fix(userspace/falco): correct default duration calculation

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

cmake/modules/CompilerFlags.cmake

@@ -59,10 +59,6 @@ if(NOT MSVC)
 	if(USE_ASAN)
 		set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fsanitize=address")
 	endif()
-	# todo(leogr): this should be passed down to libs cmake modules RTLD_DEEPBIND flag is
-	# incompatible with sanitizer runtime (see https://github.com/google/sanitizers/issues/611 for
-	# details)
-	add_compile_definitions(DISABLE_RTLD_DEEPBIND=$<IF:$<BOOL:${USE_ASAN}>,1,0>)
 
 	if(USE_UBSAN)
 		set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fsanitize=undefined")

cmake/modules/driver.cmake

@@ -35,9 +35,9 @@ else()
 	# FALCOSECURITY_LIBS_VERSION. In case you want to test against another driver version (or
 	# branch, or commit) just pass the variable - ie., `cmake -DDRIVER_VERSION=dev ..`
 	if(NOT DRIVER_VERSION)
-		set(DRIVER_VERSION "1de61cd2b7abcfbb492b5da7fbeaef5b0a5c0f20")
+		set(DRIVER_VERSION "9.0.0+driver")
 		set(DRIVER_CHECKSUM
-			"SHA256=fe98c0343954a7789c6cef692480905a60d943de657385d109b537e23689146e"
+			"SHA256=ef563fe19f9cdbdfcf17cee3e83c79e8387b78a87e0593eb3e2787c9b8540113"
 		)
 	endif()
 

cmake/modules/falcosecurity-libs.cmake

@@ -42,9 +42,9 @@ else()
 	# version (or branch, or commit) just pass the variable - ie., `cmake
 	# -DFALCOSECURITY_LIBS_VERSION=dev ..`
 	if(NOT FALCOSECURITY_LIBS_VERSION)
-		set(FALCOSECURITY_LIBS_VERSION "1de61cd2b7abcfbb492b5da7fbeaef5b0a5c0f20")
+		set(FALCOSECURITY_LIBS_VERSION "0.22.1")
 		set(FALCOSECURITY_LIBS_CHECKSUM
-			"SHA256=fe98c0343954a7789c6cef692480905a60d943de657385d109b537e23689146e"
+			"SHA256=12fe0a85c77eecda8b3cd8e192fe4c0dde37e4d9b938d27e9d3433728beca67b"
 		)
 	endif()
 

cmake/modules/rules.cmake

@@ -18,9 +18,9 @@ include(ExternalProject)
 
 if(NOT DEFINED FALCOSECURITY_RULES_FALCO_PATH)
 	# falco_rules.yaml
-	set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-5.0.0-rc1")
+	set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-5.0.0")
 	set(FALCOSECURITY_RULES_FALCO_CHECKSUM
-		"SHA256=0dd309a8d6ef2e98600da117a958c399d8c682ca7b27883528ccf5ed39867545"
+		"SHA256=ca87d972e102a9f960fed41f90d2736a73079fcc7e787187028f455ad58b1637"
 	)
 	set(FALCOSECURITY_RULES_FALCO_PATH
 		"${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml"

scripts/falcoctl/falcoctl.yaml.in

@@ -10,7 +10,7 @@ artifact:
     every: 6h0m0s
     falcoVersions: http://localhost:8765/versions
     refs:
-    - falco-rules:4
+    - falco-rules:5
 indexes:
 - name: falcosecurity
   url: https://falcosecurity.github.io/falcoctl/index.yaml

userspace/engine/falco_engine_version.h

@@ -36,4 +36,4 @@ limitations under the License.
 // It represents the fields supported by this version of Falco,
 // the event types, and the underlying driverevent schema. It's used to
 // detetect changes in engine version in our CI jobs.
-#define FALCO_ENGINE_CHECKSUM "a9787fa5f87bfec984774540fa9c0282c06ea04696625c3a90898bb108c5cb16"
+#define FALCO_ENGINE_CHECKSUM "fc2c6a925b4f7d59efd79f752ff5db2460e778ec00788213c5b7292e0a80586f"

userspace/falco/app/actions/process_events.cpp

@@ -320,9 +320,16 @@ static falco::app::run_result do_inspect(
 					if(capture_mode_t::RULES == s.config->m_capture_mode && rule_res.capture) {
 						capture = true;
 					}
-					// Extend deadline if defined by the rule
-					if((rule_res.capture_duration_ns + ev->get_ts()) > dump_deadline_ts) {
-						dump_deadline_ts = ev->get_ts() + rule_res.capture_duration_ns;
+					// Compute the capture deadline for this event,
+					// based on the rule’s duration or the default one if unspecified
+					auto evt_deadline_ts =
+					        ev->get_ts() + (rule_res.capture_duration_ns > 0
+					                                ? rule_res.capture_duration_ns
+					                                : s.config->m_capture_default_duration_ns);
+					// Update the capture deadline if this event needs to extend it beyond the
+					// current deadline or if no deadline is currently set
+					if(evt_deadline_ts > dump_deadline_ts) {
+						dump_deadline_ts = evt_deadline_ts;
 					}
 				}
 			}
@@ -336,10 +343,6 @@ static falco::app::run_result do_inspect(
 				                                     ev->get_num()),
 				             true);  // Enable compression
 				dump_started_ts = ev->get_ts();
-				// If no rule has set a deadline, use the default one
-				if(dump_deadline_ts == 0) {
-					dump_deadline_ts = dump_started_ts + s.config->m_capture_default_duration_ns;
-				}
 			}
 		}