tag (`x.y.z`)
+- See [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) for more information.

cmake/cpack/CMakeCPackOptions.cmake

@@ -1,11 +1,13 @@
 if(CPACK_GENERATOR MATCHES "DEB")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 
 if(CPACK_GENERATOR MATCHES "RPM")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 
 if(CPACK_GENERATOR MATCHES "TGZ")

cmake/modules/DownloadStringViewLite.cmake

@@ -1,30 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-include(ExternalProject)
-
-set(STRING_VIEW_LITE_PREFIX ${CMAKE_BINARY_DIR}/string-view-lite-prefix)
-set(STRING_VIEW_LITE_INCLUDE ${STRING_VIEW_LITE_PREFIX}/include)
-message(STATUS "Using bundled string-view-lite in ${STRING_VIEW_LITE_INCLUDE}")
-
-ExternalProject_Add(
-  string-view-lite
-  PREFIX ${STRING_VIEW_LITE_PREFIX}
-  GIT_REPOSITORY "https://github.com/martinmoene/string-view-lite.git"
-  GIT_TAG "v1.4.0"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  UPDATE_COMMAND ""
-  INSTALL_COMMAND
-    ${CMAKE_COMMAND} -E copy ${STRING_VIEW_LITE_PREFIX}/src/string-view-lite/include/nonstd/string_view.hpp
-    ${STRING_VIEW_LITE_INCLUDE}/nonstd/string_view.hpp)

cmake/modules/GetFalcoVersion.cmake

@@ -16,18 +16,32 @@ include(GetGitRevisionDescription)
 
 # Create the falco version variable according to git index
 if(NOT FALCO_VERSION)
-  string(STRIP "${FALCO_HASH}" FALCO_HASH)
   # Try to obtain the exact git tag
   git_get_exact_tag(FALCO_TAG)
   if(NOT FALCO_TAG)
-    # Obtain the closest tag
-    git_describe(FALCO_VERSION "--always" "--tags" "--abbrev=7")
-    # Fallback version
-    if(FALCO_VERSION MATCHES "NOTFOUND$")
-      set(FALCO_VERSION "0.0.0")
-    endif()
-    # Format FALCO_VERSION to be semver with prerelease and build part
-    string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
+      # Fetch current hash
+      get_git_head_revision(refspec FALCO_HASH)
+      if(NOT FALCO_HASH OR FALCO_HASH MATCHES "NOTFOUND$")
+        set(FALCO_VERSION "0.0.0")
+      else()
+        # Obtain the closest tag
+        git_get_latest_tag(FALCO_LATEST_TAG)
+        if(NOT FALCO_LATEST_TAG OR FALCO_LATEST_TAG MATCHES "NOTFOUND$")
+          set(FALCO_VERSION "0.0.0")
+        else()
+          # Compute commit delta since tag
+          git_get_delta_from_tag(FALCO_DELTA ${FALCO_LATEST_TAG} ${FALCO_HASH})
+          if(NOT FALCO_DELTA OR FALCO_DELTA MATCHES "NOTFOUND$")
+            set(FALCO_VERSION "0.0.0")
+          else()
+            # Cut hash to 7 bytes
+            string(SUBSTRING ${FALCO_HASH} 0 7 FALCO_HASH)
+            # Format FALCO_VERSION to be semver with prerelease and build part
+            set(FALCO_VERSION
+                  "${FALCO_LATEST_TAG}-${FALCO_DELTA}+${FALCO_HASH}")
+           endif()
+        endif()
+      endif()
   else()
     # A tag has been found: use it as the Falco version
     set(FALCO_VERSION "${FALCO_TAG}")

cmake/modules/GetGitRevisionDescription.cmake

@@ -86,29 +86,36 @@ function(get_git_head_revision _refspecvar _hashvar)
       PARENT_SCOPE)
 endfunction()
 
-function(git_describe _var)
+function(git_get_latest_tag _var)
   if(NOT GIT_FOUND)
     find_package(Git QUIET)
   endif()
-  get_git_head_revision(refspec hash)
-  if(NOT GIT_FOUND)
-    set(${_var}
-        "GIT-NOTFOUND"
-        PARENT_SCOPE)
-    return()
-  endif()
-  if(NOT hash)
-    set(${_var}
-        "HEAD-HASH-NOTFOUND"
-        PARENT_SCOPE)
+
+  # We use git describe --tags `git rev-list --tags --max-count=1`
+  execute_process(COMMAND
+          "${GIT_EXECUTABLE}"
+          rev-list
+          --tags
+          --max-count=1
+          WORKING_DIRECTORY
+          "${CMAKE_CURRENT_SOURCE_DIR}"
+          COMMAND tail -n1
+          RESULT_VARIABLE
+          res
+          OUTPUT_VARIABLE
+          tag_hash
+          ERROR_QUIET
+          OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(out "${tag_hash}-${res}-NOTFOUND" PARENT_SCOPE)
     return()
   endif()
 
   execute_process(COMMAND
     "${GIT_EXECUTABLE}"
     describe
-    ${hash}
-    ${ARGN}
+    --tags
+    ${tag_hash}
     WORKING_DIRECTORY
     "${CMAKE_CURRENT_SOURCE_DIR}"
     RESULT_VARIABLE
@@ -120,10 +127,108 @@ function(git_describe _var)
   if(NOT res EQUAL 0)
     set(out "${out}-${res}-NOTFOUND")
   endif()
+  set(${_var} "${out}" PARENT_SCOPE)
+endfunction()
+
+function(git_get_delta_from_tag _var tag hash)
+  if(NOT GIT_FOUND)
+    find_package(Git QUIET)
+  endif()
+
+  # Count commits in HEAD
+  execute_process(COMMAND
+    "${GIT_EXECUTABLE}"
+    rev-list
+    --count
+    ${hash}
+    WORKING_DIRECTORY
+    "${CMAKE_CURRENT_SOURCE_DIR}"
+    RESULT_VARIABLE
+    res
+    OUTPUT_VARIABLE
+    out_counter_head
+    ERROR_QUIET
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(${_var} "HEADCOUNT-NOTFOUND" PARENT_SCOPE)
+    return()
+  endif()
+
+  # Count commits in latest tag
+  execute_process(COMMAND
+    "${GIT_EXECUTABLE}"
+    rev-list
+    --count
+    ${tag}
+    WORKING_DIRECTORY
+    "${CMAKE_CURRENT_SOURCE_DIR}"
+    RESULT_VARIABLE
+    res
+    OUTPUT_VARIABLE
+    out_counter_tag
+    ERROR_QUIET
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(${_var} "TAGCOUNT-NOTFOUND" PARENT_SCOPE)
+    return()
+  endif()
+
+  execute_process(COMMAND
+    expr
+    ${out_counter_head} - ${out_counter_tag}
+    WORKING_DIRECTORY
+    "${CMAKE_CURRENT_SOURCE_DIR}"
+    RESULT_VARIABLE
+    res
+    OUTPUT_VARIABLE
+    out_delta
+    ERROR_QUIET
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(${_var} "DELTA-NOTFOUND" PARENT_SCOPE)
+    return()
+  endif()
+  set(${_var} "${out_delta}" PARENT_SCOPE)
+endfunction()
+
+function(git_describe _var)
+  if(NOT GIT_FOUND)
+    find_package(Git QUIET)
+  endif()
+  get_git_head_revision(refspec hash)
+  if(NOT GIT_FOUND)
+    set(${_var}
+            "GIT-NOTFOUND"
+            PARENT_SCOPE)
+    return()
+  endif()
+  if(NOT hash)
+    set(${_var}
+            "HEAD-HASH-NOTFOUND"
+            PARENT_SCOPE)
+    return()
+  endif()
+
+  execute_process(COMMAND
+          "${GIT_EXECUTABLE}"
+          describe
+          ${hash}
+          ${ARGN}
+          WORKING_DIRECTORY
+          "${CMAKE_CURRENT_SOURCE_DIR}"
+          RESULT_VARIABLE
+          res
+          OUTPUT_VARIABLE
+          out
+          ERROR_QUIET
+          OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(out "${out}-${res}-NOTFOUND")
+  endif()
 
   set(${_var}
-      "${out}"
-      PARENT_SCOPE)
+          "${out}"
+          PARENT_SCOPE)
 endfunction()
 
 function(git_get_exact_tag _var)

cmake/modules/driver.cmake

@@ -26,8 +26,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "9ec78ad55ff558f3381941111b6bf313e043b4b0")
-    set(DRIVER_CHECKSUM "SHA256=333a0aec05653ade6ff0dbdd057a8fe84abe32c07a22626288c2028b1ebc7d2e")
+    set(DRIVER_VERSION "dd443b67c6b04464cb8ee2771af8ada8777e7fac")
+    set(DRIVER_CHECKSUM "SHA256=df373099d0f4cd4417a0103bb57f26c7412ffa86cde2bb2d579c6feba841626d")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/falcosecurity-libs.cmake

@@ -27,8 +27,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "9ec78ad55ff558f3381941111b6bf313e043b4b0")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=333a0aec05653ade6ff0dbdd057a8fe84abe32c07a22626288c2028b1ebc7d2e")
+    set(FALCOSECURITY_LIBS_VERSION "dd443b67c6b04464cb8ee2771af8ada8777e7fac")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=df373099d0f4cd4417a0103bb57f26c7412ffa86cde2bb2d579c6feba841626d")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/plugins.cmake

@@ -19,11 +19,11 @@ if(NOT DEFINED PLUGINS_COMPONENT_NAME)
     set(PLUGINS_COMPONENT_NAME "${CMAKE_PROJECT_NAME}-plugins")
 endif()
 
-set(PLUGIN_K8S_AUDIT_VERSION "0.4.0-rc1")
+set(PLUGIN_K8S_AUDIT_VERSION "0.4.0")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_K8S_AUDIT_HASH "9b77560861ae2b1539a32a542e0b282b4ae83e0a8c26aad7ecefd3e721e9eb99")
+    set(PLUGIN_K8S_AUDIT_HASH "ded0b5419f40084547620ccc48b19768e5e89457b85cfe8fbe496ca72267a3a4")
 else() # aarch64
-    set(PLUGIN_K8S_AUDIT_HASH "9c7de9a1213dc2e125f1ad2302818e5d34a7c95bfc67532b9d37395c60785d02")
+    set(PLUGIN_K8S_AUDIT_HASH "775cba666612114bc5b0c36f2e3c4557f5adbffcca2d77e72be87c6fcbf51ceb")
 endif()
 
 ExternalProject_Add(
@@ -39,18 +39,18 @@ install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/
 ExternalProject_Add(
   k8saudit-rules
   URL "https://download.falco.org/plugins/stable/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz"
-  URL_HASH "SHA256=f65982fd1c6bc12ae8db833c36127a70252464bd5983fd75c39b91d630eb7f40"
+  URL_HASH "SHA256=53948fac0345e718d673142a992ac820135f771141dfaa9719c7575ac8ae6878"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
 
 install(FILES "${PROJECT_BINARY_DIR}/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
 
-set(PLUGIN_CLOUDTRAIL_VERSION "0.6.0-rc1")
+set(PLUGIN_CLOUDTRAIL_VERSION "0.6.0")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_CLOUDTRAIL_HASH "a6c6acf16f7b4acd2b836e2be514346ee15a1e5adce936bd97ab6338d16ad6f9")
+    set(PLUGIN_CLOUDTRAIL_HASH "80e0c33f30c01a90efb7e9a671d978ff9679c462e3105020238abf31230e49a9")
 else() # aarch64
-    set(PLUGIN_CLOUDTRAIL_HASH "a6105cb3864a613b3488c60c723163630484bc36b2aa219fb1c730c7735fb5fa")
+    set(PLUGIN_CLOUDTRAIL_HASH "a3e739932e66d44be848a68857fa15f56134d5246a1b9ab912c81f91b68fb23f")
 endif()
 
 ExternalProject_Add(
@@ -66,18 +66,18 @@ install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plu
 ExternalProject_Add(
   cloudtrail-rules
   URL "https://download.falco.org/plugins/stable/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz"
-  URL_HASH "SHA256=4df7a0d56300d6077807bc205a8ab7ab3b45c495adcc209c5cca1e8da6fc93c6"
+  URL_HASH "SHA256=e0dccb7b0f1d24b1e526a33ffd973ea5f2ac2879dbc999e119419ebfd24305ff"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
 
   install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-rules-prefix/src/cloudtrail-rules/aws_cloudtrail_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
 
-set(PLUGIN_JSON_VERSION "0.6.0-rc1")
+set(PLUGIN_JSON_VERSION "0.6.0")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_JSON_HASH "7969e4731e529c5a9d9895ee52ec1845d4d1889cfa3562170288bb7a593bf6b9")
+    set(PLUGIN_JSON_HASH "15fb7eddd978e8bb03f05412e9446e264e4548d7423b3d724b99d6d87a8c1b27")
 else() # aarch64
-    set(PLUGIN_JSON_HASH "c19fd1b64228ff95b1dc88d441143017807aa59ba57ae868a5f7db85b93bff99")
+    set(PLUGIN_JSON_HASH "4db23f35a750e10a5b7b54c9aa469a7587705e7faa22927e941b41f3c5533e9f")
 endif()
 
 ExternalProject_Add(

docker/builder/Dockerfile

@@ -22,7 +22,7 @@ ENV CMAKE_VERSION=${CMAKE_VERSION}
 
 # build toolchain
 RUN yum -y install centos-release-scl && \
-    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel llvm-toolset-7.0 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel rpm-build libyaml-devel" && \
+    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel llvm-toolset-7.0 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel rpm-build libyaml-devel" && \
     yum -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
     rpm -V $INSTALL_PKGS
 

falco.yaml

@@ -150,6 +150,7 @@ syscall_event_drops:
     - alert
   rate: .03333
   max_burst: 1
+  simulate_drops: false
 
 # Falco uses a shared buffer between the kernel and userspace to receive
 # the events (eg., system call information) in userspace.

rules/falco_rules.yaml

@@ -220,7 +220,7 @@
   items: [probe_rpminfo, probe_rpmverify, probe_rpmverifyfile, probe_rpmverifypackage]
 
 - macro: rpm_procs
-  condition: (proc.name in (rpm_binaries, openscap_rpm_binaries) or proc.name in (salt-minion))
+  condition: (proc.name in (rpm_binaries, openscap_rpm_binaries) or proc.name in (salt-call, salt-minion))
 
 - list: deb_binaries
   items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, aptitude,
@@ -1441,7 +1441,7 @@
     and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries,
      cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries,
      vpn_binaries, mail_config_binaries, nomachine_binaries, sshkit_script_binaries,
-     in.proftpd, mandb, salt-minion, postgres_mgmt_binaries,
+     in.proftpd, mandb, salt-call, salt-minion, postgres_mgmt_binaries,
      google_oslogin_
      )
     and not cmp_cp_by_passwd
@@ -3064,7 +3064,7 @@
 
 - rule: Linux Kernel Module Injection Detected
   desc: Detect kernel module was injected (from container).
-  condition: spawned_process and container and proc.name=insmod and not proc.args in (white_listed_modules)
+  condition: spawned_process and container and proc.name=insmod and not proc.args in (white_listed_modules) and thread.cap_effective icontains sys_module
   output: Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)
   priority: WARNING
   tags: [process]
@@ -3240,3 +3240,16 @@
     command=%proc.cmdline pid=%proc.pid file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)
   priority: WARNING
   tags: [filesystem, mitre_credential_access, mitre_discovery]
+
+- list: known_ptrace_binaries
+  items: []
+
+- macro: known_ptrace_procs
+  condition: (proc.name in (known_ptrace_binaries))
+
+- rule: PTRACE attached to process
+  desc: "This rule detects an attempt to inject code into a process using PTRACE."
+  condition: evt.type=ptrace and evt.dir=> and evt.arg.request in (5, 6, 11, 20, 27) and proc_name_exists and not known_ptrace_procs
+  output: Detected ptrace PTRACE_ATTACH attempt (proc.cmdline=%proc.cmdline container=%container.info evt.type=%evt.type evt.arg.request=%evt.arg.request proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath user.uid=%user.uid user.loginuid=%user.loginuid user.loginname=%user.loginname user.name=%user.name group.gid=%group.gid group.name=%group.name container.id=%container.id container.name=%container.name image=%container.image.repository)
+  priority: WARNING
+  tags: [process]

scripts/CMakeLists.txt

@@ -22,6 +22,9 @@ configure_file(debian/prerm.in debian/prerm)
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
 
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco_inject_kmod.service"
+	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
+
 configure_file(rpm/postinstall.in rpm/postinstall)
 configure_file(rpm/postuninstall.in rpm/postuninstall)
 configure_file(rpm/preuninstall.in rpm/preuninstall)
@@ -29,6 +32,9 @@ configure_file(rpm/preuninstall.in rpm/preuninstall)
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
 
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco_inject_kmod.service"
+	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
+
 configure_file(falco-driver-loader falco-driver-loader @ONLY)
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")

scripts/debian/falco.service

@@ -1,11 +1,12 @@
 [Unit]
 Description=Falco: Container Native Runtime Security
 Documentation=https://falco.org/docs/
+After=falco_inject_kmod.service
+Requires=falco_inject_kmod.service
 
 [Service]
 Type=simple
 User=root
-ExecStartPre=/sbin/modprobe falco
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
 ExecStopPost=/sbin/rmmod falco
 UMask=0077
@@ -17,6 +18,7 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
+ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 

scripts/debian/falco_inject_kmod.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Falco: Container Native Runtime Security
+Documentation=https://falco.org/docs/
+Before=falco.service
+Wants=falco.service
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/sbin/modprobe falco
+
+[Install]
+WantedBy=multi-user.target

scripts/falco-driver-loader

@@ -114,8 +114,7 @@ get_target_id() {
 		# Older CentOS distros
 		OS_ID=centos
 	else
-		>&2 echo "Detected an unsupported target system, please get in touch with the Falco community"
-		exit 1
+		return 1
 	fi
 
 	# Overwrite the OS_ID if /etc/VERSION file is present.
@@ -164,6 +163,7 @@ get_target_id() {
 		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
 		;;
 	esac
+	return 0
 }
 
 flatcar_relocate_tools() {
@@ -253,8 +253,6 @@ load_kernel_module_compile() {
 }
 
 load_kernel_module_download() {
-	get_target_id
-
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
 	local URL=$(echo "${1}/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
 
@@ -374,8 +372,6 @@ load_kernel_module() {
 
 	echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"
 
-	get_target_id
-
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
 	echo "* Filename '${FALCO_KERNEL_MODULE_FILENAME}' is composed of:"
 	print_filename_components
@@ -544,8 +540,6 @@ load_bpf_probe() {
 		mount -t debugfs nodev /sys/kernel/debug
 	fi
 
-	get_target_id
-
 	BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
 	echo "* Filename '${BPF_PROBE_FILENAME}' is composed of:"
 	print_filename_components
@@ -638,6 +632,8 @@ DRIVER_VERSION=${DRIVER_VERSION:-"@DRIVER_VERSION@"}
 DRIVER_NAME=${DRIVER_NAME:-"@DRIVER_NAME@"}
 FALCO_VERSION="@FALCO_VERSION@"
 
+TARGET_ID="placeholder" # when no target id can be fetched, we try to build the driver from source anyway, using a placeholder name
+
 DRIVER="module"
 if [ -v FALCO_BPF_PROBE ]; then
 	DRIVER="bpf"
@@ -711,6 +707,18 @@ if [ -z "$source_only" ]; then
 		exit 1
 	fi
 
+	get_target_id
+	res=$?
+	if [ $res != 0 ]; then
+		if [ -n "$ENABLE_COMPILE" ]; then
+			ENABLE_DOWNLOAD=
+			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community. Trying to compile anyway."
+		else
+			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community."
+			exit 1
+		fi
+	fi
+
 	if [ -n "$clean" ]; then
 		if [ -n "$has_opts" ]; then
 			>&2 echo "Cannot use --clean with other options"

scripts/rpm/falco.service

@@ -1,11 +1,12 @@
 [Unit]
 Description=Falco: Container Native Runtime Security
 Documentation=https://falco.org/docs/
+After=falco_inject_kmod.service
+Requires=falco_inject_kmod.service
 
 [Service]
 Type=simple
 User=root
-ExecStartPre=/sbin/modprobe falco
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
 ExecStopPost=/sbin/rmmod falco
 UMask=0077
@@ -17,6 +18,7 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
+ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null

scripts/rpm/falco_inject_kmod.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Falco: Container Native Runtime Security
+Documentation=https://falco.org/docs/
+Before=falco.service
+Wants=falco.service
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/sbin/modprobe falco
+
+[Install]
+WantedBy=multi-user.target

test/falco_tests.yaml

@@ -457,11 +457,6 @@ trace_files: !mux
         item_name: some macro
         code: LOAD_ERR_VALIDATE
         message: "Undefined macro 'foo' used in filter."
-    validate_warnings:
-      - item_type: macro
-        item_name: some macro
-        code: LOAD_UNUSED_MACRO
-        message: "Macro not referred to by any other rule/macro"
     validate_rules_file:
       - rules/invalid_overwrite_macro_multiple_docs.yaml
     trace_file: trace_files/cat_write.scap

tests/engine/test_falco_utils.cpp

@@ -14,7 +14,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 #include "falco_utils.h"
-#include <nonstd/string_view.hpp>
 #include <catch.hpp>
 
 TEST_CASE("is_unix_scheme matches", "[utils]")

tests/engine/test_filter_evttype_resolver.cpp

@@ -73,13 +73,15 @@ TEST_CASE("Should find event types from filter", "[rule_loader]")
 	set<uint16_t> not_close;
 	set<uint16_t> all_events;
 	set<uint16_t> no_events;
+
     for(uint32_t i = 2; i < PPM_EVENT_MAX; i++)
     {
         // Skip events that are unused.
-        if(g_infotables.m_event_info[i].flags & EF_UNUSED)
+        if(sinsp::is_unused_event(i))
         {
             continue;
         }
+
         all_events.insert(i);
         if(openat_only.find(i) == openat_only.end())
         {

tests/engine/test_filter_macro_resolver.cpp

@@ -20,9 +20,27 @@ limitations under the License.
 using namespace std;
 using namespace libsinsp::filter::ast;
 
+static pos_info create_pos(uint32_t idx, uint32_t line, uint32_t col)
+{
+	pos_info ret;
+	ret.idx = idx;
+	ret.line = line;
+	ret.col = col;
+
+	return ret;
+}
+
+static bool operator==(const pos_info& p1, const pos_info& p2)
+{
+	return (p1.idx == p2.idx) &&
+		(p1.line == p2.line) &&
+		(p1.col == p2.col);
+}
+
 TEST_CASE("Should resolve macros on a filter AST", "[rule_loader]")
 {
 	string macro_name = "test_macro";
+	pos_info macro_pos = create_pos(12, 85, 27);
 
 	SECTION("in the general case")
 	{
@@ -31,7 +49,7 @@ TEST_CASE("Should resolve macros on a filter AST", "[rule_loader]")
 
 		std::vector<std::unique_ptr<expr>> filter_and;
 		filter_and.push_back(unary_check_expr::create("evt.name", "", "exists"));
-		filter_and.push_back(not_expr::create(value_expr::create(macro_name)));
+		filter_and.push_back(not_expr::create(value_expr::create(macro_name, macro_pos)));
 		std::shared_ptr<expr> filter = std::move(and_expr::create(filter_and));
 
 		std::vector<std::unique_ptr<expr>> expected_and;
@@ -45,7 +63,8 @@ TEST_CASE("Should resolve macros on a filter AST", "[rule_loader]")
 		// first run
 		REQUIRE(resolver.run(filter) == true);
 		REQUIRE(resolver.get_resolved_macros().size() == 1);
-		REQUIRE(*resolver.get_resolved_macros().begin() == macro_name);
+		REQUIRE(resolver.get_resolved_macros().begin()->first == macro_name);
+		REQUIRE(resolver.get_resolved_macros().begin()->second == macro_pos);
 		REQUIRE(resolver.get_unknown_macros().empty());
 		REQUIRE(filter->is_equal(expected.get()));
 
@@ -61,7 +80,7 @@ TEST_CASE("Should resolve macros on a filter AST", "[rule_loader]")
 		std::shared_ptr<expr> macro = std::move(
 			unary_check_expr::create("test.field", "", "exists"));
 
-		std::shared_ptr<expr> filter = std::move(value_expr::create(macro_name));
+		std::shared_ptr<expr> filter = std::move(value_expr::create(macro_name, macro_pos));
 
 		filter_macro_resolver resolver;
 		resolver.set_macro(macro_name, macro);
@@ -71,7 +90,8 @@ TEST_CASE("Should resolve macros on a filter AST", "[rule_loader]")
 		REQUIRE(resolver.run(filter) == true);
 		REQUIRE(filter.get() != old_filter_ptr);
 		REQUIRE(resolver.get_resolved_macros().size() == 1);
-		REQUIRE(*resolver.get_resolved_macros().begin() == macro_name);
+		REQUIRE(resolver.get_resolved_macros().begin()->first == macro_name);
+		REQUIRE(resolver.get_resolved_macros().begin()->second == macro_pos);
 		REQUIRE(resolver.get_unknown_macros().empty());
 		REQUIRE(filter->is_equal(macro.get()));
 
@@ -89,14 +109,17 @@ TEST_CASE("Should resolve macros on a filter AST", "[rule_loader]")
 		string a_macro_name = macro_name + "_1";
 		string b_macro_name = macro_name + "_2";
 
+		pos_info a_macro_pos = create_pos(11, 75, 43);
+		pos_info b_macro_pos = create_pos(91, 21, 9);
+
 		std::shared_ptr<expr> a_macro = std::move(
 			unary_check_expr::create("one.field", "", "exists"));
 		std::shared_ptr<expr> b_macro = std::move(
 			unary_check_expr::create("another.field", "", "exists"));
 
 		std::vector<std::unique_ptr<expr>> filter_or;
-		filter_or.push_back(value_expr::create(a_macro_name));
-		filter_or.push_back(value_expr::create(b_macro_name));
+		filter_or.push_back(value_expr::create(a_macro_name, a_macro_pos));
+		filter_or.push_back(value_expr::create(b_macro_name, b_macro_pos));
 		std::shared_ptr<expr> filter = std::move(or_expr::create(filter_or));
 
 		std::vector<std::unique_ptr<expr>> expected_or;
@@ -111,11 +134,16 @@ TEST_CASE("Should resolve macros on a filter AST", "[rule_loader]")
 		// first run
 		REQUIRE(resolver.run(filter) == true);
 		REQUIRE(resolver.get_resolved_macros().size() == 2);
-		REQUIRE(resolver.get_resolved_macros().find(a_macro_name)
-				!= resolver.get_resolved_macros().end());
-		REQUIRE(resolver.get_resolved_macros().find(b_macro_name)
-				!= resolver.get_resolved_macros().end());
+		auto a_resolved_itr = resolver.get_resolved_macros().find(a_macro_name);
+		REQUIRE(a_resolved_itr != resolver.get_resolved_macros().end());
+		REQUIRE(a_resolved_itr->first == a_macro_name);
+		REQUIRE(a_resolved_itr->second == a_macro_pos);
+
+		auto b_resolved_itr = resolver.get_resolved_macros().find(b_macro_name);
+		REQUIRE(b_resolved_itr != resolver.get_resolved_macros().end());
 		REQUIRE(resolver.get_unknown_macros().empty());
+		REQUIRE(b_resolved_itr->first == b_macro_name);
+		REQUIRE(b_resolved_itr->second == b_macro_pos);
 		REQUIRE(filter->is_equal(expected_filter.get()));
 
 		// second run
@@ -130,15 +158,18 @@ TEST_CASE("Should resolve macros on a filter AST", "[rule_loader]")
 		string a_macro_name = macro_name + "_1";
 		string b_macro_name = macro_name + "_2";
 
+		pos_info a_macro_pos = create_pos(47, 1, 76);
+		pos_info b_macro_pos = create_pos(111, 65, 2);
+
 		std::vector<std::unique_ptr<expr>> a_macro_and;
 		a_macro_and.push_back(unary_check_expr::create("one.field", "", "exists"));
-		a_macro_and.push_back(value_expr::create(b_macro_name));
+		a_macro_and.push_back(value_expr::create(b_macro_name, b_macro_pos));
 		std::shared_ptr<expr> a_macro = std::move(and_expr::create(a_macro_and));
 
 		std::shared_ptr<expr> b_macro = std::move(
 			unary_check_expr::create("another.field", "", "exists"));
 
-		std::shared_ptr<expr> filter = std::move(value_expr::create(a_macro_name));
+		std::shared_ptr<expr> filter = std::move(value_expr::create(a_macro_name, a_macro_pos));
 
 		std::vector<std::unique_ptr<expr>> expected_and;
 		expected_and.push_back(unary_check_expr::create("one.field", "", "exists"));
@@ -152,10 +183,17 @@ TEST_CASE("Should resolve macros on a filter AST", "[rule_loader]")
 		// first run
 		REQUIRE(resolver.run(filter) == true);
 		REQUIRE(resolver.get_resolved_macros().size() == 2);
-		REQUIRE(resolver.get_resolved_macros().find(a_macro_name)
-				!= resolver.get_resolved_macros().end());
-		REQUIRE(resolver.get_resolved_macros().find(b_macro_name)
-				!= resolver.get_resolved_macros().end());
+		auto a_resolved_itr = resolver.get_resolved_macros().find(a_macro_name);
+		REQUIRE(a_resolved_itr != resolver.get_resolved_macros().end());
+		REQUIRE(a_resolved_itr->first == a_macro_name);
+		REQUIRE(a_resolved_itr->second == a_macro_pos);
+
+		auto b_resolved_itr = resolver.get_resolved_macros().find(b_macro_name);
+		REQUIRE(b_resolved_itr != resolver.get_resolved_macros().end());
+		REQUIRE(resolver.get_unknown_macros().empty());
+		REQUIRE(b_resolved_itr->first == b_macro_name);
+		REQUIRE(b_resolved_itr->second == b_macro_pos);
+
 		REQUIRE(resolver.get_unknown_macros().empty());
 		REQUIRE(filter->is_equal(expected_filter.get()));
 
@@ -170,18 +208,20 @@ TEST_CASE("Should resolve macros on a filter AST", "[rule_loader]")
 TEST_CASE("Should find unknown macros", "[rule_loader]")
 {
 	string macro_name = "test_macro";
+	pos_info macro_pos = create_pos(9, 4, 2);
 
 	SECTION("in the general case")
 	{
 		std::vector<std::unique_ptr<expr>> filter_and;
 		filter_and.push_back(unary_check_expr::create("evt.name", "", "exists"));
-		filter_and.push_back(not_expr::create(value_expr::create(macro_name)));
+		filter_and.push_back(not_expr::create(value_expr::create(macro_name, macro_pos)));
 		std::shared_ptr<expr> filter = std::move(and_expr::create(filter_and));
 
 		filter_macro_resolver resolver;
 		REQUIRE(resolver.run(filter) == false);
 		REQUIRE(resolver.get_unknown_macros().size() == 1);
-		REQUIRE(*resolver.get_unknown_macros().begin() == macro_name);
+		REQUIRE(resolver.get_unknown_macros().begin()->first == macro_name);
+		REQUIRE(resolver.get_unknown_macros().begin()->second == macro_pos);
 		REQUIRE(resolver.get_resolved_macros().empty());
 	}
 
@@ -190,12 +230,15 @@ TEST_CASE("Should find unknown macros", "[rule_loader]")
 		string a_macro_name = macro_name + "_1";
 		string b_macro_name = macro_name + "_2";
 
+		pos_info a_macro_pos = create_pos(32, 84, 9);
+		pos_info b_macro_pos = create_pos(1, 0, 5);
+
 		std::vector<std::unique_ptr<expr>> a_macro_and;
 		a_macro_and.push_back(unary_check_expr::create("one.field", "", "exists"));
-		a_macro_and.push_back(value_expr::create(b_macro_name));
+		a_macro_and.push_back(value_expr::create(b_macro_name, b_macro_pos));
 		std::shared_ptr<expr> a_macro = std::move(and_expr::create(a_macro_and));
 
-		std::shared_ptr<expr> filter = std::move(value_expr::create(a_macro_name));
+		std::shared_ptr<expr> filter = std::move(value_expr::create(a_macro_name, a_macro_pos));
 		auto expected_filter = clone(a_macro.get());
 
 		filter_macro_resolver resolver;
@@ -204,9 +247,11 @@ TEST_CASE("Should find unknown macros", "[rule_loader]")
 		// first run
 		REQUIRE(resolver.run(filter) == true);
 		REQUIRE(resolver.get_resolved_macros().size() == 1);
-		REQUIRE(*resolver.get_resolved_macros().begin() == a_macro_name);
+		REQUIRE(resolver.get_resolved_macros().begin()->first == a_macro_name);
+		REQUIRE(resolver.get_resolved_macros().begin()->second == a_macro_pos);
 		REQUIRE(resolver.get_unknown_macros().size() == 1);
-		REQUIRE(*resolver.get_unknown_macros().begin() == b_macro_name);
+		REQUIRE(resolver.get_unknown_macros().begin()->first == b_macro_name);
+		REQUIRE(resolver.get_unknown_macros().begin()->second == b_macro_pos);
 		REQUIRE(filter->is_equal(expected_filter.get()));
 	}
 }
@@ -214,15 +259,19 @@ TEST_CASE("Should find unknown macros", "[rule_loader]")
 TEST_CASE("Should undefine macro", "[rule_loader]")
 {
 	string macro_name = "test_macro";
+	pos_info macro_pos_1 = create_pos(12, 9, 3);
+	pos_info macro_pos_2 = create_pos(9, 6, 3);
+
 	std::shared_ptr<expr> macro = std::move(unary_check_expr::create("test.field", "", "exists"));
-	std::shared_ptr<expr> a_filter = std::move(value_expr::create(macro_name));
-	std::shared_ptr<expr> b_filter = std::move(value_expr::create(macro_name));
+	std::shared_ptr<expr> a_filter = std::move(value_expr::create(macro_name, macro_pos_1));
+	std::shared_ptr<expr> b_filter = std::move(value_expr::create(macro_name, macro_pos_2));
 	filter_macro_resolver resolver;
 
 	resolver.set_macro(macro_name, macro);
 	REQUIRE(resolver.run(a_filter) == true);
 	REQUIRE(resolver.get_resolved_macros().size() == 1);
-	REQUIRE(*resolver.get_resolved_macros().begin() == macro_name);
+	REQUIRE(resolver.get_resolved_macros().begin()->first == macro_name);
+	REQUIRE(resolver.get_resolved_macros().begin()->second == macro_pos_1);
 	REQUIRE(resolver.get_unknown_macros().empty());
 	REQUIRE(a_filter->is_equal(macro.get()));
 
@@ -230,21 +279,24 @@ TEST_CASE("Should undefine macro", "[rule_loader]")
 	REQUIRE(resolver.run(b_filter) == false);
 	REQUIRE(resolver.get_resolved_macros().empty());
 	REQUIRE(resolver.get_unknown_macros().size() == 1);
-	REQUIRE(*resolver.get_unknown_macros().begin() == macro_name);
+	REQUIRE(resolver.get_unknown_macros().begin()->first == macro_name);
+	REQUIRE(resolver.get_unknown_macros().begin()->second == macro_pos_2);
 }
 
 // checks that the macro AST is cloned and not shared across resolved filters
 TEST_CASE("Should clone macro AST", "[rule_loader]")
 {
 	string macro_name = "test_macro";
+	pos_info macro_pos = create_pos(5, 2, 8888);
 	std::shared_ptr<unary_check_expr> macro = std::move(unary_check_expr::create("test.field", "", "exists"));
-	std::shared_ptr<expr> filter = std::move(value_expr::create(macro_name));
+	std::shared_ptr<expr> filter = std::move(value_expr::create(macro_name, macro_pos));
 	filter_macro_resolver resolver;
-	
+
 	resolver.set_macro(macro_name, macro);
 	REQUIRE(resolver.run(filter) == true);
 	REQUIRE(resolver.get_resolved_macros().size() == 1);
-	REQUIRE(*resolver.get_resolved_macros().begin() == macro_name);
+	REQUIRE(resolver.get_resolved_macros().begin()->first == macro_name);
+	REQUIRE(resolver.get_resolved_macros().begin()->second == macro_pos);
 	REQUIRE(resolver.get_unknown_macros().empty());
 	REQUIRE(filter->is_equal(macro.get()));
 

tests/engine/test_rulesets.cpp

@@ -27,30 +27,51 @@ static uint16_t other_non_default_ruleset = 2;
 static std::set<std::string> tags = {"some_tag", "some_other_tag"};
 static std::set<uint16_t> evttypes = { ppm_event_type::PPME_GENERIC_E };
 
-static std::shared_ptr<libsinsp::filter::ast::expr> create_filter()
+static std::shared_ptr<gen_event_filter_factory> create_factory()
 {
-	libsinsp::filter::parser parser("evt.type=open");
-	std::shared_ptr<libsinsp::filter::ast::expr> ret(parser.parse());
+	std::shared_ptr<gen_event_filter_factory> ret(new sinsp_filter_factory(NULL));
+
 	return ret;
 }
 
-static std::shared_ptr<filter_ruleset> create_ruleset()
+static std::shared_ptr<libsinsp::filter::ast::expr> create_ast(
+	std::shared_ptr<gen_event_filter_factory> f)
+{
+	libsinsp::filter::parser parser("evt.type=open");
+	std::shared_ptr<libsinsp::filter::ast::expr> ret(parser.parse());
+
+	return ret;
+}
+
+static std::shared_ptr<gen_event_filter> create_filter(
+	std::shared_ptr<gen_event_filter_factory> f,
+	std::shared_ptr<libsinsp::filter::ast::expr> ast)
+{
+	sinsp_filter_compiler compiler(f, ast.get());
+	std::shared_ptr<gen_event_filter> filter(compiler.compile());
+
+	return filter;
+}
+
+static std::shared_ptr<filter_ruleset> create_ruleset(
+	std::shared_ptr<gen_event_filter_factory> f)
 {
-	std::shared_ptr<gen_event_filter_factory> f(new sinsp_filter_factory(NULL));
 	std::shared_ptr<filter_ruleset> ret(new evttype_index_ruleset(f));
 	return ret;
 }
 
 TEST_CASE("Should enable/disable on ruleset", "[rulesets]")
 {
-	auto r = create_ruleset();
-	auto filter = create_filter();
+	auto f = create_factory();
+	auto r = create_ruleset(f);
+	auto ast = create_ast(f);
+	auto filter = create_filter(f, ast);
 	falco_rule rule;
 	rule.name = "one_rule";
 	rule.source = falco_common::syscall_source;
 	rule.tags = tags;
 
-	r->add(rule, filter);
+	r->add(rule, filter, ast);
 
 	SECTION("Should enable/disable for exact match w/ default ruleset")
 	{
@@ -184,21 +205,23 @@ TEST_CASE("Should enable/disable on ruleset", "[rulesets]")
 
 TEST_CASE("Should enable/disable on ruleset for incremental adding tags", "[rulesets]")
 {
-	auto r = create_ruleset();
+	auto f = create_factory();
+	auto r = create_ruleset(f);
+	auto ast = create_ast(f);
 
-	auto rule1_filter = create_filter();
+	auto rule1_filter = create_filter(f, ast);
 	falco_rule rule1;
 	rule1.name = "one_rule";
 	rule1.source = falco_common::syscall_source;
 	rule1.tags =  {"rule1_tag"};
-	r->add(rule1, rule1_filter);
+	r->add(rule1, rule1_filter, ast);
 
-	auto rule2_filter = create_filter();
+	auto rule2_filter = create_filter(f, ast);
 	falco_rule rule2;
 	rule2.name = "two_rule";
 	rule2.source = falco_common::syscall_source;
 	rule2.tags =  {"rule2_tag"};
-	r->add(rule2, rule2_filter);
+	r->add(rule2, rule2_filter, ast);
 
 	std::set<std::string> want_tags;
 

userspace/engine/CMakeLists.txt

@@ -28,7 +28,6 @@ set(FALCO_ENGINE_SOURCE_FILES
     rule_loader_compiler.cpp)
 
 add_library(falco_engine STATIC ${FALCO_ENGINE_SOURCE_FILES})
-add_dependencies(falco_engine njson string-view-lite)
 
 if(USE_BUNDLED_DEPS)
   add_dependencies(falco_engine yamlcpp)
@@ -40,7 +39,6 @@ if(MINIMAL_BUILD)
     PUBLIC
       "${NJSON_INCLUDE}"
       "${TBB_INCLUDE_DIR}"
-      "${STRING_VIEW_LITE_INCLUDE}"
       "${LIBSCAP_INCLUDE_DIRS}"
       "${LIBSINSP_INCLUDE_DIRS}"
       "${YAMLCPP_INCLUDE_DIR}"
@@ -51,7 +49,6 @@ else()
     PUBLIC
       "${NJSON_INCLUDE}"
       "${TBB_INCLUDE_DIR}"
-      "${STRING_VIEW_LITE_INCLUDE}"
       "${LIBSCAP_INCLUDE_DIRS}"
       "${LIBSINSP_INCLUDE_DIRS}"
       "${YAMLCPP_INCLUDE_DIR}"

userspace/engine/evttype_index_ruleset.cpp

@@ -153,12 +153,11 @@ void evttype_index_ruleset::ruleset_filters::evttypes_for_ruleset(std::set<uint1
 
 void evttype_index_ruleset::add(
 		const falco_rule& rule,
+		std::shared_ptr<gen_event_filter> filter,
 		std::shared_ptr<libsinsp::filter::ast::expr> condition)
 {
 	try
 	{
-		sinsp_filter_compiler compiler(m_filter_factory, condition.get());
-		shared_ptr<gen_event_filter> filter(compiler.compile());
 		std::shared_ptr<filter_wrapper> wrap(new filter_wrapper());
 		wrap->rule = rule;
 		wrap->filter = filter;

userspace/engine/evttype_index_ruleset.h

@@ -41,6 +41,7 @@ public:
 
 	void add(
 		const falco_rule& rule,
+		std::shared_ptr<gen_event_filter> filter,
 		std::shared_ptr<libsinsp::filter::ast::expr> condition) override;
 
 	void clear() override;

userspace/engine/falco_engine.cpp

@@ -237,7 +237,7 @@ std::unique_ptr<load_result> falco_engine::load_rules_file(const string &rules_f
 
 		res->add_error(load_result::LOAD_ERR_FILE_READ, e.what(), ctx);
 
-		return std::move(res);
+		return res;
 	}
 
 	return load_rules(rules_content, rules_filename);
@@ -346,6 +346,11 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t so
 
 	if(source_idx == m_syscall_source_idx)
 	{
+		if(m_syscall_source == NULL)
+		{
+			m_syscall_source = find_source(m_syscall_source_idx);
+		}
+
 		source = m_syscall_source;
 	}
 	else
@@ -387,7 +392,6 @@ std::size_t falco_engine::add_source(const std::string &source,
 	if(source == falco_common::syscall_source)
 	{
 		m_syscall_source_idx = idx;
-		m_syscall_source = find_source(m_syscall_source_idx);
 	}
 
 	return idx;

userspace/engine/falco_source.h

@@ -31,12 +31,14 @@ struct falco_source
 	falco_source& operator = (falco_source&&) = default;
 	falco_source(const falco_source& s):
 		name(s.name),
+		ruleset(s.ruleset),
 		ruleset_factory(s.ruleset_factory),
 		filter_factory(s.filter_factory),
 		formatter_factory(s.formatter_factory) { };
 	falco_source& operator = (const falco_source& s)
 	{
 		name = s.name;
+		ruleset = s.ruleset;
 		ruleset_factory = s.ruleset_factory;
 		filter_factory = s.filter_factory;
 		formatter_factory = s.formatter_factory;

userspace/engine/falco_utils.cpp

@@ -20,6 +20,7 @@ limitations under the License.
 #include <iomanip>
 
 #include "falco_utils.h"
+#include "utils.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 
 namespace falco
@@ -75,9 +76,9 @@ void readfile(const std::string& filename, std::string& data)
 }
 namespace network
 {
-bool is_unix_scheme(nonstd::string_view url)
+bool is_unix_scheme(const std::string& url)
 {
-	return url.starts_with(UNIX_SCHEME);
+	return sinsp_utils::startswith(url, UNIX_SCHEME);
 }
 } // namespace network
 } // namespace utils

userspace/engine/falco_utils.h

@@ -24,7 +24,6 @@ limitations under the License.
 #include <iostream>
 #include <string>
 #include <thread>
-#include <nonstd/string_view.hpp>
 
 #ifdef __GNUC__
 #define likely(x) __builtin_expect(!!(x), 1)
@@ -49,7 +48,7 @@ uint32_t hardware_concurrency();
 namespace network
 {
 static const std::string UNIX_SCHEME("unix://");
-bool is_unix_scheme(nonstd::string_view url);
+bool is_unix_scheme(const std::string& url);
 } // namespace network
 } // namespace utils
 } // namespace falco

userspace/engine/filter_evttype_resolver.cpp

@@ -32,7 +32,6 @@ size_t falco_event_types::get_ppm_event_max()
 	return PPM_EVENT_MAX;
 }
 
-
 void filter_evttype_resolver::visitor::inversion(falco_event_types& types)
 {
 	falco_event_types all_types;
@@ -51,8 +50,7 @@ void filter_evttype_resolver::visitor::evttypes(const std::string& evtname, falc
 	for(uint16_t i = 2; i < PPM_EVENT_MAX; i++)
 	{
 		// Skip unused events or events not matching the requested evtname
-		if(!(etable[i].flags & EF_UNUSED)
-			&& (evtname.empty() || std::string(etable[i].name) == evtname))
+		if(!sinsp::is_unused_event(i) && (evtname.empty() || std::string(etable[i].name) == evtname))
 		{
 			out.insert(i);
 		}

userspace/engine/filter_macro_resolver.cpp

@@ -21,12 +21,10 @@ using namespace libsinsp::filter;
 
 bool filter_macro_resolver::run(libsinsp::filter::ast::expr*& filter)
 {
-	visitor v;
 	m_unknown_macros.clear();
 	m_resolved_macros.clear();
-	v.m_unknown_macros = &m_unknown_macros;
-	v.m_resolved_macros = &m_resolved_macros;
-	v.m_macros = &m_macros;
+
+	visitor v(m_unknown_macros, m_resolved_macros, m_macros);
 	v.m_node_substitute = nullptr;
 	filter->accept(&v);
 	if (v.m_node_substitute)
@@ -39,12 +37,10 @@ bool filter_macro_resolver::run(libsinsp::filter::ast::expr*& filter)
 
 bool filter_macro_resolver::run(std::shared_ptr<libsinsp::filter::ast::expr>& filter)
 {
-	visitor v;
 	m_unknown_macros.clear();
 	m_resolved_macros.clear();
-	v.m_unknown_macros = &m_unknown_macros;
-	v.m_resolved_macros = &m_resolved_macros;
-	v.m_macros = &m_macros;
+
+	visitor v(m_unknown_macros, m_resolved_macros, m_macros);
 	v.m_node_substitute = nullptr;
 	filter->accept(&v);
 	if (v.m_node_substitute)
@@ -61,12 +57,12 @@ void filter_macro_resolver::set_macro(
 	m_macros[name] = macro;
 }
 
-const unordered_set<string>& filter_macro_resolver::get_unknown_macros() const
+const filter_macro_resolver::macro_info_map& filter_macro_resolver::get_unknown_macros() const
 {
 	return m_unknown_macros;
 }
 
-const unordered_set<string>& filter_macro_resolver::get_resolved_macros() const
+const filter_macro_resolver::macro_info_map& filter_macro_resolver::get_resolved_macros() const
 {
 	return m_resolved_macros;
 }
@@ -129,8 +125,8 @@ void filter_macro_resolver::visitor::visit(ast::value_expr* e)
 	// we are supposed to get here only in case
 	// of identier-only children from either a 'not',
 	// an 'and' or an 'or'.
-	auto macro = m_macros->find(e->value);
-	if (macro != m_macros->end() && macro->second) // skip null-ptr macros
+	auto macro = m_macros.find(e->value);
+	if (macro != m_macros.end() && macro->second) // skip null-ptr macros
 	{
 		m_node_substitute = nullptr;
 		auto new_node = ast::clone(macro->second.get());
@@ -141,11 +137,11 @@ void filter_macro_resolver::visitor::visit(ast::value_expr* e)
 		{
 			m_node_substitute = std::move(new_node);
 		}
-		m_resolved_macros->insert(e->value);
+		m_resolved_macros[e->value] = e->get_pos();
 	}
 	else
 	{
 		m_node_substitute = nullptr;
-		m_unknown_macros->insert(e->value);
+		m_unknown_macros[e->value] = e->get_pos();
 	}
 }

userspace/engine/filter_macro_resolver.h

@@ -40,7 +40,7 @@ class filter_macro_resolver
 			\return true if at least one of the defined macros is resolved
 		*/
 		bool run(libsinsp::filter::ast::expr*& filter);
-		
+
 		/*!
 			\brief Version of run() that works with shared pointers
 		*/
@@ -58,12 +58,17 @@ class filter_macro_resolver
 			std::string name,
 			std::shared_ptr<libsinsp::filter::ast::expr> macro);
 
+		/*!
+		        \brief used in get_{resolved,unknown}_macros
+		*/
+		typedef std::unordered_map<std::string,libsinsp::filter::ast::pos_info> macro_info_map;
+
 		/*!
 			\brief Returns a set containing the names of all the macros
 			substituted during the last invocation of run(). Should be
 			non-empty if the last invocation of run() returned true.
 		*/
-		const std::unordered_set<std::string>& get_resolved_macros() const;
+		const macro_info_map& get_resolved_macros() const;
 
 		/*!
 			\brief Returns a set containing the names of all the macros
@@ -71,8 +76,8 @@ class filter_macro_resolver
 			A macro remains unresolved if it is found inside the processed
 			filter but it was not defined with set_macro();
 		*/
-		const std::unordered_set<std::string>& get_unknown_macros() const;
-		
+		const macro_info_map& get_unknown_macros() const;
+
 	private:
 		typedef std::unordered_map<
 			std::string,
@@ -81,16 +86,18 @@ class filter_macro_resolver
 
 		struct visitor : public libsinsp::filter::ast::expr_visitor
 		{
-			visitor() = default;
+			visitor(macro_info_map& unknown_macros, macro_info_map& resolved_macros, macro_defs& macros)
+				: m_unknown_macros(unknown_macros), m_resolved_macros(resolved_macros), m_macros(macros) {}
 			visitor(visitor&&) = default;
 			visitor& operator = (visitor&&) = default;
 			visitor(const visitor&) = delete;
 			visitor& operator = (const visitor&) = delete;
 
 			std::unique_ptr<libsinsp::filter::ast::expr> m_node_substitute;
-			std::unordered_set<std::string>* m_unknown_macros;
-			std::unordered_set<std::string>* m_resolved_macros;
-			macro_defs* m_macros;
+			macro_info_map& m_unknown_macros;
+			macro_info_map& m_resolved_macros;
+
+			macro_defs& m_macros;
 
 			void visit(libsinsp::filter::ast::and_expr* e) override;
 			void visit(libsinsp::filter::ast::or_expr* e) override;
@@ -101,7 +108,7 @@ class filter_macro_resolver
 			void visit(libsinsp::filter::ast::binary_check_expr* e) override;
 		};
 
-		std::unordered_set<std::string> m_unknown_macros;
-		std::unordered_set<std::string> m_resolved_macros;
+		macro_info_map m_unknown_macros;
+		macro_info_map m_resolved_macros;
 		macro_defs m_macros;
 };

userspace/engine/filter_ruleset.h

@@ -32,16 +32,20 @@ public:
 	virtual ~filter_ruleset() = default;
 
 	/*!
-		\brief Adds a rule and its filtering condition inside the manager.
-		An exception is thrown is case of error. This method only adds the rule
-		inside the internal collection, but does not enable it for any ruleset.
-		The rule must be enabled for one or more rulesets with the enable() or
-		enable_tags() methods.
+		\brief Adds a rule and its filtering filter + condition inside the manager.
+	        This method only adds the rule inside the internal collection,
+		but does not enable it for any ruleset.	The rule must be enabled
+		for one or more rulesets with the enable() or enable_tags() methods.
+		The ast representation of the rule's condition is provided to allow
+		the filter_ruleset object to parse the ast to obtain event types
+		or do other analysis/indexing of the condition.
 		\param rule The rule to be added
+		\param the filter representing the rule's filtering condition.
 		\param condition The AST representing the rule's filtering condition
 	*/
 	virtual void add(
 		const falco_rule& rule,
+		std::shared_ptr<gen_event_filter> filter,
 		std::shared_ptr<libsinsp::filter::ast::expr> condition) = 0;
 
 	/*!

userspace/engine/filter_warning_resolver.h

@@ -48,7 +48,7 @@ public:
 private:
 	struct visitor : public libsinsp::filter::ast::base_expr_visitor
 	{
-		visitor(): m_is_equality_check(false) {}
+		visitor(): m_is_equality_check(false), m_warnings(nullptr) {}
 		visitor(visitor&&) = default;
 		visitor& operator = (visitor&&) = default;
 		visitor(const visitor&) = delete;

userspace/engine/rule_loader.cpp

@@ -58,7 +58,7 @@ rule_loader::context::context(const std::string& name)
 
 rule_loader::context::context(const YAML::Node &item,
 			      const item_type item_type,
-			      const std::string item_name,
+			      const std::string& item_name,
 			      const context& parent)
 {
 	init(parent.name(), position(item.Mark()), item_type, item_name, parent);
@@ -73,7 +73,10 @@ rule_loader::context::context(const libsinsp::filter::ast::pos_info& pos,
 	// Contexts based on conditions don't use the
 	// filename. Instead the "name" is just the condition, and
 	// uses a short prefix of the condition.
-	std::string name = "\"" + condition.substr(0, 20) + "...\"";
+	std::string name = "\"" + (
+		condition.length() > 20
+		? condition.substr(0, 20 - 3) + "...\""
+		: condition + "\"");
 	std::replace(name.begin(), name.end(), '\n', ' ');
 	std::replace(name.begin(), name.end(), '\r', ' ');
 
@@ -105,7 +108,7 @@ const std::string& rule_loader::context::name() const
 void rule_loader::context::init(const std::string& name,
 				const position& pos,
 				const item_type item_type,
-				const std::string item_name,
+				const std::string& item_name,
 				const context& parent)
 {
 	// Copy parent locations
@@ -207,13 +210,12 @@ std::string rule_loader::context::snippet(const falco::load_result::rules_conten
 		return "<No context available>\n";
 	}
 
-	size_t from = loc.pos.pos;
-
 	// In some cases like this, where the content ends with a
 	// dangling property value:
 	//   tags:
 	// The YAML::Mark position can be past the end of the file.
-	for(; from > 0 && from >= snip_content.size(); from--);
+	size_t pos = loc.pos.pos;
+	for(; pos > 0 && (pos >= snip_content.size() || snip_content.at(pos) == '\n'); pos--);
 
 	// The snippet is generally the line that contains the
 	// position. So walk backwards from pos to the preceding
@@ -223,36 +225,37 @@ std::string rule_loader::context::snippet(const falco::load_result::rules_conten
 	// However, some lines can be very very long, so the walk
 	// forwards/walk backwards is capped at a maximum of
 	// snippet_width/2 characters in either direction.
-	for(; from > 0 && snip_content.at(from) != '\n' && (loc.pos.pos - from) < (snippet_width/2); from--);
+	size_t from = pos;
+	for(; from > 0 && snip_content.at(from) != '\n' && (pos - from) < (snippet_width/2); from--);
 
-	size_t to = loc.pos.pos;
-	for(; to < snip_content.size()-1 && snip_content.at(to) != '\n' && (to - loc.pos.pos) < (snippet_width/2); to++);
+	size_t to = pos;
+	for(; to < snip_content.size()-1 && snip_content.at(to) != '\n' && (to - pos) < (snippet_width/2); to++);
 
 	// Don't include the newlines
-	if(snip_content.at(from) == '\n')
+	if(from < snip_content.size() && snip_content.at(from) == '\n')
 	{
 		from++;
 	}
-	if(snip_content.at(to) == '\n')
+	if(to < snip_content.size() && snip_content.at(to) == '\n')
 	{
 		to--;
 	}
 
 	std::string ret = snip_content.substr(from, to-from+1);
 
-	if(snip_content.empty())
+	if(ret.empty())
 	{
 		return "<No context available>\n";
 	}
 
 	// Replace the initial/end characters with '...' if the walk
 	// forwards/backwards was incomplete
-	if(loc.pos.pos - from >= (snippet_width/2))
+	if(pos - from >= (snippet_width/2))
 	{
 		ret.replace(0, 3, "...");
 	}
 
-	if(to - loc.pos.pos >= (snippet_width/2))
+	if(to - pos >= (snippet_width/2))
 	{
 		ret.replace(ret.size()-3, 3, "...");
 	}
@@ -260,7 +263,10 @@ std::string rule_loader::context::snippet(const falco::load_result::rules_conten
 	ret += "\n";
 
 	// Add a blank line with a marker at the position within the snippet
-	ret += std::string(loc.pos.pos-from, ' ') + '^' + "\n";
+	if(pos-from <= ret.size() - 1)
+	{
+		ret += std::string(pos-from, ' ') + '^' + "\n";
+	}
 
 	return ret;
 }
@@ -540,7 +546,7 @@ rule_loader::rule_info::rule_info(context &ctx)
 {
 }
 
-rule_loader::rule_load_exception::rule_load_exception(falco::load_result::error_code ec, std::string msg, const context& ctx)
+rule_loader::rule_load_exception::rule_load_exception(falco::load_result::error_code ec, const std::string& msg, const context& ctx)
 	: ec(ec), msg(msg), ctx(ctx)
 {
 }

userspace/engine/rule_loader.h

@@ -64,7 +64,7 @@ namespace rule_loader
 		struct position
 		{
 			position() : pos(0), line(0), column(0) {};
-			position(const YAML::Mark& mark) : pos(mark.pos), line(mark.line), column(mark.column) {};
+			explicit position(const YAML::Mark& mark) : pos(mark.pos), line(mark.line), column(mark.column) {};
 			~position() = default;
 			position(position&&) = default;
 			position& operator = (position&&) = default;
@@ -80,10 +80,10 @@ namespace rule_loader
 		{
 			location(): item_type(context::item_type::VALUE_FOR) {}
 			location(
-				const std::string n,
+				const std::string& n,
 				const position& p,
 				context::item_type i,
-				const std::string in):
+				const std::string& in):
 					name(n), pos(p), item_type(i), item_name(in) {}
 			location(location&&) = default;
 			location& operator = (location&&) = default;
@@ -108,10 +108,10 @@ namespace rule_loader
 			std::string item_name;
 		};
 
-		context(const std::string& name);
+		explicit context(const std::string& name);
 		context(const YAML::Node& item,
 			item_type item_type,
-			const std::string item_name,
+			const std::string& item_name,
 			const context& parent);
 
 		// Build a context from a condition expression +
@@ -152,7 +152,7 @@ namespace rule_loader
 		void init(const std::string& name,
 			  const position& pos,
 			  const item_type item_type,
-			  const std::string item_name,
+			  const std::string& item_name,
 			  const context& parent);
 
 		// A chain of locations from the current item, its
@@ -167,7 +167,7 @@ namespace rule_loader
 
 	struct warning
 	{
-		warning(): ctx("no-filename-given") {}
+		warning(): wc(falco::load_result::warning_code::LOAD_UNKNOWN_SOURCE), ctx("no-filename-given") {}
 		warning(
 			falco::load_result::warning_code w,
 			const std::string& m,
@@ -184,7 +184,7 @@ namespace rule_loader
 
 	struct error
 	{
-		error(): ctx("no-filename-given") {}
+		error(): ec(falco::load_result::error_code::LOAD_ERR_FILE_READ), ctx("no-filename-given") {}
 		error(
 			falco::load_result::error_code e,
 			const std::string& m,
@@ -202,7 +202,7 @@ namespace rule_loader
 	class rule_load_exception : public std::exception
 	{
 	public:
-		rule_load_exception(falco::load_result::error_code ec, std::string msg, const context& ctx);
+		rule_load_exception(falco::load_result::error_code ec, const std::string& msg, const context& ctx);
 		virtual ~rule_load_exception();
 		rule_load_exception(rule_load_exception&&) = default;
 		rule_load_exception& operator = (rule_load_exception&&) = default;
@@ -267,7 +267,7 @@ namespace rule_loader
 		explicit configuration(
 			const std::string& cont,
 			const indexed_vector<falco_source>& srcs,
-			std::string name)
+			const std::string& name)
 				: content(cont), sources(srcs), name(name),
 				  default_ruleset_id(0), replace_output_container_info(false),
 				  min_priority(falco_common::PRIORITY_DEBUG)
@@ -313,7 +313,7 @@ namespace rule_loader
 		struct requirement
 		{
 			requirement() = default;
-			requirement(const std::string n, const std::string v):
+			requirement(const std::string& n, const std::string& v):
 				name(n), version(v) { }
 			requirement(requirement&&) = default;
 			requirement& operator = (requirement&&) = default;

userspace/engine/rule_loader_compiler.cpp

@@ -234,6 +234,7 @@ static bool resolve_list(std::string& cnd, const rule_loader::list_info& list)
 static void resolve_macros(
 	indexed_vector<rule_loader::macro_info>& macros,
 	std::shared_ptr<ast::expr>& ast,
+	const std::string& condition,
 	uint32_t visibility,
 	const rule_loader::context &ctx)
 {
@@ -248,15 +249,22 @@ static void resolve_macros(
 	macro_resolver.run(ast);
 
 	// Note: only complaining about the first unknown macro
-	THROW(!macro_resolver.get_unknown_macros().empty(),
-	      std::string("Undefined macro '")
-	      + *macro_resolver.get_unknown_macros().begin()
-	      + "' used in filter.",
-	      ctx);
-
-	for (auto &m : macro_resolver.get_resolved_macros())
+	const filter_macro_resolver::macro_info_map& unresolved_macros = macro_resolver.get_unknown_macros();
+	if(!unresolved_macros.empty())
 	{
-		macros.at(m)->used = true;
+		auto it = unresolved_macros.begin();
+		const rule_loader::context cond_ctx(it->second, condition, ctx);
+
+		THROW(true,
+		      std::string("Undefined macro '")
+		                    + it->first
+		      + "' used in filter.",
+		      cond_ctx);
+	}
+
+	for (auto &it : macro_resolver.get_resolved_macros())
+	{
+		macros.at(it.first)->used = true;
 	}
 }
 
@@ -363,7 +371,7 @@ void rule_loader::compiler::compile_macros_infos(
 
 	for (auto &m : out)
 	{
-		resolve_macros(out, m.cond_ast, m.visibility, m.ctx);
+		resolve_macros(out, m.cond_ast, m.cond, m.visibility, m.ctx);
 	}
 }
 
@@ -404,7 +412,7 @@ void rule_loader::compiler::compile_rule_infos(
 				r.exceptions, rule.exception_fields, condition);
 		}
 		auto ast = parse_condition(condition, lists, r.cond_ctx);
-		resolve_macros(macros, ast, MAX_VISIBILITY, r.ctx);
+		resolve_macros(macros, ast, condition, MAX_VISIBILITY, r.ctx);
 
 		// check for warnings in the filtering condition
 		warn_codes.clear();
@@ -444,10 +452,12 @@ void rule_loader::compiler::compile_rule_infos(
 		// This also compiles the filter, and might throw a
 		// falco_exception with details on the compilation
 		// failure.
+		sinsp_filter_compiler compiler(cfg.sources.at(r.source)->filter_factory, ast.get());
 		try {
-			source->ruleset->add(*out.at(rule_id), ast);
+			shared_ptr<gen_event_filter> filter(compiler.compile());
+			source->ruleset->add(*out.at(rule_id), filter, ast);
 		}
-		catch (const falco_exception& e)
+		catch (const sinsp_exception& e)
 		{
 			// Allow errors containing "nonexistent field" if
 			// skip_if_unknown_filter is true
@@ -463,10 +473,14 @@ void rule_loader::compiler::compile_rule_infos(
 			}
 			else
 			{
+				rule_loader::context ctx(compiler.get_pos(),
+							 condition,
+							 r.cond_ctx);
+
 				throw rule_loader::rule_load_exception(
 					falco::load_result::load_result::LOAD_ERR_COMPILE_CONDITION,
 					e.what(),
-					r.cond_ctx);
+					ctx);
 			}
 		}
 
@@ -516,6 +530,7 @@ void rule_loader::compiler::compile(
 	catch(rule_load_exception &e)
 	{
 		cfg.res->add_error(e.ec, e.msg, e.ctx);
+		return;
 	}
 
 	// print info on any dangling lists or macros that were not used anywhere

userspace/falco/CMakeLists.txt

@@ -62,7 +62,6 @@ set(
   "${PROJECT_SOURCE_DIR}/userspace/engine"
   "${PROJECT_BINARY_DIR}/userspace/falco"
   "${PROJECT_BINARY_DIR}/driver/src"
-  "${STRING_VIEW_LITE_INCLUDE}"
   "${CXXOPTS_INCLUDE_DIR}"
   "${YAMLCPP_INCLUDE_DIR}"
   "${CMAKE_CURRENT_BINARY_DIR}"
@@ -73,7 +72,6 @@ list(APPEND FALCO_INCLUDE_DIRECTORIES "${FALCO_EXTRA_INCLUDE_DIRS}")
 
 set(
   FALCO_DEPENDENCIES
-  string-view-lite
   b64
   cxxopts
 )

userspace/falco/app_actions/compute_syscall_buffer_size.cpp

@@ -28,7 +28,7 @@ application::run_result application::configure_syscall_buffer_size()
 	/* We don't need to compute the syscall buffer dimension if we are in capture mode or if the
 	 * the syscall source is not enabled.
 	 */
-	if(is_capture_mode() || m_state->enabled_sources.find(falco_common::syscall_source) == m_state->enabled_sources.end())
+	if(is_capture_mode() || m_state->enabled_sources.find(falco_common::syscall_source) == m_state->enabled_sources.end() || is_gvisor_enabled())
 	{
 		return run_result::ok();
 	}

userspace/falco/app_actions/configure_interesting_sets.cpp

@@ -33,6 +33,24 @@ void application::configure_interesting_sets()
 	 * plus syscalls for Falco default rules.
 	 */
 	m_state->ppm_sc_of_interest = inspector->enforce_simple_ppm_sc_set();
+	m_state->ppm_event_info_of_interest = inspector->get_event_set_from_ppm_sc_set(m_state->ppm_sc_of_interest);
+
+	/* Fill-up the set of event infos of interest */
+	for (uint32_t ev = 2; ev < PPM_EVENT_MAX; ev++)
+	{
+		if (!sinsp::is_old_version_event(ev)
+				&& !sinsp::is_unused_event(ev)
+				&& !sinsp::is_unknown_event(ev))
+		{
+			/* So far we only covered syscalls, so we add other kinds of
+			interesting events. In this case, we are also interested in
+			metaevents and in the procexit tracepoint event. */
+			if (sinsp::is_metaevent(ev) || ev == PPME_PROCEXIT_1_E)
+			{
+				m_state->ppm_event_info_of_interest.insert(ev);
+			}
+		}
+	}
 
 	/* In this case we get the tracepoints for the `libsinsp` state and we remove
 	 * the `sched_switch` tracepoint since it is highly noisy and not so useful

userspace/falco/app_actions/create_signal_handlers.cpp

@@ -30,26 +30,24 @@ using namespace falco::app;
 // provided application, and in unregister_signal_handlers it will be
 // rebound back to the dummy application.
 
-static application dummy;
-static std::reference_wrapper<application> s_app = dummy;
 static int inot_fd;
 
-static void signal_callback(int signal)
+static void terminate_signal_handler(int signal)
 {
-	falco_logger::log(LOG_INFO, "SIGINT received, exiting...\n");
-	s_app.get().terminate();
+	ASSERT(falco::app::g_terminate.is_lock_free());
+	falco::app::g_terminate.store(APP_SIGNAL_SET, std::memory_order_seq_cst);
 }
 
-static void reopen_outputs(int signal)
+static void reopen_outputs_signal_handler(int signal)
 {
-	falco_logger::log(LOG_INFO, "SIGUSR1 received, reopening outputs...\n");
-	s_app.get().reopen_outputs();
+	ASSERT(falco::app::g_reopen_outputs.is_lock_free());
+	falco::app::g_reopen_outputs.store(APP_SIGNAL_SET, std::memory_order_seq_cst);
 }
 
-static void restart_falco(int signal)
+static void restart_signal_handler(int signal)
 {
-	falco_logger::log(LOG_INFO, "SIGHUP received, restarting...\n");
-	s_app.get().restart();
+	ASSERT(falco::app::g_restart.is_lock_free());
+	falco::app::g_restart.store(APP_SIGNAL_SET, std::memory_order_seq_cst);
 }
 
 bool application::create_handler(int sig, void (*func)(int), run_result &ret)
@@ -74,21 +72,32 @@ bool application::create_handler(int sig, void (*func)(int), run_result &ret)
 
 application::run_result application::create_signal_handlers()
 {
-	run_result ret;
-	s_app = *this;
-	if(! create_handler(SIGINT, ::signal_callback, ret) ||
-	   ! create_handler(SIGTERM, ::signal_callback, ret) ||
-	   ! create_handler(SIGUSR1, ::reopen_outputs, ret) ||
-	   ! create_handler(SIGHUP, ::restart_falco, ret))
+	falco::app::g_terminate.store(APP_SIGNAL_NOT_SET, std::memory_order_seq_cst);
+	falco::app::g_restart.store(APP_SIGNAL_NOT_SET, std::memory_order_seq_cst);
+	falco::app::g_reopen_outputs.store(APP_SIGNAL_NOT_SET, std::memory_order_seq_cst);
+
+	if (!g_terminate.is_lock_free()
+		|| !g_restart.is_lock_free()
+		|| !g_reopen_outputs.is_lock_free())
 	{
-		s_app = dummy;
+		falco_logger::log(LOG_WARNING, "Bundled atomics implementation is not lock-free, signal handlers may be unstable\n");
 	}
+
+	run_result ret;
+	if(! create_handler(SIGINT, ::terminate_signal_handler, ret) ||
+	   ! create_handler(SIGTERM, ::terminate_signal_handler, ret) ||
+	   ! create_handler(SIGUSR1, ::reopen_outputs_signal_handler, ret) ||
+	   ! create_handler(SIGHUP, ::restart_signal_handler, ret))
+	{
+		// we use the if just to make sure we return at the first failed statement
+	}
+
 	return ret;
 }
 
 application::run_result application::attach_inotify_signals()
 {
-        if (m_state->config->m_watch_config_files)
+    if (m_state->config->m_watch_config_files)
 	{
 		inot_fd = inotify_init();
 		if (inot_fd == -1)
@@ -99,7 +108,7 @@ application::run_result application::attach_inotify_signals()
 		struct sigaction sa;
 		sigemptyset(&sa.sa_mask);
 		sa.sa_flags = SA_RESTART;
-		sa.sa_handler = restart_falco;
+		sa.sa_handler = restart_signal_handler;
 		if (sigaction(SIGIO, &sa, NULL) == -1)
 		{
 			return run_result::fatal("Failed to link SIGIO to inotify handler");
@@ -169,7 +178,5 @@ bool application::unregister_signal_handlers(std::string &errstr)
 		errstr = ret.errstr;
 		return false;
 	}
-
-	s_app = dummy;
 	return true;
 }

userspace/falco/app_actions/init_falco_engine.cpp

@@ -29,11 +29,21 @@ void application::configure_output_format()
 		output_format = "container=%container.name (id=%container.id)";
 		replace_container_info = true;
 	}
+	else if(m_options.print_additional == "cg" || m_options.print_additional == "container-gvisor")
+	{
+		output_format = "container=%container.name (id=%container.id) vpid=%proc.vpid vtid=%thread.vtid";
+		replace_container_info = true;
+	}
 	else if(m_options.print_additional == "k" || m_options.print_additional == "kubernetes")
 	{
 		output_format = "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name container=%container.id";
 		replace_container_info = true;
 	}
+	else if(m_options.print_additional == "kg" || m_options.print_additional == "kubernetes-gvisor")
+	{
+		output_format = "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name container=%container.id vpid=%proc.vpid vtid=%thread.vtid";
+		replace_container_info = true;
+	}
 	else if(m_options.print_additional == "m" || m_options.print_additional == "mesos")
 	{
 		output_format = "task=%mesos.task.name container=%container.id";
@@ -44,11 +54,6 @@ void application::configure_output_format()
 		output_format = m_options.print_additional;
 		replace_container_info = false;
 	}
-	else if(m_options.gvisor_config != "")
-	{
-		output_format = "container=%container.name (id=%container.id) vpid=%proc.vpid vtid=%thread.vtid";
-		replace_container_info = true;
-	}
 
 	if(!output_format.empty())
 	{

userspace/falco/app_actions/load_config.cpp

@@ -27,6 +27,10 @@ application::run_result application::load_config()
 
 		// log after config init because config determines where logs go
 		falco_logger::log(LOG_INFO, "Falco version: " + std::string(FALCO_VERSION) + " (" + std::string(FALCO_TARGET_ARCH) + ")\n");
+		if (!m_state->cmdline.empty())
+		{
+			falco_logger::log(LOG_DEBUG, "CLI args: " + m_state->cmdline);
+		}
 		falco_logger::log(LOG_INFO, "Falco initialized with configuration file: " + m_options.conf_filename + "\n");
 	}
 	else

userspace/falco/app_actions/load_rules_files.cpp

@@ -17,6 +17,8 @@ limitations under the License.
 #include "application.h"
 #include <plugin_manager.h>
 
+#include <unordered_set>
+
 using namespace falco::app;
 
 bool application::check_rules_plugin_requirements(std::string& err)
@@ -43,59 +45,29 @@ void application::check_for_ignored_events()
 
 	/* Get the events we consider interesting from the application state `ppm_sc` codes. */
 	std::unique_ptr<sinsp> inspector(new sinsp());
-	auto interesting_events = inspector->get_event_set_from_ppm_sc_set(m_state->ppm_sc_of_interest);
-	std::unordered_set<uint32_t> ignored_events;
+	std::unordered_set<uint32_t> events(rule_events.begin(), rule_events.end());
 
-	for(const auto& it : rule_events)
+	auto event_names = inspector->get_events_names(events);
+	for (const auto& n : inspector->get_events_names(m_state->ppm_event_info_of_interest))
 	{
-		/* If we have the old version of the event we will have also the recent one
-		 * so we can avoid analyzing the presence of old events.
-		 */
-		if(sinsp::is_old_version_event(it))
-		{
-			continue;
-		}
-
-		/* Here we are interested only in syscall events the internal events are not
-		 * altered without the `-A` flag.
-		 *
-		 * TODO: We could consider also the tracepoint events here but right now we don't have
-		 * the support from the libraries.
-		 */
-		if(!sinsp::is_syscall_event(it))
-		{
-			continue;
-		}
-
-		/* If the event is not generated by the running system we don't print
-		 * any warning right now.
-		 */
-		if(!sinsp::is_generable_event(it))
-		{
-			continue;
-		}
-
-		/* If the event is not in this set it is not considered by Falco. */
-		if(interesting_events.find(it) == interesting_events.end())
-		{
-			ignored_events.insert(it);
-		}
+		event_names.erase(n);
 	}
 
-	if(ignored_events.empty())
+	if(event_names.empty())
 	{
 		return;
 	}
 
 	/* Get the names of the ignored events and print them. */
-	auto event_names = inspector->get_events_names(ignored_events);
-	std::cerr << std::endl << "Rules match ignored syscall: warning (ignored-evttype):" << std::endl;
-	std::cerr << "Loaded rules match the following events:" << std::endl;
+	std::cerr << "Rules match ignored syscall: warning (ignored-evttype):" << std::endl;
+	std::cerr << "Loaded rules match the following events: ";
+	bool first = true;
 	for(const auto& it : event_names)
 	{
-		std::cerr << "\t- " << it.c_str() << std::endl;
+		std::cerr << (first ? "" : ", ") << it.c_str();
+		first = false;
 	}
-	std::cerr << "But these events are not returned unless running falco with -A" << std::endl << std::endl;
+	std::cerr << std::endl << "But these events are not returned unless running falco with -A" << std::endl;
 }
 
 application::run_result application::load_rules_files()

userspace/falco/app_actions/print_ignored_events.cpp

@@ -39,25 +39,26 @@ application::run_result application::print_ignored_events()
 	configure_interesting_sets();
 
 	/* Search for all the ignored syscalls. */
-	std::unique_ptr<sinsp> inspector(new sinsp());
-	std::unordered_set<uint32_t> all_ppm_sc = inspector->get_all_ppm_sc();
-	std::unordered_set<uint32_t> ignored_ppm_sc;
-
-	for(const auto& it : all_ppm_sc)
+	std::unordered_set<uint32_t> all_events;
+	for (uint32_t j = 0; j < PPM_EVENT_MAX; j++)
 	{
-		/* If the syscall is not in this set we ignore it. */
-		if(m_state->ppm_sc_of_interest.find(it) == m_state->ppm_sc_of_interest.end())
+		if (!sinsp::is_old_version_event(j)
+				&& !sinsp::is_unused_event(j)
+				&& !sinsp::is_unknown_event(j))
 		{
-			ignored_ppm_sc.insert(it);
+			all_events.insert(j);
 		}
 	}
 
-	/* Obtain the ignored events names from the ignored syscalls. */
-	auto ignored_events = inspector->get_event_set_from_ppm_sc_set(ignored_ppm_sc);
-	auto event_names = inspector->get_events_names(ignored_events);
+	std::unique_ptr<sinsp> inspector(new sinsp());
+	auto ignored_event_names = inspector->get_events_names(all_events);
+	for (const auto &n : inspector->get_events_names(m_state->ppm_event_info_of_interest))
+	{
+		ignored_event_names.erase(n);
+	}
 
 	std::cout << "Ignored Event(s):" << std::endl;
-	for(const auto& it : event_names)
+	for(const auto& it : ignored_event_names)
 	{
 		std::cout << "- " << it.c_str() << std::endl;
 	}

userspace/falco/app_actions/print_syscall_events.cpp

@@ -16,17 +16,97 @@ limitations under the License.
 
 #include "application.h"
 
-#include <fields_info.h>
-
 using namespace falco::app;
 
+struct event_entry
+{
+	bool is_enter;
+	bool available;
+	std::string name;
+	struct ppm_event_info info;
+};
+
+static std::vector<event_entry> get_event_entries(bool include_generics, const std::unordered_set<uint32_t>& available)
+{
+	event_entry entry;
+	std::vector<event_entry> events;
+	std::unique_ptr<sinsp> inspector(new sinsp());
+	const struct ppm_event_info* etable = inspector->get_event_info_tables()->m_event_info;
+
+	// skip generic events
+	for(uint32_t evt = PPME_GENERIC_X + 1; evt < PPM_EVENT_MAX; evt++)
+	{
+		if (!sinsp::is_old_version_event(evt)
+				&& !sinsp::is_unused_event(evt)
+				&& !sinsp::is_unknown_event(evt))
+		{
+			entry.is_enter = PPME_IS_ENTER(evt);
+			entry.available = available.find(evt) != available.end();
+			entry.name = etable[evt].name;
+			entry.info = etable[evt];
+			events.push_back(entry);
+		}
+	}
+
+	if (include_generics)
+	{
+		// append generic events
+		const auto generic_syscalls = inspector->get_events_names({PPME_GENERIC_E});
+		for (const auto& name : generic_syscalls)
+		{
+			for(uint32_t evt = PPME_GENERIC_E; evt <= PPME_GENERIC_X; evt++)
+			{
+				entry.is_enter = PPME_IS_ENTER(evt);
+				entry.available = available.find(evt) != available.end();
+				entry.name = name;
+				entry.info = etable[evt];
+				events.push_back(entry);
+			}
+		}
+	}
+
+	return events;
+}
+
 application::run_result application::print_syscall_events()
 {
 	if(m_options.list_syscall_events)
 	{
-		// We know this function doesn't hold into the raw pointer value
-		std::unique_ptr<sinsp> inspector(new sinsp());
-		list_events(inspector.get(), m_options.markdown);
+		configure_interesting_sets();
+		const auto events = get_event_entries(false, m_state->ppm_event_info_of_interest);
+
+		if(m_options.markdown)
+		{
+			printf("Falco | Dir | Event\n");
+			printf(":-----|:----|:-----\n");
+		}
+
+		for (const auto& e : events)
+		{
+			char dir = e.is_enter ? '>' : '<';
+			if (m_options.markdown)
+			{
+				printf(e.available ? "Yes" : "No");
+				printf(" | %c | **%s**(", dir, e.name.c_str());
+			}
+			else
+			{
+				printf("%c %s(", dir, e.name.c_str());
+			}
+
+			for(uint32_t k = 0; k < e.info.nparams; k++)
+			{
+				if(k != 0)
+				{
+					printf(", ");
+				}
+
+				printf("%s %s", param_type_to_string(e.info.params[k].type),
+					e.info.params[k].name);
+			}
+			printf(")\n");
+		}
+
 		return run_result::exit();
 	}
 

userspace/falco/app_actions/print_version.cpp

@@ -38,8 +38,8 @@ application::run_result application::print_version()
 		unsigned long driver_schema_minor = PPM_API_VERSION_MINOR(driver_schema_version);
 		unsigned long driver_schema_patch = PPM_API_VERSION_PATCH(driver_schema_version);
 		printf("Driver:\n");
-		printf("  API version:    %ld.%ld.%ld\n", driver_api_major, driver_api_minor, driver_api_patch);
-		printf("  Schema version: %ld.%ld.%ld\n", driver_schema_major, driver_schema_minor, driver_schema_patch);
+		printf("  API version:    %lu.%lu.%lu\n", driver_api_major, driver_api_minor, driver_api_patch);
+		printf("  Schema version: %lu.%lu.%lu\n", driver_schema_major, driver_schema_minor, driver_schema_patch);
 		printf("  Default driver: %s\n", DRIVER_VERSION);
 
 		return run_result::exit();

userspace/falco/app_actions/process_events.cpp

@@ -20,6 +20,7 @@ limitations under the License.
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
+#include <atomic>
 #include <unordered_map>
 
 #include "falco_utils.h"
@@ -97,9 +98,19 @@ application::run_result application::do_inspect(
 	{
 		rc = inspector->next(&ev);
 
-		if(m_state->terminate.load(std::memory_order_seq_cst)
-			|| m_state->restart.load(std::memory_order_seq_cst))
+		if (should_reopen_outputs())
 		{
+			reopen_outputs();
+		}
+
+		if(should_terminate())
+		{
+			terminate();
+			break;
+		}
+		else if(should_restart())
+		{
+			restart();
 			break;
 		}
 		else if(rc == SCAP_TIMEOUT)
@@ -217,6 +228,7 @@ void application::process_inspector_events(
 		std::shared_ptr<sinsp> inspector,
 		std::shared_ptr<stats_writer> statsw,
 		std::string source, // an empty source represents capture mode
+		application::source_sync_context* sync,
 		application::run_result* res) noexcept
 {
 	try
@@ -264,6 +276,11 @@ void application::process_inspector_events(
 	{
 		*res = run_result::fatal(e.what());
 	}
+
+	if (sync)
+	{
+		sync->finish();
+	}
 }
 
 static std::shared_ptr<stats_writer> init_stats_writer(const cmdline_options& opts)
@@ -301,7 +318,7 @@ application::run_result application::process_events()
 			return res;
 		}
 
-		process_inspector_events(m_state->offline_inspector, statsw, "", &res);
+		process_inspector_events(m_state->offline_inspector, statsw, "", nullptr, &res);
 		m_state->offline_inspector->close();
 
 		// Honor -M also when using a trace file.
@@ -328,11 +345,14 @@ application::run_result application::process_events()
 			application::run_result res;
 			// if non-null, the thread on which events are processed
 			std::unique_ptr<std::thread> thread;
+			// used for thread synchronization purposes
+			std::unique_ptr<application::source_sync_context> sync;
 		};
 
 		print_enabled_event_sources();
 
 		// start event processing for all enabled sources
+		falco::semaphore termination_sem(m_state->enabled_sources.size());
 		std::vector<live_context> ctxs;
 		ctxs.reserve(m_state->enabled_sources.size());
 		for (const auto& source : m_state->enabled_sources)
@@ -340,30 +360,33 @@ application::run_result application::process_events()
 			ctxs.emplace_back();
 			auto& ctx = ctxs[ctxs.size() - 1];
 			ctx.source = source;
+			ctx.sync.reset(new application::source_sync_context(termination_sem));
 			auto src_info = m_state->source_infos.at(source);
 
 			try
 			{
 				falco_logger::log(LOG_DEBUG, "Opening event source '" + source + "'\n");
+				termination_sem.acquire();
 				res = open_live_inspector(src_info->inspector, source);
 				if (!res.success)
 				{
 					// note: we don't return here because we need to reach
 					// the thread termination loop below to make sure all
 					// already-spawned threads get terminated gracefully
+					ctx.sync->finish();
 					break;
 				}
 
 				if (m_state->enabled_sources.size() == 1)
 				{
 					// optimization: with only one source we don't spawn additional threads
-					process_inspector_events(src_info->inspector, statsw, source, &ctx.res);
+					process_inspector_events(src_info->inspector, statsw, source, ctx.sync.get(), &ctx.res);
 				}
 				else
 				{
 					ctx.thread.reset(new std::thread(
 						&application::process_inspector_events,
-						this, src_info->inspector, statsw, source, &ctx.res));
+						this, src_info->inspector, statsw, source, ctx.sync.get(), &ctx.res));
 				}
 			}
 			catch (std::exception &e)
@@ -372,6 +395,7 @@ application::run_result application::process_events()
 				// the thread termination loop below to make sure all
 				// already-spawned threads get terminated gracefully
 				ctx.res = run_result::fatal(e.what());
+				ctx.sync->finish();
 				break;
 			}
 		}
@@ -383,26 +407,45 @@ application::run_result application::process_events()
 		size_t closed_count = 0;
 		while (closed_count < ctxs.size())
 		{
+			// This is shared across all running event source threads an
+			// keeps the main thread sleepy until one of the parallel
+			// threads terminates and invokes release(). At that point,
+			// we know that at least one thread finished running and we can
+			// attempt joining it. Not that this also works when only one
+			// event source is enabled, in which we have no additional threads.
+			termination_sem.acquire();
+
 			if (!res.success && !termination_forced)
 			{
-				terminate();
+				falco_logger::log(LOG_INFO, "An error occurred in an event source, forcing termination...\n");
+				terminate(false);
 				termination_forced = true;
 			}
+
 			for (auto &ctx : ctxs)
 			{
-				if (ctx.thread)
+				if (ctx.sync->finished() && !ctx.sync->joined())
 				{
-					if (!ctx.thread->joinable())
+					if (ctx.thread)
 					{
-						continue;
+						if (!ctx.thread->joinable())
+						{
+							// thread has finished executing but
+							// we already joined it, so we skip to the next one.
+							// technically, we should never get here because
+							// ctx.joined should already be true at this point
+							continue;
+						}
+						ctx.thread->join();
 					}
-					ctx.thread->join();
-					ctx.thread = nullptr;
+
+					falco_logger::log(LOG_DEBUG, "Closing event source '" + ctx.source + "'\n");
+					m_state->source_infos.at(ctx.source)->inspector->close();
+
+					res = run_result::merge(res, ctx.res);
+					ctx.sync->join();
+					closed_count++;
 				}
-				falco_logger::log(LOG_DEBUG, "Closing event source '" + ctx.source + "'\n");
-				m_state->source_infos.at(ctx.source)->inspector->close();
-				res = run_result::merge(res, ctx.res);
-				closed_count++;
 			}
 		}
 	}

userspace/falco/app_actions/validate_rules_files.cpp

@@ -89,33 +89,30 @@ application::run_result application::validate_rules_files()
 			{
 				results.push_back(res->as_json(rc));
 			}
+			
+			if(summary != "")
+			{
+				summary += "\n";
+			}
+
+			// Add to the summary if not successful, or successful
+			// with no warnings.
+			if(!res->successful() || (res->successful() && !res->has_warnings()))
+			{
+				summary += res->as_string(true, rc);
+			}
 			else
 			{
-				if(summary != "")
-				{
-					summary += "\n";
-				}
+				// If here, there must be only warnings.
+				// Add a line to the summary noting that the
+				// file was ok with warnings, without actually
+				// printing the warnings.
+				summary += filename + ": Ok, with warnings";
 
-				// Add to the summary if not successful, or successful
-				// with no warnings.
-				if(!res->successful() ||
-				   (res->successful() && !res->has_warnings()))
+				// If verbose is true, print the warnings now.
+				if(m_options.verbose)
 				{
-					summary += res->as_string(true, rc);
-				}
-				else
-				{
-					// If here, there must be only warnings.
-					// Add a line to the summary noting that the
-					// file was ok with warnings, without actually
-					// printing the warnings.
-					summary += filename + ": Ok, with warnings";
-
-					// If verbose is true, print the warnings now.
-					if(m_options.verbose)
-					{
-						fprintf(stderr, "%s\n", res->as_string(true, rc).c_str());
-					}
+					fprintf(stderr, "%s\n", res->as_string(true, rc).c_str());
 				}
 			}
 		}

userspace/falco/app_cmdline_options.cpp

@@ -30,7 +30,10 @@ namespace app {
 cmdline_options::cmdline_options()
 	: event_buffer_format(sinsp_evt::PF_NORMAL),
 	  gvisor_config(""),	
+	  list_fields(false),
 	  list_plugins(false),
+	  list_syscall_events(false),
+	  markdown(false),
 	  modern_bpf(false),
 	  m_cmdline_opts("falco", "Falco - Cloud Native Runtime Security")
 {
@@ -156,15 +159,15 @@ void cmdline_options::define()
 #else
 		("c",                             "Configuration file. If not specified tries " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ".", cxxopts::value(conf_filename), "<path>")
 #endif
-		("A",                             "Monitor all events, including not interesting ones. Please use the `-i` command line option to see the ignored events. This option is implicit when the capture is not live.", cxxopts::value(all_events)->default_value("false"))
+		("A",                             "Monitor all events, including those not interesting to Falco. Please use the -i option to list all ignored events. This option has effect only on live captures.", cxxopts::value(all_events)->default_value("false"))
 		("b,print-base64",                "Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
-		("cri",                           "Path to CRI socket for container metadata. Use the specified socket to fetch data from a CRI-compatible runtime. If not specified, uses libs default. It can be passed multiple times to specify socket to be tried until a successful one is found.", cxxopts::value(cri_socket_paths), "<path>")
+		("cri",                           "Path to CRI socket for container metadata. Use the specified socket to fetch data from a CRI-compatible runtime. If not specified, uses the libs default. This option can be passed multiple times to specify socket to be tried until a successful one is found.", cxxopts::value(cri_socket_paths), "<path>")
 		("d,daemon",                      "Run as a daemon.", cxxopts::value(daemon)->default_value("false"))
 		("disable-cri-async",             "Disable asynchronous CRI metadata fetching. This is useful to let the input event wait for the container metadata fetch to finish before moving forward. Async fetching, in some environments leads to empty fields for container metadata when the fetch is not fast enough to be completed asynchronously. This can have a performance penalty on your environment depending on the number of containers and the frequency at which they are created/started/stopped.", cxxopts::value(disable_cri_async)->default_value("false"))
-		("disable-source",                "Disable a specific event source. Available event sources are: syscall or any source from a configured plugin with event sourcing capability. It can be passed multiple times. It has no offect when reading events from a trace file. Can not disable all event sources. Can not be mixed with enable-source.", cxxopts::value(disable_sources), "<event_source>")
-		("D",                             "Disable any rules with names having the substring <substring>. Can be specified multiple times. Can not be specified with -t.", cxxopts::value(disabled_rule_substrings), "<substring>")
+		("disable-source",                "Disable a specific event source. By default, all loaded sources get enabled. Available sources are 'syscall' and all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times. This has no offect when reading events from a trace file. Can not disable all event sources. Can not be mixed with --enable-source.", cxxopts::value(disable_sources), "<event_source>")
+		("D",                             "Disable any rules with names having the substring <substring>. This option can be passed multiple times. Can not be mixed with -t.", cxxopts::value(disabled_rule_substrings), "<substring>")
 		("e",                             "Read the events from a trace file <events_file> in .scap format instead of tapping into live.", cxxopts::value(trace_filename), "<events_file>")
-		("enable-source",                 "Enable a specific event source. If used, only event sources passed with this options get enabled. Available event sources are: syscall or any source from a configured plugin with event sourcing capability. It can be passed multiple times. It has no offect when reading events from a trace file. Can not be mixed with disable-source.", cxxopts::value(enable_sources), "<event_source>")
+		("enable-source",                 "Enable a specific event source. If used, all loaded sources get disabled by default and only the ones passed with this option get enabled. Available sources are 'syscall' and all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times. This has no offect when reading events from a trace file. Can not be mixed with --disable-source.", cxxopts::value(enable_sources), "<event_source>")
 #ifdef HAS_GVISOR
 		("g,gvisor-config",				  "Parse events from gVisor using the specified configuration file. A falco-compatible configuration file can be generated with --gvisor-generate-config and can be used for both runsc and Falco.", cxxopts::value(gvisor_config), "<gvisor_config>")
 		("gvisor-generate-config",		  "Generate a configuration file that can be used for gVisor.", cxxopts::value<std::string>(gvisor_generate_config_with_socket)->implicit_value("/run/falco/gvisor.sock"), "<socket_path>")
@@ -177,7 +180,7 @@ void cmdline_options::define()
 #ifndef MINIMAL_BUILD
 		("k,k8s-api",                     "Enable Kubernetes support by connecting to the API server specified as argument. E.g. \"http://admin:password@127.0.0.1:8080\". The API server can also be specified via the environment variable FALCO_K8S_API.", cxxopts::value(k8s_api), "<url>")
 		("K,k8s-api-cert",                "Use the provided files names to authenticate user and (optionally) verify the K8S API server identity. Each entry must specify full (absolute, or relative to the current directory) path to the respective file. Private key password is optional (needed only if key is password protected). CA certificate is optional. For all files, only PEM file format is supported. Specifying CA certificate only is obsoleted - when single entry is provided for this option, it will be interpreted as the name of a file containing bearer token. Note that the format of this command-line option prohibits use of files whose names contain ':' or '#' characters in the file name.", cxxopts::value(k8s_api_cert), "(<bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>])")
-		("k8s-node",                      "The node name will be used as a filter when requesting metadata of pods to the API server. Usually, it should be set to the current node on which Falco is running. If empty, no filter is set, which may have a performance penalty on large clusters.", cxxopts::value(k8s_node_name), "<node_name>")
+		("k8s-node",                      "The node name will be used as a filter when requesting metadata of pods to the API server. Usually, this should be set to the current node on which Falco is running. If empty, no filter is set, which may have a performance penalty on large clusters.", cxxopts::value(k8s_node_name), "<node_name>")
 #endif
 		("L",                             "Show the name and description of all rules and exit.", cxxopts::value(describe_all_rules)->default_value("false"))
 		("l",                             "Show the name and description of the rule with name <rule> and exit.", cxxopts::value(describe_rule), "<rule>")
@@ -196,19 +199,19 @@ void cmdline_options::define()
 		("plugin-info",                   "Print info for a single plugin and exit.\nThis includes all descriptivo info like name and author, along with the\nschema format for the init configuration and a list of suggested open parameters.\n<plugin_name> can be the name of the plugin or its configured library_path.", cxxopts::value(print_plugin_info), "<plugin_name>")
 		("p,print",                       "Add additional information to each falco notification's output.\nWith -pc or -pcontainer will use a container-friendly format.\nWith -pk or -pkubernetes will use a kubernetes-friendly format.\nWith -pm or -pmesos will use a mesos-friendly format.\nAdditionally, specifying -pc/-pk/-pm will change the interpretation of %container.info in rule output fields.", cxxopts::value(print_additional), "<output_format>")
 		("P,pidfile",                     "When run as a daemon, write pid to specified file", cxxopts::value(pidfilename)->default_value("/var/run/falco.pid"), "<pid_file>")
-		("r",                             "Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml). Can be specified multiple times to read from multiple files/directories.", cxxopts::value<std::vector<std::string>>(), "<rules_file>")
+		("r",                             "Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml). This option can be passed multiple times to read from multiple files/directories.", cxxopts::value<std::vector<std::string>>(), "<rules_file>")
 		("s",                             "If specified, append statistics related to Falco's reading/processing of events to this file (only useful in live mode).", cxxopts::value(stats_filename), "<stats_file>")
 		("stats-interval",                "When using -s <stats_file>, write statistics every <msec> ms. This uses signals, so don't recommend intervals below 200 ms. Defaults to 5000 (5 seconds).", cxxopts::value(stats_interval)->default_value("5000"),  "<msec>")
 		("S,snaplen",                     "Capture the first <len> bytes of each I/O buffer. By default, the first 80 bytes are captured. Use this option with caution, it can generate huge trace files.", cxxopts::value(snaplen)->default_value("0"), "<len>")
 		("support",                       "Print support information including version, rules files used, etc. and exit.", cxxopts::value(print_support)->default_value("false"))
-		("T",                             "Disable any rules with a tag=<tag>. Can be specified multiple times. Can not be specified with -t", cxxopts::value<std::vector<std::string>>(), "<tag>")
-		("t",                             "Only run those rules with a tag=<tag>. Can be specified multiple times. Can not be specified with -T/-D.", cxxopts::value<std::vector<std::string>>(), "<tag>")
+		("T",                             "Disable any rules with a tag=<tag>. This option can be passed multiple times. Can not be mized with -t", cxxopts::value<std::vector<std::string>>(), "<tag>")
+		("t",                             "Only run those rules with a tag=<tag>. This option can be passed multiple times. Can not be mixed with -T/-D.", cxxopts::value<std::vector<std::string>>(), "<tag>")
 		("U,unbuffered",                  "Turn off output buffering to configured outputs. This causes every single line emitted by falco to be flushed which generates higher CPU usage but is useful when piping those outputs into another process or into a script.", cxxopts::value(unbuffered_outputs)->default_value("false"))
 		("u,userspace",                   "Parse events from userspace. To be used in conjunction with the ptrace(2) based driver (pdig)", cxxopts::value(userspace)->default_value("false"))
-		("V,validate",                    "Read the contents of the specified rules(s) file and exit. Can be specified multiple times to validate multiple files.", cxxopts::value(validate_rules_filenames), "<rules_file>")
+		("V,validate",                    "Read the contents of the specified rules(s) file and exit. This option can be passed multiple times to validate multiple files.", cxxopts::value(validate_rules_filenames), "<rules_file>")
 		("v",                             "Verbose output.", cxxopts::value(verbose)->default_value("false"))
 		("version",                       "Print version number.", cxxopts::value(print_version_info)->default_value("false"))
-		("page-size",                     "Print the system page size (may help you to choose the right syscall buffer size).", cxxopts::value(print_page_size)->default_value("false"));
+		("page-size",                     "Print the system page size (may help you to choose the right syscall ring-buffer size).", cxxopts::value(print_page_size)->default_value("false"));
 
 
 	m_cmdline_opts.set_width(140);

userspace/falco/application.cpp

@@ -26,9 +26,41 @@ limitations under the License.
 
 using namespace std::placeholders;
 
+static inline bool should_take_action_to_signal(std::atomic<int>& v)
+{
+	// we expected the signal to be received, and we try to set action-taken flag
+	int value = APP_SIGNAL_SET;
+	while (!v.compare_exchange_weak(
+			value,
+			APP_SIGNAL_ACTION_TAKEN,
+			std::memory_order_seq_cst,
+			std::memory_order_seq_cst))
+	{
+		// application already took action, there's no need to do it twice
+		if (value == APP_SIGNAL_ACTION_TAKEN)
+		{
+			return false;
+		}
+
+		// signal did was not really received, so we "fake" receiving it
+		if (value == APP_SIGNAL_NOT_SET)
+		{
+			v.store(APP_SIGNAL_SET, std::memory_order_seq_cst);
+		}
+
+		// reset "expected" CAS variable and keep looping until we succeed
+		value = APP_SIGNAL_SET;
+	}
+	return true;
+}
+
 namespace falco {
 namespace app {
 
+std::atomic<int> g_terminate(APP_SIGNAL_NOT_SET);
+std::atomic<int> g_restart(APP_SIGNAL_NOT_SET);
+std::atomic<int> g_reopen_outputs(APP_SIGNAL_NOT_SET);
+
 application::run_result::run_result()
 	: success(true), errstr(""), proceed(true)
 {
@@ -39,9 +71,7 @@ application::run_result::~run_result()
 }
 
 application::state::state()
-	: restart(false),
-	  terminate(false),
-	  loaded_sources(),
+	: loaded_sources(),
 	  enabled_sources(),
 	  source_infos(),
 	  plugin_configs(),
@@ -68,29 +98,41 @@ application::~application()
 {
 }
 
-void application::terminate()
+void application::terminate(bool verbose)
 {
-	if(m_state != nullptr)
+	if (should_take_action_to_signal(falco::app::g_terminate))
 	{
-		m_state->terminate.store(true, std::memory_order_seq_cst);
+		if (verbose)
+		{
+			falco_logger::log(LOG_INFO, "SIGINT received, exiting...\n");
+		}
 	}
 }
 
-void application::reopen_outputs()
+void application::reopen_outputs(bool verbose)
 {
-	if(m_state != nullptr && m_state->outputs != nullptr)
+	if (should_take_action_to_signal(falco::app::g_reopen_outputs))
 	{
-		// note: it is ok to do this inside the signal handler because
-		// in the current falco_outputs implementation this is non-blocking
-		m_state->outputs->reopen_outputs();
+		if (verbose)
+		{
+			falco_logger::log(LOG_INFO, "SIGUSR1 received, reopening outputs...\n");
+		}
+		if(m_state != nullptr && m_state->outputs != nullptr)
+		{
+			m_state->outputs->reopen_outputs();
+		}
+		falco::app::g_reopen_outputs.store(APP_SIGNAL_NOT_SET);
 	}
 }
 
-void application::restart()
+void application::restart(bool verbose)
 {
-	if(m_state != nullptr)
+	if (should_take_action_to_signal(falco::app::g_restart))
 	{
-		m_state->restart.store(true, std::memory_order_seq_cst);
+		if (verbose)
+		{
+			falco_logger::log(LOG_INFO, "SIGHUP received, restarting...\n");
+		}
 	}
 }
 
@@ -196,7 +238,7 @@ bool application::run(std::string &errstr, bool &restart)
 		errstr = res.errstr;
 	}
 
-	restart = m_state->restart;
+	restart = should_restart();
 
 	return res.success;
 }

userspace/falco/application.h

@@ -16,6 +16,7 @@ limitations under the License.
 
 #pragma once
 
+#include "semaphore.h"
 #include "configuration.h"
 #include "stats_writer.h"
 #ifndef MINIMAL_BUILD
@@ -30,9 +31,19 @@ limitations under the License.
 #include <atomic>
 #include <unordered_set>
 
+#define APP_SIGNAL_NOT_SET          0   // The signal flag is not set
+#define APP_SIGNAL_SET              1   // The signal flag has been set
+#define APP_SIGNAL_ACTION_TAKEN     2   // The signal flag has been set and the application took action
+
 namespace falco {
 namespace app {
 
+// these are used to control the lifecycle of the application
+// through signal handlers or internal calls
+extern std::atomic<int> g_terminate;
+extern std::atomic<int> g_restart;
+extern std::atomic<int> g_reopen_outputs;
+
 class application {
 public:
 	application();
@@ -42,13 +53,6 @@ public:
 	application(const application&) = delete;
 	application& operator = (const application&) = delete;
 
-	// These are only used in signal handlers. Other than there,
-	// the control flow of the application should not be changed
-	// from the outside.
-	void terminate();
-	void reopen_outputs();
-	void restart();
-
 	bool init(int argc, char **argv, std::string &errstr);
 
 	// Returns whether the application completed with errors or
@@ -86,9 +90,6 @@ private:
 		state();
 		virtual ~state();
 
-		std::atomic<bool> restart;
-		std::atomic<bool> terminate;
-
 		std::shared_ptr<falco_configuration> config;
 		std::shared_ptr<falco_outputs> outputs;
 		std::shared_ptr<falco_engine> engine;
@@ -115,6 +116,9 @@ private:
 
 		std::string cmdline;
 
+		// Set of events we want the driver to capture
+		std::unordered_set<uint32_t> ppm_event_info_of_interest;
+
 		// Set of syscalls we want the driver to capture
 		std::unordered_set<uint32_t> ppm_sc_of_interest;
 
@@ -195,6 +199,67 @@ private:
 		bool proceed;
 	};
 
+	// used to synchronize different event source running in parallel
+	class source_sync_context
+	{
+	public:
+		source_sync_context(falco::semaphore& s)
+			: m_finished(false), m_joined(false), m_semaphore(s) { }
+		source_sync_context(source_sync_context&&) = default;
+		source_sync_context& operator = (source_sync_context&&) = default;
+		source_sync_context(const source_sync_context&) = delete;
+		source_sync_context& operator = (const source_sync_context&) = delete;
+
+		inline void finish()
+		{
+			bool v = false;
+			while (!m_finished.compare_exchange_weak(
+					v, true, 
+					std::memory_order_seq_cst,
+					std::memory_order_seq_cst))
+			{
+				if (v)
+				{
+					throw falco_exception("source_sync_context has been finished twice");
+				}
+			}
+			m_semaphore.release();
+		}
+
+		inline void join()
+		{
+			bool v = false;
+			while (!m_joined.compare_exchange_weak(
+					v, true, 
+					std::memory_order_seq_cst,
+					std::memory_order_seq_cst))
+			{
+				if (v)
+				{
+					throw falco_exception("source_sync_context has been joined twice");
+				}
+			}
+		}
+
+		inline bool joined()
+		{
+			return m_joined.load(std::memory_order_seq_cst);
+		}
+
+		inline bool finished()
+		{
+			return m_finished.load(std::memory_order_seq_cst);
+		}
+		
+	private:
+		// set to true when the event processing loop finishes
+		std::atomic<bool> m_finished;
+		// set to true when the result has been collected after finishing
+		std::atomic<bool> m_joined;
+		// used to notify the waiting thread when finished gets set to true
+		falco::semaphore& m_semaphore;
+	};
+
 	// Convenience method. Read a sequence of filenames and fill
 	// in a vector of rules contents.
         // Also fill in the provided rules_contents_t with a mapping from
@@ -304,6 +369,7 @@ private:
 		std::shared_ptr<sinsp> inspector,
 		std::shared_ptr<stats_writer> statsw,
 		std::string source, // an empty source represents capture mode
+		application::source_sync_context* sync,
 		run_result* res) noexcept;
 
 	/* Returns true if we are in capture mode. */
@@ -317,6 +383,23 @@ private:
 		return !m_options.gvisor_config.empty();
 	}
 
+	// used in signal handlers to control the flow of the application
+	void terminate(bool verbose=true);
+	void restart(bool verbose=true);
+	void reopen_outputs(bool verbose=true);
+	inline bool should_terminate()
+	{
+		return g_terminate.load(std::memory_order_seq_cst) != APP_SIGNAL_NOT_SET;
+	}
+	inline bool should_restart()
+	{
+		return g_restart.load(std::memory_order_seq_cst) != APP_SIGNAL_NOT_SET;
+	}
+	inline bool should_reopen_outputs()
+	{
+		return g_reopen_outputs.load(std::memory_order_seq_cst) != APP_SIGNAL_NOT_SET;
+	}
+
 	std::unique_ptr<state> m_state;
 	cmdline_options m_options;
 	bool m_initialized;

userspace/falco/config_falco.h.in

@@ -16,8 +16,6 @@ limitations under the License.
 
 #pragma once
 
-#define FALCO_BRANCH "@FALCO_REF@"
-#define FALCO_HASH "@FALCO_HASH@"
 #define FALCO_VERSION "@FALCO_VERSION@"
 #define FALCO_VERSION_MAJOR @FALCO_VERSION_MAJOR@
 #define FALCO_VERSION_MINOR @FALCO_VERSION_MINOR@

userspace/falco/configuration.cpp

@@ -32,13 +32,31 @@ limitations under the License.
 using namespace std;
 
 falco_configuration::falco_configuration():
+	m_json_output(false),
+	m_json_include_output_property(true),
+	m_json_include_tags_property(true),
+	m_notifications_rate(0),
+	m_notifications_max_burst(1000),
+	m_watch_config_files(true),
 	m_buffered_outputs(false),
 	m_time_format_iso_8601(false),
+	m_output_timeout(2000),
+	m_grpc_enabled(false),
+	m_grpc_threadiness(0),
 	m_webserver_enabled(false),
 	m_webserver_threadiness(0),
 	m_webserver_listen_port(8765),
 	m_webserver_k8s_healthz_endpoint("/healthz"),
 	m_webserver_ssl_enabled(false),
+	m_syscall_evt_drop_threshold(.1),
+	m_syscall_evt_drop_rate(.03333),
+	m_syscall_evt_drop_max_burst(1),
+	m_syscall_evt_simulate_drops(false),
+	m_syscall_evt_timeout_max_consecutives(1000),
+	m_metadata_download_max_mb(100),
+	m_metadata_download_chunk_wait_us(1000),
+	m_metadata_download_watch_freq_sec(1),
+	m_syscall_buf_size_preset(4),
 	m_config(NULL)
 {
 }
@@ -51,7 +69,7 @@ falco_configuration::~falco_configuration()
 	}
 }
 
-void falco_configuration::init(string conf_filename, const vector<string> &cmdline_options)
+void falco_configuration::init(const string& conf_filename, const vector<string> &cmdline_options)
 {
 	string m_config_file = conf_filename;
 	m_config = new yaml_configuration();

userspace/falco/configuration.h

@@ -216,7 +216,7 @@ public:
 	falco_configuration();
 	virtual ~falco_configuration();
 
-	void init(std::string conf_filename, const std::vector<std::string>& cmdline_options);
+	void init(const std::string& conf_filename, const std::vector<std::string>& cmdline_options);
 	void init(const std::vector<std::string>& cmdline_options);
 
 	static void read_rules_file_directory(const string& path, list<string>& rules_filenames, list<string> &rules_folders);
@@ -371,7 +371,7 @@ namespace YAML {
 				return false;
 			}
 			rhs.m_library_path = node["library_path"].as<std::string>();
-			if(rhs.m_library_path.at(0) != '/')
+			if(!rhs.m_library_path.empty() && rhs.m_library_path.at(0) != '/')
 			{
 				// prepend share dir if path is not absolute
 				rhs.m_library_path = string(FALCO_ENGINE_PLUGINS_DIR) + rhs.m_library_path;
@@ -400,7 +400,8 @@ namespace YAML {
 
 			if(node["open_params"] && !node["open_params"].IsNull())
 			{
-				rhs.m_open_params = node["open_params"].as<std::string>();
+				string open_params = node["open_params"].as<std::string>();
+				rhs.m_open_params = trim(open_params);
 			}
 
 			return true;

userspace/falco/event_drops.cpp

@@ -24,7 +24,8 @@ syscall_evt_drop_mgr::syscall_evt_drop_mgr():
 	m_inspector(NULL),
 	m_outputs(NULL),
 	m_next_check_ts(0),
-	m_simulate_drops(false)
+	m_simulate_drops(false),
+	m_threshold(0)
 {
 }
 

userspace/falco/falco_outputs.cpp

@@ -50,7 +50,7 @@ falco_outputs::falco_outputs(
 	uint32_t timeout,
 	bool buffered,
 	bool time_format_iso_8601,
-	std::string hostname)
+	const std::string& hostname)
 {
 	m_formats.reset(new falco_formats(engine, json_include_output_property, json_include_tags_property));
 
@@ -271,7 +271,7 @@ inline void falco_outputs::push(const ctrl_msg& cmsg)
 void falco_outputs::worker() noexcept
 {
 	watchdog<std::string> wd;
-	wd.start([&](std::string payload) -> void {
+	wd.start([&](const std::string& payload) -> void {
 		falco_logger::log(LOG_CRIT, "\"" + payload + "\" output timeout, all output channels are blocked\n");
 	});
 

userspace/falco/falco_outputs.h

@@ -47,7 +47,7 @@ public:
 		uint32_t timeout,
 		bool buffered,
 		bool time_format_iso_8601,
-		std::string hostname);
+		const std::string& hostname);
 
 	virtual ~falco_outputs();
 

userspace/falco/grpc_server.cpp

@@ -128,12 +128,12 @@ void falco::grpc::server::thread_process(int thread_index)
 }
 
 void falco::grpc::server::init(
-	std::string server_addr,
+	const std::string& server_addr,
 	int threadiness,
-	std::string private_key,
-	std::string cert_chain,
-	std::string root_certs,
-	std::string log_level)
+	const std::string& private_key,
+	const std::string& cert_chain,
+	const std::string& root_certs,
+	const std::string& log_level)
 {
 	m_server_addr = server_addr;
 	m_threadiness = threadiness;

userspace/falco/grpc_server.h

@@ -33,12 +33,12 @@ public:
 	virtual ~server() = default;
 
 	void init(
-		std::string server_addr,
+		const std::string& server_addr,
 		int threadiness,
-		std::string private_key,
-		std::string cert_chain,
-		std::string root_certs,
-		std::string log_level
+		const std::string& private_key,
+		const std::string& cert_chain,
+		const std::string& root_certs,
+		const std::string& log_level
 	);
 	void thread_process(int thread_index);
 	void run();

userspace/falco/outputs.h

@@ -63,7 +63,7 @@ class abstract_output
 public:
 	virtual ~abstract_output() {}
 
-	void init(config oc, bool buffered, std::string hostname, bool json_output)
+	void init(const config& oc, bool buffered, const std::string& hostname, bool json_output)
 	{
 		m_oc = oc;
 		m_buffered = buffered;

userspace/falco/semaphore.h

@@ -0,0 +1,62 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <mutex>
+#include <condition_variable>
+
+namespace falco
+{
+    /**
+     * @brief A simple semaphore implementation. Unfortunately, a standard
+     * semaphore is only available since C++20, which currently we don't target.
+     */
+    class semaphore
+    {
+    public:
+        /**
+         * @brief Creates a semaphore with the given initial counter value
+         */
+        semaphore(int c = 0): count(c) {}
+
+        /**
+         * @brief Increments the internal counter and unblocks acquirers
+         */
+        inline void release()
+        {
+            std::unique_lock<std::mutex> lock(mtx);
+            count++;
+            cv.notify_one();
+        }
+
+        /**
+         * @brief Decrements the internal counter or blocks until it can
+         */
+        inline void acquire()
+        {
+            std::unique_lock<std::mutex> lock(mtx);
+            while (count == 0)
+            {
+                cv.wait(lock);
+            }
+            count--;
+        }
+
+    private:
+        std::mutex mtx;
+        std::condition_variable cv;
+        int count;
+    };
+};

userspace/falco/verify_engine_fields.sh

@@ -4,7 +4,7 @@ set -euo pipefail
 
 SOURCE_DIR=$1
 
-NEW_CHECKSUM=$(./falco -c ${SOURCE_DIR}/falco.yaml --list -N | sha256sum | awk '{print $1}')
+NEW_CHECKSUM=$(./falco -c ${SOURCE_DIR}/falco.yaml --list=syscall -N | sha256sum | awk '{print $1}')
 CUR_CHECKSUM=$(grep FALCO_FIELDS_CHECKSUM "${SOURCE_DIR}/userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
 
 if [ "$NEW_CHECKSUM" != "$CUR_CHECKSUM" ]; then

userspace/falco/webserver.h

@@ -16,6 +16,7 @@ limitations under the License.
 #pragma once
 
 #define CPPHTTPLIB_OPENSSL_SUPPORT
+#define CPPHTTPLIB_ZLIB_SUPPORT
 #include <httplib.h>
 #include <thread>
 #include "configuration.h"