executable hashing integration in falco.yaml.

Signed-off-by: Loris Degioanni <loris@sysdig.com>

.circleci/config.yml

@@ -67,7 +67,7 @@ jobs:
           command: |
             mkdir -p /build-static/release
             cd /build-static/release
-            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
+            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
       - run:
           name: Build
           command: |
@@ -555,7 +555,7 @@ jobs:
           name: Build and publish no-driver
           command: |
             cd /source/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${CIRCLE_TAG} \
+            docker buildx build --push --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} \
               -t "falcosecurity/falco-no-driver:x86_64-${CIRCLE_TAG}" \
               -t falcosecurity/falco-no-driver:x86_64-latest \
               -t "falcosecurity/falco:x86_64-${CIRCLE_TAG}-slim" \
@@ -569,7 +569,7 @@ jobs:
           name: Build and publish falco
           command: |
             cd /source/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${CIRCLE_TAG} \
+            docker buildx build --push --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} \
               -t "falcosecurity/falco:x86_64-${CIRCLE_TAG}" \
               -t "falcosecurity/falco:x86_64-latest" \
               -t "public.ecr.aws/falcosecurity/falco:x86_64-${CIRCLE_TAG}" \
@@ -624,7 +624,7 @@ jobs:
           name: Build and publish falco
           command: |
             cd /tmp/source-arm64/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${CIRCLE_TAG} \
+            docker buildx build --push --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} \
               -t "falcosecurity/falco:aarch64-${CIRCLE_TAG}" \
               -t "falcosecurity/falco:aarch64-latest" \
               -t "public.ecr.aws/falcosecurity/falco:aarch64-${CIRCLE_TAG}" \

ADOPTERS.md

@@ -39,7 +39,7 @@ This is a list of production adopters of Falco (in alphabetical order):
 * [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
   * https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/
 
-* [MathWorks](https://mathworks.com) - MathWorks develops mathematical computing software for engineers and scientists. MathWorks uses Falco for Kubernetes threat detection, unexpected application behavior, and maps Falco rules to their cloud infrastructure's security kill chain model. MathWorks presented their Falco use case at [KubeCon + CloudNativeCon North America 2020](https://www.youtube.com/watch?v=L-5RYBTV010).  
+* [MathWorks](https://mathworks.com) - MathWorks develops mathematical computing software for engineers and scientists. MathWorks uses Falco for Kubernetes threat detection, unexpected application behavior, and maps Falco rules to their cloud infrastructure's security kill chain model. MathWorks presented their Falco use case at [KubeCon + CloudNativeCon North America 2020](https://www.youtube.com/watch?v=L-5RYBTV010).
 
 * [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.
 
@@ -70,6 +70,8 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call driver. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
 
+* [Xenit AB](https://xenit.se/contact/) Xenit is a growth company with services within cloud and digital transformation. We provide an open-source Kubernetes framework that we leverage to help our customers get their applications to production as quickly and as securely as possible. We use Falco's detection capabilities to identify anomalous behaviour within our clusters in both Azure and AWS.
+
 ## Projects that use Falco libs
 
 * [R6/Phoenix](https://r6security.com/) is an attack surface protection company that uses moving target defense to provide fully automated, proactive and devops friendly security to its customers. There are a set of policies you can add to enable the moving target defense capabilities. Some of them are triggered by a combination of Falco's findings. You can kill, restart and rename pods according to the ever changing policies.

CHANGELOG.md

@@ -1,5 +1,14 @@
 # Change Log
 
+## v0.33.1
+
+Released on 2022-11-24
+
+### Minor Changes
+
+* update(falco): fix container-gvisor and kubernetes-gvisor print options [[#2288](https://github.com/falcosecurity/falco/pull/2288)]
+* Update libs to 0.9.2, fixing potential CLBO on gVisor+Kubernetes and crash with eBPF when some CPUs are offline [[#2299](https://github.com/falcosecurity/falco/pull/2299)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
 ## v0.33.0
 
 Released on 2022-10-19

CMakeLists.txt

@@ -181,9 +181,6 @@ include(cxxopts)
 # One TBB
 include(tbb)
 
-#string-view-lite
-include(DownloadStringViewLite)
-
 if(NOT MINIMAL_BUILD)
   include(zlib)
   include(cares)

RELEASE.md

@@ -1,18 +1,77 @@
 # Falco Release Process
 
-Our release process is mostly automated, but we still need some manual steps to initiate and complete it.
 
-Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
+## Overview
+
+This document provides the process to create a new Falco release. In addition, it provides information about the versioning of the Falco components. At a high level each Falco release consists of the following main components:
+
+- Falco binary (userspace)
+- Falco kernel driver object files (kernel space)
+    - Option 1: Kernel module (`.ko` files)
+    - Option 2: eBPF (`.o` files)
+- Falco config and primary rules `.yaml` files (userspace)
+- Falco plugins (userspace - optional)
+
+One nice trait about releasing separate artifacts for userspace and kernel space is that Falco is amenable to supporting a large array of environments, that is, multiple kernel versions, distros and architectures (see `libs` [driver - kernel version support matrix](https://github.com/falcosecurity/libs#drivers-officially-supported-architectures)). The Falco project manages the release of both the Falco userspace binary and pre-compiled Falco kernel drivers for the most popular kernel versions and distros. The build and publish process is managed by the [test-infra](https://github.com/falcosecurity/test-infra) repo. The Falco userspace executable includes bundled dependencies, so that it can be run from anywhere.
+
+The Falco project also publishes all sources for each component. In fact, sources are included in the Falco release in the same way as some plugins (k8saudit and cloudtrail) as well as the rules that are shipped together with Falco. This empowers the end user to audit the integrity of the project as well as build kernel drivers for custom kernels or not officially supported kernels / distros (see [driverkit](https://github.com/falcosecurity/driverkit) for more information). While the Falco project is deeply embedded into an ecosystem of supporting [Falco sub-projects](https://github.com/falcosecurity/evolution) that aim to make the deployment of Falco easy, user-friendly, extendible and cloud-native, core Falco is split across two repos, [falco](https://github.com/falcosecurity/falco) (this repo) and [libs](https://github.com/falcosecurity/libs). The `libs` repo contains >90% of Falco's core features and is the home of each of the kernel drivers and engines. More details are provided in the [Falco Components Versioning](#falco-components-versioning) section.
+
+Finally, the release process follows a transparent process described in more detail in the following sections and the official [Falco docs](https://falco.org/) contain rich information around building, installing and using Falco.
+
+
+### Falco Binaries, Rules and Sources Artifacts - Quick Links
+
+The Falco project publishes all sources and the Falco userspace binaries as GitHub releases. Rules are also released in the GitHub tree Falco release tag.
+
+- [Falco Releases](https://github.com/falcosecurity/falco/releases)
+    - `tgz`, `rpm` and `deb` Falco binary packages (contains sources, including driver sources, Falco rules as well as k8saudit and cloudtrail plugins)
+    - `tgz`, `zip` source code
+- [Libs Releases](https://github.com/falcosecurity/libs/releases)
+    - `tgz`, `zip` source code
+- Falco Rules (GitHub tree approach)
+    - RELEASE="x.y.z", `https://github.com/falcosecurity/falco/tree/${RELEASE}/rules`
+
+
+Alternatively Falco binaries or plugins can be downloaded from the Falco Artifacts repo.
+
+- [Falco Artifacts Repo Packages Root](https://download.falco.org/?prefix=packages/)
+- [Falco Artifacts Repo Plugins Root](https://download.falco.org/?prefix=plugins/)
+
+
+### Falco Drivers Artifacts Repo - Quick Links
+
+
+The Falco project publishes all drivers for each release for all popular kernel versions / distros and `x86_64` and `aarch64` architectures to the Falco project managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - `$(uname -r)`. Pre-compiled drivers are released with a [best effort](https://github.com/falcosecurity/falco/blob/master/proposals/20200818-artifacts-storage.md#notice) notice. This is because gcc (`kmod`) and clang (`bpf`) compilers or for example the eBPF verifier are not perfect. More details around driver versioning and driver compatibility are provided in the [Falco Components Versioning](#falco-components-versioning) section. Short preview: If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with.
+
+- [Falco Artifacts Repo Drivers Root](https://download.falco.org/?prefix=driver/)
+    - Option 1: Kernel module (`.ko` files) - all under same driver version directory
+    - Option 2: eBPF (`.o` files) - all under same driver version directory
+
+
+### Timeline
 
 Falco releases are due to happen 3 times per year. Our current schedule sees a new release by the end of January, May, and September each year. Hotfix releases can happen whenever it's needed.
 
+Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
+
+
+### Procedures
+
+The release process is mostly automated requiring only a few manual steps to initiate and complete it.
+
 Moreover, we need to assign owners for each release (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community).
 
+At a high level each Falco release needs to follow a pre-determined sequencing of releases and build order:
+
+- [1 - 3] `libs` (+ `driver`) and `plugins` components releases
+- [4] Falco driver pre-compiled object files push to Falco's Artifacts repo
+- [5] Falco userspace binary + rules release
+
 Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
 
 ## Pre-Release Checklist
 
-Before cutting a release we need to do some homework in the Falco repository. This should take 5 minutes using the GitHub UI.
+Prior to cutting a release the following preparatory steps should take 5 minutes using the GitHub UI.
 
 ### 1. Release notes
 - Find the previous release date (`YYYY-MM-DD`) by looking at the [Falco releases](https://github.com/falcosecurity/falco/releases)
@@ -121,3 +180,39 @@ Announce the new release to the world!
 - Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
 - Let folks in the slack #falco channel know about a new release came out
 - IFF the on going release introduces a **new minor version**, [archive a snapshot of the Falco website](https://github.com/falcosecurity/falco-website/blob/master/release.md#documentation-versioning)
+
+
+## Falco Components Versioning
+
+This section provides more details around the versioning of all components that make up core Falco. It can also be a useful guide for the uninitiated to be more informed about Falco's source. Because the `libs` repo contains >90% of Falco's core features and is the home of each of the kernel drivers and engines, the [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) is an excellent additional resource. In addition, the [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) provides similar details around Falco's plugins. `SHA256` checksums are provided throughout Falco's source code to empower the end user to perform integrity checks. All Falco releases also contain the sources as part of the packages.
+
+
+### Falco repo (this repo)
+- Falco version is a git tag (`x.y.z`), see [Procedures](#procedures) section. Note that the Falco version is a sem-ver-like schema, but not fully compatible with sem-ver.
+- [FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/userspace/engine/falco_engine_version.h) is not sem-ver and must be bumped either when a backward incompatible change has been introduced to the rules files syntax or `falco --list -N | sha256sum` has changed. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. The primary idea behind the hash is that when new filter / display fields (see currently supported [Falco fields](https://falco.org/docs/rules/supported-fields/)) are introduced a version bump indicates that this field was not available in previous engine versions. In case a new Falco rule uses new fields, the [Falco rules](https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml) file needs to bump this version as well via setting `required_engine_version` to the new version.
+- During development and release preparation, libs and driver reference commits are often bumped in Falco's cmake setup ([falcosecurity-libs cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/falcosecurity-libs.cmake#L30) and [driver cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/driver.cmake#L29)) in order to merge new Falco features. In practice they are mostly bumped at the same time referencing the same `libs` commit. However, for the official Falco build `FALCOSECURITY_LIBS_VERSION` flag that references the stable Libs version is used (read below).
+- Similarly, Falco plugins versions are bumped in Falco's cmake setup ([plugins cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/plugins.cmake)) and those versions are the ones used for the Falco release.
+- At release time Plugin, Libs and Driver versions are compatible with Falco.
+- If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with (read more below under Libs).
+
+
+```
+Falco version: x.y.z (sem-ver like)
+Libs version:  x.y.z (sem-ver like)
+Plugin API:    x.y.z (sem-ver like)
+Driver:
+  API version:    x.y.z (sem-ver)
+  Schema version: x.y.z (sem-ver)
+  Default driver: x.y.z+driver (sem-ver like, indirectly encodes compatibility range in addition to default version Falco is shipped with)
+```
+
+
+### Libs repo
+- Libs version is a git tag (`x.y.z`) and when building Falco the libs version is set via the `FALCOSECURITY_LIBS_VERSION` flag (see above).
+- Driver version in and of itself is not directly tied to the Falco binary as opposed to the libs version being part of the source code used to compile Falco's userspace binary. This is because of the strict separation between userspace and kernel space artifacts, so things become a bit more interesting here. This is why the concept of a `Default driver` has been introduced to still implicitly declare the compatible driver versions. For example, if the default driver version is `2.0.0+driver`, Falco works with all driver versions >= 2.0.0 and < 3.0.0. This is a consequence of how the driver version is constructed starting from the `Driver API version` and `Driver Schema version`. Driver API and Schema versions are explained in the respective [libs driver doc](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md) -> Falco's `driver-loader` will always fetch the default driver, therefore a Falco release is always "shipped" with the driver version corresponding to the default driver.
+- See [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) for more information.
+
+### Plugins repo
+
+- Plugins version is a git tag (`x.y.z`)
+- See [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) for more information.

cmake/modules/DownloadStringViewLite.cmake

@@ -1,30 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-include(ExternalProject)
-
-set(STRING_VIEW_LITE_PREFIX ${CMAKE_BINARY_DIR}/string-view-lite-prefix)
-set(STRING_VIEW_LITE_INCLUDE ${STRING_VIEW_LITE_PREFIX}/include)
-message(STATUS "Using bundled string-view-lite in ${STRING_VIEW_LITE_INCLUDE}")
-
-ExternalProject_Add(
-  string-view-lite
-  PREFIX ${STRING_VIEW_LITE_PREFIX}
-  GIT_REPOSITORY "https://github.com/martinmoene/string-view-lite.git"
-  GIT_TAG "v1.4.0"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  UPDATE_COMMAND ""
-  INSTALL_COMMAND
-    ${CMAKE_COMMAND} -E copy ${STRING_VIEW_LITE_PREFIX}/src/string-view-lite/include/nonstd/string_view.hpp
-    ${STRING_VIEW_LITE_INCLUDE}/nonstd/string_view.hpp)

cmake/modules/driver.cmake

@@ -26,8 +26,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "3.0.1+driver")
-    set(DRIVER_CHECKSUM "SHA256=f50003043c804aa21990560de02db42e203ee09d050112a4a5dd2b05f22a8a6c")
+    set(DRIVER_VERSION "dd443b67c6b04464cb8ee2771af8ada8777e7fac")
+    set(DRIVER_CHECKSUM "SHA256=df373099d0f4cd4417a0103bb57f26c7412ffa86cde2bb2d579c6feba841626d")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/falcosecurity-libs.cmake

@@ -27,8 +27,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "0.9.0")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=5319a1b6a72eba3d9524cf084be5fc2ed81e3e90b3bee8edbe58b8646af0cbcb")
+    set(FALCOSECURITY_LIBS_VERSION "dd443b67c6b04464cb8ee2771af8ada8777e7fac")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=df373099d0f4cd4417a0103bb57f26c7412ffa86cde2bb2d579c6feba841626d")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

docker/builder/Dockerfile

@@ -22,7 +22,7 @@ ENV CMAKE_VERSION=${CMAKE_VERSION}
 
 # build toolchain
 RUN yum -y install centos-release-scl && \
-    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel llvm-toolset-7.0 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel rpm-build libyaml-devel" && \
+    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel llvm-toolset-7.0 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel rpm-build libyaml-devel" && \
     yum -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
     rpm -V $INSTALL_PKGS
 

falco.yaml

@@ -63,6 +63,16 @@ plugins:
 # load_plugins: [cloudtrail, json]
 load_plugins: []
 
+#
+# Enabling hashing instructs Falco to generate checksums of executable files,
+# which is used by malware detection rules.
+# Hashing can require substantial resources when many different files are executed, so
+# keep this disabled if performance is an issue.
+#
+hash_executables: false
+#hashing_checksum_files:
+#  - /etc/falco/malware_signatures.txt
+
 # Watch config file and rules files for modification.
 # When a file is modified, Falco will propagate new config,
 # by reloading itself.

scripts/falco-driver-loader

@@ -114,8 +114,7 @@ get_target_id() {
 		# Older CentOS distros
 		OS_ID=centos
 	else
-		>&2 echo "Detected an unsupported target system, please get in touch with the Falco community"
-		exit 1
+		return 1
 	fi
 
 	# Overwrite the OS_ID if /etc/VERSION file is present.
@@ -164,6 +163,7 @@ get_target_id() {
 		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
 		;;
 	esac
+	return 0
 }
 
 flatcar_relocate_tools() {
@@ -253,8 +253,6 @@ load_kernel_module_compile() {
 }
 
 load_kernel_module_download() {
-	get_target_id
-
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
 	local URL=$(echo "${1}/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
 
@@ -374,8 +372,6 @@ load_kernel_module() {
 
 	echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"
 
-	get_target_id
-
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
 	echo "* Filename '${FALCO_KERNEL_MODULE_FILENAME}' is composed of:"
 	print_filename_components
@@ -544,8 +540,6 @@ load_bpf_probe() {
 		mount -t debugfs nodev /sys/kernel/debug
 	fi
 
-	get_target_id
-
 	BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
 	echo "* Filename '${BPF_PROBE_FILENAME}' is composed of:"
 	print_filename_components
@@ -638,6 +632,8 @@ DRIVER_VERSION=${DRIVER_VERSION:-"@DRIVER_VERSION@"}
 DRIVER_NAME=${DRIVER_NAME:-"@DRIVER_NAME@"}
 FALCO_VERSION="@FALCO_VERSION@"
 
+TARGET_ID="placeholder" # when no target id can be fetched, we try to build the driver from source anyway, using a placeholder name
+
 DRIVER="module"
 if [ -v FALCO_BPF_PROBE ]; then
 	DRIVER="bpf"
@@ -711,6 +707,18 @@ if [ -z "$source_only" ]; then
 		exit 1
 	fi
 
+	get_target_id
+	res=$?
+	if [ $res != 0 ]; then
+		if [ -n "$ENABLE_COMPILE" ]; then
+			ENABLE_DOWNLOAD=
+			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community. Trying to compile anyway."
+		else
+			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community."
+			exit 1
+		fi
+	fi
+
 	if [ -n "$clean" ]; then
 		if [ -n "$has_opts" ]; then
 			>&2 echo "Cannot use --clean with other options"

tests/engine/test_falco_utils.cpp

@@ -14,7 +14,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 #include "falco_utils.h"
-#include <nonstd/string_view.hpp>
 #include <catch.hpp>
 
 TEST_CASE("is_unix_scheme matches", "[utils]")

userspace/engine/CMakeLists.txt

@@ -28,7 +28,6 @@ set(FALCO_ENGINE_SOURCE_FILES
     rule_loader_compiler.cpp)
 
 add_library(falco_engine STATIC ${FALCO_ENGINE_SOURCE_FILES})
-add_dependencies(falco_engine njson string-view-lite)
 
 if(USE_BUNDLED_DEPS)
   add_dependencies(falco_engine yamlcpp)
@@ -40,7 +39,6 @@ if(MINIMAL_BUILD)
     PUBLIC
       "${NJSON_INCLUDE}"
       "${TBB_INCLUDE_DIR}"
-      "${STRING_VIEW_LITE_INCLUDE}"
       "${LIBSCAP_INCLUDE_DIRS}"
       "${LIBSINSP_INCLUDE_DIRS}"
       "${YAMLCPP_INCLUDE_DIR}"
@@ -51,7 +49,6 @@ else()
     PUBLIC
       "${NJSON_INCLUDE}"
       "${TBB_INCLUDE_DIR}"
-      "${STRING_VIEW_LITE_INCLUDE}"
       "${LIBSCAP_INCLUDE_DIRS}"
       "${LIBSINSP_INCLUDE_DIRS}"
       "${YAMLCPP_INCLUDE_DIR}"

userspace/engine/falco_engine.cpp

@@ -237,7 +237,7 @@ std::unique_ptr<load_result> falco_engine::load_rules_file(const string &rules_f
 
 		res->add_error(load_result::LOAD_ERR_FILE_READ, e.what(), ctx);
 
-		return std::move(res);
+		return res;
 	}
 
 	return load_rules(rules_content, rules_filename);
@@ -346,6 +346,11 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t so
 
 	if(source_idx == m_syscall_source_idx)
 	{
+		if(m_syscall_source == NULL)
+		{
+			m_syscall_source = find_source(m_syscall_source_idx);
+		}
+
 		source = m_syscall_source;
 	}
 	else
@@ -387,7 +392,6 @@ std::size_t falco_engine::add_source(const std::string &source,
 	if(source == falco_common::syscall_source)
 	{
 		m_syscall_source_idx = idx;
-		m_syscall_source = find_source(m_syscall_source_idx);
 	}
 
 	return idx;

userspace/engine/falco_engine_version.h

@@ -21,4 +21,4 @@ limitations under the License.
 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of Falco. It's used
 // at build time to detect a changed set of fields.
-#define FALCO_FIELDS_CHECKSUM "674c6cf2bc1c105038c8676f018fa3d1431d86597df428453441f5d859cad284"
+#define FALCO_FIELDS_CHECKSUM "7295abed12ed0f2fba58b10a383fbefb67741ef24d493233e056296350f1f288"

userspace/engine/falco_utils.cpp

@@ -20,6 +20,7 @@ limitations under the License.
 #include <iomanip>
 
 #include "falco_utils.h"
+#include "utils.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 
 namespace falco
@@ -75,9 +76,9 @@ void readfile(const std::string& filename, std::string& data)
 }
 namespace network
 {
-bool is_unix_scheme(nonstd::string_view url)
+bool is_unix_scheme(const std::string& url)
 {
-	return url.starts_with(UNIX_SCHEME);
+	return sinsp_utils::startswith(url, UNIX_SCHEME);
 }
 } // namespace network
 } // namespace utils

userspace/engine/falco_utils.h

@@ -24,7 +24,6 @@ limitations under the License.
 #include <iostream>
 #include <string>
 #include <thread>
-#include <nonstd/string_view.hpp>
 
 #ifdef __GNUC__
 #define likely(x) __builtin_expect(!!(x), 1)
@@ -49,7 +48,7 @@ uint32_t hardware_concurrency();
 namespace network
 {
 static const std::string UNIX_SCHEME("unix://");
-bool is_unix_scheme(nonstd::string_view url);
+bool is_unix_scheme(const std::string& url);
 } // namespace network
 } // namespace utils
 } // namespace falco

userspace/falco/CMakeLists.txt

@@ -62,7 +62,6 @@ set(
   "${PROJECT_SOURCE_DIR}/userspace/engine"
   "${PROJECT_BINARY_DIR}/userspace/falco"
   "${PROJECT_BINARY_DIR}/driver/src"
-  "${STRING_VIEW_LITE_INCLUDE}"
   "${CXXOPTS_INCLUDE_DIR}"
   "${YAMLCPP_INCLUDE_DIR}"
   "${CMAKE_CURRENT_BINARY_DIR}"
@@ -73,7 +72,6 @@ list(APPEND FALCO_INCLUDE_DIRECTORIES "${FALCO_EXTRA_INCLUDE_DIRS}")
 
 set(
   FALCO_DEPENDENCIES
-  string-view-lite
   b64
   cxxopts
 )

userspace/falco/app_actions/compute_syscall_buffer_size.cpp

@@ -28,7 +28,7 @@ application::run_result application::configure_syscall_buffer_size()
 	/* We don't need to compute the syscall buffer dimension if we are in capture mode or if the
 	 * the syscall source is not enabled.
 	 */
-	if(is_capture_mode() || m_state->enabled_sources.find(falco_common::syscall_source) == m_state->enabled_sources.end())
+	if(is_capture_mode() || m_state->enabled_sources.find(falco_common::syscall_source) == m_state->enabled_sources.end() || is_gvisor_enabled())
 	{
 		return run_result::ok();
 	}

userspace/falco/app_actions/init_falco_engine.cpp

@@ -29,11 +29,21 @@ void application::configure_output_format()
 		output_format = "container=%container.name (id=%container.id)";
 		replace_container_info = true;
 	}
+	else if(m_options.print_additional == "cg" || m_options.print_additional == "container-gvisor")
+	{
+		output_format = "container=%container.name (id=%container.id) vpid=%proc.vpid vtid=%thread.vtid";
+		replace_container_info = true;
+	}
 	else if(m_options.print_additional == "k" || m_options.print_additional == "kubernetes")
 	{
 		output_format = "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name container=%container.id";
 		replace_container_info = true;
 	}
+	else if(m_options.print_additional == "kg" || m_options.print_additional == "kubernetes-gvisor")
+	{
+		output_format = "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name container=%container.id vpid=%proc.vpid vtid=%thread.vtid";
+		replace_container_info = true;
+	}
 	else if(m_options.print_additional == "m" || m_options.print_additional == "mesos")
 	{
 		output_format = "task=%mesos.task.name container=%container.id";
@@ -44,11 +54,6 @@ void application::configure_output_format()
 		output_format = m_options.print_additional;
 		replace_container_info = false;
 	}
-	else if(m_options.gvisor_config != "")
-	{
-		output_format = "container=%container.name (id=%container.id) vpid=%proc.vpid vtid=%thread.vtid";
-		replace_container_info = true;
-	}
 
 	if(!output_format.empty())
 	{

userspace/falco/app_actions/init_inspectors.cpp

@@ -51,6 +51,11 @@ void application::init_syscall_inspector(
 		configure_interesting_sets();
 	}
 
+	if(m_state->config->m_hash_executables)
+	{
+		inspector->set_exec_hashing(true, m_state->config->m_hashing_checksum_files);
+	}
+
 	inspector->set_hostname_and_port_resolution_mode(false);
 }
 

userspace/falco/configuration.cpp

@@ -57,6 +57,7 @@ falco_configuration::falco_configuration():
 	m_metadata_download_chunk_wait_us(1000),
 	m_metadata_download_watch_freq_sec(1),
 	m_syscall_buf_size_preset(4),
+	m_hash_executables(false),
 	m_config(NULL)
 {
 }
@@ -338,6 +339,19 @@ void falco_configuration::init(const string& conf_filename, const vector<string>
 	}
 
 	m_watch_config_files = m_config->get_scalar<bool>("watch_config_files", true);
+
+	m_hash_executables = m_config->get_scalar<bool>("hash_executables", false);
+	m_config->get_sequence<vector<string>>(m_hashing_checksum_files, string("hashing_checksum_files"));
+	for(auto fname : m_hashing_checksum_files)
+	{
+		ifstream fs(fname);
+		if(!fs.good())
+		{
+			throw invalid_argument("Error reading config file(" + m_config_file + "): hashing file " + fname + " doesn not exist");
+		}
+		fs.close();
+	}
+
 }
 
 void falco_configuration::read_rules_file_directory(const string &path, list<string> &rules_filenames, list<string> &rules_folders)

userspace/falco/configuration.h

@@ -274,6 +274,9 @@ public:
 
 	std::vector<plugin_config> m_plugins;
 
+	bool m_hash_executables;
+	std::vector<string> m_hashing_checksum_files;
+
 private:
 	void init_cmdline_options(const std::vector<std::string>& cmdline_options);
 
@@ -400,7 +403,8 @@ namespace YAML {
 
 			if(node["open_params"] && !node["open_params"].IsNull())
 			{
-				rhs.m_open_params = node["open_params"].as<std::string>();
+				string open_params = node["open_params"].as<std::string>();
+				rhs.m_open_params = trim(open_params);
 			}
 
 			return true;

userspace/falco/verify_engine_fields.sh

@@ -4,7 +4,7 @@ set -euo pipefail
 
 SOURCE_DIR=$1
 
-NEW_CHECKSUM=$(./falco -c ${SOURCE_DIR}/falco.yaml --list -N | sha256sum | awk '{print $1}')
+NEW_CHECKSUM=$(./falco -c ${SOURCE_DIR}/falco.yaml --list=syscall -N | sha256sum | awk '{print $1}')
 CUR_CHECKSUM=$(grep FALCO_FIELDS_CHECKSUM "${SOURCE_DIR}/userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
 
 if [ "$NEW_CHECKSUM" != "$CUR_CHECKSUM" ]; then