new(docker): introduce a new development docker image

Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>

CMakeLists.txt

@@ -233,3 +233,5 @@ endif()
 
 # Packages configuration
 include(CPackConfig)
+
+add_subdirectory(docker/dev)

cmake/cpack/CMakeCPackOptions.cmake

@@ -1,10 +1,13 @@
-if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
+if(CPACK_GENERATOR MATCHES "DEB")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-plugin.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+endif()
+
+if(CPACK_GENERATOR MATCHES "RPM")
+	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 
 if(CPACK_GENERATOR MATCHES "TGZ")

cmake/modules/driver.cmake

@@ -26,8 +26,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "bb9702d5d3d3358804b1d483e7648dc55a2b7826")
-    set(DRIVER_CHECKSUM "SHA256=447aa085ccedcd649e91f68aefff13d4ca2a9ddc0faa5c4e30dd76d45ae47267")
+    set(DRIVER_VERSION "3.0.1+driver")
+    set(DRIVER_CHECKSUM "SHA256=f50003043c804aa21990560de02db42e203ee09d050112a4a5dd2b05f22a8a6c")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/falcosecurity-libs-repo/CMakeLists.txt

@@ -19,7 +19,7 @@ message(STATUS "Libs version: ${FALCOSECURITY_LIBS_VERSION}")
 
 ExternalProject_Add(
   falcosecurity-libs
-  URL "https://github.com/Andreagit97/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
+  URL "https://github.com/falcosecurity/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
   URL_HASH "${FALCOSECURITY_LIBS_CHECKSUM}"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""

cmake/modules/falcosecurity-libs.cmake

@@ -27,8 +27,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "bb9702d5d3d3358804b1d483e7648dc55a2b7826")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=447aa085ccedcd649e91f68aefff13d4ca2a9ddc0faa5c4e30dd76d45ae47267")
+    set(FALCOSECURITY_LIBS_VERSION "0.9.0")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=5319a1b6a72eba3d9524cf084be5fc2ed81e3e90b3bee8edbe58b8646af0cbcb")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

docker/README.md

@@ -13,5 +13,6 @@ This directory contains various ways to package Falco as a container and related
 | [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/getting-started/source/) for more details on building from source. Used to build Falco (CI). |
 | [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
 | _not to be published_ | docker/local | Built on-the-fly and used by falco-tester. |
+| _not to be published_ | docker/dev | Built on-the-fly to test local Falco development. |
 
-> Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
+> Note: `falco-builder`, `falco-tester`, `docker/local`, `docker/dev` images are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.

docker/dev/CMakeLists.txt

@@ -0,0 +1,20 @@
+# Build a docker container for local development
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+  set(DEV_DOCKER_CXT ${CMAKE_BINARY_DIR}/docker/dev-docker-ctx)
+
+  # This target prepares the `tar.gz` artifact that will be passed to the dockerfile.
+  add_custom_target(dev-docker-prepare
+    COMMAND mkdir -p ${DEV_DOCKER_CXT}
+    COMMAND "${CMAKE_COMMAND}" --build . --target package
+    COMMAND ${CMAKE_COMMAND} -E copy_if_different ${CMAKE_BINARY_DIR}/falco-${FALCO_VERSION}-${FALCO_TARGET_ARCH}.tar.gz ${DEV_DOCKER_CXT}/falco.tar.gz
+    DEPENDS falco
+  )
+
+  add_custom_target(dev-docker
+    COMMAND docker build
+      --tag falco-nodriver-dev
+      -f ${CMAKE_SOURCE_DIR}/docker/dev/nodriver.Dockerfile
+      ${DEV_DOCKER_CXT}
+    DEPENDS dev-docker-prepare
+  )
+endif()

docker/dev/README.md

@@ -0,0 +1,59 @@
+# Falco development image
+
+This docker image can be easily generated starting from a clean Falco build.
+
+## 1. Clone the Falco repo ⬇️
+
+```bash
+git clone https://github.com/falcosecurity/falco.git
+```
+
+## 2. Prepare the build directory 🏗️
+
+### `falco-runner-image` tag
+
+The CMake command that we will see in the next section builds Falco locally on your machine, and push it into a docker image, so as you may imagine the final image that will run Falco must have a similar `GLIBC` version to your local one. For this reason, you have to use docker tags.
+
+The `nodriver.Dockerfile` will use the `falco-runner-image` tag to build the final image as you can see here:
+
+```dockerfile
+FROM falco-runner-image AS runner
+
+...
+```
+
+For example, if I build Falco locally on a un `ubuntu:22-04` machine I will instruct docker to use `ubuntu:22-04` as a final running image.
+
+```bash
+docker tag ubuntu:22.04 falco-runner-image
+```
+
+In this way the `nodriver.Dockerfile` will use `ubuntu:22-04` during the building phase.
+
+### Cmake command
+
+Now that we set the `falco-runner-image` tag, we are ready to build our Falco image. Starting from the project root:
+
+```bash
+mkdir build && cd build
+cmake -DUSE_BUNDLED_DEPS=On -DCREATE_TEST_TARGETS=Off -DCPACK_GENERATOR=TGZ -DFALCO_ETC_DIR=/etc/falco ..
+make dev-docker
+```
+> __Please note__: These cmake options `-DUSE_BUNDLED_DEPS=On -DCREATE_TEST_TARGETS=Off -DCPACK_GENERATOR=TGZ -DFALCO_ETC_DIR=/etc/falco` are the required ones but you can provide additional options to build the image according to your needs (for example you can pass `-DMINIMAL_BUILD=On` if you want a minimal build image or `-DBUILD_FALCO_MODERN_BPF=ON` if you want to include the modern bpf probe inside the image)
+
+## 3. Run the docker image locally 🏎️
+
+```bash
+docker run --rm -i -t \
+           --privileged \
+           -v /var/run/docker.sock:/host/var/run/docker.sock \
+           -v /dev:/host/dev \
+           -v /proc:/host/proc:ro \
+           falco-nodriver-dev
+```
+
+If you change something in the Falco source code you can simply rebuild the image with:
+
+```bash
+make dev-docker
+```

docker/dev/nodriver.Dockerfile

@@ -0,0 +1,33 @@
+FROM ubuntu:22.04 AS builder
+
+COPY ./falco.tar.gz /
+
+WORKDIR /
+
+# 1. We remove the Falco directory with the name related to the version and the arch
+# 2. We remove the source folder
+# 3. We remove the `falco-driver-loader` binary
+RUN mkdir falco; \
+    tar -xzf falco.tar.gz -C falco --strip-component 1; \
+    rm -rf /falco/usr/src; \
+    rm /falco/usr/bin/falco-driver-loader
+
+# the time displayed in log messages and output messages will be in ISO 8601.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new; \
+    mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
+
+# Please note: it could be necessary to change this base image according
+# to the `glibc` version of the machine where you build the tar.gz package
+# use `docker tag ubuntu:22.04 falco-runner-image` for example
+FROM falco-runner-image AS runner
+
+LABEL name="falcosecurity/falco-nodriver-dev"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL usage="docker run -it --rm --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
+
+COPY --from=builder /falco /
+
+ENV HOST_ROOT /host
+ENV HOME /root
+
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/tester/Dockerfile

@@ -15,7 +15,7 @@ RUN if [ "$TARGETARCH" = "amd64" ] ; then curl -L -o grpcurl.tar.gz \
     https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_arm64.tar.gz; \
     fi;
 
-RUN dnf install -y python-pip python docker findutils jq unzip sed curl && dnf clean all
+RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
 ENV PATH="/root/.local/bin/:${PATH}"
 RUN pip install --user avocado-framework==69.0
 RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0

scripts/CMakeLists.txt

@@ -15,28 +15,26 @@
 # limitations under the License.
 #
 
-# Systemd
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
-		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
-		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-bpf.service"
-		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-modern-bpf.service"
-		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-plugin.service"
-		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
-
-# Debian
 configure_file(debian/postinst.in debian/postinst)
 configure_file(debian/postrm.in debian/postrm)
 configure_file(debian/prerm.in debian/prerm)
 
-# Rpm
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
+	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
+
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco_inject_kmod.service"
+	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
+
 configure_file(rpm/postinstall.in rpm/postinstall)
 configure_file(rpm/postuninstall.in rpm/postuninstall)
 configure_file(rpm/preuninstall.in rpm/preuninstall)
 
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
+	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
+
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco_inject_kmod.service"
+	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
+
 configure_file(falco-driver-loader falco-driver-loader @ONLY)
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")

scripts/debian/falco.service

@@ -1,14 +1,14 @@
 [Unit]
-Description=Falco: Container Native Runtime Security with plugin
+Description=Falco: Container Native Runtime Security
 Documentation=https://falco.org/docs/
-Conflicts=falco-kmod.service
-Conflicts=falco-bpf.service
-Conflicts=falco-modern-bpf.service
+After=falco_inject_kmod.service
+Requires=falco_inject_kmod.service
 
 [Service]
 Type=simple
-User=%u
+User=root
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
+ExecStopPost=/sbin/rmmod falco
 UMask=0077
 TimeoutSec=30
 RestartSec=15s
@@ -18,9 +18,9 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
+ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
-StandardOutput=null
 
 [Install]
 WantedBy=multi-user.target

scripts/debian/falco_inject_kmod.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Falco: Container Native Runtime Security
+Documentation=https://falco.org/docs/
+Before=falco.service
+Wants=falco.service
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/sbin/modprobe falco
+
+[Install]
+WantedBy=multi-user.target

scripts/debian/postinst.in

@@ -17,65 +17,58 @@
 #
 set -e
 
-chosen_driver=
+DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
+DKMS_VERSION="@DRIVER_VERSION@"
+NAME="@PACKAGE_NAME@"
 
-if [ "$1" = "configure" ]; then
-        if [ -x /usr/bin/dialog ]; then
-          # If dialog is installed, create a dialog to let users choose the correct driver for them
-          CHOICE=$(dialog --clear --backtitle "Choose your preferred driver" --title "Falco driver" --menu "Choose one of the following options:" 15 40 4 \
-                1 "Don't start" \
-                2 "Kmod" \
-                3 "eBPF" \
-                4 "Modern eBPF" \
-                5 "Plugin" \
-                2>&1 >/dev/tty)
-            clear
-            case $CHOICE in
-                2)
-                    chosen_driver="kmod"
-                    ;;
-                3)
-                    chosen_driver="bpf"
-                    ;;
-                4)
-                    chosen_driver="modern-bpf"
-                    ;;
-                5)
-                    chosen_driver="plugin"
-                    ;;
-            esac
-        fi
-fi
+postinst_found=0
 
-# If needed, try to load/compile the driver through falco-driver-loader
-case "$chosen_driver" in
-    "kmod")
-      echo "[POST-INSTALL] Call falco-driver-loader module:\n"
-      falco-driver-loader module
-      ;;
-    "bpf")
-      echo "[POST-INSTALL] Call falco-driver-loader bpf:\n"
-      falco-driver-loader bpf
-      ;;
+case "$1" in
+	configure)
+		for DKMS_POSTINST in /usr/lib/dkms/common.postinst /usr/share/$DKMS_PACKAGE_NAME/postinst; do
+			if [ -f $DKMS_POSTINST ]; then
+				$DKMS_POSTINST $DKMS_PACKAGE_NAME $DKMS_VERSION /usr/share/$DKMS_PACKAGE_NAME "" $2
+				postinst_found=1
+				break
+			fi
+		done
+		if [ "$postinst_found" -eq 0 ]; then
+			echo "ERROR: DKMS version is too old and $DKMS_PACKAGE_NAME was not"
+			echo "built with legacy DKMS support."
+			echo "You must either rebuild $DKMS_PACKAGE_NAME with legacy postinst"
+			echo "support or upgrade DKMS to a more current version."
+			exit 1
+		fi
+	;;
 esac
 
+# Based off what debhelper dh_systemd_enable/13.3.4 would have added
+# ref: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#debhelper
+
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
-        if [ -n "$chosen_driver" ]; then
-            echo "[POST-INSTALL] enable falco-$chosen_driver.service:\n"
-            systemctl --system enable "falco-$chosen_driver.service" || true
-            echo "[POST-INSTALL] start falco-$chosen_driver.service:\n"
-            systemctl --system start "falco-$chosen_driver.service" || true
+        # This will only remove masks created by d-s-h on package removal.
+        deb-systemd-helper unmask 'falco.service' >/dev/null || true
+
+        # was-enabled defaults to true, so new installations run enable.
+        if deb-systemd-helper --quiet was-enabled 'falco.service'; then
+                # Enables the unit on first installation, creates new
+                # symlinks on upgrades if the unit file has changed.
+                deb-systemd-helper enable 'falco.service' >/dev/null || true
+        else
+                # Update the statefile to add new symlinks (if any), which need to be
+                # cleaned up on purge. Also remove old symlinks.
+                deb-systemd-helper update-state 'falco.service' >/dev/null || true
         fi
 fi
 
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
-    if [ -d /run/systemd/system ]; then
-      echo "[POST-INSTALL] trigger deamon-reload:\n"
-      systemctl --system daemon-reload || true
-      if [ -n "$chosen_driver" ]; then
-        echo "[POST-INSTALL] trigger condrestart:\n"
-        # restart falco on upgrade if service is already running
-        systemctl --system condrestart "falco-$chosen_driver.service" || true
-      fi
-    fi
+        if [ -d /run/systemd/system ]; then
+                systemctl --system daemon-reload >/dev/null || true
+                if [ -n "$2" ]; then
+                        _dh_action=restart
+                else
+                        _dh_action=start
+                fi
+                deb-systemd-invoke $_dh_action 'falco.service' >/dev/null || true
+        fi
 fi

scripts/debian/postrm.in

@@ -22,11 +22,18 @@
 set -e
 
 if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
-        echo "[POST-REMOVE] disable falco services:\n"
-        systemctl --system disable 'falco-kmod.service' || true
-        systemctl --system disable 'falco-bpf.service' || true
-        systemctl --system disable 'falco-modern-bpf.service' || true
-        systemctl --system disable 'falco-plugin.service' || true
-        echo "[POST-REMOVE] trigger deamon-reload:\n"
-        systemctl --system daemon-reload || true
+        systemctl --system daemon-reload >/dev/null || true
+fi
+
+if [ "$1" = "remove" ]; then
+        if [ -x "/usr/bin/deb-systemd-helper" ]; then
+                deb-systemd-helper mask 'falco.service' >/dev/null || true
+        fi
+fi
+
+if [ "$1" = "purge" ]; then
+        if [ -x "/usr/bin/deb-systemd-helper" ]; then
+                deb-systemd-helper purge 'falco.service' >/dev/null || true
+                deb-systemd-helper unmask 'falco.service' >/dev/null || true
+        fi
 fi

scripts/debian/prerm.in

@@ -22,16 +22,11 @@ set -e
 # Currently running falco service uses the driver, so stop it before driver cleanup
 
 if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
-        echo "[POST-REMOVE] stop falco services:\n"
-        systemctl --system stop 'falco-kmod.service' || true
-        systemctl --system stop 'falco-bpf.service' || true
-        systemctl --system stop 'falco-modern-bpf.service' || true
-        systemctl --system stop 'falco-plugin.service' || true
+        deb-systemd-invoke stop 'falco.service' >/dev/null || true
 fi
 
 case "$1" in
 	remove|upgrade|deconfigure)
-                echo "[POST-REMOVE] call falco-driver-loader --clean:\n"
-		falco-driver-loader --clean
+		/usr/bin/falco-driver-loader --clean
 	;;
 esac

scripts/falco-driver-loader

@@ -114,7 +114,8 @@ get_target_id() {
 		# Older CentOS distros
 		OS_ID=centos
 	else
-		return 1
+		>&2 echo "Detected an unsupported target system, please get in touch with the Falco community"
+		exit 1
 	fi
 
 	# Overwrite the OS_ID if /etc/VERSION file is present.
@@ -163,7 +164,6 @@ get_target_id() {
 		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
 		;;
 	esac
-	return 0
 }
 
 flatcar_relocate_tools() {
@@ -211,13 +211,7 @@ load_kernel_module_compile() {
 	fi
 
 	# Try to compile using all the available gcc versions
-	for CURRENT_GCC in $(ls "$(dirname "$(which gcc)")"/gcc*); do
-		# Filter away gcc-{ar,nm,...}
-		# Only gcc compiler has `-print-search-dirs` option.
-		${CURRENT_GCC} -print-search-dirs 2>&1 | grep "install:"
-		if [ "$?" -ne "0" ]; then
-			continue
-		fi
+	for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -n -r -k 2 -t -); do
 		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
 		echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make
 		echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
@@ -238,14 +232,13 @@ load_kernel_module_compile() {
 				return
 			fi
 			echo "* ${DRIVER_NAME} module found: ${KO_FILE}"
-			echo "* Trying to modprobe"
+			echo "* Trying insmod"
 			chcon -t modules_object_t "$KO_FILE" > /dev/null 2>&1 || true
-			depmod ${KERNEL_RELEASE}
-			if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
+			if insmod "$KO_FILE" > /dev/null 2>&1; then
 				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
 				exit 0
 			else
-				echo "* Unable to load ${DRIVER_NAME} module"
+				echo "* Unable to insmod ${DRIVER_NAME} module"
 			fi
 		else
 			DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
@@ -260,6 +253,8 @@ load_kernel_module_compile() {
 }
 
 load_kernel_module_download() {
+	get_target_id
+
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
 	local URL=$(echo "${1}/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
 
@@ -267,14 +262,11 @@ load_kernel_module_download() {
 	if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
 		echo "* Download succeeded"
 		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
-		mkdir -p /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/
-		cp ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME} /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/falco.ko
-		depmod ${KERNEL_RELEASE}
-		if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
-			echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe"
+		if insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}"; then
+			echo "* Success: ${DRIVER_NAME} module found and inserted"
 			exit 0
 		else
-			>&2 echo "Unable to load the prebuilt ${DRIVER_NAME} module"
+			>&2 echo "Unable to insmod the prebuilt ${DRIVER_NAME} module"
 		fi	
 	else
 		>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} module"
@@ -382,6 +374,8 @@ load_kernel_module() {
 
 	echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"
 
+	get_target_id
+
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
 	echo "* Filename '${FALCO_KERNEL_MODULE_FILENAME}' is composed of:"
 	print_filename_components
@@ -389,10 +383,7 @@ load_kernel_module() {
 	if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
 		echo "* Found a prebuilt ${DRIVER_NAME} module at ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
 		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
-		mkdir -p /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/
-		cp ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME} /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/falco.ko
-		depmod ${KERNEL_RELEASE}
-		modprobe "${DRIVER_NAME}" && echo "* Success: ${DRIVER_NAME} module found and loaded"
+		insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
 		exit $?
 	fi
 
@@ -553,6 +544,8 @@ load_bpf_probe() {
 		mount -t debugfs nodev /sys/kernel/debug
 	fi
 
+	get_target_id
+
 	BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
 	echo "* Filename '${BPF_PROBE_FILENAME}' is composed of:"
 	print_filename_components
@@ -645,8 +638,6 @@ DRIVER_VERSION=${DRIVER_VERSION:-"@DRIVER_VERSION@"}
 DRIVER_NAME=${DRIVER_NAME:-"@DRIVER_NAME@"}
 FALCO_VERSION="@FALCO_VERSION@"
 
-TARGET_ID="placeholder" # when no target id can be fetched, we try to build the driver from source anyway, using a placeholder name
-
 DRIVER="module"
 if [ -v FALCO_BPF_PROBE ]; then
 	DRIVER="bpf"
@@ -720,18 +711,6 @@ if [ -z "$source_only" ]; then
 		exit 1
 	fi
 
-	get_target_id
-	res=$?
-	if [ $res != 0 ]; then
-		if [ -n "$ENABLE_COMPILE" ]; then
-			ENABLE_DOWNLOAD=
-			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community. Trying to compile anyway."
-		else
-			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community."
-			exit 1
-		fi
-	fi
-
 	if [ -n "$clean" ]; then
 		if [ -n "$has_opts" ]; then
 			>&2 echo "Cannot use --clean with other options"

scripts/rpm/falco.service

@@ -1,15 +1,14 @@
 [Unit]
-Description=Falco: Container Native Runtime Security with ebpf
+Description=Falco: Container Native Runtime Security
 Documentation=https://falco.org/docs/
-Conflicts=falco-kmod.service
-Conflicts=falco-modern-bpf.service
-Conflicts=falco-plugin.service
+After=falco_inject_kmod.service
+Requires=falco_inject_kmod.service
 
 [Service]
 Type=simple
 User=root
-Environment=FALCO_BPF_PROBE=
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
+ExecStopPost=/sbin/rmmod falco
 UMask=0077
 TimeoutSec=30
 RestartSec=15s
@@ -19,6 +18,7 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
+ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null

scripts/rpm/falco_inject_kmod.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Falco: Container Native Runtime Security
+Documentation=https://falco.org/docs/
+Before=falco.service
+Wants=falco.service
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/sbin/modprobe falco
+
+[Install]
+WantedBy=multi-user.target

scripts/rpm/postinstall.in

@@ -16,46 +16,21 @@
 #
 set -e
 
-chosen_driver=
-
-if [ $1 -eq 1 ]; then
-        if [ -x /usr/bin/dialog ]; then
-            # If dialog is installed, create a dialog to let users choose the correct driver for them
-            CHOICE=$(dialog --clear --backtitle "Choose your preferred driver" --title "Falco driver" --menu "Choose one of the following options:" 15 40 4 \
-                    1 "Don't start" \
-                    2 "Kmod" \
-                    3 "eBPF" \
-                    4 "Modern eBPF" \
-                    5 "Plugin" \
-                    2>&1 >/dev/tty)
-                clear
-                case $CHOICE in
-                    2)
-                        chosen_driver="kmod"
-                        ;;
-                    3)
-                        chosen_driver="bpf"
-                        ;;
-                    4)
-                        chosen_driver="modern-bpf"
-                        ;;
-                    5)
-                        chosen_driver="plugin"
-                        ;;
-                esac
-        fi
+mod_version="@DRIVER_VERSION@"
+dkms add -m falco -v $mod_version --rpm_safe_upgrade
+if [ `uname -r | grep -c "BOOT"` -eq 0 ] && [ -e /lib/modules/`uname -r`/build/include ]; then
+	dkms build -m falco -v $mod_version
+	dkms install --force -m falco -v $mod_version
+elif [ `uname -r | grep -c "BOOT"` -gt 0 ]; then
+	echo -e ""
+	echo -e "Module build for the currently running kernel was skipped since you"
+	echo -e "are running a BOOT variant of the kernel."
+else
+	echo -e ""
+	echo -e "Module build for the currently running kernel was skipped since the"
+	echo -e "kernel source for this kernel does not seem to be installed."
 fi
 
-# If needed, try to load/compile the driver through falco-driver-loader
-case "$chosen_driver" in
-    "kmod")
-      falco-driver-loader module
-      ;;
-    "bpf")
-      falco-driver-loader bpf
-      ;;
-esac
-
 # validate rpm macros by `rpm -qp --scripts <rpm>`
 # RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
 #                 https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
@@ -63,23 +38,27 @@ esac
 # systemd_post macro expands to
 # if postinst:
 #   `systemd-update-helper install-system-units <service>`
-%systemd_post "falco-$chosen_driver.service"
+%systemd_post 'falco.service'
 
 # post install mirrored from .deb
 if [ $1 -eq 1 ]; then
-        if [ -n "$chosen_driver" ]; then
-            systemctl --system enable "falco-$chosen_driver.service" || true
-            systemctl --system start "falco-$chosen_driver.service" || true
-        fi
+        # This will only remove masks created on package removal.
+        /usr/bin/systemctl --system unmask 'falco.service' >/dev/null || true
+
+        # enable falco on installation
+        # note: DEB postinstall script checks for changed symlinks
+        /usr/bin/systemctl --system enable 'falco.service' >/dev/null || true
+
+        # start falco on installation
+        /usr/bin/systemctl --system start 'falco.service' >/dev/null || true
 fi
 
 # post upgrade mirrored from .deb
 if [ $1 -gt 1 ]; then
     if [ -d /run/systemd/system ]; then
-        systemctl --system daemon-reload || true
-        if [ -n "$chosen_driver" ]; then
-          # restart falco on upgrade if service is already running
-          systemctl --system condrestart "falco-$chosen_driver.service" || true
-        fi
+        /usr/bin/systemctl --system daemon-reload >/dev/null || true
+
+        # restart falco on upgrade if service is already running
+        /usr/bin/systemctl --system condrestart 'falco.service' >/dev/null || true
     fi
 fi

scripts/rpm/postuninstall.in

@@ -17,10 +17,17 @@
 
 set -e
 
-if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
-        systemctl --system disable 'falco-kmod.service'|| true
-        systemctl --system disable 'falco-bpf.service' || true
-        systemctl --system disable 'falco-modern-bpf.service' || true
-        systemctl --system disable 'falco-plugin.service' || true
-        systemctl --system daemon-reload || true
+# post uninstall mirrored from .deb
+if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then
+        /usr/bin/systemctl --system daemon-reload >/dev/null || true
+        /usr/bin/systemctl --system mask 'falco.service' >/dev/null || true
 fi
+
+# validate rpm macros by `rpm -qp --scripts <rpm>`
+# RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
+#                 https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+
+# systemd_postun_with_restart macro expands to
+# if package upgrade, not uninstall:
+#   `systemd-update-helper mark-restart-system-units <service>`
+%systemd_postun_with_restart 'falco.service'

scripts/rpm/preuninstall.in

@@ -19,13 +19,11 @@ set -e
 # pre uninstall mirrored from .deb
 # Currently running falco service uses the driver, so stop it before driver cleanup
 if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
-        systemctl --system stop 'falco-kmod.service' || true
-        systemctl --system stop 'falco-bpf.service' || true
-        systemctl --system stop 'falco-modern-bpf.service' || true
-        systemctl --system stop 'falco-plugin.service' || true
+        # stop falco service before uninstall
+        /usr/bin/systemctl --system stop 'falco.service' >/dev/null || true
 fi
 
-falco-driver-loader --clean
+/usr/bin/falco-driver-loader --clean
 
 # validate rpm macros by `rpm -qp --scripts <rpm>`
 # RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
@@ -34,7 +32,4 @@ falco-driver-loader --clean
 # systemd_preun macro expands to
 # if preuninstall:
 #  `systemd-update-helper remove-system-units <service>`
-%systemd_preun 'falco-kmod.service'
-%systemd_preun 'falco-bpf.service'
-%systemd_preun 'falco-modern-bpf.service'
-%systemd_preun 'falco-plugin.service'
+%systemd_preun 'falco.service'

scripts/systemd/falco-kmod-inject.service

@@ -1,10 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security with kmod, inject.
-Documentation=https://falco.org/docs/
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-User=root
-ExecStart=/sbin/modprobe falco
-ExecStop=/sbin/rmmod falco

scripts/systemd/falco-kmod.service

@@ -1,29 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security with kmod
-Documentation=https://falco.org/docs/
-After=falco-kmod-inject.service
-Requires=falco-kmod-inject.service
-Conflicts=falco-bpf.service
-Conflicts=falco-modern-bpf.service
-Conflicts=falco-plugin.service
-
-[Service]
-Type=simple
-User=root
-ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
-UMask=0077
-TimeoutSec=30
-RestartSec=15s
-Restart=on-failure
-PrivateTmp=true
-NoNewPrivileges=yes
-ProtectHome=read-only
-ProtectSystem=full
-ProtectKernelTunables=true
-ReadWritePaths=/sys/module/falco
-RestrictRealtime=true
-RestrictAddressFamilies=~AF_PACKET
-StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target

scripts/systemd/falco-modern-bpf.service

@@ -1,26 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security with modern ebpf
-Documentation=https://falco.org/docs/
-Conflicts=falco-kmod.service
-Conflicts=falco-bpf.service
-Conflicts=falco-plugin.service
-
-[Service]
-Type=simple
-User=root
-ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid --modern-bpf
-UMask=0077
-TimeoutSec=30
-RestartSec=15s
-Restart=on-failure
-PrivateTmp=true
-NoNewPrivileges=yes
-ProtectHome=read-only
-ProtectSystem=full
-ProtectKernelTunables=true
-RestrictRealtime=true
-RestrictAddressFamilies=~AF_PACKET
-StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target

userspace/engine/falco_engine.cpp

@@ -346,11 +346,6 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t so
 
 	if(source_idx == m_syscall_source_idx)
 	{
-		if(m_syscall_source == NULL)
-		{
-			m_syscall_source = find_source(m_syscall_source_idx);
-		}
-
 		source = m_syscall_source;
 	}
 	else
@@ -392,6 +387,7 @@ std::size_t falco_engine::add_source(const std::string &source,
 	if(source == falco_common::syscall_source)
 	{
 		m_syscall_source_idx = idx;
+		m_syscall_source = find_source(m_syscall_source_idx);
 	}
 
 	return idx;

userspace/falco/configuration.h

@@ -400,8 +400,7 @@ namespace YAML {
 
 			if(node["open_params"] && !node["open_params"].IsNull())
 			{
-				string open_params = node["open_params"].as<std::string>();
-				rhs.m_open_params = trim(open_params);
+				rhs.m_open_params = node["open_params"].as<std::string>();
 			}
 
 			return true;