github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-03-20 19:52:08 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: github:update/libs
Branches Tags
github:master github:fix/buffered_outputs github:fix/http-output-on-non-linux-platforms github:dependabot/submodules/submodules/falcosecurity-rules-048d2f8 github:feat/capture-events-filesize-limits github:update/libs github:3485_webserver_with_own_uid_gid github:release/0.43.x github:ekoops-patch-1 github:release/0.42.x github:release/0.41.x github:test/wip github:new/musl_static_aarch64 github:release/0.40.x github:release/0.39.x github:wip/test_libs_master github:release/0.38.x github:generalize-indexable-ruleset-polymorphic github:chore/test_pr1803 github:LucaGuerra-patch-1 github:release/0.37.x github:fix_CI_5 github:chore/use_actuated_helper github:fix_CI_4 github:bump_falco_latest_libs github:new/static_aarch64 github:fix/use_plugin_name github:new/mode-in-config github:release/0.36.x github:test_filterchecks github:test_release_0.36.0 github:fix/workaround_glibc_bug_timer_delete github:wip/test github:add-load-files-method github:test/ci github:update/pidfile-usage-doc github:bump_libs_andrea github:release/0.35.x github:remove-source-ruleset-overwrite-when-loading github:mstemm-works-with-latest-libs github:test/PR546 github:test/PR959 github:libs_bump github:release/0.34.x github:release/0.34.0 github:fix/kmod_cleanup github:chore/move-rules-to-their-repo github:enable_maintainers_gh_jobs github:dev_docker github:fix/dev_version github:exec-hashes github:falco_modern_probe github:release/0.33.1 github:test_modern_probe github:fix/docker_img_host_root_runtime github:release/0.33.0 github:test_falco_bump github:chore/falco_lock_file github:fix_falco_service github:test_deb_rpm github:buffer_dimension github:testing/falco-0-32-3/issue/1909 github:test/libs/pr/567 github:test/new_libs github:release/0.32.2 github:update/remove-mesos-support github:remove-fntlnz github:test/libs/pr/213 github:leogr-patch-1 github:build/fix-conffiles github:add-app-actions github:add-app-actions-prerebase-2 github:add-grpc-rules-loading github:fix-plugins-issue-56 github:field-properties-changes github:embed-lua-scripts github:new/plugin-system-api-additions-prerebase github:embeddable-falco-engine github:build/apply-libs-pr-41 github:build/upgrade-driver-version-mid2021 github:build/upgrade-driver-version-for-0-29-0 github:build/update-driver-version-wip github:hotfix/grpc-in-packages github:use-url-safe-chars-version github:rules-fp-fixes-2021-02 github:allow-unknown-sources github:libhawk-rules github:build/docs github:update/cli github:update/logo github:caniszczyk-patch-1 github:new/logger github:new/inspect-per-cpu github:new/ci-build-aarch64 github:release/0.26.2 github:temporary/test-ci-broken-tests github:libhawk github:add-exceptions-support-copy2 github:add-exceptions-support-copy github:chore/remove-time-macrodefs github:update/release-drivers github:rules-bash-history-top-only github:fix/scripts-modprobe github:perf-experiments github:fix/1272 github:fix/1272-test github:readme-update github:proposal/rules-engine-version-scope github:nova-debug github:falco-driver-loader-dockerfile github:chore/integration-grpc-with-event-generator github:feat/grpc-integration-tests github:new/profiler github:falco-arm-support github:falco-on-arm github:feature/inputs-mvp github:adding-install-script github:feat/modulecheck github:falco-release-0-17-0 github:falco-release-0-17-1 github:add-addl-pst-owners github:683-handle-sinsp-errors github:allow-regex-chars-rule-names github:backup-master github:add-context-to-rules-errors
github:0.43.0 github:0.43.0-rc4 github:0.43.0-rc3 github:0.43.0-rc2 github:0.43.0-rc1 github:0.42.1 github:0.42.0 github:0.42.0-rc4 github:0.42.0-rc3 github:0.42.0-rc2 github:0.42.0-rc1 github:0.41.3 github:0.41.2 github:0.41.1 github:0.41.1-rc1 github:0.41.0 github:0.41.0-rc2 github:0.41.0-rc1 github:0.40.0 github:0.40.0-rc1 github:0.39.2 github:0.39.1 github:0.39.1-rc1 github:0.39.0 github:0.39.0-rc3 github:0.39.0-rc2 github:0.39.0-rc1 github:0.38.2 github:0.38.2-rc2 github:0.38.2-rc1 github:0.38.1 github:0.38.1-rc1 github:0.38.0 github:0.38.0-rc5 github:0.38.0-rc4 github:0.38.0-rc3 github:0.38.0-rc2 github:0.38.0-rc1 github:0.37.1 github:0.37.1-rc1 github:0.37.0 github:0.37.0-rc3 github:0.37.0-rc2 github:0.37.0-rc1 github:0.36.2 github:0.36.2-rc1 github:0.36.1 github:0.36.1-rc1 github:0.36.0 github:0.36.0-rc3 github:0.36.0-rc2 github:0.36.0-rc1 github:0.35.1 github:0.35.0 github:0.35.0-rc2 github:0.35.0-rc1 github:0.35.0-alpha5 github:0.35.0-alpha4 github:0.35.0-alpha3 github:0.35.0-alpha2 github:0.35.0-alpha1 github:0.34.1 github:0.34.0 github:0.33.1 github:0.33.0 github:0.32.2 github:0.32.1 github:0.32.0 github:0.31.1 github:0.31.0 github:0.30.0 github:0.29.1 github:0.29.0 github:0.28.1 github:0.28.0 github:0.27.0 github:0.26.2 github:0.26.1 github:0.26.0 github:0.25.0 github:0.24.0 github:0.23.0 github:0.22.1 github:0.22.0 github:0.21.0 github:0.20.0 github:0.19.0 github:0.18.0 github:0.17.1 github:0.17.0 github:0.16.0 github:0.15.3 github:0.15.2 github:0.15.1 github:0.15.0 github:0.14.0 github:0.13.1 github:0.13.0 github:agent/0.85.1 github:0.12.1 github:0.12.0 github:agent/0.85.0 github:agent/0.84.2 github:agent/0.84.3 github:agent/0.84.1 github:agent/0.84.0 github:0.11.1 github:0.11.0 github:agent/0.83.1 github:agent/0.83.0 github:agent/0.81.0 github:agent/0.82.0 github:agent/0.80.2 github:agent/0.80.1 github:0.10.0 github:agent/0.80.0 github:agent/0.79.0 github:agent/0.79.1 github:agent/0.78.0 github:agent/0.78.1 github:agent/0.76.4 github:agent/0.77.0 github:agent/0.76.3 github:0.9.0 github:agent/0.76.0 github:agent/0.76.1 github:agent/0.76.2 github:agent/0.75.0 github:agent/0.74.0 github:agent/0.73.2 github:agent/0.73.1 github:agent/0.73.0 github:agent/0.72.4 github:agent/0.72.0 github:agent/0.72.1 github:agent/0.72.2 github:agent/0.72.3 github:agent/0.71.0 github:agent/0.70.0 github:0.8.1 github:0.8.0 github:agent/0.69.0 github:agent/0.68.0 github:agent/0.66.0 github:agent/0.67.0 github:agent/0.65.0 github:agent/0.65.1 github:agent/0.63.0 github:agent/0.63.1 github:agent/0.64.0 github:agent/0.61.0 github:agent/0.62.0 github:0.7.0 github:0.6.1 github:agent/0.60.0 github:agent/0.59.0 github:agent/0.58.0 github:agent/0.57.0 github:agent/0.56.0 github:0.6.0 github:0.6.0-test github:agent/0.55.0 github:agent/0.54.0 github:agent/0.53.0 github:agent/0.52.0 github:agent/0.51.0 github:agent/0.50.1 github:agent/0.50.0 github:0.5.0 github:agent/0.49.1 github:agent/0.49.0 github:agent/0.48.0 github:agent/0.47.0 github:agent/0.46.0 github:agent/0.45.0 github:agent/0.44.0 github:agent/0.43.0 github:0.4.0 github:agent/0.42.0 github:agent/0.40.0 github:agent/0.41.0 github:0.3.0 github:v0.2.0 github:v0.1.0
..
compare: github:0.39.2
Branches Tags
github:fix/buffered_outputs github:fix/http-output-on-non-linux-platforms github:dependabot/submodules/submodules/falcosecurity-rules-048d2f8 github:master github:feat/capture-events-filesize-limits github:update/libs github:3485_webserver_with_own_uid_gid github:release/0.43.x github:ekoops-patch-1 github:release/0.42.x github:release/0.41.x github:test/wip github:new/musl_static_aarch64 github:release/0.40.x github:release/0.39.x github:wip/test_libs_master github:release/0.38.x github:generalize-indexable-ruleset-polymorphic github:chore/test_pr1803 github:LucaGuerra-patch-1 github:release/0.37.x github:fix_CI_5 github:chore/use_actuated_helper github:fix_CI_4 github:bump_falco_latest_libs github:new/static_aarch64 github:fix/use_plugin_name github:new/mode-in-config github:release/0.36.x github:test_filterchecks github:test_release_0.36.0 github:fix/workaround_glibc_bug_timer_delete github:wip/test github:add-load-files-method github:test/ci github:update/pidfile-usage-doc github:bump_libs_andrea github:release/0.35.x github:remove-source-ruleset-overwrite-when-loading github:mstemm-works-with-latest-libs github:test/PR546 github:test/PR959 github:libs_bump github:release/0.34.x github:release/0.34.0 github:fix/kmod_cleanup github:chore/move-rules-to-their-repo github:enable_maintainers_gh_jobs github:dev_docker github:fix/dev_version github:exec-hashes github:falco_modern_probe github:release/0.33.1 github:test_modern_probe github:fix/docker_img_host_root_runtime github:release/0.33.0 github:test_falco_bump github:chore/falco_lock_file github:fix_falco_service github:test_deb_rpm github:buffer_dimension github:testing/falco-0-32-3/issue/1909 github:test/libs/pr/567 github:test/new_libs github:release/0.32.2 github:update/remove-mesos-support github:remove-fntlnz github:test/libs/pr/213 github:leogr-patch-1 github:build/fix-conffiles github:add-app-actions github:add-app-actions-prerebase-2 github:add-grpc-rules-loading github:fix-plugins-issue-56 github:field-properties-changes github:embed-lua-scripts github:new/plugin-system-api-additions-prerebase github:embeddable-falco-engine github:build/apply-libs-pr-41 github:build/upgrade-driver-version-mid2021 github:build/upgrade-driver-version-for-0-29-0 github:build/update-driver-version-wip github:hotfix/grpc-in-packages github:use-url-safe-chars-version github:rules-fp-fixes-2021-02 github:allow-unknown-sources github:libhawk-rules github:build/docs github:update/cli github:update/logo github:caniszczyk-patch-1 github:new/logger github:new/inspect-per-cpu github:new/ci-build-aarch64 github:release/0.26.2 github:temporary/test-ci-broken-tests github:libhawk github:add-exceptions-support-copy2 github:add-exceptions-support-copy github:chore/remove-time-macrodefs github:update/release-drivers github:rules-bash-history-top-only github:fix/scripts-modprobe github:perf-experiments github:fix/1272 github:fix/1272-test github:readme-update github:proposal/rules-engine-version-scope github:nova-debug github:falco-driver-loader-dockerfile github:chore/integration-grpc-with-event-generator github:feat/grpc-integration-tests github:new/profiler github:falco-arm-support github:falco-on-arm github:feature/inputs-mvp github:adding-install-script github:feat/modulecheck github:falco-release-0-17-0 github:falco-release-0-17-1 github:add-addl-pst-owners github:683-handle-sinsp-errors github:allow-regex-chars-rule-names github:backup-master github:add-context-to-rules-errors
github:0.43.0 github:0.43.0-rc4 github:0.43.0-rc3 github:0.43.0-rc2 github:0.43.0-rc1 github:0.42.1 github:0.42.0 github:0.42.0-rc4 github:0.42.0-rc3 github:0.42.0-rc2 github:0.42.0-rc1 github:0.41.3 github:0.41.2 github:0.41.1 github:0.41.1-rc1 github:0.41.0 github:0.41.0-rc2 github:0.41.0-rc1 github:0.40.0 github:0.40.0-rc1 github:0.39.2 github:0.39.1 github:0.39.1-rc1 github:0.39.0 github:0.39.0-rc3 github:0.39.0-rc2 github:0.39.0-rc1 github:0.38.2 github:0.38.2-rc2 github:0.38.2-rc1 github:0.38.1 github:0.38.1-rc1 github:0.38.0 github:0.38.0-rc5 github:0.38.0-rc4 github:0.38.0-rc3 github:0.38.0-rc2 github:0.38.0-rc1 github:0.37.1 github:0.37.1-rc1 github:0.37.0 github:0.37.0-rc3 github:0.37.0-rc2 github:0.37.0-rc1 github:0.36.2 github:0.36.2-rc1 github:0.36.1 github:0.36.1-rc1 github:0.36.0 github:0.36.0-rc3 github:0.36.0-rc2 github:0.36.0-rc1 github:0.35.1 github:0.35.0 github:0.35.0-rc2 github:0.35.0-rc1 github:0.35.0-alpha5 github:0.35.0-alpha4 github:0.35.0-alpha3 github:0.35.0-alpha2 github:0.35.0-alpha1 github:0.34.1 github:0.34.0 github:0.33.1 github:0.33.0 github:0.32.2 github:0.32.1 github:0.32.0 github:0.31.1 github:0.31.0 github:0.30.0 github:0.29.1 github:0.29.0 github:0.28.1 github:0.28.0 github:0.27.0 github:0.26.2 github:0.26.1 github:0.26.0 github:0.25.0 github:0.24.0 github:0.23.0 github:0.22.1 github:0.22.0 github:0.21.0 github:0.20.0 github:0.19.0 github:0.18.0 github:0.17.1 github:0.17.0 github:0.16.0 github:0.15.3 github:0.15.2 github:0.15.1 github:0.15.0 github:0.14.0 github:0.13.1 github:0.13.0 github:agent/0.85.1 github:0.12.1 github:0.12.0 github:agent/0.85.0 github:agent/0.84.2 github:agent/0.84.3 github:agent/0.84.1 github:agent/0.84.0 github:0.11.1 github:0.11.0 github:agent/0.83.1 github:agent/0.83.0 github:agent/0.81.0 github:agent/0.82.0 github:agent/0.80.2 github:agent/0.80.1 github:0.10.0 github:agent/0.80.0 github:agent/0.79.0 github:agent/0.79.1 github:agent/0.78.0 github:agent/0.78.1 github:agent/0.76.4 github:agent/0.77.0 github:agent/0.76.3 github:0.9.0 github:agent/0.76.0 github:agent/0.76.1 github:agent/0.76.2 github:agent/0.75.0 github:agent/0.74.0 github:agent/0.73.2 github:agent/0.73.1 github:agent/0.73.0 github:agent/0.72.4 github:agent/0.72.0 github:agent/0.72.1 github:agent/0.72.2 github:agent/0.72.3 github:agent/0.71.0 github:agent/0.70.0 github:0.8.1 github:0.8.0 github:agent/0.69.0 github:agent/0.68.0 github:agent/0.66.0 github:agent/0.67.0 github:agent/0.65.0 github:agent/0.65.1 github:agent/0.63.0 github:agent/0.63.1 github:agent/0.64.0 github:agent/0.61.0 github:agent/0.62.0 github:0.7.0 github:0.6.1 github:agent/0.60.0 github:agent/0.59.0 github:agent/0.58.0 github:agent/0.57.0 github:agent/0.56.0 github:0.6.0 github:0.6.0-test github:agent/0.55.0 github:agent/0.54.0 github:agent/0.53.0 github:agent/0.52.0 github:agent/0.51.0 github:agent/0.50.1 github:agent/0.50.0 github:0.5.0 github:agent/0.49.1 github:agent/0.49.0 github:agent/0.48.0 github:agent/0.47.0 github:agent/0.46.0 github:agent/0.45.0 github:agent/0.44.0 github:agent/0.43.0 github:0.4.0 github:agent/0.42.0 github:agent/0.40.0 github:agent/0.41.0 github:0.3.0 github:v0.2.0 github:v0.1.0

27 Commits
update/lib ... 0.39.2

Author SHA1 Message Date
Federico Di Pierro
89a024bfdf update(cmake): bumped falcoctl to v0.10.1. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-11-21 10:56:21 +01:00
Luca Guerra
3bc95a290a update(ci): replace aarch64 actuated runners with oracle 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-11-21 10:56:21 +01:00
Federico Di Pierro
c20907332d chore(cmake): bump libs to 0.18.2. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-11-21 10:56:21 +01:00
Federico Di Pierro
2804d60bd2 update(changelog): updated changelog for 0.39.1. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-08 12:54:09 +02:00
Luca Guerra
7c8209ed8e update(tests): add tests for plugin init_config 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-08 12:54:09 +02:00
Luca Guerra
3c4b315ff2 fix(engine): allow null init_config for plugin info 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-08 12:54:09 +02:00
Luca Guerra
92d6c4bab6 fix(engine): disable comma separated vectors in cxxopts 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-10-08 12:54:09 +02:00
Federico Di Pierro
51a19ea6cb fix(userspace/falco): fix event set selection for plugin with parsing capability. 
In live mode we need to use the source_info inspectors instead of the offline inspector.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-10-08 12:54:09 +02:00
Aldo Lacuku
88d73505b0 update(changelog): add changelog for falco 0.39.0 
Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
 2024-10-01 09:58:36 +02:00
Luca Guerra
f2d23af415 fix(falco): allow disable_cri_async from both CLI and config 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-09-30 16:10:32 +02:00
Luca Guerra
10f87e515e cleanup(falco): ignore lint commit 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-09-30 16:10:32 +02:00
Poiana
82016080d0 chore(falco): apply code formatting 
Signed-off-by: Poiana <poiana.bot@gmail.com>
 2024-09-30 16:10:32 +02:00
Andrea Terzolo
bbb4d6e9b6 update: ignore_some_files 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
 2024-09-30 16:10:32 +02:00
Leonardo Di Giovanna
e34507c739 feat(stats): add host_netinfo networking information stats family 
Introduce host_netinfo stats family to hold information regarding host
networking. At the moment, it only provides ipv4 and ipv6 addresses
list for each interface available on the host. The naming schema for
the introduced stats is
falco.host_netinfo.interfaces.<ifname>.protocols.<ipv4|ipv6>.addresses.

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2024-09-27 11:56:20 +02:00
Luca Guerra
ff32882a7f chore(build): update libs to 0.18.1 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-09-26 08:18:14 +02:00
Luca Guerra
f1b208f8fb fix(engine): sync outputs before printing stats at shutdown 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-09-24 10:15:05 +02:00
Leonardo Di Giovanna
ff65dc75ae cleanup(falco_metrics): remove unused falco_utils import 
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2024-09-24 10:15:05 +02:00
Leonardo Di Giovanna
a1ff7c7384 fix(falco_metrics): remove ifinfo_json stat/metric 
Using JSON as value prevents any meaningful aggregation for the stats.
Splitting these information into multiple labels can drastically
increase the number of dimensions, as the number of interfaces and
addresses can be high in some environment. Moreover, these information
are not currently refreshed, even if they can frequently change. Given
these reasons, remove ifinfo_json from stats and metrics.

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2024-09-24 10:15:05 +02:00
Leonardo Di Giovanna
fb47e816ae fix(falco_metrics)!: use full name for configs and rules files 
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2024-09-24 10:15:05 +02:00
Leonardo Di Giovanna
39dfd6765a fix(falco_metrics)!: split tags label into multiple tag_ labels 
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2024-09-24 10:15:05 +02:00
Luca Guerra
f4477f1ac2 update(tests): add test for plugin init_config map 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-09-24 10:15:05 +02:00
Luca Guerra
92fa3b5347 fix(falco): allow plugin init_config map in json schema 
Signed-off-by: Luca Guerra <luca@guerra.sh>
 2024-09-24 10:15:05 +02:00
Federico Di Pierro
fad91ea080 fix(userspace/falco): properly account for plugin with CAP_PARSING when computing interesting sc set. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-09-24 10:15:05 +02:00
Leonardo Di Giovanna
5e9a8fd665 update(systemd): add falco.service alias to all systemd units 
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2024-09-24 10:15:05 +02:00
Federico Di Pierro
241f620956 update(cmake): bump libs to 0.18.0 and driver to 7.3.0+driver. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-09-18 11:11:52 +02:00
Federico Di Pierro
80816e67d6 chore(userspace/falco): deprecate cri related CLI options. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-09-18 11:11:52 +02:00
Federico Di Pierro
5874dc1f95 fix(userspace/engine): improve rule json schema to account for source and required_plugin_versions. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2024-09-18 11:11:52 +02:00
183 changed files with 4493 additions and 5410 deletions
Expand all files Collapse all files

3
.dockerignore
View File

@@ -1,3 +0,0 @@
*
!config/
!docker/

16
.github/release_template.md vendored
View File

@@ -6,16 +6,16 @@
| rpm-x86_64 | [![rpm](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpmFALCOBUCKET/falco-FALCOVER-x86_64.rpm) |
| deb-x86_64 | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-x86_64.deb) |
| tgz-x86_64 | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/x86_64/falco-FALCOVER-x86_64.tar.gz) |
| tgz-static-x86_64 | [![tgz-static](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/x86_64/falco-FALCOVER-static-x86_64.tar.gz) |
| rpm-aarch64 | [![rpm](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpmFALCOBUCKET/falco-FALCOVER-aarch64.rpm) |
| deb-aarch64 | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-aarch64.deb) |
| tgz-aarch64 | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/aarch64/falco-FALCOVER-aarch64.tar.gz) |
| Images |
|---------------------------------------------------------------------------|
| `docker pull docker.io/falcosecurity/falco:FALCOVER` |
| `docker pull public.ecr.aws/falcosecurity/falco:FALCOVER` |
| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER` |
| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER-buster` |
| `docker pull docker.io/falcosecurity/falco:FALCOVER-debian` |
| Images |
| --------------------------------------------------------------------------- |
| `docker pull docker.io/falcosecurity/falco:FALCOVER` |
| `docker pull public.ecr.aws/falcosecurity/falco:FALCOVER` |
| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER` |
| `docker pull docker.io/falcosecurity/falco-driver-loader-legacy:FALCOVER` |
| `docker pull docker.io/falcosecurity/falco-no-driver:FALCOVER` |
| `docker pull docker.io/falcosecurity/falco-distroless:FALCOVER` |

66
.github/workflows/bump-libs.yaml vendored
View File

@@ -1,66 +0,0 @@
---
name: Bump Libs
on:
workflow_dispatch:
schedule:
- cron: '30 6 * * 1' # on each monday 6:30
permissions:
contents: read
# Checks if any concurrent jobs is running for kernels CI and eventually cancel it.
concurrency:
group: bump-libs-ci
cancel-in-progress: true
jobs:
bump-libs:
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- name: Download libs master tar.gz
run: |
wget https://github.com/falcosecurity/libs/archive/refs/heads/master.tar.gz
- name: Store libs hash and shasum
id: store
run: |
gunzip -c master.tar.gz > master.tar
commit=$(cat master.tar | git get-tar-commit-id)
echo "COMMIT=$commit" >> "$GITHUB_OUTPUT"
wget https://github.com/falcosecurity/libs/archive/$commit.tar.gz
echo "SHASUM=$(sha256sum $commit.tar.gz | awk '{print $1}')" >> "$GITHUB_OUTPUT"
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
path: falco
- name: Bump libs version and hash
run: |
cd falco
sed -i -E '45s/FALCOSECURITY_LIBS_VERSION "(.+)"/FALCOSECURITY_LIBS_VERSION "${{ steps.store.outputs.COMMIT }}"/' cmake/modules/falcosecurity-libs.cmake
sed -i -E '47s/"SHA256=(.+)"/"SHA256=${{ steps.store.outputs.SHASUM }}"/' cmake/modules/falcosecurity-libs.cmake
sed -i -E '38s/DRIVER_VERSION "(.+)"/DRIVER_VERSION "${{ steps.store.outputs.COMMIT }}"/' cmake/modules/driver.cmake
sed -i -E '40s/"SHA256=(.+)"/"SHA256=${{ steps.store.outputs.SHASUM }}"/' cmake/modules/driver.cmake
- name: Create Pull Request
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
with:
path: falco
signoff: true
base: master
branch: update/libs
title: 'update(cmake): update libs and driver to latest master'
body: |
This PR updates libs and driver to latest commit.
/kind release
/area build
```release-note
NONE
```
commit-message: 'update(cmake): update libs and driver to latest master.'
token: ${{ secrets.GITHUB_TOKEN }}

39
.github/workflows/ci.yml vendored
View File

@@ -19,15 +19,22 @@ jobs:
fetch-version:
uses: ./.github/workflows/reusable_fetch_version.yaml
build-dev-packages-sanitizers-x86_64:
needs: [fetch-version]
uses: ./.github/workflows/reusable_build_packages.yaml
with:
arch: x86_64
version: ${{ needs.fetch-version.outputs.version }}
build_type: Debug
sanitizers: true
build-dev-packages-x86_64:
needs: [fetch-version]
uses: ./.github/workflows/reusable_build_packages.yaml
with:
arch: x86_64
version: ${{ needs.fetch-version.outputs.version }}
enable_debug: true
enable_sanitizers: true
use_mimalloc: true
build_type: Release
build-dev-packages-arm64:
needs: [fetch-version]
@@ -35,32 +42,32 @@ jobs:
with:
arch: aarch64
version: ${{ needs.fetch-version.outputs.version }}
enable_debug: true
use_mimalloc: true
build_type: Debug
sanitizers: false
test-dev-packages:
needs: [fetch-version, build-dev-packages-x86_64]
needs: [fetch-version, build-dev-packages-sanitizers-x86_64]
uses: ./.github/workflows/reusable_test_packages.yaml
# See https://github.com/falcosecurity/falco/pull/3482
# Since musl build does not support dynamically loaded plugins,
# many tests would fail (the ones using `container.foo` fields).
# Disable tests on static builds for now.
# strategy:
# fail-fast: false
# matrix:
# static: ["static", ""]
# The musl build job is currently disabled because we link libelf dynamically and it is
# not possible to dynamically link with musl
# strategy:
# fail-fast: false
# matrix:
# static: ["static", ""]
with:
arch: x86_64
# sanitizers: ${{ matrix.static == '' && true || false }}
sanitizers: true
# static: ${{ matrix.static != '' && true || false }}
# static: ${{ matrix.static != '' && true || false }}
version: ${{ needs.fetch-version.outputs.version }}
test-dev-packages-arm64:
needs: [fetch-version, build-dev-packages-arm64]
uses: ./.github/workflows/reusable_test_packages.yaml
strategy:
fail-fast: false
with:
arch: aarch64
static: ${{ matrix.static != '' && true || false }}
version: ${{ needs.fetch-version.outputs.version }}
build-dev-minimal:

4
.github/workflows/codeql.yaml vendored
View File

@@ -59,11 +59,11 @@ jobs:
run: sudo apt update -y
- name: Install build dependencies
run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libc-ares-dev libyaml-cpp-dev rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libc-ares-dev libprotobuf-dev protobuf-compiler libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
- name: Prepare project
run: |
cmake -B build -S . -DBUILD_FALCO_MODERN_BPF=Off -DUSE_BUNDLED_DEPS=Off -DUSE_BUNDLED_NLOHMANN_JSON=On -DUSE_BUNDLED_CXXOPTS=On -DUSE_BUNDLED_CPPHTTPLIB=On
cmake -B build -S . -DBUILD_BPF=On -DBUILD_FALCO_MODERN_BPF=Off -DUSE_BUNDLED_DEPS=Off -DUSE_BUNDLED_NLOHMANN_JSON=On -DUSE_BUNDLED_CXXOPTS=On -DUSE_BUNDLED_CPPHTTPLIB=On
- name: Build
run: |

5
.github/workflows/format.yaml vendored
View File

@@ -6,9 +6,6 @@ on:
- master
- "release/**"
permissions:
contents: read
jobs:
format:
name: format code 🐲
@@ -35,7 +32,7 @@ jobs:
- name: Upload the git diff artifact 📦
if: failure()
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: format_diff.patch
path: ./format_diff.patch

19
.github/workflows/master.yaml vendored
View File

@@ -3,9 +3,6 @@ on:
push:
branches: [master]
permissions:
contents: read
# Checks if any concurrent jobs is running for master CI and eventually cancel it
concurrency:
group: ci-master
@@ -34,17 +31,15 @@ jobs:
test-dev-packages:
needs: [fetch-version, build-dev-packages]
uses: ./.github/workflows/reusable_test_packages.yaml
# See https://github.com/falcosecurity/falco/pull/3482
# Since musl build does not support dynamically loaded plugins,
# many tests would fail (the ones using `container.foo` fields).
# Disable tests on static builds for now.
# strategy:
# fail-fast: false
# matrix:
# static: ["static", ""]
# The musl build job is currently disabled because we link libelf dynamically and it is
# not possible to dynamically link with musl
# strategy:
# fail-fast: false
# matrix:
# static: ["static", ""]
with:
arch: x86_64
# static: ${{ matrix.static != '' && true || false }}
# static: ${{ matrix.static != '' && true || false }}
version: ${{ needs.fetch-version.outputs.version }}
test-dev-packages-arm64:

69
.github/workflows/release.yaml vendored
View File

@@ -3,19 +3,16 @@ on:
release:
types: [published]
permissions:
contents: read
# Checks if any concurrent jobs is running for release CI and eventually cancel it.
concurrency:
group: ci-release
cancel-in-progress: true
cancel-in-progress: true
jobs:
release-settings:
runs-on: ubuntu-latest
outputs:
is_latest: ${{ steps.get_settings.outputs.is_latest }}
is_latest: ${{ steps.get_settings.outputs.is_latest }}
bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
steps:
- name: Get latest release
@@ -59,7 +56,6 @@ jobs:
with:
arch: x86_64
version: ${{ github.event.release.tag_name }}
use_jemalloc: true
secrets: inherit
build-packages-arm64:
@@ -68,32 +64,30 @@ jobs:
with:
arch: aarch64
version: ${{ github.event.release.tag_name }}
use_jemalloc: true
secrets: inherit
test-packages:
needs: [release-settings, build-packages]
uses: ./.github/workflows/reusable_test_packages.yaml
# See https://github.com/falcosecurity/falco/pull/3482
# Since musl build does not support dynamically loaded plugins,
# many tests would fail (the ones using `container.foo` fields).
# Disable tests on static builds for now.
# strategy:
# fail-fast: false
# matrix:
# static: ["static", ""]
# The musl build job is currently disabled because we link libelf dynamically and it is
# not possible to dynamically link with musl
# strategy:
# fail-fast: false
# matrix:
# static: ["static", ""]
with:
arch: x86_64
# static: ${{ matrix.static != '' && true || false }}
# static: ${{ matrix.static != '' && true || false }}
version: ${{ github.event.release.tag_name }}
test-packages-arm64:
needs: [release-settings, build-packages-arm64]
uses: ./.github/workflows/reusable_test_packages.yaml
with:
arch: aarch64
version: ${{ github.event.release.tag_name }}
publish-packages:
needs: [release-settings, test-packages, test-packages-arm64]
uses: ./.github/workflows/reusable_publish_packages.yaml
@@ -101,7 +95,7 @@ jobs:
bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
version: ${{ github.event.release.tag_name }}
secrets: inherit
# Both build-docker and its arm64 counterpart require build-packages because they use its output
build-docker:
needs: [release-settings, build-packages, publish-packages]
@@ -112,7 +106,7 @@ jobs:
version: ${{ github.event.release.tag_name }}
tag: ${{ github.event.release.tag_name }}
secrets: inherit
build-docker-arm64:
needs: [release-settings, build-packages, publish-packages]
uses: ./.github/workflows/reusable_build_docker.yaml
@@ -131,7 +125,7 @@ jobs:
is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
tag: ${{ github.event.release.tag_name }}
sign: true
release-body:
needs: [release-settings, publish-docker]
if: ${{ needs.release-settings.outputs.is_latest == 'true' }} # only for latest releases
@@ -141,7 +135,7 @@ jobs:
steps:
- name: Clone repo
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: Extract LIBS and DRIVER versions
run: |
cp .github/release_template.md release-body.md
@@ -149,48 +143,29 @@ jobs:
DRIVER_VERS=$(cat cmake/modules/driver.cmake | grep 'set(DRIVER_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*+driver')
sed -i s/LIBSVER/$LIBS_VERS/g release-body.md
sed -i s/DRIVERVER/$DRIVER_VERS/g release-body.md
- name: Append release matrixes
run: |
sed -i s/FALCOBUCKET/${{ needs.release-settings.outputs.bucket_suffix }}/g release-body.md
sed -i s/FALCOVER/${{ github.event.release.tag_name }}/g release-body.md
- name: Generate release notes
uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
with:
milestone: ${{ github.event.release.tag_name }}
output: ./notes.md
- name: Merge release notes to pre existent body
run: cat notes.md >> release-body.md
- name: Attach release creator to release body
run: |
echo "" >> release-body.md
echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
- name: Download debug symbols for Falco x86_64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: falco-${{ github.event.release.tag_name }}-x86_64.debug
- name: Rename x86_64 debug symbols
run: mv falco.debug falco-x86_64.debug
- name: Download debug symbols for Falco aarch64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: falco-${{ github.event.release.tag_name }}-aarch64.debug
- name: Rename aarch64 debug symbols
run: mv falco.debug falco-aarch64.debug
- name: Release
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with:
body_path: ./release-body.md
tag_name: ${{ github.event.release.tag_name }}
name: ${{ github.event.release.name }}
files: |
falco-x86_64.debug
falco-aarch64.debug

5
.github/workflows/reusable_build_dev.yaml vendored
View File

@@ -39,7 +39,7 @@ permissions:
jobs:
build-and-test:
# See https://github.com/actions/runner/issues/409#issuecomment-1158849936
runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
runs-on: ${{ (inputs.arch == 'aarch64' && 'oracle-aarch64-4cpu-16gb') || 'ubuntu-22.04' }}
outputs:
cmdout: ${{ steps.run_cmd.outputs.out }}
steps:
@@ -57,7 +57,7 @@ jobs:
- name: Install build dependencies (non-minimal)
if: inputs.minimal != true
run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libc-ares-dev rpm libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm -y
run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libc-ares-dev libprotobuf-dev protobuf-compiler libgrpc++-dev protobuf-compiler-grpc rpm libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm -y
- name: Prepare project
run: |
@@ -65,6 +65,7 @@ jobs:
-DBUILD_FALCO_UNIT_TESTS=On \
-DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
-DBUILD_FALCO_MODERN_BPF=Off \
-DBUILD_BPF=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
-DBUILD_DRIVER=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
-DMINIMAL_BUILD=${{ inputs.minimal == true && 'ON' || 'OFF' }} \
-DUSE_ASAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \

65
.github/workflows/reusable_build_docker.yaml vendored
View File

@@ -20,70 +20,79 @@ on:
required: true
type: string
# Here we just build all docker images as tarballs,
# Here we just build all docker images as tarballs,
# then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
# In this way, we don't need to publish any arch specific image,
# In this way, we don't need to publish any arch specific image,
# and this "build" workflow is actually only building images.
permissions:
permissions:
contents: read
jobs:
build-docker:
# See https://github.com/actions/runner/issues/409#issuecomment-1158849936
runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
runs-on: ${{ (inputs.arch == 'aarch64' && 'oracle-aarch64-4cpu-16gb') || 'ubuntu-latest' }}
env:
TARGETARCH: ${{ (inputs.arch == 'aarch64' && 'arm64') || 'amd64' }}
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Build falco image
- name: Build no-driver image
run: |
docker build -f docker/falco/Dockerfile -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} \
cd ${{ github.workspace }}/docker/no-driver/
docker build -t docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} \
--build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
--build-arg FALCO_VERSION=${{ inputs.version }} \
--build-arg FALCO_COMMIT_SHA=${{ github.sha }} \
--build-arg TARGETARCH=${TARGETARCH} \
.
docker save docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-no-driver-${{ inputs.arch }}.tar
- name: Build distroless image
run: |
cd ${{ github.workspace }}/docker/no-driver/
docker build -f Dockerfile.distroless -t docker.io/falcosecurity/falco-distroless:${{ inputs.arch }}-${{ inputs.tag }} \
--build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
--build-arg FALCO_VERSION=${{ inputs.version }} \
--build-arg TARGETARCH=${TARGETARCH} \
.
docker save docker.io/falcosecurity/falco-distroless:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-distroless-${{ inputs.arch }}.tar
- name: Build falco image
run: |
cd ${{ github.workspace }}/docker/falco/
docker build -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} \
--build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
--build-arg FALCO_VERSION=${{ inputs.version }} \
--build-arg TARGETARCH=${TARGETARCH} \
.
docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-${{ inputs.arch }}.tar
- name: Build falco-debian image
run: |
docker build -f docker/falco-debian/Dockerfile -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian \
--build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
--build-arg FALCO_VERSION=${{ inputs.version }} \
--build-arg FALCO_COMMIT_SHA=${{ github.sha }} \
--build-arg TARGETARCH=${TARGETARCH} \
.
docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian --output /tmp/falco-${{ inputs.arch }}-debian.tar
- name: Build falco-driver-loader image
run: |
docker build -f docker/driver-loader/Dockerfile -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} \
cd ${{ github.workspace }}/docker/driver-loader/
docker build -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} \
--build-arg FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ inputs.tag }} \
--build-arg FALCO_VERSION=${{ inputs.version }} \
--build-arg FALCO_COMMIT_SHA=${{ github.sha }} \
--build-arg TARGETARCH=${TARGETARCH} \
.
docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-${{ inputs.arch }}.tar
- name: Build falco-driver-loader-buster image
- name: Build falco-driver-loader-legacy image
run: |
docker build -f docker/driver-loader-buster/Dockerfile -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster \
cd ${{ github.workspace }}/docker/driver-loader-legacy/
docker build -t docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} \
--build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
--build-arg FALCO_VERSION=${{ inputs.version }} \
--build-arg FALCO_COMMIT_SHA=${{ github.sha }} \
--build-arg TARGETARCH=${TARGETARCH} \
.
docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster --output /tmp/falco-driver-loader-${{ inputs.arch }}-buster.tar
docker save docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-legacy-${{ inputs.arch }}.tar
- name: Upload images tarballs
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: falco-images-${{ inputs.arch }}
name: falco-images
path: /tmp/falco-*.tar
retention-days: 1

263
.github/workflows/reusable_build_packages.yaml vendored
View File

@@ -10,40 +10,30 @@ on:
description: The Falco version to use when building packages
required: true
type: string
enable_debug:
description: Also create a debug build
build_type:
description: The build type
required: false
type: boolean
default: false
enable_sanitizers:
description: Also create a sanitizer build
required: false
type: boolean
default: false
use_jemalloc:
description: Use jemalloc memory allocator
required: false
type: boolean
default: false
use_mimalloc:
description: Use mimalloc memory allocator
type: string
default: 'Release'
sanitizers:
description: enable sanitizer support
required: false
type: boolean
default: false
permissions:
permissions:
contents: read
jobs:
build-modern-bpf-skeleton:
# See https://github.com/actions/runner/issues/409#issuecomment-1158849936
runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
container: fedora:41
runs-on: ${{ (inputs.arch == 'aarch64' && 'oracle-aarch64-4cpu-16gb') || 'ubuntu-latest' }}
container: fedora:latest
steps:
# Always install deps before invoking checkout action, to properly perform a full clone.
- name: Install build dependencies
run: |
dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake
dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel elfutils-libelf-devel
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
@@ -55,202 +45,120 @@ jobs:
cmake --build skeleton-build --target ProbeSkeleton -j6
- name: Upload skeleton
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: bpf_probe_${{ inputs.arch }}.skel.h
path: skeleton-build/skel_dir/bpf_probe.skel.h
retention-days: 1
build-packages-release:
build-packages:
env:
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
# See https://github.com/actions/runner/issues/409#issuecomment-1158849936
runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
runs-on: ${{ (inputs.arch == 'aarch64' && 'oracle-aarch64-4cpu-16gb') || 'ubuntu-latest' }}
needs: [build-modern-bpf-skeleton]
container: centos:7
steps:
# Always install deps before invoking checkout action, to properly perform a full clone.
- name: Fix mirrors to use vault.centos.org
run: |
sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo
sed -i s/^#.*baseurl=http/baseurl=https/g /etc/yum.repos.d/*.repo
sed -i s/^mirrorlist=http/#mirrorlist=https/g /etc/yum.repos.d/*.repo
- name: Install scl repos
run: |
yum -y install centos-release-scl
- name: Fix new mirrors to use vault.centos.org
run: |
sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo
sed -i s/^#.*baseurl=http/baseurl=https/g /etc/yum.repos.d/*.repo
sed -i s/^mirrorlist=http/#mirrorlist=https/g /etc/yum.repos.d/*.repo
- name: Fix arm64 scl repos to use correct mirror
if: inputs.arch == 'aarch64'
run: |
sed -i 's/vault.centos.org\/centos/vault.centos.org\/altarch/g' /etc/yum.repos.d/CentOS-SCLo-scl*.repo
- name: Install build deps
run: |
sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm alien
- name: Install systemd rpm macros
run: |
wget https://www.rpmfind.net/linux/centos-stream/9-stream/BaseOS/${{ inputs.arch }}/os/Packages/systemd-rpm-macros-252-59.el9.noarch.rpm
sudo alien -d -i systemd-rpm-macros-252-59.el9.noarch.rpm
yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
source /opt/rh/devtoolset-9/enable
yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd devtoolset-9-libasan-devel devtoolset-9-libubsan-devel
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
# It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Download skeleton
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: bpf_probe_${{ inputs.arch }}.skel.h
path: /tmp
- name: Install zig
if: inputs.sanitizers == false
uses: falcosecurity/libs/.github/actions/install-zig@master
- name: Install updated cmake
run: |
curl -L https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz \
| tar --directory=/usr --strip-components=1 -xzp
- name: Prepare project
run: |
source /opt/rh/devtoolset-9/enable
cmake -B build -S . \
-DCMAKE_BUILD_TYPE=RelWithDebInfo \
-DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
-DUSE_BUNDLED_DEPS=On \
-DFALCO_ETC_DIR=/etc/falco \
-DMODERN_BPF_SKEL_DIR=/tmp \
-DBUILD_DRIVER=Off \
-DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
-DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
-DBUILD_BPF=Off \
-DUSE_ASAN=${{ (inputs.sanitizers == true && inputs.arch == 'x86_64' && 'ON') || 'OFF' }} \
-DFALCO_VERSION=${{ inputs.version }}
- name: Build project
run: |
source /opt/rh/devtoolset-9/enable
cmake --build build --target falco -j6
- name: Build packages
run: |
source /opt/rh/devtoolset-9/enable
cmake --build build --target package
- name: Upload Falco tar.gz package
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz
name: falco-${{ inputs.version }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.tar.gz
path: |
${{ github.workspace }}/build/falco-*.tar.gz
- name: Upload Falco deb package
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: falco-${{ inputs.version }}-${{ inputs.arch }}.deb
name: falco-${{ inputs.version }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.deb
path: |
${{ github.workspace }}/build/falco-*.deb
- name: Upload Falco rpm package
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: falco-${{ inputs.version }}-${{ inputs.arch }}.rpm
name: falco-${{ inputs.version }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.rpm
path: |
${{ github.workspace }}/build/falco-*.rpm
- name: Upload Falco debug symbols
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: falco-${{ inputs.version }}-${{ inputs.arch }}.debug
path: |
${{ github.workspace }}/build/userspace/falco/falco.debug
build-packages-debug:
# See https://github.com/actions/runner/issues/409#issuecomment-1158849936
runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
if: ${{ inputs.enable_debug == true }}
needs: [build-modern-bpf-skeleton]
steps:
# Always install deps before invoking checkout action, to properly perform a full clone.
- name: Install build deps
run: |
sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: Download skeleton
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: bpf_probe_${{ inputs.arch }}.skel.h
path: /tmp
- name: Install zig
if: inputs.sanitizers == false
uses: falcosecurity/libs/.github/actions/install-zig@master
- name: Prepare project
run: |
cmake -B build -S . \
-DCMAKE_BUILD_TYPE=Debug \
-DUSE_BUNDLED_DEPS=On \
-DFALCO_ETC_DIR=/etc/falco \
-DMODERN_BPF_SKEL_DIR=/tmp \
-DBUILD_DRIVER=Off \
-DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
-DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
-DFALCO_VERSION=${{ inputs.version }}
- name: Build project
run: |
cmake --build build --target falco -j6
- name: Build packages
run: |
cmake --build build --target package
- name: Upload Falco tar.gz package
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: falco-${{ inputs.version }}-${{ inputs.arch }}-debug.tar.gz
path: |
${{ github.workspace }}/build/falco-*.tar.gz
build-packages-sanitizers:
# See https://github.com/actions/runner/issues/409#issuecomment-1158849936
runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
if: ${{ inputs.enable_sanitizers == true }}
needs: [build-modern-bpf-skeleton]
steps:
# Always install deps before invoking checkout action, to properly perform a full clone.
- name: Install build deps
run: |
sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: Download skeleton
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: bpf_probe_${{ inputs.arch }}.skel.h
path: /tmp
- name: Prepare project
# Jemalloc and ASAN don't play very well together.
run: |
cmake -B build -S . \
-DCMAKE_BUILD_TYPE=Debug \
-DUSE_BUNDLED_DEPS=On \
-DFALCO_ETC_DIR=/etc/falco \
-DMODERN_BPF_SKEL_DIR=/tmp \
-DBUILD_DRIVER=Off \
-DUSE_JEMALLOC=Off \
-DUSE_MIMALLOC=Off \
-DUSE_ASAN=On \
-DFALCO_VERSION=${{ inputs.version }}
- name: Build project
run: |
cmake --build build --target falco -j6
- name: Build packages
run: |
cmake --build build --target package
- name: Upload Falco tar.gz package
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: falco-${{ inputs.version }}-${{ inputs.arch }}-sanitizers.tar.gz
path: |
${{ github.workspace }}/build/falco-*.tar.gz
# The musl build job is currently disabled because we link libelf dynamically and it is
# not possible to dynamically link with musl
build-musl-package:
# x86_64 only for now
if: ${{ inputs.arch == 'x86_64' }}
# if: ${{ inputs.arch == 'x86_64' }}
if: false
runs-on: ubuntu-latest
container: alpine:3.17
steps:
# Always install deps before invoking checkout action, to properly perform a full clone.
- name: Install build dependencies
run: |
apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils clang llvm
git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
cd bpftool
git submodule update --init
cd src && make install
apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
@@ -260,15 +168,10 @@ jobs:
- name: Prepare project
run: |
cmake -B build -S . \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
-DCPACK_GENERATOR=TGZ \
-DBUILD_DRIVER=Off \
-DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
-DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
-DUSE_BUNDLED_DEPS=On \
-DMUSL_OPTIMIZED_BUILD=On \
-DFALCO_ETC_DIR=/etc/falco \
-DFALCO_VERSION=${{ inputs.version }}
-DBUILD_BPF=Off -DBUILD_DRIVER=Off \
-DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco -DFALCO_VERSION=${{ inputs.version }}
- name: Build project
run: |
@@ -284,7 +187,7 @@ jobs:
mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz
- name: Upload Falco static package
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: falco-${{ inputs.version }}-static-x86_64.tar.gz
path: |
@@ -292,7 +195,7 @@ jobs:
build-wasm-package:
if: ${{ inputs.arch == 'x86_64' }}
runs-on: ubuntu-22.04
runs-on: ubuntu-latest
steps:
# Always install deps before invoking checkout action, to properly perform a full clone.
- name: Install build dependencies
@@ -313,7 +216,10 @@ jobs:
- name: Prepare project
run: |
emcmake cmake -B build -S . \
-DCMAKE_BUILD_TYPE=Release \
-DBUILD_BPF=Off \
-DBUILD_DRIVER=Off \
-DBUILD_FALCO_MODERN_BPF=Off \
-DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
-DUSE_BUNDLED_DEPS=On \
-DFALCO_ETC_DIR=/etc/falco \
-DBUILD_FALCO_UNIT_TESTS=On \
@@ -335,7 +241,7 @@ jobs:
emmake make -j6 package
- name: Upload Falco WASM package
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: falco-${{ inputs.version }}-wasm.tar.gz
path: |
@@ -350,34 +256,31 @@ jobs:
with:
fetch-depth: 0
- name: Install NSIS
run: choco install nsis -y
# NOTE: Backslash doesn't work as line continuation on Windows.
- name: Prepare project
run: |
cmake -B build -S . -DCMAKE_BUILD_TYPE=Release -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
cmake -B build -S . -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
- name: Build project
run: |
cmake --build build --target package --config Release
cmake --build build --target package --config ${{ inputs.build_type }}
- name: Run unit Tests
run: |
build/unit_tests/Release/falco_unit_tests.exe
build/unit_tests/${{ inputs.build_type }}/falco_unit_tests.exe
- name: Upload Falco win32 installer
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: falco-installer-Release-win32.exe
name: falco-installer-${{ inputs.version }}-win32.exe
path: build/falco-*.exe
- name: Upload Falco win32 package
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: falco-Release-win32.exe
name: falco-${{ inputs.version }}-win32.exe
path: |
${{ github.workspace }}/build/userspace/falco/Release/falco.exe
${{ github.workspace }}/build/userspace/falco/${{ inputs.build_type }}/falco.exe
build-macos-package:
if: ${{ inputs.arch == 'x86_64' }}
@@ -402,7 +305,7 @@ jobs:
sudo build/unit_tests/falco_unit_tests
- name: Upload Falco macos package
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: falco-${{ inputs.version }}-macos
path: |

133
.github/workflows/reusable_publish_docker.yaml vendored
View File

@@ -18,55 +18,44 @@ on:
default: false
permissions:
id-token: write
contents: read
jobs:
publish-docker:
runs-on: ubuntu-latest
permissions:
attestations: write
id-token: write
contents: read
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Download x86_64 images tarballs
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
- name: Download images tarballs
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: falco-images-x86_64
name: falco-images
path: /tmp/falco-images
- name: Download aarch64 images tarballs
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: falco-images-aarch64
path: /tmp/falco-images
- name: Load all images
run: |
for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done
- name: Login to Docker Hub
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_SECRET }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco-ecr"
aws-region: us-east-1 # The region must be set to us-east-1 in order to access ECR Public.
- name: Login to Amazon ECR
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@2f9f10ea3fa2eed41ac443fee8bfbd059af2d0a4 # v1.6.0
with:
registry-type: public
registry-type: public
- name: Setup Crane
uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
with:
@@ -75,29 +64,42 @@ jobs:
# We're pushing the arch-specific manifests to Docker Hub so that we'll be able to easily create the index/multiarch later
- name: Push arch-specific images to Docker Hub
run: |
docker push docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }}
docker push docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
docker push docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }}
docker push docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }}
docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}
docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian
docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian
docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}
docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}-buster
docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}-buster
docker push docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }}
docker push docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
- name: Create Falco manifest on Docker Hub
- name: Create no-driver manifest on Docker Hub
uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
with:
inputs: docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }}
images: docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
push: true
- name: Create distroless manifest on Docker Hub
uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
with:
inputs: docker.io/falcosecurity/falco-distroless:${{ inputs.tag }}
images: docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }}
push: true
- name: Tag slim manifest on Docker Hub
run: |
crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} docker.io/falcosecurity/falco:${{ inputs.tag }}-slim
- name: Create falco manifest on Docker Hub
uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
with:
inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}
images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
push: true
- name: Create falco-debian manifest on Docker Hub
uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
with:
inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}-debian
images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian,docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian
push: true
- name: Create falco-driver-loader manifest on Docker Hub
uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
with:
@@ -105,41 +107,48 @@ jobs:
images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
push: true
- name: Create falco-driver-loader-buster manifest on Docker Hub
- name: Create falco-driver-loader-legacy manifest on Docker Hub
uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
with:
inputs: docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster
images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}-buster,docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}-buster
inputs: docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }}
images: docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
push: true
- name: Get Digests for images
id: digests
# We could probably use the docker-manifest-action output instead of recomputing those with crane
run: |
echo "falco-no-driver=$(crane digest docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }})" >> $GITHUB_OUTPUT
echo "falco-distroless=$(crane digest docker.io/falcosecurity/falco-distroless:${{ inputs.tag }})" >> $GITHUB_OUTPUT
echo "falco=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }})" >> $GITHUB_OUTPUT
echo "falco-debian=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }}-debian)" >> $GITHUB_OUTPUT
echo "falco-driver-loader=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }})" >> $GITHUB_OUTPUT
echo "falco-driver-loader-buster=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster)" >> $GITHUB_OUTPUT
echo "falco-driver-loader-legacy=$(crane digest docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }})" >> $GITHUB_OUTPUT
- name: Publish images to ECR
run: |
crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }}
crane copy docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }}
crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}
crane copy docker.io/falcosecurity/falco:${{ inputs.tag }}-debian public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-debian
crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}
crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster
crane copy docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }}
crane copy public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim
- name: Tag latest on Docker Hub and ECR
if: inputs.is_latest
run: |
crane tag docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
crane tag docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} latest
crane tag docker.io/falcosecurity/falco:${{ inputs.tag }} latest
crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian
crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster
crane tag docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest
crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
crane tag public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
crane tag public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }} latest
crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} latest
crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian
crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster
crane tag public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest
crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
- name: Setup Cosign
if: inputs.sign
@@ -151,24 +160,14 @@ jobs:
COSIGN_EXPERIMENTAL: "true"
COSIGN_YES: "true"
run: |
cosign sign docker.io/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }}
cosign sign docker.io/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }}
cosign sign docker.io/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }}
cosign sign docker.io/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}
cosign sign docker.io/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
cosign sign docker.io/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }}
cosign sign docker.io/falcosecurity/falco@${{ steps.digests.outputs.falco }}
cosign sign docker.io/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
cosign sign docker.io/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }}
cosign sign public.ecr.aws/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }}
cosign sign public.ecr.aws/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }}
cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }}
cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}
- uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
with:
subject-name: docker.io/falcosecurity/falco
subject-digest: ${{ steps.digests.outputs.falco }}
push-to-registry: true
- uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
with:
subject-name: docker.io/falcosecurity/falco-driver-loader
subject-digest: ${{ steps.digests.outputs.falco-driver-loader }}
push-to-registry: true
cosign sign public.ecr.aws/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
cosign sign public.ecr.aws/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }}
cosign sign public.ecr.aws/falcosecurity/falco@${{ steps.digests.outputs.falco }}
cosign sign public.ecr.aws/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
cosign sign public.ecr.aws/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }}

29
.github/workflows/reusable_publish_packages.yaml vendored
View File

@@ -42,37 +42,40 @@ jobs:
aws-region: ${{ env.AWS_S3_REGION }}
- name: Download RPM x86_64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: falco-${{ inputs.version }}-x86_64.rpm
path: /tmp/falco-build-rpm
- name: Download RPM aarch64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: falco-${{ inputs.version }}-aarch64.rpm
path: /tmp/falco-build-rpm
- name: Download binary x86_64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: falco-${{ inputs.version }}-x86_64.tar.gz
path: /tmp/falco-build-bin
- name: Download binary aarch64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: falco-${{ inputs.version }}-aarch64.tar.gz
path: /tmp/falco-build-bin
# The musl build job is currently disabled because we link libelf dynamically and it is
# not possible to dynamically link with musl
- name: Download static binary x86_64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
if: false
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: falco-${{ inputs.version }}-static-x86_64.tar.gz
path: /tmp/falco-build-bin-static
- name: Download WASM package
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: falco-${{ inputs.version }}-wasm.tar.gz
path: /tmp/falco-wasm
@@ -82,6 +85,11 @@ jobs:
GPG_KEY: ${{ secrets.GPG_KEY }}
run: printenv GPG_KEY | gpg --import -
- name: Sign rpms
run: |
rpmsign --define '_gpg_name Falcosecurity Package Signing' --addsign /tmp/falco-build-rpm/falco-*.rpm
rpm --qf %{SIGPGP:pgpsig} -qp /tmp/falco-build-rpm/falco-*.rpm | grep SHA256
- name: Publish wasm
run: |
./scripts/publish-wasm -f /tmp/falco-wasm/falco-${{ inputs.version }}-wasm.tar.gz
@@ -94,8 +102,11 @@ jobs:
run: |
./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-aarch64.tar.gz -r bin${{ inputs.bucket_suffix }} -a aarch64
# The musl build job is currently disabled because we link libelf dynamically and it is
# not possible to dynamically link with musl
- name: Publish static
if: false
run: |
./scripts/publish-bin -f /tmp/falco-build-bin-static/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
@@ -120,13 +131,13 @@ jobs:
aws-region: ${{ env.AWS_S3_REGION }}
- name: Download deb x86_64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: falco-${{ inputs.version }}-x86_64.deb
path: /tmp/falco-build-deb
- name: Download deb aarch64
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: falco-${{ inputs.version }}-aarch64.deb
path: /tmp/falco-build-deb

14
.github/workflows/reusable_test_packages.yaml vendored
View File

@@ -27,10 +27,10 @@ permissions:
jobs:
test-packages:
# See https://github.com/actions/runner/issues/409#issuecomment-1158849936
runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
runs-on: ${{ (inputs.arch == 'aarch64' && 'oracle-aarch64-4cpu-16gb') || 'ubuntu-latest' }}
steps:
- name: Download binary
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.tar.gz
@@ -40,15 +40,16 @@ jobs:
tar -xvf $(ls falco-*.tar.gz)
cd falco-${{ inputs.version }}-${{ inputs.arch }}
sudo cp -r * /
# We only run driver loader tests on x86_64
- name: Install kernel headers for falco-driver-loader tests
if: ${{ inputs.arch == 'x86_64' }}
run: |
sudo apt update -y
sudo apt install -y --no-install-recommends linux-headers-$(uname -r)
# Some builds use sanitizers, we always install support for them so they can run
- name: Install sanitizer support
if: inputs.sanitizers
run: |
sudo apt update -y
sudo apt install -y libasan5 libubsan1
@@ -56,13 +57,12 @@ jobs:
- name: Run tests
env:
LSAN_OPTIONS: "intercept_tls_get_addr=0"
uses: falcosecurity/testing@main
uses: falcosecurity/testing@main
with:
test-falco: 'true'
test-falcoctl: 'true'
test-k8saudit: 'true'
test-dummy: 'true'
static: ${{ inputs.static && 'true' || 'false' }}
test-drivers: 'true'
test-drivers: ${{ inputs.arch == 'x86_64' && 'true' || 'false' }}
show-all: 'true'
report-name-suffix: ${{ inputs.static && '-static' || '' }}${{ inputs.sanitizers && '-sanitizers' || '' }}

2
.github/workflows/scorecard.yaml vendored
View File

@@ -65,7 +65,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
with:
name: SARIF file
path: results.sarif

4
.github/workflows/staticanalysis.yaml vendored
View File

@@ -24,12 +24,12 @@ jobs:
run: |
cmake -B build -S . \
-DCMAKE_BUILD_TYPE="release" \
-DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DBUILD_DRIVER=Off
-DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DBUILD_BPF=Off -DBUILD_DRIVER=Off
cmake --build build -j4 --target cppcheck
cmake --build build -j4 --target cppcheck_htmlreport
- name: Upload reports ⬆️
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: static-analysis-reports
path: ./build/static-analysis-reports

4
ADOPTERS.md
View File

@@ -43,8 +43,6 @@ This is a list of production adopters of Falco (in alphabetical order):
* [MathWorks](https://mathworks.com) - MathWorks develops mathematical computing software for engineers and scientists. MathWorks uses Falco for Kubernetes threat detection, unexpected application behavior, and maps Falco rules to their cloud infrastructure's security kill chain model. MathWorks presented their Falco use case at [KubeCon + CloudNativeCon North America 2020](https://www.youtube.com/watch?v=L-5RYBTV010).
* [NETWAYS Web Services](https://nws.netways.de/en/) - NETWAYS Web Services provides cloud and managed services tailored to their customers needs. From VPCs to managed databases and Kubernetes clusters, NETWAYS Web Services enables their customers to run infrastructure and applications without worries. Falco plays its part for NETWAYS Managed Services to ensure their platform conforms to ISO 27001 at all times and that their clients' workloads behave as expected by detecting anomalies in real-time.
* [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.
* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPAA compliance requirements.
@@ -60,8 +58,6 @@ This is a list of production adopters of Falco (in alphabetical order):
* [Shopify](https://www.shopify.com) - Shopify is the leading multi-channel commerce platform. Merchants use Shopify to design, set up, and manage their stores across multiple sales channels, including mobile, web, social media, marketplaces, brick-and-mortar locations, and pop-up shops. The platform also provides merchants with a powerful back-office and a single view of their business, from payments to shipping. The Shopify platform was engineered for reliability and scale, making enterprise-level technology available to businesses of all sizes. Shopify uses Falco to complement its Host and Network Intrusion Detection Systems.
* [SafeDep](https://safedep.io/) - SafeDep is a open source software supply chain security platform that helps organizations identify and mitigate risks in their dependencies. At its core, SafeDep offers [`vet`](https://github.com/safedep/vet) a free and open source tool for detecting vulnerabilities, malicious code, and quality issues in open source components, while the enterprise offering, SafeDep Cloud, provides centralized control, data aggregation, and advanced features like malware analysis for large-scale deployments across thousands of repositories.
* [Sight Machine](https://www.sightmachine.com) - Sight Machine is the category leader for manufacturing analytics and used by Global 500 companies to make better, faster decisions about their operations. Sight Machine uses Falco to help enforce SOC2 compliance as well as a tool for real time security monitoring and alerting in Kubernetes.
* [Skyscanner](https://www.skyscanner.net) - Skyscanner is the world's travel search engine for flights, hotels and car rentals. Most of our infrastructure is based on Kubernetes, and our Security team is using Falco to monitor anomalies at runtime, integrating Falco's findings with our internal ChatOps tooling to provide insight on the behavior of our machines in production. We also postprocess and store Falco's results to generate dashboards for auditing purposes.

387
CHANGELOG.md
View File

@@ -1,392 +1,5 @@
# Change Log
## v0.43.0
Released on 2026-01-28
### Breaking Changes :warning:
* fix(userspace)!: show source config path only in debug builds [[#3787](https://github.com/falcosecurity/falco/pull/3787)] - [@leogr](https://github.com/leogr)
### Minor Changes
* chore(userspace): deprecate `--gvisor-generate-config` CLI option [[#3784](https://github.com/falcosecurity/falco/pull/3784)] - [@ekoops](https://github.com/ekoops)
* docs: add deprecation notice for legacy eBPF in pkg install dialog [[#3786](https://github.com/falcosecurity/falco/pull/3786)] - [@ekoops](https://github.com/ekoops)
* chore: [NOTICE] The GPG key used to sign DEB/RPM packages has been rotated, and all existing packages have been re-signed. New key fingerprint: `478B2FBBC75F4237B731DA4365106822B35B1B1F` [[#3753](https://github.com/falcosecurity/falco/pull/3753)] - [@leogr](https://github.com/leogr)
* chore(scripts/falcoctl): increase follow interval to 1 week [[#3757](https://github.com/falcosecurity/falco/pull/3757)] - [@leogr](https://github.com/leogr)
* docs: add deprecation notice for legacy eBPF, gVisor and gRPC usage [[#3763](https://github.com/falcosecurity/falco/pull/3763)] - [@ekoops](https://github.com/ekoops)
* chore(userspace): deprecate legacy eBPF probe, gVisor engine and gRPC [[#3763](https://github.com/falcosecurity/falco/pull/3763)] - [@ekoops](https://github.com/ekoops)
* chore(engine): emit warning when the deprecated `evt.latency` field family is used in a rule condition or output [[#3744](https://github.com/falcosecurity/falco/pull/3744)] - [@irozzo-1A](https://github.com/irozzo-1A)
### Bug Fixes
* fix: prevent null pointer crash on `popen()` failure in output_program [[#3722](https://github.com/falcosecurity/falco/pull/3722)] - [@vietcgi](https://github.com/vietcgi)
* fix: correct falcoctl.yaml path in debian conffiles [[#3745](https://github.com/falcosecurity/falco/pull/3745)] - [@leogr](https://github.com/leogr)
### Non user-facing changes
* chore(cmake): bump falcoctl dependency version to `0.12.2` [[#3790](https://github.com/falcosecurity/falco/pull/3790)] - [@ekoops](https://github.com/ekoops)
* chore(cmake): bump falcoctl dependency version to `0.12.1` [[#3777](https://github.com/falcosecurity/falco/pull/3777)] - [@ekoops](https://github.com/ekoops)
* chore(cmake): bump container plugin version to `0.6.1` [[#3780](https://github.com/falcosecurity/falco/pull/3780)] - [@ekoops](https://github.com/ekoops)
* fix(userspace/engine): missing closing quote in deprecated field warning [[#3779](https://github.com/falcosecurity/falco/pull/3779)] - [@leogr](https://github.com/leogr)
* chore(.github): Put back gpg key rotation workflow [[#3772](https://github.com/falcosecurity/falco/pull/3772)] - [@irozzo-1A](https://github.com/irozzo-1A)
* chore(cmake): bump libs/drivers to `0.23.1`/`9.1.0+driver` [[#3769](https://github.com/falcosecurity/falco/pull/3769)] - [@ekoops](https://github.com/ekoops)
* revert: chore(.github): temporary action for GPG key rotation [[#3766](https://github.com/falcosecurity/falco/pull/3766)] - [@leogr](https://github.com/leogr)
* chore(cmake): bump container plugin version to 0.6.0 [[#3768](https://github.com/falcosecurity/falco/pull/3768)] - [@irozzo-1A](https://github.com/irozzo-1A)
* docs(proposals): add proposal for legacy probe, gVisor engine and gRPC output deprecation [[#3755](https://github.com/falcosecurity/falco/pull/3755)] - [@ekoops](https://github.com/ekoops)
* chore(cmake): bump libs/drivers to `0.23.0`/`9.1.0+driver` [[#3760](https://github.com/falcosecurity/falco/pull/3760)] - [@ekoops](https://github.com/ekoops)
* update(cmake): update libs and driver to latest master [[#3754](https://github.com/falcosecurity/falco/pull/3754)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* fix(metrics): Add null check for state.outputs in metrics collection [[#3740](https://github.com/falcosecurity/falco/pull/3740)] - [@adduali1310](https://github.com/adduali1310)
* chore(cmake): bump libs to `0.23.0-rc2` [[#3759](https://github.com/falcosecurity/falco/pull/3759)] - [@ekoops](https://github.com/ekoops)
* chore(cmake): bump libs/drivers to `0.23.0-rc1`/`9.1.0-rc1+driver` [[#3758](https://github.com/falcosecurity/falco/pull/3758)] - [@ekoops](https://github.com/ekoops)
* fix(ci): revert changes to mitigate rate-limitar change [[#3752](https://github.com/falcosecurity/falco/pull/3752)] - [@irozzo-1A](https://github.com/irozzo-1A)
* update(cmake): update libs and driver to latest master [[#3723](https://github.com/falcosecurity/falco/pull/3723)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* Reduce image size [[#3746](https://github.com/falcosecurity/falco/pull/3746)] - [@jfcoz](https://github.com/jfcoz)
* docs(RELEASE.md): specify target branch association upon release creation [[#3717](https://github.com/falcosecurity/falco/pull/3717)] - [@ekoops](https://github.com/ekoops)
* docs(RELEASE.md): fix `rn2md` cmd generating changelogs [[#3709](https://github.com/falcosecurity/falco/pull/3709)] - [@ekoops](https://github.com/ekoops)
* docs(RELEASE.md): fix PRs filtering expr for checking release notes [[#3708](https://github.com/falcosecurity/falco/pull/3708)] - [@ekoops](https://github.com/ekoops)
* docs(RELEASE.md): fix PRs filtering expression text [[#3707](https://github.com/falcosecurity/falco/pull/3707)] - [@ekoops](https://github.com/ekoops)
### Statistics
| MERGED PRS | NUMBER |
|-----------------|--------|
| Not user-facing | 21 |
| Release note | 11 |
| Total | 32 |
## v0.42.0
Released on 2025-10-22
### Major Changes
* feat: add `falco_libs.thread_table_auto_purging_interval_s` and `thread_table_auto_purging_thread_timeout_s` configuration options [[#3670](https://github.com/falcosecurity/falco/pull/3670)] - [@ekoops](https://github.com/ekoops)
* feat: log plugin version info at loading time [[#3657](https://github.com/falcosecurity/falco/pull/3657)] - [@FedeDP](https://github.com/FedeDP)
* feat: ability to add statically defined fields via `static_fields` configuration [[#3557](https://github.com/falcosecurity/falco/pull/3557)] - [@FedeDP](https://github.com/FedeDP)
* feat(engine): emit warning when a rule containing the `evt.dir` field in output is encountered [[#3697](https://github.com/falcosecurity/falco/pull/3697)] - [@irozzo-1A](https://github.com/irozzo-1A)
* feat(engine): emit warning when a rule containing a condition on the deprecated `evt.dir` field is encountered [[#3690](https://github.com/falcosecurity/falco/pull/3690)] - [@irozzo-1A](https://github.com/irozzo-1A)
* new: ability to record `.scap` files (capture feature) [[#3645](https://github.com/falcosecurity/falco/pull/3645)] - [@leogr](https://github.com/leogr)
* new(docker): includes sha on the image labels [[#3658](https://github.com/falcosecurity/falco/pull/3658)] - [@jcchavezs](https://github.com/jcchavezs)
* new(cmake,userspace,ci): add mimalloc support [[#3616](https://github.com/falcosecurity/falco/pull/3616)] - [@FedeDP](https://github.com/FedeDP)
### Minor Changes
* docs(falco.yaml): refactor config documentation [[#3685](https://github.com/falcosecurity/falco/pull/3685)] - [@leogr](https://github.com/leogr)
* build: fix `debian:buster` apt debian repo URL in `:driver-loader-buster` container image [[#3644](https://github.com/falcosecurity/falco/pull/3644)] - [@ekoops](https://github.com/ekoops)
* build: updagrade libs to version 0.22.1 [[#3705](https://github.com/falcosecurity/falco/pull/3705)] - [@irozzo-1A](https://github.com/irozzo-1A)
* build: upgrade drivers to v9.0.0+driver [[#3701](https://github.com/falcosecurity/falco/pull/3701)] - [@irozzo-1A](https://github.com/irozzo-1A)
* build: upgrade cpp-httplib to v0.23.1 [[#3647](https://github.com/falcosecurity/falco/pull/3647)] - [@FedeDP](https://github.com/FedeDP)
* update: upgrade default ruleset to v5.0.0 [[#3700](https://github.com/falcosecurity/falco/pull/3700)] - [@leogr](https://github.com/leogr)
* build: upgrade `falcoctl` to v0.11.4 [[#3694](https://github.com/falcosecurity/falco/pull/3694)] - [@leogr](https://github.com/leogr)
* chore(prometheus): deprecate enter events drop stats [[#3675](https://github.com/falcosecurity/falco/pull/3675)] - [@irozzo-1A](https://github.com/irozzo-1A)
### Bug Fixes
* fix(cmake): correct abseil-cpp for alpine build [[#3598](https://github.com/falcosecurity/falco/pull/3598)] - [@RomanenkoDenys](https://github.com/RomanenkoDenys)
* fix: enable handling of multiple actions configured with `syscall_event_drops.actions` [[#3676](https://github.com/falcosecurity/falco/pull/3676)] - [@terror96](https://github.com/terror96)
* fix: disable dry-run restarts when Falco runs with config-watching disabled [[#3640](https://github.com/falcosecurity/falco/pull/3640)] - [@Proximyst](https://github.com/Proximyst)
### Non user-facing changes
* fix(userspace/falco): correct default duration calculation [[#3715](https://github.com/falcosecurity/falco/pull/3715)] - [@leogr](https://github.com/leogr)
* chore(falcoctl): update falco rules to version 5 [[#3712](https://github.com/falcosecurity/falco/pull/3712)] - [@irozzo-1A](https://github.com/irozzo-1A)
* doc(OWNERS): move incertum (Melissa Kilby) to emeritus_approvers [[#3605](https://github.com/falcosecurity/falco/pull/3605)] - [@incertum](https://github.com/incertum)
* update(cmake): update libs and driver to latest master [[#3689](https://github.com/falcosecurity/falco/pull/3689)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* chore(docker): use new `ENV` syntax in place of deprecated one [[#3696](https://github.com/falcosecurity/falco/pull/3696)] - [@ekoops](https://github.com/ekoops)
* chore(cmake/modules): update rules to 5.0.0-rc1 [[#3698](https://github.com/falcosecurity/falco/pull/3698)] - [@leogr](https://github.com/leogr)
* fix(userspace/engine): fix logger date format [[#3672](https://github.com/falcosecurity/falco/pull/3672)] - [@ekoops](https://github.com/ekoops)
* docs(OWNERS): add `ekoops`(Leonardo Di Giovanna) as approver [[#3688](https://github.com/falcosecurity/falco/pull/3688)] - [@ekoops](https://github.com/ekoops)
* update(cmake): update libs and driver to latest master [[#3665](https://github.com/falcosecurity/falco/pull/3665)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* Refactor: cppcheck cleanups [[#3649](https://github.com/falcosecurity/falco/pull/3649)] - [@sgaist](https://github.com/sgaist)
* update(userspace/engine): update falco engine version and checksum [[#3648](https://github.com/falcosecurity/falco/pull/3648)] - [@ekoops](https://github.com/ekoops)
* update(cmake): update libs and driver to latest master [[#3662](https://github.com/falcosecurity/falco/pull/3662)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3661](https://github.com/falcosecurity/falco/pull/3661)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3653](https://github.com/falcosecurity/falco/pull/3653)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* chore(ci): disable mimalloc for master builds. [[#3655](https://github.com/falcosecurity/falco/pull/3655)] - [@FedeDP](https://github.com/FedeDP)
* chore(deps): Bump submodules/falcosecurity-rules from `1208816` to `be38001` [[#3651](https://github.com/falcosecurity/falco/pull/3651)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* docs(falco.yaml): avoid out-of-sync config options for `container` pl… [[#3650](https://github.com/falcosecurity/falco/pull/3650)] - [@leogr](https://github.com/leogr)
* update(cmake): update libs and driver to latest master [[#3636](https://github.com/falcosecurity/falco/pull/3636)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(CHANGELOG.md): release 0.41.3 (cherry-pick) [[#3634](https://github.com/falcosecurity/falco/pull/3634)] - [@ekoops](https://github.com/ekoops)
* update(cmake): update libs and driver to latest master [[#3628](https://github.com/falcosecurity/falco/pull/3628)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(CHANGELOG.md): release 0.41.2 (cherry-pick) [[#3623](https://github.com/falcosecurity/falco/pull/3623)] - [@ekoops](https://github.com/ekoops)
* update(cmake): update libs and driver to latest master [[#3618](https://github.com/falcosecurity/falco/pull/3618)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3602](https://github.com/falcosecurity/falco/pull/3602)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* chore(falco.yaml): clean up plugins config leftover [[#3596](https://github.com/falcosecurity/falco/pull/3596)] - [@leogr](https://github.com/leogr)
* chore(deps): Bump submodules/falcosecurity-rules from `b4437c4` to `4d51b18` [[#3607](https://github.com/falcosecurity/falco/pull/3607)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(docs): cherry pick CHANGELOG. [[#3600](https://github.com/falcosecurity/falco/pull/3600)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): update libs and driver to latest master [[#3592](https://github.com/falcosecurity/falco/pull/3592)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(docs): bumped changelog for release 0.41.0, master sync [[#3586](https://github.com/falcosecurity/falco/pull/3586)] - [@FedeDP](https://github.com/FedeDP)
* chore(deps): Bump submodules/falcosecurity-rules from `cb17833` to `b4437c4` [[#3578](https://github.com/falcosecurity/falco/pull/3578)] - [@dependabot[bot]](https://github.com/apps/dependabot)
### Statistics
| MERGED PRS | NUMBER |
|-----------------|--------|
| Not user-facing | 29 |
| Release note | 23 |
| Total | 52 |
## v0.41.3
Released on 2025-07-01
### Minor Changes
* update: bump container plugin to v0.3.1 [[#3629](https://github.com/falcosecurity/falco/pull/3629)] - [@FedeDP](https://github.com/FedeDP)
### Statistics
| MERGED PRS | NUMBER |
|-----------------|--------|
| Not user-facing | 0 |
| Release note | 1 |
| Total | 1 |
## v0.41.2
Released on 2025-06-17
### Minor Changes
* update(build): update container plugin to 0.3.0 [[#3619](https://github.com/falcosecurity/falco/pull/3619)] - [@ekoops](https://github.com/ekoops)
### Non user-facing changes
* update(build): update container plugin to 0.2.6 [[#3611](https://github.com/falcosecurity/falco/pull/3611)] - [@leogr](https://github.com/leogr)
### Statistics
| MERGED PRS | NUMBER |
|-----------------|--------|
| Not user-facing | 1 |
| Release note | 1 |
| Total | 2 |
## v0.41.1
Released on 2025-06-05
### Bug Fixes
* fix(userspace/falco): when collecting metrics for stats_writer, create a `libs_metrics_collector` for each source [[#3585](https://github.com/falcosecurity/falco/pull/3585)] - [@FedeDP](https://github.com/FedeDP)
* fix(userspace/falco): only enable prometheus metrics once all inspectors have been opened [[#3588](https://github.com/falcosecurity/falco/pull/3588)] - [@FedeDP](https://github.com/FedeDP)
### Statistics
| MERGED PRS | NUMBER |
|-----------------|--------|
| Not user-facing | 0 |
| Release note | 2 |
| Total | 2 |
## v0.41.0
Released on 2025-05-29
### Breaking Changes :warning:
* cleanup(engine)!: only consider .yaml/.yml rule files [[#3551](https://github.com/falcosecurity/falco/pull/3551)] - [@LucaGuerra](https://github.com/LucaGuerra)
* cleanup(userspace)!: deprecate print of `container.info` [[#3543](https://github.com/falcosecurity/falco/pull/3543)] - [@FedeDP](https://github.com/FedeDP)
* cleanup(userspace/falco)!: drop deprecated in 0.40.0 CLI flags. [[#3496](https://github.com/falcosecurity/falco/pull/3496)] - [@FedeDP](https://github.com/FedeDP)
### Major Changes
* new(falco): add json_include_output_fields option [[#3527](https://github.com/falcosecurity/falco/pull/3527)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new(build,userspace): switch to use container plugin [[#3482](https://github.com/falcosecurity/falco/pull/3482)] - [@FedeDP](https://github.com/FedeDP)
* new(docker,scripts,ci): use an override config file to enable ISO 8601 output timeformat on docker images [[#3488](https://github.com/falcosecurity/falco/pull/3488)] - [@FedeDP](https://github.com/FedeDP)
### Minor Changes
* chore(build): update falcoctl to v0.11.2, rules for artifact follow to v4 [[#3580](https://github.com/falcosecurity/falco/pull/3580)] - [@LucaGuerra](https://github.com/LucaGuerra)
* update(cmake): bumped falcoctl to 0.11.1 and rules to 4.0.0. [[#3577](https://github.com/falcosecurity/falco/pull/3577)] - [@FedeDP](https://github.com/FedeDP)
* update(containers): update opencontainers labels [[#3575](https://github.com/falcosecurity/falco/pull/3575)] - [@LucaGuerra](https://github.com/LucaGuerra)
* update(metrics): improve restart/hot_reload conditions inspection [[#3562](https://github.com/falcosecurity/falco/pull/3562)] - [@incertum](https://github.com/incertum)
* update: empty `values` in `exceptions` won't emit a warning anymore [[#3529](https://github.com/falcosecurity/falco/pull/3529)] - [@leogr](https://github.com/leogr)
* chore(falco.yaml): enable libs_logger by default with info level [[#3507](https://github.com/falcosecurity/falco/pull/3507)] - [@FedeDP](https://github.com/FedeDP)
### Bug Fixes
* fix(metrics/prometheus): gracefully handle multiple event sources, avoid erroneous duplicate metrics [[#3563](https://github.com/falcosecurity/falco/pull/3563)] - [@incertum](https://github.com/incertum)
* fix(ci): properly install rpm systemd-rpm-macro package on building packages pipeline [[#3521](https://github.com/falcosecurity/falco/pull/3521)] - [@FedeDP](https://github.com/FedeDP)
* fix(userspace/falco): init cmdline options after loading all config files [[#3493](https://github.com/falcosecurity/falco/pull/3493)] - [@FedeDP](https://github.com/FedeDP)
* fix(cmake): add support for 16K kernel page to jemalloc [[#3490](https://github.com/falcosecurity/falco/pull/3490)] - [@Darkness4](https://github.com/Darkness4)
* fix(userspace/falco): fix jemalloc enabled in minimal build. [[#3478](https://github.com/falcosecurity/falco/pull/3478)] - [@FedeDP](https://github.com/FedeDP)
### Non user-facing changes
* chore(deps): Bump submodules/falcosecurity-rules from `4ccf111` to `cb17833` [[#3572](https://github.com/falcosecurity/falco/pull/3572)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(cmake/rules): bump to falco-rules-4.0.0-rc1 [[#3567](https://github.com/falcosecurity/falco/pull/3567)] - [@leogr](https://github.com/leogr)
* cleanup(userspace/falco): drop unused `libs_metrics_collector` variable. [[#3566](https://github.com/falcosecurity/falco/pull/3566)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): update libs and driver to latest master [[#3564](https://github.com/falcosecurity/falco/pull/3564)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* fix(build): fixed container custom_target `sed` command. [[#3556](https://github.com/falcosecurity/falco/pull/3556)] - [@FedeDP](https://github.com/FedeDP)
* chore(deps): Bump submodules/falcosecurity-rules from `ae6ed41` to `4ccf111` [[#3555](https://github.com/falcosecurity/falco/pull/3555)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* fix(cmake): fix bundled c-ares cmake issue with e.g. SLES [[#3559](https://github.com/falcosecurity/falco/pull/3559)] - [@terror96](https://github.com/terror96)
* chore(deps): Bump submodules/falcosecurity-rules from `1d2c6b1` to `ae6ed41` [[#3553](https://github.com/falcosecurity/falco/pull/3553)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* chore: revert "chore(deps): Bump submodules/falcosecurity-rules from `1d2c6b1` to `371e431`" [[#3552](https://github.com/falcosecurity/falco/pull/3552)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): update libs and driver to latest master [[#3550](https://github.com/falcosecurity/falco/pull/3550)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3549](https://github.com/falcosecurity/falco/pull/3549)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(adopters): added SafeDep as adopter [[#3548](https://github.com/falcosecurity/falco/pull/3548)] - [@KunalSin9h](https://github.com/KunalSin9h)
* update(cmake): update libs and driver to latest master [[#3547](https://github.com/falcosecurity/falco/pull/3547)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3541](https://github.com/falcosecurity/falco/pull/3541)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* fix(userspace): fixed engine `openssl` dep. [[#3535](https://github.com/falcosecurity/falco/pull/3535)] - [@FedeDP](https://github.com/FedeDP)
* fix(userspace/falco): fix outputs_http timeout [[#3523](https://github.com/falcosecurity/falco/pull/3523)] - [@benierc](https://github.com/benierc)
* fix(ci): use clang-19 to build modern_ebpf skeleton. [[#3537](https://github.com/falcosecurity/falco/pull/3537)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): update libs and driver to latest master [[#3531](https://github.com/falcosecurity/falco/pull/3531)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3530](https://github.com/falcosecurity/falco/pull/3530)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3525](https://github.com/falcosecurity/falco/pull/3525)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3520](https://github.com/falcosecurity/falco/pull/3520)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3516](https://github.com/falcosecurity/falco/pull/3516)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* docs(README.md): cleanups and enhancements [[#3514](https://github.com/falcosecurity/falco/pull/3514)] - [@leogr](https://github.com/leogr)
* update(cmake): update libs and driver to latest master [[#3511](https://github.com/falcosecurity/falco/pull/3511)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* chore(deps): Bump submodules/falcosecurity-rules from `1d2c6b1` to `371e431` [[#3510](https://github.com/falcosecurity/falco/pull/3510)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(cmake): update libs and driver to latest master [[#3508](https://github.com/falcosecurity/falco/pull/3508)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3506](https://github.com/falcosecurity/falco/pull/3506)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* fix(userspace/falco): when counting `-M` timeout, do not account for async events [[#3505](https://github.com/falcosecurity/falco/pull/3505)] - [@FedeDP](https://github.com/FedeDP)
* chore(deps): Bump submodules/falcosecurity-rules from `d8415c1` to `1d2c6b1` [[#3504](https://github.com/falcosecurity/falco/pull/3504)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* docs(proposals): correct typo in example [[#3499](https://github.com/falcosecurity/falco/pull/3499)] - [@leogr](https://github.com/leogr)
* fix(docker): fixed entrypoints paths with new docker context. [[#3492](https://github.com/falcosecurity/falco/pull/3492)] - [@FedeDP](https://github.com/FedeDP)
* feat(falco/app): move actions not using config before `load_config` [[#3483](https://github.com/falcosecurity/falco/pull/3483)] - [@ekoops](https://github.com/ekoops)
* refactor(falco/app): apply early return pattern in actions code [[#3484](https://github.com/falcosecurity/falco/pull/3484)] - [@ekoops](https://github.com/ekoops)
* chore(deps): Bump submodules/falcosecurity-rules from `abf6637` to `d8415c1` [[#3489](https://github.com/falcosecurity/falco/pull/3489)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* Add NETWAYS Web Services to ADOPTERS.md [[#3487](https://github.com/falcosecurity/falco/pull/3487)] - [@mocdaniel](https://github.com/mocdaniel)
* chore: add back Falco static package to the release template. [[#3472](https://github.com/falcosecurity/falco/pull/3472)] - [@FedeDP](https://github.com/FedeDP)
### Statistics
| MERGED PRS | NUMBER |
|-----------------|--------|
| Not user-facing | 36 |
| Release note | 17 |
| Total | 53 |
## v0.40.0
Released on 2025-01-28
### Breaking Changes :warning:
* cleanup(userspac/falco)!: drop deprecated options. [[#3361](https://github.com/falcosecurity/falco/pull/3361)] - [@FedeDP](https://github.com/FedeDP)
### Major Changes
* new(docker): streamline docker images [[#3273](https://github.com/falcosecurity/falco/pull/3273)] - [@FedeDP](https://github.com/FedeDP)
* new(build): reintroduce static build [[#3428](https://github.com/falcosecurity/falco/pull/3428)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new(cmake,ci): added support for using jemalloc allocator instead of glibc one and use it by default for release artifacts [[#3406](https://github.com/falcosecurity/falco/pull/3406)] - [@FedeDP](https://github.com/FedeDP)
* new(userspace,cmake): honor new plugins exposed suggested output formats [[#3388](https://github.com/falcosecurity/falco/pull/3388)] - [@FedeDP](https://github.com/FedeDP)
* new(userspace/falco): allow entirely disabling plugin hostinfo support. [[#3412](https://github.com/falcosecurity/falco/pull/3412)] - [@FedeDP](https://github.com/FedeDP)
* new(ci): use `zig` compiler instead of relying on centos7. [[#3307](https://github.com/falcosecurity/falco/pull/3307)] - [@FedeDP](https://github.com/FedeDP)
* new(falco): add buffer_format_base64 option, deprecate -b [[#3358](https://github.com/falcosecurity/falco/pull/3358)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new(falco): add base_syscalls.all option to falco.yaml, deprecate -A [[#3352](https://github.com/falcosecurity/falco/pull/3352)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new(falco): add falco_libs.snaplen option, deprecate -S / --snaplen [[#3362](https://github.com/falcosecurity/falco/pull/3362)] - [@LucaGuerra](https://github.com/LucaGuerra)
### Minor Changes
* update(cmake): bump falcoctl to v0.11.0 [[#3467](https://github.com/falcosecurity/falco/pull/3467)] - [@alacuku](https://github.com/alacuku)
* chore(ci): add attestation for falco [[#3216](https://github.com/falcosecurity/falco/pull/3216)] - [@cpanato](https://github.com/cpanato)
* chore(ci): build Falco in RelWithDebInfo, and upload Falco debug symbols as github artifacts [[#3452](https://github.com/falcosecurity/falco/pull/3452)] - [@FedeDP](https://github.com/FedeDP)
* update(build): DEB and RPM package requirements for dkms and kernel-devel are now suggestions [[#3450](https://github.com/falcosecurity/falco/pull/3450)] - [@jthiltges](https://github.com/jthiltges)
### Bug Fixes
* fix(userspace/falco): fix container_engines.cri.sockets not loading from config file [[#3453](https://github.com/falcosecurity/falco/pull/3453)] - [@zayaanmoez](https://github.com/zayaanmoez)
* fix(docker): /usr/src/'*' no longer created if $HOST_PATH/usr/src didn't exist at startup [[#3434](https://github.com/falcosecurity/falco/pull/3434)] - [@shane-lawrence](https://github.com/shane-lawrence)
* fix(docker): add brotli to the Falco image [[#3399](https://github.com/falcosecurity/falco/pull/3399)] - [@LucaGuerra](https://github.com/LucaGuerra)
* fix(userspace/engine): explicitly disallow appending/modifying a rule with different sources [[#3383](https://github.com/falcosecurity/falco/pull/3383)] - [@mstemm](https://github.com/mstemm)
### Non user-facing changes
* chore(falco.yaml): remove comments about cri cli arguments [[#3458](https://github.com/falcosecurity/falco/pull/3458)] - [@alacuku](https://github.com/alacuku)
* fix(ci): fixed reusable_build/publish_docker workflows. [[#3459](https://github.com/falcosecurity/falco/pull/3459)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): update libs and driver to latest master [[#3455](https://github.com/falcosecurity/falco/pull/3455)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* chore(ci): bumped actions/upload-download-artifact. [[#3454](https://github.com/falcosecurity/falco/pull/3454)] - [@FedeDP](https://github.com/FedeDP)
* chore(docker): drop unused libelf dep from container images [[#3451](https://github.com/falcosecurity/falco/pull/3451)] - [@leogr](https://github.com/leogr)
* chore(docs): update `plugins_hostinfo` config file comment. [[#3449](https://github.com/falcosecurity/falco/pull/3449)] - [@FedeDP](https://github.com/FedeDP)
* new(build): add RelWithDebInfo target [[#3440](https://github.com/falcosecurity/falco/pull/3440)] - [@shane-lawrence](https://github.com/shane-lawrence)
* chore(deps): Bump submodules/falcosecurity-rules from `283a62f` to `abf6637` [[#3448](https://github.com/falcosecurity/falco/pull/3448)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(ci): use 4cpu-16gb arm runners [[#3447](https://github.com/falcosecurity/falco/pull/3447)] - [@LucaGuerra](https://github.com/LucaGuerra)
* update(cmake): update libs and driver to latest master [[#3439](https://github.com/falcosecurity/falco/pull/3439)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* chore: avoid deprecated funcs to calculate sha256 [[#3442](https://github.com/falcosecurity/falco/pull/3442)] - [@federico-sysdig](https://github.com/federico-sysdig)
* chore(ci): enable jemalloc in musl build. [[#3436](https://github.com/falcosecurity/falco/pull/3436)] - [@FedeDP](https://github.com/FedeDP)
* docs(falco.yaml): correct `buffered_outputs` description [[#3427](https://github.com/falcosecurity/falco/pull/3427)] - [@leogr](https://github.com/leogr)
* fix(userspace/falco): use correct filtercheck_field_info. [[#3426](https://github.com/falcosecurity/falco/pull/3426)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): update libs and driver to latest master [[#3421](https://github.com/falcosecurity/falco/pull/3421)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* fix: update the url for the docs about the concurrent queue classes [[#3415](https://github.com/falcosecurity/falco/pull/3415)] - [@Issif](https://github.com/Issif)
* update(changelog): updated changelog for 0.39.2. [[#3410](https://github.com/falcosecurity/falco/pull/3410)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): update libs and driver to latest master [[#3392](https://github.com/falcosecurity/falco/pull/3392)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* fix(cmake,docker): avoid cpp-httplib requiring brotli. [[#3400](https://github.com/falcosecurity/falco/pull/3400)] - [@FedeDP](https://github.com/FedeDP)
* chore(deps): Bump submodules/falcosecurity-rules from `407e997` to `283a62f` [[#3391](https://github.com/falcosecurity/falco/pull/3391)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(cmake): bump libs to latest master. [[#3389](https://github.com/falcosecurity/falco/pull/3389)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): update libs and driver to latest master [[#3385](https://github.com/falcosecurity/falco/pull/3385)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* Make enable()/disable() virtual so they can be overridden [[#3375](https://github.com/falcosecurity/falco/pull/3375)] - [@mstemm](https://github.com/mstemm)
* fix(ci): fixed shasum computation for bump-libs CI. [[#3379](https://github.com/falcosecurity/falco/pull/3379)] - [@FedeDP](https://github.com/FedeDP)
* chore(ci): use redhat advised method to check rpmsign success. [[#3376](https://github.com/falcosecurity/falco/pull/3376)] - [@FedeDP](https://github.com/FedeDP)
* chore(deps): Bump submodules/falcosecurity-rules from `e38fb3f` to `407e997` [[#3374](https://github.com/falcosecurity/falco/pull/3374)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* Compile output clone [[#3364](https://github.com/falcosecurity/falco/pull/3364)] - [@mstemm](https://github.com/mstemm)
* fix(ci): fixed bump-libs workflow syntax. [[#3369](https://github.com/falcosecurity/falco/pull/3369)] - [@FedeDP](https://github.com/FedeDP)
* new(ci): add a workflow to automatically bump libs on each monday. [[#3360](https://github.com/falcosecurity/falco/pull/3360)] - [@FedeDP](https://github.com/FedeDP)
* chore(deps): Bump submodules/falcosecurity-rules from `b6ad373` to `e38fb3f` [[#3365](https://github.com/falcosecurity/falco/pull/3365)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* cleanup(falco): reformat options::define [[#3356](https://github.com/falcosecurity/falco/pull/3356)] - [@LucaGuerra](https://github.com/LucaGuerra)
### Statistics
| MERGED PRS | NUMBER |
|-----------------|--------|
| Not user-facing | 31 |
| Release note | 18 |
| Total | 49 |
## v0.39.2
Released on 2024-11-21
### Minor Changes
* update(cmake): bumped falcoctl to v0.10.1. [[#3408](https://github.com/falcosecurity/falco/pull/3408)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): bump yaml-cpp to latest master. [[#3394](https://github.com/falcosecurity/falco/pull/3394)] - [@FedeDP](https://github.com/FedeDP)
### Non user-facing changes
* update(ci): use arm64 CNCF runners for GH actions [[#3386](https://github.com/falcosecurity/falco/pull/3386)] - [@LucaGuerra](https://github.com/LucaGuerra)
### Statistics
| MERGED PRS | NUMBER |
|-----------------|--------|
| Not user-facing | 1 |
| Release note | 2 |
| Total | 3 |
## v0.39.1
Released on 2024-10-09

109
CMakeLists.txt
View File

@@ -17,7 +17,7 @@ cmake_minimum_required(VERSION 3.5.1)
project(falco)
option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" ON)
option(USE_DYNAMIC_LIBELF "Dynamically link libelf" OFF)
option(USE_DYNAMIC_LIBELF "Dynamically link libelf" ON)
option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
option(
MINIMAL_BUILD
@@ -29,29 +29,6 @@ option(BUILD_FALCO_UNIT_TESTS "Build falco unit tests" OFF)
option(USE_ASAN "Build with AddressSanitizer" OFF)
option(USE_UBSAN "Build with UndefinedBehaviorSanitizer" OFF)
option(UBSAN_HALT_ON_ERROR "Halt on error when building with UBSan" ON)
option(USE_GPERFTOOLS "Build with gperftools CPU profiler support" OFF)
option(USE_FRAME_POINTER "Build with frame pointers for accurate profiling" OFF)
# Enable frame pointers by default when using gperftools for accurate stack traces
if(USE_GPERFTOOLS AND NOT USE_FRAME_POINTER)
set(USE_FRAME_POINTER
ON
CACHE BOOL "Build with frame pointers for accurate profiling" FORCE
)
message(STATUS "Enabling USE_FRAME_POINTER since USE_GPERFTOOLS is enabled")
endif()
# Mem allocators - linux only for now
if(NOT WIN32
AND NOT APPLE
AND NOT MINIMAL_BUILD
AND NOT EMSCRIPTEN
)
# If one enables multiple allocators, cmake will fail since all of the allocators cmake modules
# create a `malloc` target.
option(USE_JEMALLOC "Use jemalloc allocator, linux only" OFF)
option(USE_MIMALLOC "Use mimalloc (microsoft) allocator, linux only" OFF)
endif()
if(WIN32)
if(POLICY CMP0091)
@@ -75,12 +52,27 @@ elseif(EMSCRIPTEN)
OFF
CACHE BOOL "" FORCE
)
set(BUILD_BPF
OFF
CACHE BOOL "" FORCE
)
set(CPACK_GENERATOR
TGZ
CACHE BOOL "" FORCE
)
endif()
# gVisor is currently only supported on Linux x86_64
if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64"
AND CMAKE_SYSTEM_NAME MATCHES "Linux"
AND NOT MINIMAL_BUILD
)
option(BUILD_FALCO_GVISOR "Build gVisor support for Falco" ON)
if(BUILD_FALCO_GVISOR)
add_definitions(-DHAS_GVISOR)
endif()
endif()
# Modern BPF is not supported on not Linux systems and in MINIMAL_BUILD
if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
option(BUILD_FALCO_MODERN_BPF "Build modern BPF support for Falco" ON)
@@ -129,6 +121,11 @@ set(DRIVER_NAME "falco")
set(DRIVER_DEVICE_NAME "falco")
set(DRIVERS_REPO "https://download.falco.org/driver")
# If no path is provided, try to search the BPF probe in: `home/.falco/falco-bpf.o` This is the same
# fallback that we had in the libraries: `SCAP_PROBE_BPF_FILEPATH`.
set(FALCO_PROBE_BPF_FILEPATH ".${DRIVER_NAME}/${DRIVER_NAME}-bpf.o")
add_definitions(-DFALCO_PROBE_BPF_FILEPATH="${FALCO_PROBE_BPF_FILEPATH}")
if(NOT DEFINED FALCO_COMPONENT_NAME)
set(FALCO_COMPONENT_NAME "${CMAKE_PROJECT_NAME}")
endif()
@@ -144,31 +141,12 @@ set(CMD_MAKE make)
include(ExternalProject)
include(cxxopts)
# libs
include(falcosecurity-libs)
# compute FALCO_VERSION (depends on libs)
include(falco-version)
# Mem allocators - linux only for now
if(NOT WIN32
AND NOT APPLE
AND NOT MINIMAL_BUILD
AND NOT EMSCRIPTEN
)
if(USE_JEMALLOC)
include(jemalloc)
endif()
if(USE_MIMALLOC)
include(mimalloc)
endif()
message(STATUS "Will use mem allocator library: ${MALLOC_LIB}")
endif()
# nlohmann-json
include(njson)
@@ -190,6 +168,8 @@ if(NOT WIN32
include(cpp-httplib)
endif()
include(cxxopts)
# One TBB
if(NOT EMSCRIPTEN)
include(tbb)
@@ -197,17 +177,15 @@ endif()
include(zlib)
include(valijson)
# CPU Profiling with gperftools
if(USE_GPERFTOOLS)
include(gperftools)
endif()
if(NOT MINIMAL_BUILD)
if(NOT WIN32
AND NOT APPLE
AND NOT EMSCRIPTEN
)
include(cares)
include(protobuf)
# gRPC
include(grpc)
endif()
endif()
@@ -281,41 +259,6 @@ if(NOT WIN32
AND NOT MUSL_OPTIMIZED_BUILD
)
include(falcoctl)
set(CONTAINER_VERSION "0.6.1")
if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
set(CONTAINER_HASH "008989992ed1f31b3ffb94ba6b64ca5a8e2f91611a10c9d6213c5c0a499d0679")
else() # arm64
set(CONTAINER_HASH "f90a700b4c2b411b23e7cc461b61a316b242994aad853c3e6baf12481fb6f6c9")
endif()
include(container_plugin)
# Generate a binary_dir/falco.yaml that automatically enables the plugin to be used for local
# testing.
configure_file(${CMAKE_SOURCE_DIR}/falco.yaml ${CMAKE_BINARY_DIR} COPYONLY)
# The custom target configures the plugin and set its path
add_custom_target(
container
COMMAND sed -i 's,^load_plugins: .*,load_plugins: [container],g'
${CMAKE_BINARY_DIR}/falco.yaml
COMMAND sed -i 's,library_path: libcontainer.so,library_path: ${CONTAINER_LIBRARY},g'
${CMAKE_BINARY_DIR}/falco.yaml
DEPENDS container_plugin
)
# Let `make falco` also download container plugin
add_dependencies(falco container)
# Install the plugin
install(
FILES "${CONTAINER_LIBRARY}"
DESTINATION "${FALCO_ABSOLUTE_SHARE_DIR}/plugins"
COMPONENT "${FALCO_COMPONENT_NAME}"
)
# Install additional config override file to enable the container plugin
install(
FILES "${PROJECT_SOURCE_DIR}/config/falco.container_plugin.yaml"
DESTINATION "${FALCO_ETC_DIR}/config.d"
COMPONENT "${FALCO_COMPONENT_NAME}"
)
endif()
# Packages configuration

8
Contributing.md
View File

@@ -27,7 +27,7 @@ The `pre-commit` framework allows you to automatically install different `git-ho
1. The `clang-format` hook: this is a `pre-commit` git hook that runs `clang-format` on your staged changes.
2. The `cmake-format` hook: this is a `pre-commit` git hook that runs `cmake-format` on your staged changes.
3. The `DCO signed-off` hook: this is a `pre-commit-msg` git hook that adds the `DCO` on your commit if not present. This hook is not strictly related to the coding style so we will talk about it in a separate section: [Add DCO signed-off to your commits](#add-dco-signed-off-to-your-commits-).
3. The `DCO signed-off` hook: this is a `pre-commit-msg` git hook that adds the `DCO` on your commit if not present. This hook is not strictly related to the coding style so we will talk about it in a separate section: [Add DCO signed-off to your commits](#add-dco-signed-off-to-your-commits).
Now let's see what we need to use `pre-commit` framework.
@@ -47,7 +47,7 @@ This simple command allows you to install the two `pre-commit` git hooks, `clang
pre-commit install --install-hooks --hook-type pre-commit --overwrite
```
If you want to install also the `pre-commit-msg` git hook for the DCO you have to type the following command, but be sure to have configured all you need as said in the [dedicated section](#add-dco-signed-off-to-your-commits-)
If you want to install also the `pre-commit-msg` git hook for the DCO you have to type the following command, but be sure to have configured all you need as said in the [dedicated section]((#add-dco-signed-off-to-your-commits))
```bash
pre-commit install --install-hooks --hook-type prepare-commit-msg --overwrite
@@ -81,7 +81,7 @@ To install `cmake-format` you can follow the official documentation [here](https
##### Step 2
Once you have installed the __right__ versions of the 2 tools, you can simply type `make format-all` from the root directory of the project to format all your code according to the coding style.
Once you have installed the __right__ versions of the 2 tools, you can simply type `make format-all` from the root directory of the project (`/libs`) to format all your code according to the coding style.
Remember to do that before submitting a new patch upstream! 😁
@@ -93,7 +93,7 @@ Obviously, you can also install the 2 tools locally and enable some extension of
### Introduction
Another requirement for contributing to the `falco` repository, is applying the [DCO](https://cert-manager.io/docs/contributing/sign-off/) to every commit you want to push upstream.
Another requirement for contributing to the `libs` repository, is applying the [DCO](https://cert-manager.io/docs/contributing/sign-off/) to every commit you want to push upstream.
Before doing this you have to configure your git user `name` and `email` if you haven't already done it. To check your actual `name` and `email` type:
```bash

4
OWNERS
View File

@@ -4,14 +4,12 @@ approvers:
- jasondellaluce
- fededp
- andreagit97
- incertum
- LucaGuerra
- sgaist
- ekoops
reviewers:
- kaizhe
- irozzo-1A
emeritus_approvers:
- fntlnz
- kris-nova
- leodido
- incertum

70
README.md
View File

@@ -2,7 +2,7 @@
[![Latest release](https://img.shields.io/github/v/release/falcosecurity/falco?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![Supported Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64-blueviolet?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![License](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING) [![Docs](https://img.shields.io/badge/docs-latest-green.svg?style=for-the-badge)](https://falco.org/docs)
[![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable) [![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/falcosecurity/falco?label=openssf%20scorecard&style=for-the-badge)](https://scorecard.dev/viewer/?uri=github.com/falcosecurity/falco) [![OpenSSF Best Practices](https://img.shields.io/cii/summary/2317?label=OpenSSF%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317)
[![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable) [![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/falcosecurity/falco?label=openssf%20scorecard&style=for-the-badge)](https://scorecard.dev/viewer/?uri=github.com/falcosecurity/falco) [![OpenSSF Best Practices](https://img.shields.io/cii/summary/2317?label=OpenSSF%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) <a href="https://actuated.dev/"><img alt="Arm CI sponsored by Actuated" src="https://docs.actuated.dev/images/actuated-badge.png" width="120px"></img></a>
[![Falco](https://falco.org/img/brand/falco-horizontal-color.svg)](https://falco.org)
@@ -14,30 +14,43 @@ Falco, originally created by [Sysdig](https://sysdig.com), is a **graduated proj
For detailed technical information and insights into the cyber threats that Falco can detect, visit the official [Falco](https://falco.org/) website.
For comprehensive information on the latest updates and changes to the project, please refer to the [Change Log](CHANGELOG.md).
For comprehensive information on the latest updates and changes to the project, please refer to the [Change Log](CHANGELOG.md). Additionally, we have documented the [Release Process](RELEASE.md) for delivering new versions of Falco.
## The Falco Project
## Falco Repo: Powering the Core of The Falco Project
The Falco Project codebase is maintained under the [falcosecurity GitHub organization](https://github.com/falcosecurity). The primary repository, [falcosecurity/falco](https://github.com/falcosecurity/falco), holds the source code for the Falco binary, while other sub-projects are hosted in dedicated repositories. This approach of isolating components into specialized repositories enhances modularity and focused development. Notable [core repositories](https://github.com/falcosecurity/evolution?tab=readme-ov-file#core) include:
This is the main Falco repository which contains the source code for building the Falco binary. By utilizing its [libs](https://github.com/falcosecurity/libs) and the [falco.yaml](falco.yaml) configuration file, this repository forms the foundation of Falco's functionality. The Falco repository is closely interconnected with the following *core* repositories:
- [falcosecurity/libs](https://github.com/falcosecurity/libs): This repository hosts Falco's core libraries, which constitute the majority of the binarys source code and provide essential features, such as kernel drivers.
- [falcosecurity/rules](https://github.com/falcosecurity/rules): It contains the official ruleset for Falco, offering pre-defined detection rules for various security threats and abnormal behaviors.
- [falcosecurity/plugins](https://github.com/falcosecurity/plugins): This repository supports integration with external services through plugins that extend Falco's capabilities beyond syscalls and container events, with plans for evolving specialized functionalities in future releases.
- [falcosecurity/falcoctl](https://github.com/falcosecurity/falcoctl): A command-line utility designed for managing and interacting with Falco.
- [falcosecurity/charts](https://github.com/falcosecurity/charts): This repository provides Helm charts for deploying Falco and its ecosystem, simplifying the installation and management process.
- [falcosecurity/libs](https://github.com/falcosecurity/libs): Falco's libraries are key to its fundamental operations, making up the greater portion of the source code of the Falco binary and providing essential features such as kernel drivers.
- [falcosecurity/rules](https://github.com/falcosecurity/rules): Contains the official ruleset for Falco, providing pre-defined detection rules for various security threats and abnormal behaviors.
- [falcosecurity/plugins](https://github.com/falcosecurity/plugins/): Falco plugins facilitate integration with external services, expand Falco's capabilities beyond syscalls and container events, and are designed to evolve with specialized functionality in future releases.
- [falcosecurity/falcoctl](https://github.com/falcosecurity/falcoctl): Command-line utility for managing and interacting with Falco.
For further insights into our repositories and additional details about our governance model, please visit the official hub of The Falco Project: [falcosecurity/evolution](https://github.com/falcosecurity/evolution).
For more information, visit the official hub of The Falco Project: [falcosecurity/evolution](https://github.com/falcosecurity/evolution). It provides valuable insights and information about the project's repositories.
## Getting Started with Falco
If you're new to Falco, begin your journey with our [Getting Started](https://falco.org/docs/getting-started/) guide. For production deployments, please refer to our comprehensive [Setup](https://falco.org/docs/setup/) documentation.
Carefully review and follow the [Official Documentation](https://falco.org/docs/install-operate/).
As final recommendations before deploying Falco, verify environment compatibility, define your detection goals, optimize performance, choose the appropriate build, and plan for SIEM or data lake integration to ensure effective incident response.
Considerations and guidance for Falco adopters:
1. Understand dependencies: Assess the environment where you'll run Falco and consider kernel versions and architectures.
2. Define threat detection objectives: Clearly identify the threats you want to detect and evaluate Falco's strengths and limitations.
3. Consider performance and cost: Assess compute performance overhead and align with system administrators or SREs. Budget accordingly.
4. Choose build and customization approach: Decide between the open source Falco build or creating a custom build pipeline. Customize the build and deployment process as necessary, including incorporating unique tests or approaches, to ensure a resilient deployment with fast deployment cycles.
5. Integrate with output destinations: Integrate Falco with SIEM, data lake systems, or other preferred output destinations to establish a robust foundation for comprehensive data analysis and enable effective incident response workflows.
### Demo Environment
A demo environment is provided via a docker-compose file that can be started on a docker host which includes falco, falcosidekick, falcosidekick-ui and its required redis database. For more information see the [docker-compose section](docker/docker-compose/)
## How to Contribute
Please refer to the [Contributing](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) guide and the [Code of Conduct](https://github.com/falcosecurity/evolution/blob/main/CODE_OF_CONDUCT.md) for more information on how to contribute.
## Join the Community
To get involved with the Falco Project please visit the [Community](https://github.com/falcosecurity/community) repository to find more information and ways to get involved.
@@ -58,22 +71,28 @@ In addition, you can refer to the [falco](https://github.com/falcosecurity/falco
To report security vulnerabilities, please follow the community process outlined in the documentation found [here](https://github.com/falcosecurity/.github/blob/main/SECURITY.md).
## Building
## What's next for Falco?
For comprehensive, step-by-step instructions on building Falco from source, please refer to the [official documentation](https://falco.org/docs/developer-guide/source/).
Stay updated with Falco's evolving capabilities by exploring the [Falco Roadmap](https://github.com/orgs/falcosecurity/projects/5), which provides insights into the features currently under development and planned for future releases.
## License
Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
## Testing
<details>
<summary>Expand Testing Instructions</summary>
Falco's [Build Falco from source](https://falco.org/docs/developer-guide/source/) is the go-to resource to understand how to build Falco from source. In addition, the [falcosecurity/libs](https://github.com/falcosecurity/libs) repository offers additional valuable information about tests and debugging of Falco's underlying libraries and kernel drivers.
Falco's [Build Falco from source](https://falco.org/docs/install-operate/source/) is the go-to resource to understand how to build Falco from source. In addition, the [falcosecurity/libs](https://github.com/falcosecurity/libs) repository offers additional valuable information about tests and debugging of Falco's underlying libraries and kernel drivers.
Here's an example of a `cmake` command that will enable everything you need for all unit tests of this repository:
```bash
cmake \
-DUSE_BUNDLED_DEPS=ON \
-DBUILD_LIBSCAP_GVISOR=ON \
-DBUILD_BPF=ON \
-DBUILD_DRIVER=ON \
-DBUILD_FALCO_MODERN_BPF=ON \
-DCREATE_TEST_TARGETS=ON \
@@ -98,20 +117,14 @@ Lastly, The Falco Project has moved its Falco regression tests to [falcosecurity
</br>
## How to Contribute
Please refer to the [Contributing](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) guide and the [Code of Conduct](https://github.com/falcosecurity/evolution/blob/main/CODE_OF_CONDUCT.md) for more information on how to contribute.
## FAQs
### Why is Falco in C++ rather than Go or {language}?
## Why is Falco in C++ rather than Go or {language}?
<details>
<summary>Expand Information</summary>
1. The first lines of code at the base of Falco were written some time ago, where Go didn't yet have the same level of maturity and adoption as today.
2. The Falco execution model is sequential and mono-thread due to the statefulness requirements of the tool, and so most of the concurrency-related selling points of the Go runtime would not be leveraged at all.
3. The Falco code deals with very low-level programming in many places, and we all know that interfacing Go with C is possible but brings tons of complexity and tradeoffs to the table.
3. The Falco code deals with very low-level programming in many places (e.g. some headers are shared with the eBPF probe and the Kernel module), and we all know that interfacing Go with C is possible but brings tons of complexity and tradeoffs to the table.
4. As a security tool meant to consume a crazy high throughput of events per second, Falco needs to squeeze performance in all hot paths at runtime and requires deep control on memory allocation, which the Go runtime can't provide (there's also garbage collection involved).
5. Although Go didn't suit the engineering requirements of the core of Falco, we still thought that it could be a good candidate for writing Falco extensions through the plugin system. This is the main reason we gave special attention and high priority to the development of the plugin-sdk-go.
6. Go is not a requirement for having statically-linked binaries. In fact, we provide fully-static Falco builds since few years. The only issue with those is that the plugin system can't be supported with the current dynamic library model we currently have.
@@ -123,14 +136,6 @@ Please refer to the [Contributing](https://github.com/falcosecurity/.github/blob
</details>
</br>
### What's next for Falco?
Stay updated with Falco's evolving capabilities by exploring the [Falco Roadmap](https://github.com/orgs/falcosecurity/projects/5), which provides insights into the features currently under development and planned for future releases.
## License
Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
## Resources
- [Governance](https://github.com/falcosecurity/evolution/blob/main/GOVERNANCE.md)
@@ -140,6 +145,5 @@ Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
- [Repositories Guidelines](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md)
- [Repositories List](https://github.com/falcosecurity/evolution/blob/main/README.md#repositories)
- [Adopters List](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md)
- [Release Process](RELEASE.md)
- [Setup documentation](https://falco.org/docs/setup/)
- [Install and Operate](https://falco.org/docs/install-operate/)
- [Troubleshooting](https://falco.org/docs/troubleshooting/)

38
RELEASE.md
View File

@@ -48,10 +48,11 @@ Alternatively Falco binaries or plugins can be downloaded from the Falco Artifac
> Note: This section specifically applies to non-modern BPF drivers.
The Falco Project publishes all drivers for each release for popular kernel versions / distros and `x86_64` and `aarch64` architectures to the Falco project's managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - `$(uname -r)`. Pre-compiled drivers are released with a [best effort](https://github.com/falcosecurity/falco/blob/master/proposals/20200818-artifacts-storage.md#notice) notice. This is because gcc (`kmod`) sometimes fails to build the artifacts for a specific kernel version. More details around driver versioning and driver compatibility are provided in the [Falco Components Versioning](#falco-components-versioning) section. Short preview: If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with.
The Falco Project publishes all drivers for each release for popular kernel versions / distros and `x86_64` and `aarch64` architectures to the Falco project's managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - `$(uname -r)`. Pre-compiled drivers are released with a [best effort](https://github.com/falcosecurity/falco/blob/master/proposals/20200818-artifacts-storage.md#notice) notice. This is because gcc (`kmod`) and clang (`bpf`) compilers sometimes fail to build the artifacts for a specific kernel version. More details around driver versioning and driver compatibility are provided in the [Falco Components Versioning](#falco-components-versioning) section. Short preview: If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with.
- [Falco Artifacts Repo Drivers Root](https://download.falco.org/?prefix=driver/)
- Kernel module (`.ko` files) - all under same driver version directory
- Option 1: Kernel module (`.ko` files) - all under same driver version directory
- Option 2: eBPF (`.o` files) - all under same driver version directory
### Timeline
@@ -65,7 +66,7 @@ Changes and new features are organized into [milestones](https://github.com/falc
The release process is mostly automated, requiring only a few manual steps to initiate and complete.
Moreover, we assign owners for each release (typically pairing a new person with an experienced one). Assignees and due dates for releases are proposed during the [community call](https://github.com/falcosecurity/community).
Moreover, we assign owners for each release (typically pairing a new person with an experienced one). Assignees and due dates for releases are proposed during the [weekly community call](https://github.com/falcosecurity/community).
At a high level each Falco release needs to follow a pre-determined sequencing of releases and build order:
@@ -83,15 +84,11 @@ Before proceeding with the release, make sure to complete the following preparat
### 1. Release notes
- Find the previous release date (`YYYY-MM-DD`) by looking at the [Falco releases](https://github.com/falcosecurity/falco/releases)
- Double-check, by using the following filters, if there is any closed issue/merge PR with no milestone assigned:
- `is:issue state:closed no:milestone closed:>YYYY-MM-DD`
[filter](https://github.com/falcosecurity/falco/issues?q=is%3Aissue%20state%3Aclosed%20no%3Amilestone%20closed%3A%3EYYYY-MM-DD)
- `is:pr is:merged no:milestone closed:>YYYY-MM-DD`
[filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD)
- Assign any issue/PR identified in the previous point to the milestone corresponding to the currently undergoing release
- Check the release note block of every PR matching the `is:pr is:merged milestone:M.m.p` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+milestone%3AM.m.p)
- Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
- Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
- If the PR has no milestone, assign it to the milestone currently undergoing release
- Check issues without a milestone (using `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) ) and add them to the milestone currently undergoing release
- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, update those missing
### 2. Milestones
@@ -105,7 +102,7 @@ Its naming will be `release/M.m.x`; for example: `release/0.34.x`.
The same branch will then be used for any eventual cherry pick for patch releases.
For patch releases, instead, the `release/M.m.x` branch should already be in place; no more steps are needed.
Double-check that any PR that should be part of the tag has been cherry-picked from master!
Double check that any PR that should be part of the tag has been cherry-picked from master!
### 4. Release PR
@@ -115,7 +112,7 @@ The release PR is meant to be made against the respective `release/M.m.x` branch
- If any, manually correct it then open an issue to automate version number bumping later
- Versions table in the `README.md` updates itself automatically
- Generate the change log using [rn2md](https://github.com/leodido/rn2md):
- Execute `rn2md -r falcosecurity/falco -m M.m.p`
- Execute `rn2md -o falcosecurity -m <version> -r falco`
- In case `rn2md` emits error try to generate an GitHub OAuth access token and provide it with the `-t` flag
- Add the latest changes on top the previous `CHANGELOG.md`
- Submit a PR with the above modifications
@@ -128,18 +125,16 @@ The release PR is meant to be made against the respective `release/M.m.x` branch
Core maintainers and/or the release manager can decide to publish pre-releases at any time before the final release
is live for development and testing purposes.
The pre-release must be associated with a newly created tag. The tag is intended to be created while drafting the new pre-release through the GitHub form (this is indeed the only way to correctly associate the tag with a target branch; more on this below).
The pre-release tag must be formatted as `M.m.p-r`, where `r` is the pre-release version information (e.g. `0.35.0-rc1`).
The prerelease tag must be formatted as `M.m.p-r`where `r` is the prerelease version information (e.g. `0.35.0-rc1`.)
To create both pre-release tag and pre-release, do the following:
To do so:
- [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
- Use `M.m.p-r` both as tag version and release title
- Associate `release/M.m.x` as "target branch" for the new tag
- Use `M.m.p-r` both as tag version and release title.
- Check the "Set as a pre-release" checkbox and make sure "Set as the latest release" is unchecked
- It is recommended to add a brief description so that other contributors will understand the reason why the prerelease is published
- Publish the prerelease!
- The release pipeline will start automatically. Packages will be uploaded to the `-dev` bucket and container images will be tagged with the specified tag
- The release pipeline will start automatically. Packages will be uploaded to the `-dev` bucket and container images will be tagged with the specified tag.
In order to check the status of the release pipeline click on the [GitHub Actions tab](https://github.com/falcosecurity/falco/actions?query=event%3Arelease) in the Falco repository and filter by release.
@@ -151,7 +146,6 @@ Assume `M.m.p` is the new version.
- [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
- Use `M.m.p` both as tag version and release title
- Associate `release/M.m.x` as "target branch" for the new tag
- Do NOT fill body, since it will be autogenerated by the [github release workflow](.github/workflows/release.yaml)
- Publish the release!
- The release pipeline will start automatically upon publication and all packages and container images will be uploaded to the stable repositories.
@@ -164,7 +158,7 @@ For each release we archive the meeting notes in git for historical purposes.
- The notes from the Falco meetings can be [found here](https://hackmd.io/3qYPnZPUQLGKCzR14va_qg).
- Note: There may be other notes from working groups that can optionally be added as well as needed.
- Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/main/meeting-notes](https://github.com/falcosecurity/community/tree/main/meeting-notes) as a new file labeled `release-M.m.p.md`
- Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/master/meeting-notes](https://github.com/falcosecurity/community/tree/master/meeting-notes) as a new file labeled `release-M.m.p.md`
- Open up a pull request with the new change.
@@ -172,10 +166,10 @@ For each release we archive the meeting notes in git for historical purposes.
Announce the new release to the world!
- IFF the ongoing release introduces a **new minor version**, [archive a snapshot of the Falco website](https://github.com/falcosecurity/falco-website/blob/master/release.md#documentation-versioning)
- Publish a blog on [Falco website](https://github.com/falcosecurity/falco-website) ([example](https://github.com/falcosecurity/falco-website/blob/master/content/en/blog/falco-0-28-1.md))
- Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
- Let folks in the slack #falco channel know about a new release came out
- IFF the on going release introduces a **new minor version**, [archive a snapshot of the Falco website](https://github.com/falcosecurity/falco-website/blob/master/release.md#documentation-versioning)
## Falco Components Versioning
@@ -187,7 +181,9 @@ This section provides more details around the versioning of the components that
- Falco version is a git tag (`x.y.z`), see [Procedures](#procedures) section. Note that the Falco version is a sem-ver-like schema, but not fully compatible with sem-ver.
- [FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/userspace/engine/falco_engine_version.h) is not sem-ver and must be bumped either when a backward incompatible change has been introduced to the rules files syntax and loading logic, and/or when `FALCO_ENGINE_CHECKSUM` has changed. The checksum is computed by considering the available rules fields (see currently supported [Falco fields](https://falco.org/docs/reference/rules/supported-fields/)), the event types (see currently supported [Falco events](https://falco.org/docs/reference/rules/supported-events/)), and the supported driver schema version. A checksum indicates that something was not available in previous engine versions. See the [rules release guidelines](https://github.com/falcosecurity/rules/blob/main/RELEASE.md#versioning-a-ruleset) to understand how this affects the versioning of Falco rules. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. The version number must be incremented every time and only when a single change or an atomic group of changes - which meet the criteria described above - is included in the `master` branch. Thus, a version bump can occur multiple times during the development and testing phases of a given release cycle. A given version bump must not group multiple changes that occurred sporadically during the release cycle.
- During development and release preparation, libs and driver reference commits are often bumped in Falco's cmake setup ([falcosecurity-libs cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/falcosecurity-libs.cmake#L30) and [driver cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/driver.cmake#L29)) in order to merge new Falco features. In practice, they are mostly bumped at the same time referencing the same `libs` commit. However, for the official Falco build `FALCOSECURITY_LIBS_VERSION` flag that references the stable libs version is used (read below).
- Similarly, Falco plugins versions are bumped in Falco's cmake setup ([plugins cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/plugins.cmake)) and those versions are the ones used for the Falco release.
- At release time Plugin, Libs and Driver versions are compatible with Falco.
- If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with (read more below under Libs).
```

11
brand/README.md
View File

@@ -53,10 +53,15 @@ Notice the capitalization of the following terms.
This section contains key terms specifically used within the context of The Falco Project. For a more comprehensive list of Falco-related terminology, we invite you to visit the [Glossary](https://falco.org/docs/reference/glossary/) page on our official website.
#### eBPF Probe
Used to describe the `.o` object that would be dynamically loaded into the kernel as a secure and stable (e)BPF probe.
This is one option used to pass kernel events up to userspace for Falco to consume.
#### Modern eBPF Probe
Robust eBPF probe, which brings the CO-RE paradigm, better performances, and maintainability.
The modern eBPF probe is not shipped as a separate artifact but bundled into the Falco binary itself.
More robust [eBPF probe](#ebpf-probe), which brings the CO-RE paradigm, better performances, and maintainability.
Unlike the legacy probe, the modern eBPF probe is not shipped as a separate artifact but bundled into the Falco binary itself.
This is one option used to pass kernel events up to userspace for Falco to consume.
#### Kernel Module
@@ -66,7 +71,7 @@ This is one option used to pass kernel events up to userspace for Falco to consu
#### Driver
The global term for the software that sends events from the kernel. Such as the [Modern eBPF probe](#modern-ebpf-probe), or the [Kernel Module](#kernel-module).
The global term for the software that sends events from the kernel. Such as the [eBPF probe](#ebpf-probe), the [Modern eBPF probe](#modern-ebpf-probe), or the [Kernel Module](#kernel-module).
#### Plugin

5
cmake/cpack/CMakeCPackOptions.cmake
View File

@@ -29,6 +29,11 @@ if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
CPACK_INSTALL_COMMANDS
"cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
)
list(
APPEND
CPACK_INSTALL_COMMANDS
"cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system"
)
list(
APPEND
CPACK_INSTALL_COMMANDS

2
cmake/cpack/debian/conffiles
View File

@@ -1,3 +1,3 @@
/etc/falco/falco.yaml
/etc/falco/falcoctl.yaml
/etc/falco/falco_rules.local.yaml
/etc/falcoctl/falcoctl.yaml

11
cmake/modules/CPackConfig.cmake
View File

@@ -24,11 +24,7 @@ set(CPACK_PACKAGE_VERSION_MAJOR "${FALCO_VERSION_MAJOR}")
set(CPACK_PACKAGE_VERSION_MINOR "${FALCO_VERSION_MINOR}")
set(CPACK_PACKAGE_VERSION_PATCH "${FALCO_VERSION_PATCH}")
set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptions.cmake")
if(CMAKE_BUILD_TYPE STREQUAL "debug")
set(CPACK_STRIP_FILES "OFF")
else()
set(CPACK_STRIP_FILES "ON")
endif()
set(CPACK_STRIP_FILES "ON")
set(CPACK_PACKAGE_RELOCATABLE "OFF")
if(EMSCRIPTEN)
set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-wasm")
@@ -72,7 +68,7 @@ if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "arm64")
endif()
set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
set(CPACK_DEBIAN_PACKAGE_SUGGESTS "dkms (>= 2.1.0.0)")
set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
"${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
)
@@ -80,8 +76,7 @@ set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
set(CPACK_RPM_PACKAGE_ARCHITECTURE, "amd64")
set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
set(CPACK_RPM_PACKAGE_REQUIRES "systemd")
set(CPACK_RPM_PACKAGE_SUGGESTS "dkms, kernel-devel")
set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, systemd")
set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")

31
cmake/modules/CompilerFlags.cmake
View File

@@ -23,10 +23,6 @@ endif()
string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE)
if(CMAKE_BUILD_TYPE STREQUAL "debug")
set(KBUILD_FLAGS "${FALCO_EXTRA_DEBUG_FLAGS} ${FALCO_EXTRA_FEATURE_FLAGS}")
add_definitions(-DBUILD_TYPE_DEBUG)
elseif(CMAKE_BUILD_TYPE STREQUAL "relwithdebinfo")
set(KBUILD_FLAGS "${FALCO_EXTRA_FEATURE_FLAGS}")
add_definitions(-DBUILD_TYPE_RELWITHDEBINFO)
else()
set(CMAKE_BUILD_TYPE "release")
set(KBUILD_FLAGS "${FALCO_EXTRA_FEATURE_FLAGS}")
@@ -68,17 +64,13 @@ if(NOT MSVC)
endif()
endif()
if(USE_FRAME_POINTER)
set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -fno-omit-frame-pointer")
endif()
set(CMAKE_COMMON_FLAGS
"${FALCO_SECURITY_FLAGS} -Wall -ggdb ${FALCO_EXTRA_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}"
)
if(BUILD_WARNINGS_AS_ERRORS)
set(CMAKE_SUPPRESSED_WARNINGS
"-Wno-unused-parameter -Wno-unused-variable -Wno-unused-but-set-variable -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation -Wno-stringop-truncation -Wno-stringop-overflow -Wno-restrict -Wno-deprecated-declarations"
"-Wno-unused-parameter -Wno-unused-variable -Wno-unused-but-set-variable -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation -Wno-stringop-truncation -Wno-stringop-overflow -Wno-restrict"
)
set(CMAKE_COMPILE_WARNING_AS_ERROR ON)
set(CMAKE_COMMON_FLAGS "${CMAKE_COMMON_FLAGS} -Wextra ${CMAKE_SUPPRESSED_WARNINGS}")
@@ -93,17 +85,6 @@ if(NOT MSVC)
set(CMAKE_C_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
set(CMAKE_C_FLAGS_RELWITHDEBINFO "${CMAKE_C_FLAGS_RELEASE} -g")
set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "${CMAKE_CXX_FLAGS_RELEASE} -g")
# Add linker flags to generate separate debug files
set(CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO
"${CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO} -Wl,--build-id"
)
set(CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO
"${CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO} -Wl,--build-id"
)
else() # MSVC
set(MINIMAL_BUILD ON)
set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")
@@ -118,13 +99,6 @@ else() # MSVC
set(FALCOSECURITY_LIBS_COMMON_FLAGS "/EHsc /W3 /Zi /std:c++17")
set(FALCOSECURITY_LIBS_DEBUG_FLAGS "/MTd /Od")
set(FALCOSECURITY_LIBS_RELEASE_FLAGS "/MT")
set(FALCOSECURITY_LIBS_RELWITHDEBINFO_FLAGS "/MT /Zi")
# Ensure linker generates PDB files for MSVC
set(CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO "${CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO} /DEBUG")
set(CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO
"${CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO} /DEBUG"
)
set(CMAKE_C_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS}")
set(CMAKE_CXX_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS}")
@@ -135,7 +109,4 @@ else() # MSVC
set(CMAKE_C_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
set(CMAKE_CXX_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
set(CMAKE_C_FLAGS_RELWITHDEBINFO "${FALCOSECURITY_LIBS_RELWITHDEBINFO_FLAGS}")
set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "${FALCOSECURITY_LIBS_RELWITHDEBINFO_FLAGS}")
endif()

78
cmake/modules/cares.cmake
View File

@@ -1,78 +0,0 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
#
option(USE_BUNDLED_CARES "Enable building of the bundled c-ares" ${USE_BUNDLED_DEPS})
if(CARES_INCLUDE)
# we already have c-ares
elseif(NOT USE_BUNDLED_CARES)
find_path(CARES_INCLUDE NAMES cares/ares.h ares.h)
find_library(CARES_LIB NAMES cares)
if(CARES_INCLUDE AND CARES_LIB)
message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
else()
message(FATAL_ERROR "Couldn't find system c-ares")
endif()
else()
if(BUILD_SHARED_LIBS)
set(CARES_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
set(CARES_STATIC_OPTION "Off")
else()
set(CARES_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
set(CARES_STATIC_OPTION "On")
endif()
set(CARES_SRC "${PROJECT_BINARY_DIR}/c-ares-prefix/src/c-ares")
set(CARES_INCLUDE "${CARES_SRC}/include/")
set(CARES_LIB "${CARES_SRC}/lib/libcares${CARES_LIB_SUFFIX}")
if(NOT TARGET c-ares)
message(STATUS "Using bundled c-ares in '${CARES_SRC}'")
ExternalProject_Add(
c-ares
PREFIX "${PROJECT_BINARY_DIR}/c-ares-prefix"
URL "https://github.com/c-ares/c-ares/releases/download/v1.33.1/c-ares-1.33.1.tar.gz"
URL_HASH "SHA256=06869824094745872fa26efd4c48e622b9bd82a89ef0ce693dc682a23604f415"
BUILD_IN_SOURCE 1
CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
-DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
-DCMAKE_INSTALL_LIBDIR=lib
-DCARES_SHARED=${BUILD_SHARED_LIBS}
-DCARES_STATIC=${CARES_STATIC_OPTION}
-DCARES_STATIC_PIC=${ENABLE_PIC}
-DCARES_BUILD_TOOLS=Off
-DCARES_INSTALL=Off
-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
BUILD_BYPRODUCTS ${CARES_INCLUDE} ${CARES_LIB}
INSTALL_COMMAND ""
)
install(
FILES "${CARES_LIB}"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(
DIRECTORY "${CARES_INCLUDE}"
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
endif()
endif()
if(NOT TARGET c-ares)
add_custom_target(c-ares)
endif()
include_directories("${CARES_INCLUDE}")

11
cmake/modules/cpp-httplib.cmake
View File

@@ -16,18 +16,11 @@
option(USE_BUNDLED_CPPHTTPLIB "Enable building of the bundled cpp-httplib" ${USE_BUNDLED_DEPS})
if(USE_BUNDLED_CPPHTTPLIB)
set(HTTPLIB_USE_BROTLI_IF_AVAILABLE OFF)
set(HTTPLIB_REQUIRE_BROTLI OFF)
set(HTTPLIB_USE_ZLIB_IF_AVAILABLE OFF)
set(HTTPLIB_REQUIRE_ZLIB OFF)
set(HTTPLIB_USE_ZSTD_IF_AVAILABLE OFF)
set(HTTPLIB_REQUIRE_ZSTD OFF)
set(HTTPLIB_USE_NON_BLOCKING_GETADDRINFO OFF)
include(FetchContent)
FetchContent_Declare(
cpp-httplib
URL https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.23.1.tar.gz
URL_HASH SHA256=410a1347ed6bcbcc4a19af8ed8ad3873fe9fa97731d52db845c4c78f3f9c31e6
URL https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.15.3.tar.gz
URL_HASH SHA256=2121bbf38871bb2aafb5f7f2b9b94705366170909f434428352187cb0216124e
)
FetchContent_MakeAvailable(cpp-httplib)
else()

100
cmake/modules/curl.cmake
View File

@@ -1,100 +0,0 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
#
option(USE_BUNDLED_CURL "Enable building of the bundled curl" ${USE_BUNDLED_DEPS})
include(openssl)
include(zlib)
if(CURL_INCLUDE_DIRS)
# we already have curl
elseif(NOT USE_BUNDLED_CURL)
find_package(CURL REQUIRED)
message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIRS}, lib: ${CURL_LIBRARIES}")
else()
if(BUILD_SHARED_LIBS)
set(CURL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
set(CURL_STATIC_OPTION)
else()
set(CURL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
set(CURL_STATIC_OPTION --disable-shared)
endif()
set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
set(CURL_INCLUDE_DIRS "${CURL_BUNDLE_DIR}/include/")
set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl${CURL_LIB_SUFFIX}")
if(NOT USE_BUNDLED_OPENSSL)
set(CURL_SSL_OPTION "--with-ssl")
else()
set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
message(STATUS "Using SSL for curl in '${OPENSSL_INSTALL_DIR}'")
endif()
if(NOT USE_BUNDLED_ZLIB)
set(CURL_ZLIB_OPTION "--with-zlib")
else()
set(CURL_ZLIB_OPTION "--with-zlib=${ZLIB_SRC}")
message(STATUS "Using zlib for curl in '${ZLIB_SRC}'")
endif()
message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
if(NOT ENABLE_PIC)
set(CURL_PIC_OPTION)
else()
set(CURL_PIC_OPTION "--with-pic")
endif()
if(NOT TARGET curl)
ExternalProject_Add(
curl
PREFIX "${PROJECT_BINARY_DIR}/curl-prefix"
DEPENDS openssl zlib
URL "https://github.com/curl/curl/releases/download/curl-8_7_1/curl-8.7.1.tar.bz2"
URL_HASH "SHA256=05bbd2b698e9cfbab477c33aa5e99b4975501835a41b7ca6ca71de03d8849e76"
CONFIGURE_COMMAND
./configure ${CURL_SSL_OPTION} ${CURL_ZLIB_OPTION} ${CURL_STATIC_OPTION}
${CURL_PIC_OPTION} --enable-optimize --disable-curldebug --disable-rt --enable-http
--disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp
--disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb
--disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp
--without-winssl --without-polarssl --without-cyassl --without-nss --without-axtls
--without-librtmp --without-winidn --without-libidn2 --without-libpsl
--without-nghttp2 --without-libssh2 --with-ca-path=/etc/ssl/certs/
--disable-threaded-resolver --without-brotli --without-zstd
BUILD_COMMAND make
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${CURL_LIBRARIES}
INSTALL_COMMAND ""
)
install(
FILES "${CURL_LIBRARIES}"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(
DIRECTORY "${CURL_INCLUDE_DIRS}curl"
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
FILES_MATCHING
PATTERN "*.h"
)
endif()
endif()
if(NOT TARGET curl)
add_custom_target(curl)
endif()
include_directories("${CURL_INCLUDE_DIRS}")

2
cmake/modules/cxxopts.cmake
View File

@@ -24,7 +24,7 @@ if(CXXOPTS_INCLUDE_DIR)
elseif(NOT USE_BUNDLED_CXXOPTS)
find_package(cxxopts CONFIG REQUIRED)
get_target_property(CXXOPTS_INCLUDE_DIR cxxopts::cxxopts INTERFACE_INCLUDE_DIRECTORIES)
elseif(NOT TARGET cxxopts)
else()
set(CXXOPTS_SRC "${PROJECT_BINARY_DIR}/cxxopts-prefix/src/cxxopts/")
set(CXXOPTS_INCLUDE_DIR "${CXXOPTS_SRC}/include")

6
cmake/modules/driver.cmake
View File

@@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2026 The Falco Authors.
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
@@ -35,9 +35,9 @@ else()
# FALCOSECURITY_LIBS_VERSION. In case you want to test against another driver version (or
# branch, or commit) just pass the variable - ie., `cmake -DDRIVER_VERSION=dev ..`
if(NOT DRIVER_VERSION)
set(DRIVER_VERSION "30a8910c1166358541bfafc07a75fc57447c5152")
set(DRIVER_VERSION "7.3.0+driver")
set(DRIVER_CHECKSUM
"SHA256=56586ce5063e5beea9a35c0def4e570cdfd197b14cd424c19e02c7820296eeea"
"SHA256=8f572d9a83feda635a3fa53b859d61e37af127c241e35068aadee3bc50d212c0"
)
endif()

8
cmake/modules/falcoctl.cmake
View File

@@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2025 The Falco Authors.
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
@@ -20,16 +20,16 @@ option(ADD_FALCOCTL_DEPENDENCY "Add falcoctl dependency while building falco" ON
if(ADD_FALCOCTL_DEPENDENCY)
string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
set(FALCOCTL_VERSION "0.12.2")
set(FALCOCTL_VERSION "0.10.1")
message(STATUS "Building with falcoctl: ${FALCOCTL_VERSION}")
if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
set(FALCOCTL_SYSTEM_PROC_GO "amd64")
set(FALCOCTL_HASH "7e0e232aa73825383d3382b3af8a38466289a768f9c1c7f25bd7e11a3ed6980a")
set(FALCOCTL_HASH "039961004a72d27409ab6ba82542134bd5df8a69ad341c897f3d26b6596b9e6a")
else() # aarch64
set(FALCOCTL_SYSTEM_PROC_GO "arm64")
set(FALCOCTL_HASH "9b7dd75189f997da6423bcdb5dfe68840f20c56f95d30d323d26d0c4bd75a8e3")
set(FALCOCTL_HASH "fbaf83512cc73e99f14f90cb14ed4eee83f40efde3d398c7b7ef02163116f2fc")
endif()
ExternalProject_Add(

18
cmake/modules/falcosecurity-libs.cmake
View File

@@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2026 The Falco Authors.
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
@@ -42,9 +42,9 @@ else()
# version (or branch, or commit) just pass the variable - ie., `cmake
# -DFALCOSECURITY_LIBS_VERSION=dev ..`
if(NOT FALCOSECURITY_LIBS_VERSION)
set(FALCOSECURITY_LIBS_VERSION "30a8910c1166358541bfafc07a75fc57447c5152")
set(FALCOSECURITY_LIBS_VERSION "0.18.2")
set(FALCOSECURITY_LIBS_CHECKSUM
"SHA256=56586ce5063e5beea9a35c0def4e570cdfd197b14cd424c19e02c7820296eeea"
"SHA256=b2e3e42c3255a6d41960afe086e8189d73e27f1dbc23abefaf6b05cf118eb6f4"
)
endif()
@@ -73,6 +73,7 @@ set(LIBS_PACKAGE_NAME "falcosecurity")
if(CMAKE_SYSTEM_NAME MATCHES "Linux")
add_definitions(-D_GNU_SOURCE)
add_definitions(-DHAS_CAPTURE)
endif()
if(MUSL_OPTIMIZED_BUILD)
@@ -87,8 +88,11 @@ if(NOT LIBS_DIR)
set(LIBS_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
endif()
# todo(ekoops): remove this once we remove gvisor from libs
option(BUILD_LIBSCAP_GVISOR OFF)
# configure gVisor support
set(BUILD_LIBSCAP_GVISOR
${BUILD_FALCO_GVISOR}
CACHE BOOL ""
)
# configure modern BPF support
set(BUILD_LIBSCAP_MODERN_BPF
@@ -105,10 +109,6 @@ set(BUILD_LIBSCAP_EXAMPLES
OFF
CACHE BOOL ""
)
set(BUILD_LIBSINSP_EXAMPLES
OFF
CACHE BOOL ""
)
set(USE_BUNDLED_TBB
ON

132
cmake/modules/gperftools.cmake
View File

@@ -1,132 +0,0 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2026 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
#
# gperftools CPU profiler support This module provides: GPERFTOOLS_INCLUDE_DIR (include directory)
# and GPERFTOOLS_PROFILER_LIB (the profiler library path)
option(USE_BUNDLED_GPERFTOOLS "Build gperftools from source" ${USE_BUNDLED_DEPS})
if(GPERFTOOLS_INCLUDE_DIR)
# Already have gperftools configured
elseif(NOT USE_BUNDLED_GPERFTOOLS)
# Use system gperftools
find_path(
GPERFTOOLS_INCLUDE_DIR
NAMES gperftools/profiler.h
PATHS /usr/include /usr/local/include
)
find_library(
GPERFTOOLS_PROFILER_LIB
NAMES profiler
PATHS /usr/lib /usr/local/lib /usr/lib/x86_64-linux-gnu /usr/lib/aarch64-linux-gnu
)
if(GPERFTOOLS_INCLUDE_DIR AND GPERFTOOLS_PROFILER_LIB)
message(
STATUS
"Found system gperftools: include: ${GPERFTOOLS_INCLUDE_DIR}, lib: ${GPERFTOOLS_PROFILER_LIB}"
)
else()
message(
FATAL_ERROR
"Couldn't find system gperftools. Install it or use -DUSE_BUNDLED_GPERFTOOLS=ON\n"
" Ubuntu/Debian: sudo apt-get install libgoogle-perftools-dev\n"
" Fedora/RHEL: sudo dnf install gperftools-devel\n"
" macOS: brew install gperftools"
)
endif()
else()
# Build gperftools from source
set(GPERFTOOLS_SRC "${PROJECT_BINARY_DIR}/gperftools-prefix/src/gperftools")
set(GPERFTOOLS_INCLUDE_DIR "${GPERFTOOLS_SRC}/src")
if(BUILD_SHARED_LIBS)
set(GPERFTOOLS_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
else()
set(GPERFTOOLS_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
endif()
# The library is built in .libs subdirectory
set(GPERFTOOLS_PROFILER_LIB "${GPERFTOOLS_SRC}/.libs/libprofiler${GPERFTOOLS_LIB_SUFFIX}")
# gperftools version 2.15 (latest stable as of 2024)
set(GPERFTOOLS_VERSION "2.15")
set(GPERFTOOLS_URL
"https://github.com/gperftools/gperftools/releases/download/gperftools-${GPERFTOOLS_VERSION}/gperftools-${GPERFTOOLS_VERSION}.tar.gz"
)
set(GPERFTOOLS_URL_HASH
"SHA256=c69fef855628c81ef56f12e3c58f2b7ce1f326c0a1fe783e5cae0b88cbbe9a80"
)
message(STATUS "Building gperftools ${GPERFTOOLS_VERSION} from source")
# Configure options for gperftools
set(GPERFTOOLS_CONFIGURE_ARGS --enable-cpu-profiler --disable-heap-profiler
--disable-heap-checker --disable-debugalloc
)
# Check if libunwind is available for better stack traces
find_library(LIBUNWIND_LIBRARY NAMES unwind)
if(LIBUNWIND_LIBRARY)
list(APPEND GPERFTOOLS_CONFIGURE_ARGS --enable-libunwind)
message(STATUS "gperftools: libunwind found, enabling for better stack traces")
else()
list(APPEND GPERFTOOLS_CONFIGURE_ARGS --disable-libunwind)
message(STATUS "gperftools: libunwind not found, using frame pointers for stack traces")
endif()
ExternalProject_Add(
gperftools
PREFIX "${PROJECT_BINARY_DIR}/gperftools-prefix"
URL "${GPERFTOOLS_URL}"
URL_HASH "${GPERFTOOLS_URL_HASH}"
CONFIGURE_COMMAND <SOURCE_DIR>/configure ${GPERFTOOLS_CONFIGURE_ARGS}
BUILD_COMMAND ${CMD_MAKE} ${PROCESSOUR_COUNT_MAKE_FLAG}
BUILD_IN_SOURCE 1
INSTALL_COMMAND ""
UPDATE_COMMAND ""
BUILD_BYPRODUCTS ${GPERFTOOLS_PROFILER_LIB}
)
install(
FILES "${GPERFTOOLS_PROFILER_LIB}"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
OPTIONAL
)
endif()
# Create a custom target so we can always depend on 'gperftools' regardless of bundled/system
if(NOT TARGET gperftools)
add_custom_target(gperftools)
endif()
# Add include directory globally
include_directories(${GPERFTOOLS_INCLUDE_DIR})
# Add compile definition so code can detect profiling support
add_compile_definitions(HAS_GPERFTOOLS)
# Wrap the profiler library with --whole-archive to ensure the profiler's initialization code is
# linked even though we don't call ProfilerStart() directly. This is required for the CPUPROFILE
# environment variable to work.
set(GPERFTOOLS_PROFILER_LIB "-Wl,--whole-archive" "${GPERFTOOLS_PROFILER_LIB}"
"-Wl,--no-whole-archive"
)
message(STATUS "gperftools CPU profiler enabled")
message(STATUS " Include dir: ${GPERFTOOLS_INCLUDE_DIR}")
message(STATUS " Library: ${GPERFTOOLS_PROFILER_LIB}")

75
cmake/modules/jemalloc.cmake
View File

@@ -1,75 +0,0 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2025 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
#
option(USE_BUNDLED_JEMALLOC "Use bundled jemalloc allocator" ${USE_BUNDLED_DEPS})
if(JEMALLOC_INCLUDE)
# we already have JEMALLOC
elseif(NOT USE_BUNDLED_JEMALLOC)
find_path(JEMALLOC_INCLUDE jemalloc/jemalloc.h)
set(JEMALLOC_INCLUDE ${JEMALLOC_INCLUDE}/jemalloc)
if(BUILD_SHARED_LIBS)
set(JEMALLOC_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
else()
set(JEMALLOC_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
endif()
find_library(MALLOC_LIB NAMES libjemalloc${JEMALLOC_LIB_SUFFIX})
if(MALLOC_LIB)
message(STATUS "Found system jemalloc: include: ${JEMALLOC_INCLUDE}, lib: ${MALLOC_LIB}")
else()
message(FATAL_ERROR "Couldn't find system jemalloc")
endif()
else()
if(BUILD_SHARED_LIBS)
set(JEMALLOC_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
else()
set(JEMALLOC_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
endif()
set(JEMALLOC_SRC "${PROJECT_BINARY_DIR}/jemalloc-prefix/src")
set(MALLOC_LIB "${JEMALLOC_SRC}/malloc/lib/libjemalloc${JEMALLOC_LIB_SUFFIX}")
set(JEMALLOC_INCLUDE "${JEMALLOC_SRC}/malloc/include/jemalloc")
if(CMAKE_SYSTEM_PROCESSOR STREQUAL "aarch64")
set(JEMALLOC_ARCH_SPECIFIC_CONFIGURE_ARGS --with-lg-page=14)
else()
set(JEMALLOC_ARCH_SPECIFIC_CONFIGURE_ARGS "")
endif()
ExternalProject_Add(
malloc
PREFIX "${PROJECT_BINARY_DIR}/jemalloc-prefix"
URL "https://github.com/jemalloc/jemalloc/archive/refs/tags/5.3.0.tar.gz"
URL_HASH "SHA256=ef6f74fd45e95ee4ef7f9e19ebe5b075ca6b7fbe0140612b2a161abafb7ee179"
CONFIGURE_COMMAND ./autogen.sh --enable-prof --disable-libdl
${JEMALLOC_ARCH_SPECIFIC_CONFIGURE_ARGS}
BUILD_IN_SOURCE 1
BUILD_COMMAND make build_lib_static
INSTALL_COMMAND ""
UPDATE_COMMAND ""
BUILD_BYPRODUCTS ${MALLOC_LIB}
)
install(
FILES "${MALLOC_LIB}"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
endif()
# We add a custom target, in this way we can always depend on `jemalloc` without distinguishing
# between "bundled" and "not-bundled" case
if(NOT TARGET malloc)
add_custom_target(malloc)
endif()
include_directories(${JEMALLOC_INCLUDE})
add_compile_definitions(HAS_JEMALLOC)

92
cmake/modules/mimalloc.cmake
View File

@@ -1,92 +0,0 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2025 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
#
option(USE_BUNDLED_MIMALLOC "Use bundled mimalloc (microsoft) allocator" ${USE_BUNDLED_DEPS})
if(MIMALLOC_INCLUDE)
# we already have MIMALLOC
elseif(NOT USE_BUNDLED_MIMALLOC)
find_path(MIMALLOC_INCLUDE mimalloc/mimalloc.h)
set(MIMALLOC_INCLUDE ${MIMALLOC_INCLUDE}/mimalloc)
if(BUILD_SHARED_LIBS)
set(MIMALLOC_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
else()
set(MIMALLOC_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
endif()
find_library(MALLOC_LIB NAMES libmimalloc${MIMALLOC_LIB_SUFFIX})
if(MALLOC_LIB)
message(STATUS "Found system mimalloc: include: ${MIMALLOC_INCLUDE}, lib: ${MALLOC_LIB}")
else()
message(FATAL_ERROR "Couldn't find system mimalloc")
endif()
else()
if(BUILD_SHARED_LIBS)
set(BUILD_STATIC Off)
set(MIMALLOC_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
else()
set(BUILD_STATIC On)
set(MIMALLOC_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
endif()
set(MIMALLOC_SRC "${PROJECT_BINARY_DIR}/mimalloc-prefix/src")
string(TOLOWER "${CMAKE_BUILD_TYPE}" _build_type)
if(_build_type STREQUAL "debug")
set(MIMALLOC_LIB_BASENAME "libmimalloc-debug")
else()
set(MIMALLOC_LIB_BASENAME "libmimalloc")
endif()
set(MALLOC_LIB "${MIMALLOC_SRC}/malloc-build/${MIMALLOC_LIB_BASENAME}${MIMALLOC_LIB_SUFFIX}")
set(MIMALLOC_INCLUDE ${MIMALLOC_SRC}/malloc/include/)
# To avoid recent clang versions complaining with "error: expansion of date or time macro is not
# reproducible" while building mimalloc, we force-set both variables.
string(TIMESTAMP DATE "%Y%m%d")
string(TIMESTAMP TIME "%H:%M")
set(MIMALLOC_EXTRA_CPPDEFS __DATE__="${DATE}",__TIME__="${TIME}")
# We disable arch specific optimization because of issues with building with zig. Optimizations
# would be only effective on arm64. See MI_NO_OPT_ARCH=On.
ExternalProject_Add(
malloc
PREFIX "${PROJECT_BINARY_DIR}/mimalloc-prefix"
URL "https://github.com/microsoft/mimalloc/archive/refs/tags/v3.1.5.tar.gz"
URL_HASH "SHA256=1c6949032069d5ebea438ec5cedd602d06f40a92ddf0f0d9dcff0993e5f6635c"
LIST_SEPARATOR "," # to pass MIMALLOC_EXTRA_CPPDEFS as list
CMAKE_ARGS -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-DMI_BUILD_SHARED=${BUILD_SHARED_LIBS}
-DMI_BUILD_STATIC=${BUILD_STATIC}
-DMI_BUILD_TESTS=Off
-DMI_BUILD_OBJECT=Off
-DMI_NO_OPT_ARCH=On
-DMI_EXTRA_CPPDEFS=${MIMALLOC_EXTRA_CPPDEFS}
INSTALL_COMMAND ""
UPDATE_COMMAND ""
BUILD_BYPRODUCTS ${MALLOC_LIB}
)
install(
FILES "${MALLOC_LIB}"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
endif()
# We add a custom target, in this way we can always depend on `mimalloc` without distinguishing
# between "bundled" and "not-bundled" case
if(NOT TARGET malloc)
add_custom_target(malloc)
endif()
include_directories(${MIMALLOC_INCLUDE})
add_compile_definitions(HAS_MIMALLOC)

81
cmake/modules/openssl.cmake
View File

@@ -1,81 +0,0 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
#
option(USE_BUNDLED_OPENSSL "Enable building of the bundled OpenSSL" ${USE_BUNDLED_DEPS})
if(OPENSSL_INCLUDE_DIR)
# we already have openssl
elseif(NOT USE_BUNDLED_OPENSSL)
find_package(OpenSSL REQUIRED)
message(STATUS "Found OpenSSL: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
else()
if(BUILD_SHARED_LIBS)
set(OPENSSL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
set(OPENSSL_SHARED_OPTION shared)
else()
set(OPENSSL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
set(OPENSSL_SHARED_OPTION no-shared)
endif()
set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include/")
set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl${OPENSSL_LIB_SUFFIX}")
set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto${OPENSSL_LIB_SUFFIX}")
set(OPENSSL_LIBRARIES ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO})
if(NOT TARGET openssl)
if(NOT ENABLE_PIC)
set(OPENSSL_PIC_OPTION)
else()
set(OPENSSL_PIC_OPTION "-fPIC")
endif()
message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
ExternalProject_Add(
openssl
PREFIX "${PROJECT_BINARY_DIR}/openssl-prefix"
URL "https://github.com/openssl/openssl/releases/download/openssl-3.1.4/openssl-3.1.4.tar.gz"
URL_HASH "SHA256=840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3"
CONFIGURE_COMMAND ./config ${OPENSSL_SHARED_OPTION} ${OPENSSL_PIC_OPTION}
--prefix=${OPENSSL_INSTALL_DIR} --libdir=lib
BUILD_COMMAND make
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO}
INSTALL_COMMAND make install_sw
)
install(
FILES "${OPENSSL_LIBRARY_SSL}"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(
FILES "${OPENSSL_LIBRARY_CRYPTO}"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(
DIRECTORY "${OPENSSL_INCLUDE_DIR}"
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
endif()
endif()
if(NOT TARGET openssl)
add_custom_target(openssl)
endif()
include_directories("${OPENSSL_INCLUDE_DIR}")

6
cmake/modules/rules.cmake
View File

@@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2025 The Falco Authors.
# Copyright (C) 2024 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
@@ -18,9 +18,9 @@ include(ExternalProject)
if(NOT DEFINED FALCOSECURITY_RULES_FALCO_PATH)
# falco_rules.yaml
set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-5.0.0")
set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-3.2.0")
set(FALCOSECURITY_RULES_FALCO_CHECKSUM
"SHA256=ca87d972e102a9f960fed41f90d2736a73079fcc7e787187028f455ad58b1637"
"SHA256=b3990bf0209cfbf6a903b361e458a1f5851a9a5aeee808ad26a5ddbe1377157d"
)
set(FALCOSECURITY_RULES_FALCO_PATH
"${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml"

4
cmake/modules/yaml-cpp.cmake
View File

@@ -19,8 +19,8 @@ if(USE_BUNDLED_YAMLCPP)
include(FetchContent)
FetchContent_Declare(
yamlcpp
URL https://github.com/jbeder/yaml-cpp/archive/c2bec4c755c67ad86185a2a264996137904fb712.tar.gz
URL_HASH SHA256=faea1ffdbad81b958b3b45a63ba667f4db53a3fffb983ca5df4745cf90044797
URL https://github.com/jbeder/yaml-cpp/archive/refs/tags/0.8.0.tar.gz
URL_HASH SHA256=fbe74bbdcee21d656715688706da3c8becfd946d92cd44705cc6098bb23b3a16
)
FetchContent_MakeAvailable(yamlcpp)
else()

2
config/falco.container_plugin.yaml
View File

@@ -1,2 +0,0 @@
# Enable container plugin for linux non musl installation.
load_plugins: [container]

2
config/falco.iso8601_timeformat.yaml
View File

@@ -1,2 +0,0 @@
# Enable iso 8601 time format on docker
time_format_iso_8601: true

18
docker/README.md
View File

@@ -4,9 +4,15 @@ This directory contains various ways to package Falco as a container and related
## Currently Supported Images
| Name | Directory | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Distroless image based on the latest released tar.gz of Falco. No tools are included in the image. |
| [falcosecurity/falco:latest-debian](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-debian](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master-debian](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco-debian | Debian-based image. Include some tools (i.e. jq, curl). No driver-building toolchain support. |
| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | Based on falcosecurity/falco:x.y.z-debian (see above) plus the driver building toolchain support and falcoctl. This is intended to be used as an installer or an init container when modern eBPF cannot be used. |
| [falcosecurity/falco-driver-loader:latest-buster](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_-buster](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master-debian](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader-buster | Similar to falcosecurity/falco-driver-loader (see above) but based on a legacy Debian image (i.e. buster ). Recommended only for old kernel versions. |
| Name | Directory | Description |
|---|---|---|
| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
| [falcosecurity/falco-driver-loader-legacy:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader-legacy), [falcosecurity/falco-driver-loader-legacy:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader-legacy) | docker/driver-loader-legacy | `falco-driver-loader` as entrypoint with the legacy building toolchain. Recommended for kernels < 4.0 |
## Experimental Images
| Name | Directory | Description |
|---|---|---|
| [falcosecurity/falco-distroless:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless), [falcosecurity/falco-distroless:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless),[falcosecurity/falco-distroless:master](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless) | docker/no-driver/Dockerfile.distroless | Falco without the building toolchain built from a distroless base image. This results in a smaller image that has less potentially vulnerable components. |

2
docker/docker-compose/docker-compose.yaml
View File

@@ -13,7 +13,7 @@ services:
- /proc:/host/proc:ro
- /etc:/host/etc:ro
- ./config/http_output.yml:/etc/falco/config.d/http_output.yml
image: falcosecurity/falco:latest
image: falcosecurity/falco-no-driver:latest
sidekick:
container_name: falco-sidekick

67
docker/driver-loader-buster/Dockerfile → docker/driver-loader-legacy/Dockerfile
View File

@@ -1,38 +1,22 @@
FROM debian:buster
ARG FALCO_COMMIT_SHA
ARG FALCO_VERSION=latest
LABEL maintainer="cncf-falco-dev@lists.cncf.io"
LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
org.opencontainers.image.url='https://falco.org' \
org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
org.opencontainers.image.vendor='Falco Organization' \
org.opencontainers.image.licenses='Apache-2.0' \
org.opencontainers.image.revision=${FALCO_COMMIT_SHA} \
org.opencontainers.image.version=${FALCO_VERSION} \
maintainer="cncf-falco-dev@lists.cncf.io"
LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest-buster [driver] [options]"
LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
ARG TARGETARCH
ARG FALCO_VERSION=latest
ARG VERSION_BUCKET=deb
ARG HOST_ROOT=/host
ARG HOME=/root
ENV FALCO_VERSION="${FALCO_VERSION}" \
VERSION_BUCKET="${VERSION_BUCKET}" \
HOST_ROOT="${HOST_ROOT}" \
HOME="${HOME}"
ENV VERSION_BUCKET=${VERSION_BUCKET}
ENV FALCO_VERSION=${FALCO_VERSION}
ENV HOST_ROOT /host
ENV HOME /root
RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
# Use 20250630T203427Z debian apt snapshot as it still contains support for buster.
RUN cat <<EOF > /etc/apt/sources.list
deb http://snapshot.debian.org/archive/debian/20250630T203427Z buster main
deb http://snapshot.debian.org/archive/debian-security/20250630T203427Z buster/updates main
deb http://snapshot.debian.org/archive/debian/20250630T203427Z buster-updates main
EOF
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
bash-completion \
@@ -47,6 +31,7 @@ RUN apt-get update \
gcc \
jq \
libc6-dev \
libelf-dev \
libssl-dev \
llvm-7 \
netcat \
@@ -56,8 +41,8 @@ RUN apt-get update \
&& rm -rf /var/lib/apt/lists/*
RUN if [ "$TARGETARCH" = "amd64" ]; \
then apt-get install -y --no-install-recommends libmpx2; \
fi
then apt-get install -y --no-install-recommends libmpx2; \
fi
# gcc 6 is no longer included in debian stable, but we need it to
# build kernel modules on the default debian-based ami used by
@@ -66,7 +51,7 @@ RUN if [ "$TARGETARCH" = "amd64" ]; \
# or so.
RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
&& curl -L -o gcc-6-base_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_${TARGETARCH}.deb \
&& curl -L -o gcc-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_${TARGETARCH}.deb \
&& curl -L -o libasan3_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_${TARGETARCH}.deb \
@@ -75,8 +60,8 @@ RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGE
&& curl -L -o libmpfr4_3.1.3-2_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_${TARGETARCH}.deb \
&& curl -L -o libisl15_0.18-1_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-1_${TARGETARCH}.deb \
&& dpkg -i cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb; \
if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
&& rm -f cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb libcilkrts5_6.3.0-18_${TARGETARCH}.deb libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb
# gcc 5 is no longer included in debian stable, but we need it to
@@ -85,15 +70,15 @@ RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGE
# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libmpx0_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
&& curl -L -o gcc-5-base_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_${TARGETARCH}.deb \
&& curl -L -o gcc-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_${TARGETARCH}.deb \
&& curl -L -o libasan2_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan2_5.5.0-12_${TARGETARCH}.deb \
&& curl -L -o libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb \
&& curl -L -o libisl15_0.18-4_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-4_${TARGETARCH}.deb \
&& dpkg -i cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb; \
if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
&& rm -f cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb libmpx0_5.5.0-12_${TARGETARCH}.deb
# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
@@ -112,8 +97,10 @@ RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
# Change the falco config within the container to enable ISO 8601 output.
ADD ./config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
# Change the falco config within the container to enable ISO 8601
# output.
RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
# Some base images have an empty /lib/modules by default
# If it's not empty, docker build will fail instead of
@@ -126,10 +113,10 @@ RUN rm -df /lib/modules \
# forcibly install binutils 2.30-22 instead.
RUN if [ "$TARGETARCH" = "amd64" ] ; then \
curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
else \
curl -L -o binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
fi
curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
else \
curl -L -o binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
fi
RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils_2.30-22_${TARGETARCH}.deb \
&& curl -L -o libbinutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/libbinutils_2.30-22_${TARGETARCH}.deb \
@@ -137,6 +124,6 @@ RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dep
&& dpkg -i *binutils*.deb \
&& rm -f *binutils*.deb
COPY docker/driver-loader-buster/docker-entrypoint.sh /
COPY ./docker-entrypoint.sh /
ENTRYPOINT ["/docker-entrypoint.sh"]

9
docker/driver-loader-buster/docker-entrypoint.sh → docker/driver-loader-legacy/docker-entrypoint.sh
View File

@@ -1,7 +1,7 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2026 The Falco Authors.
# Copyright (C) 2023 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -21,12 +21,13 @@
print_usage() {
echo ""
echo "Usage:"
echo " docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest-buster [driver] [options]"
echo " docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader-legacy:latest [driver] [options]"
echo ""
echo "Available drivers:"
echo " auto leverage automatic driver selection logic (default)"
echo " modern_ebpf modern eBPF CORE probe"
echo " kmod kernel module"
echo " ebpf eBPF probe"
echo ""
echo "Options:"
echo " --help show this help message"
@@ -58,7 +59,7 @@ driver=
has_opts=
while test $# -gt 0; do
case "$1" in
auto|kmod|modern_ebpf)
auto|kmod|ebpf|modern_ebpf)
if [ -n "$driver" ]; then
>&2 echo "Only one driver per invocation"
print_usage
@@ -119,7 +120,7 @@ if [ "$driver" != "auto" ]; then
/usr/bin/falcoctl driver config --type $driver
else
# Needed because we need to configure Falco to start with correct driver
/usr/bin/falcoctl driver config --type modern_ebpf --type kmod
/usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf
fi
/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS"

55
docker/driver-loader/Dockerfile
View File

@@ -1,55 +1,14 @@
ARG FALCO_IMAGE_TAG=latest
FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}-debian
FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}
ARG FALCO_COMMIT_SHA
ARG FALCO_VERSION
LABEL maintainer="cncf-falco-dev@lists.cncf.io"
LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
org.opencontainers.image.url='https://falco.org' \
org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
org.opencontainers.image.vendor='Falco Organization' \
org.opencontainers.image.licenses='Apache-2.0' \
org.opencontainers.image.revision=${FALCO_COMMIT_SHA} \
org.opencontainers.image.version=${FALCO_VERSION} \
maintainer="cncf-falco-dev@lists.cncf.io"
LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --name NAME IMAGE"
LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest [driver] [options]"
ENV HOST_ROOT /host
ENV HOME /root
ENV HOST_ROOT=/host
ENV HOME=/root
RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
bc \
bison \
ca-certificates \
clang \
curl \
dkms \
dwarves \
flex \
gcc \
gcc-11 \
gnupg2 \
jq \
libc6-dev \
libssl-dev \
llvm \
make \
netcat-openbsd \
patchelf \
xz-utils \
zstd \
&& rm -rf /var/lib/apt/lists/*
# Some base images have an empty /lib/modules by default
# If it's not empty, docker build will fail instead of
# silently overwriting the existing directory
RUN rm -df /lib/modules \
&& ln -s $HOST_ROOT/lib/modules /lib/modules
COPY ./docker/driver-loader/docker-entrypoint.sh /
COPY ./docker-entrypoint.sh /
ENTRYPOINT ["/docker-entrypoint.sh"]

6
docker/driver-loader/docker-entrypoint.sh
View File

@@ -27,6 +27,7 @@ print_usage() {
echo " auto leverage automatic driver selection logic (default)"
echo " modern_ebpf modern eBPF CORE probe"
echo " kmod kernel module"
echo " ebpf eBPF probe"
echo ""
echo "Options:"
echo " --help show this help message"
@@ -49,7 +50,6 @@ echo "* Setting up /usr/src links from host"
for i in "$HOST_ROOT/usr/src"/*
do
[[ -e $i ]] || continue
base=$(basename "$i")
ln -s "$i" "/usr/src/$base"
done
@@ -63,7 +63,7 @@ extra_args=
while test $# -gt 0; do
case "$1" in
auto|kmod|modern_ebpf)
auto|kmod|ebpf|modern_ebpf)
if [ -n "$driver" ]; then
>&2 echo "Only one driver per invocation"
print_usage
@@ -132,7 +132,7 @@ if [ "$driver" != "auto" ]; then
/usr/bin/falcoctl driver config --type $driver
else
# Needed because we need to configure Falco to start with correct driver
/usr/bin/falcoctl driver config --type modern_ebpf --type kmod
/usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf
fi
/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" $extra_args

41
docker/falco-debian/Dockerfile
View File

@@ -1,41 +0,0 @@
FROM debian:12-slim
ARG FALCO_COMMIT_SHA
ARG FALCO_VERSION
LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
org.opencontainers.image.url='https://falco.org' \
org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
org.opencontainers.image.vendor='Falco Organization' \
org.opencontainers.image.licenses='Apache-2.0' \
org.opencontainers.image.revision=${FALCO_COMMIT_SHA} \
org.opencontainers.image.version=${FALCO_VERSION} \
maintainer="cncf-falco-dev@lists.cncf.io"
LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /proc:/host/proc:ro -v /etc:/host/etc:ro falcosecurity/falco:latest-debian"
ARG VERSION_BUCKET=deb
ARG HOST_ROOT=/host
ARG HOME=/root
ENV FALCO_VERSION="${FALCO_VERSION}" \
VERSION_BUCKET="${VERSION_BUCKET}" \
HOST_ROOT="${HOST_ROOT}" \
HOME="${HOME}"
RUN apt-get -y update && apt-get -y install curl jq ca-certificates gnupg2 \
&& apt clean -y && rm -rf /var/lib/apt/lists/*
WORKDIR /
RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
&& apt-get update -y \
&& if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
# Change the falco config within the container to enable ISO 8601 output.
ADD config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
CMD ["/usr/bin/falco"]

91
docker/falco/Dockerfile
View File

@@ -1,48 +1,67 @@
FROM cgr.dev/chainguard/wolfi-base
FROM debian:bookworm
ARG FALCO_COMMIT_SHA
ARG FALCO_VERSION
LABEL maintainer="cncf-falco-dev@lists.cncf.io"
LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
org.opencontainers.image.url='https://falco.org' \
org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
org.opencontainers.image.vendor='Falco Organization' \
org.opencontainers.image.licenses='Apache-2.0' \
org.opencontainers.image.revision=${FALCO_COMMIT_SHA} \
org.opencontainers.image.version=${FALCO_VERSION} \
maintainer="cncf-falco-dev@lists.cncf.io"
LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /proc:/host/proc:ro -v /etc:/host/etc:ro falcosecurity/falco:latest"
# NOTE: for the "least privileged" use case, please refer to the official documentation
ARG TARGETARCH
ARG VERSION_BUCKET=bin
ARG HOST_ROOT=/host
ARG HOME=/root
ARG FALCO_VERSION=latest
ARG VERSION_BUCKET=deb
ENV VERSION_BUCKET=${VERSION_BUCKET}
ENV FALCO_VERSION="${FALCO_VERSION}" \
VERSION_BUCKET="${VERSION_BUCKET}" \
HOST_ROOT="${HOST_ROOT}" \
HOME="${HOME}"
ENV FALCO_VERSION=${FALCO_VERSION}
ENV HOST_ROOT /host
ENV HOME /root
RUN apk update && apk add curl ca-certificates jq libstdc++
RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
WORKDIR /
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
bc \
bison \
ca-certificates \
clang \
curl \
dkms \
dwarves \
flex \
gcc \
gcc-11 \
gnupg2 \
jq \
libc6-dev \
libelf-dev \
libssl-dev \
llvm \
make \
netcat-openbsd \
patchelf \
xz-utils \
zstd \
&& rm -rf /var/lib/apt/lists/*
RUN ARCH=$(uname -m) && \
FALCO_VERSION_URLENCODED=$(echo -n "${FALCO_VERSION}" | jq -sRr @uri) && \
echo "Downloading Falco ${FALCO_VERSION} for ${ARCH}" && \
curl -L -o falco.tar.gz \
https://download.falco.org/packages/${VERSION_BUCKET}/${ARCH}/falco-${FALCO_VERSION_URLENCODED}-${ARCH}.tar.gz && \
tar -xvf falco.tar.gz && \
rm -f falco.tar.gz && \
mv falco-${FALCO_VERSION}-${ARCH} falco && \
rm -rf /falco/usr/src/falco-* && \
cp -r /falco/* / && \
rm -rf /falco && \
rm -rf /usr/bin/falcoctl /etc/falcoctl/
RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
&& apt-get update -y \
&& if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
# Change the falco config within the container to enable ISO 8601
# output.
RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
# Change the falco config within the container to enable ISO 8601 output.
ADD config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
# Some base images have an empty /lib/modules by default
# If it's not empty, docker build will fail instead of
# silently overwriting the existing directory
RUN rm -df /lib/modules \
&& ln -s $HOST_ROOT/lib/modules /lib/modules
COPY ./docker-entrypoint.sh /
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["/usr/bin/falco"]

136
docker/falco/docker-entrypoint.sh Executable file
View File

@@ -0,0 +1,136 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
print_usage() {
echo ""
echo "Usage:"
echo " docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro -e 'FALCO_DRIVER_LOADER_OPTIONS=[driver] [options]' falcosecurity/falco:latest"
echo ""
echo "Available FALCO_DRIVER_LOADER_OPTIONS drivers:"
echo " auto leverage automatic driver selection logic (default)"
echo " modern_ebpf modern eBPF CORE probe"
echo " kmod kernel module"
echo " ebpf eBPF probe"
echo ""
echo "FALCO_DRIVER_LOADER_OPTIONS options:"
echo " --help show this help message"
echo " --clean try to remove an already present driver installation"
echo " --compile try to compile the driver locally (default true)"
echo " --download try to download a prebuilt driver (default true)"
echo " --http-insecure enable insecure downloads"
echo " --print-env skip execution and print env variables for other tools to consume"
echo ""
echo "Environment variables:"
echo " FALCOCTL_DRIVER_REPOS specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
echo " FALCOCTL_DRIVER_NAME specify a different name for the driver"
echo " FALCOCTL_DRIVER_HTTP_HEADERS specify comma separated list of http headers for driver download (e.g. 'x-emc-namespace: default,Proxy-Authenticate: Basic')"
echo ""
}
# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
echo "* Setting up /usr/src links from host"
for i in "$HOST_ROOT/usr/src"/*
do
base=$(basename "$i")
ln -s "$i" "/usr/src/$base"
done
# convert the optional space-separated env variable FALCO_DRIVER_LOADER_OPTIONS to array, prevent
# shell expansion and use it as argument list for falcoctl
read -a falco_driver_loader_option_arr <<< $FALCO_DRIVER_LOADER_OPTIONS
ENABLE_COMPILE="false"
ENABLE_DOWNLOAD="false"
HTTP_INSECURE="false"
driver=
has_opts=
for opt in "${falco_driver_loader_option_arr[@]}"
do
case "$opt" in
auto|kmod|ebpf|modern_ebpf)
if [ -n "$driver" ]; then
>&2 echo "Only one driver per invocation"
print_usage
exit 1
else
driver=$opt
fi
;;
-h|--help)
print_usage
exit 0
;;
--clean)
/usr/bin/falcoctl driver cleanup
exit 0
;;
--compile)
ENABLE_COMPILE="true"
has_opts="true"
;;
--download)
ENABLE_DOWNLOAD="true"
has_opts="true"
;;
--http-insecure)
HTTP_INSECURE="true"
;;
--print-env)
/usr/bin/falcoctl driver printenv
exit 0
;;
--*)
>&2 echo "Unknown option: $opt"
print_usage
exit 1
;;
*)
>&2 echo "Unknown driver: $opt"
print_usage
exit 1
;;
esac
done
# No opts passed, enable both compile and download
if [ -z "$has_opts" ]; then
ENABLE_COMPILE="true"
ENABLE_DOWNLOAD="true"
fi
# Default value: auto
if [ -z "$driver" ]; then
driver="auto"
fi
if [ "$driver" != "auto" ]; then
/usr/bin/falcoctl driver config --type $driver
else
# Needed because we need to configure Falco to start with correct driver
/usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf
fi
/usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS"
fi
exec "$@"

39
docker/no-driver/Dockerfile Normal file
View File

@@ -0,0 +1,39 @@
FROM debian:12 as builder
ARG FALCO_VERSION
ARG VERSION_BUCKET=bin
ENV FALCO_VERSION=${FALCO_VERSION}
ENV VERSION_BUCKET=${VERSION_BUCKET}
RUN apt-get -y update && apt-get -y install gridsite-clients curl ca-certificates
WORKDIR /
RUN curl -L -o falco.tar.gz \
https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-$(urlencode ${FALCO_VERSION})-$(uname -m).tar.gz && \
tar -xvf falco.tar.gz && \
rm -f falco.tar.gz && \
mv falco-${FALCO_VERSION}-$(uname -m) falco && \
rm -rf /falco/usr/src/falco-*
RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
&& mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
FROM debian:12-slim
LABEL maintainer="cncf-falco-dev@lists.cncf.io"
LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
# NOTE: for the "least privileged" use case, please refer to the official documentation
RUN apt-get -y update && apt-get -y install ca-certificates curl jq libelf1 \
&& apt clean -y && rm -rf /var/lib/apt/lists/*
ENV HOST_ROOT /host
ENV HOME /root
COPY --from=builder /falco /
CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

40
docker/no-driver/Dockerfile.distroless Normal file
View File

@@ -0,0 +1,40 @@
FROM cgr.dev/chainguard/wolfi-base as builder
ARG FALCO_VERSION
ARG VERSION_BUCKET=bin
ENV FALCO_VERSION=${FALCO_VERSION}
ENV VERSION_BUCKET=${VERSION_BUCKET}
RUN apk update && apk add build-base gcc curl ca-certificates jq elfutils
WORKDIR /
RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
curl -L -o falco.tar.gz \
https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-${FALCO_VERSION_URLENCODED}-$(uname -m).tar.gz && \
tar -xvf falco.tar.gz && \
rm -f falco.tar.gz && \
mv falco-${FALCO_VERSION}-$(uname -m) falco && \
rm -rf /falco/usr/src/falco-*
RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
&& mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
FROM cgr.dev/chainguard/wolfi-base
LABEL maintainer="cncf-falco-dev@lists.cncf.io"
LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
# NOTE: for the "least privileged" use case, please refer to the official documentation
RUN apk update && apk add libelf libstdc++
ENV HOST_ROOT /host
ENV HOME /root
USER root
COPY --from=builder /falco /
CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

954
falco.yaml
View File

File diff suppressed because it is too large Load Diff

2
proposals/20231220-features-adoption-and-deprecation.md
View File

@@ -175,7 +175,7 @@ _The units represent the number of releases._
### Examples
**Example 1** Let's consider a feature _foo_ in the Output/Alerts Area introduced in Falco 1.0.0 and labeled as *Incubating*. The feature is promoted to *Stable* in Falco 1.1.0 (because the feature did not get any user-facing change).
Subsequently, maintainers decide that backward-incompatible changes must be introduced in _foo_ to improve its functionality. The part of the feature to be changed is labeled as *Deprecated* in Falco 1.2.0, and the deprecation period starts. The non-backward compatible change is then introduced in Falco 1.4.0.
Subsequently, maintainers decide that backward-compatible changes must be introduced in _foo_ to improve its functionality. The part of the feature to be changed is labeled as *Deprecated* in Falco 1.2.0, and the deprecation period starts. The non-backward compatible change is then introduced in Falco 1.4.0.
**Example 2** The `--bar` flag in the CLI/Config Area has been introduced since Falco 1.1.0 and is labeled as *Stable*. Before releasing Falco 1.5.0, maintainers realize `--bar` is redundant and should be removed. The flag is labeled as *Deprecated* in Falco 1.5.0, and the deprecation period starts. The flag is removed in Falco 1.6.0.

128
proposals/20251215-legacy-bpf-grpc-output-gvisor-engine-deprecation.md
View File

@@ -1,128 +0,0 @@
# Legacy eBPF probe, gVisor libscap engine and gRPC output deprecations
## Summary
This proposal aims to formalize motivations and procedures for deprecating the legacy eBPF probe, the gRPC output and
the gVisor libscap engine.
One of the key objectives of Falco is to maintain a seamless user experience, regardless of the system call event source
actually used. This objective imposes strong requirements among all drivers and engines acting as system call source
(i.e.: gVisor libscap engine), feature parity, among each other, above all. Feature parity raises challenges from both
technical and maintainability perspectives, and these challenges are not justified if the driver/engine is no/little
used. For these reasons, this document aims for raising consensus regarding the legacy eBPF probe and gRPC output
deprecation.
Similar arguments could be raised in favor of the gRPC output deprecation: this output requires dependency on the
gRPC framework, that introduces a non-negligible build time overhead and maintainability burden (especially in a C++
codebase), not justified by the little usage of the output.
Upcoming evidences of non-negligible use of the gVisor engine and the gRPC output could be addressed by providing a
separate source plugin in case of gVisor, and a Falco Sidekick output as a replacement of the gRPC output.
## Motivation
### Legacy eBPF probe deprecation
The following matrix details the current minimum kernel version officially supported by each driver, for each
architecture:
| | Kernel module | legacy eBPF probe | Modern eBPF probe | Status |
| ----------- |----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------| ----------------- | ------ |
| **x86_64** | >= 3.10 | >= 4.14 | >= 5.8 | _STABLE_ |
| **aarch64** | >= [3.16](https://github.com/torvalds/linux/commit/055b1212d141f1f398fca548f8147787c0b6253f) | >= 4.17 | >= 5.8 | _STABLE_ |
| **s390x** | >= 3.10 | >= [5.5](https://github.com/torvalds/linux/commit/6ae08ae3dea) | >= 5.8 | _EXPERIMENTAL_ |
| **riscv64** | >= [5.0](https://github.com/torvalds/linux/commit/5aeb1b36cedd3a1dfdbfe368629fed52dee34103) | N/A | N/A | _EXPERIMENTAL_ |
| **ppc64le** | >= 3.10 | >= [5.1](https://github.com/torvalds/linux/commit/ed1cd6deb013a11959d17a94e35ce159197632da) | >= 5.8 | _STABLE_ |
The legacy eBPF probe strives to provide a little more coverage than the modern eBPF one. This increased coverage comes
at cost of flexibility and maintainability. Indeed:
1. it cannot leverage CORE eBPF features - as a result, falcosecurity must maintain a great number of officially
supported eBPF objects, each one built for a specific officially-supported kernel flavor; this increases the
maintainability burden and makes the system less flexible to kernel configurations/structures changes
2. old kernel versions support is difficult to retain - the verifier imposes huge limitations on old kernel versions,
and any tiny change easily result in the verifier rejecting the code
3. it is difficult to keep it up to date with other drivers - some desired features cannot be implemented in any way
using eBPF on old kernel flavors, due to lack of eBPF helpers/program types or verifier limitations (e.g.: there is no
way of implementing a synchronous data harvesting mechanism like the one provided by BPF iterators). As falcosecurity
strives for feature parity among drivers, this imposes a big limitation on the other drivers. Please notice that:
1. the kernel module is unconstrained on the nature of feature it can support
2. the modern eBPF probe can easily rely on CORE features to probe for kernel features and use them if available
Besides the above, the legacy eBPF probe provides support for a range of versions that is entirely contained by the
kernel module supported range. Additionally, different distro kernel flavors already back-port features required by the
modern eBPF, enabling its usage on kernel older than `5.8`.
The above considerations, together with the evidence of its little usage, make the legacy eBPF probe a good candidate
for deprecation.
### gVisor libscap engine deprecation
gVisor libscap engine implements a system call event source by leveraging events coming from gVisor itself through gRPC.
There is evidence that this engine is little used. Moreover, gVisor doesn't provide all information required to build
all supported event types, indeed resulting in a system call source not completely equivalent to the ones provided by
drivers. Finally, it requires `falcosecurity/libs` being dependent on protobuf, this latter introducing a non-negligible
build time overhead and maintainability burden.
Deprecating it would allow to streamline system call event sources alignment, maintainability, and reduce build time for
both `falcosecurity/falco` and `falcosecurity/libs`.
### gRPC output deprecation
The gRPC output provides a mechanism through which a gRPC client can subscribe to the Falco alerts stream. This output
leverages a gRPC server embedded into Falco.
As for the legacy eBPF probe and the gVisor libscap engine, there is evidence that this output is little used. Also,
similarly to the gVisor libscap engine, this requires Falco being dependent on the protobuf, and additionally, on the
entire C++ gRPC framework. Finally, the little amount of data that is sent through the gRPC stream, and the
communication model (only involving a one-way communication from the server to the client) doesn't justify the need of
using gRPC.
Deprecating it would allow to reduce the build system, streamline maintainability, and reduce build time for
`falcosecurity/falco`.
## Goals
* Deprecate the legacy eBPF probe, the gVisor libscap engine, and the gRPC output
* Detail a plan to follow during the deprecation period, before completely remove any of the aforementioned components
## Non-goals
* Implement a gVisor source plugin as gVisor libscap engine alternative
* Implement the gRPC output as Falco Sidekick output
* Detail a plan to follow after taking the decision to completely remove any of the aforementioned components
## The plan
This section aims to detail the plan to follow contextually and after the deprecation mark, but before taking any
definitive removal decision about the legacy eBPF probe, the gVisor libscap engine, and the gRPC output (collectively
referred to hereinafter as "the components" or simply "components").
The deprecation of these components introduces user-facing changes that must be addressed as prescribed by the current
deprecation policy for "non-backward compatible user-facing changes" (see
[20231220-features-adoption-and-deprecation.md#deprecation-policy](./20231220-features-adoption-and-deprecation.md#deprecation-policy)).
All components are stable, and considering that deprecations will first be enforced in the stable Falco version `0.43.0`
(ante `1.0.0`), the minimum deprecation period length is 1 release: this means that components cannot be removed before
Falco `0.44.0`.
At high level, the action plan is to inform users, during the deprecation period, about the deprecation: this is
achieved by emitting a deprecation notice if the user try to leverage any of the feature exposed by any component, and
by updating the website in any of the relevant areas.
During the deprecation period, but before taking decision to remove the components, projects belonging to the
`falcosecurity` organization will be updated to not use/rely on any of these. Specifically:
- on `falcosecurity/libs`, any CI job building and testing the legacy eBPF probe will be removed
- on `falcosecurity/kernel-testing`, playbooks will not build and test the legacy eBPF probe anymore
- on `falcosecurity/event-generator`, the internal gRPC alert retriever will be replaced with an HTTP alert retriever,
leveraging the existing HTTP output.
## The non-plan
This proposal does not address any design or implementation aspect of the gVisor engine and gRPC output replacement, nor
formalizes in any way the conditions under which a replacement should be delivered. Upcoming evidences of non-negligible
use of the gVisor engine and the gRPC output may be addressed by providing a separate source plugin in case of gVisor,
and a Falco Sidekick output as a replacement of the gRPC output, but these latter possibilities should be intended as
suggestions, and will not constraint in any way any related future choice.
Finally, this proposal doesn't detail any aspect of the eventual removal.

7
scripts/CMakeLists.txt
View File

@@ -24,6 +24,10 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
"${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY
)
configure_file(
"${PROJECT_SOURCE_DIR}/scripts/systemd/falco-bpf.service"
"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY
)
configure_file(
"${PROJECT_SOURCE_DIR}/scripts/systemd/falco-modern-bpf.service"
"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY
@@ -64,6 +68,9 @@ if(NOT WIN32
if(BUILD_DRIVER)
list(APPEND FALCOCTL_DRIVER_TYPES_LIST "kmod")
endif()
if(BUILD_BPF)
list(APPEND FALCOCTL_DRIVER_TYPES_LIST "ebpf")
endif()
string(REPLACE ";" ", " FALCOCTL_DRIVER_TYPES "${FALCOCTL_DRIVER_TYPES_LIST}")
configure_file(
${CMAKE_CURRENT_SOURCE_DIR}/falcoctl/falcoctl.yaml.in

20
scripts/debian/postinst.in
View File

@@ -25,10 +25,12 @@ CHOICE=
# Every time we call this script we want to stat from a clean state.
echo "[POST-INSTALL] Disable all possible 'falco' services:"
systemctl --system stop 'falco-kmod.service' || true
systemctl --system stop 'falco-bpf.service' || true
systemctl --system stop 'falco-modern-bpf.service' || true
systemctl --system stop 'falco-custom.service' || true
systemctl --system stop 'falcoctl-artifact-follow.service' || true
systemctl --system disable 'falco-kmod.service' || true
systemctl --system disable 'falco-bpf.service' || true
systemctl --system disable 'falco-modern-bpf.service' || true
systemctl --system disable 'falco-custom.service' || true
systemctl --system disable 'falcoctl-artifact-follow.service' || true
@@ -45,9 +47,12 @@ if [ "$1" = "configure" ]; then
kmod)
CHOICE=3
;;
modern_ebpf)
ebpf)
CHOICE=4
;;
modern_ebpf)
CHOICE=5
;;
esac
if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
# If dialog is installed, create a dialog to let users choose the correct driver for them
@@ -55,7 +60,8 @@ if [ "$1" = "configure" ]; then
1 "Manual configuration (no unit is started)" \
2 "Automatic selection" \
3 "Kmod" \
4 "Modern eBPF" \
4 "eBPF" \
5 "Modern eBPF" \
2>&1 >/dev/tty)
fi
# "auto" case is not managed here since it is already the default, so no CHOICE=2
@@ -67,6 +73,9 @@ if [ "$1" = "configure" ]; then
chosen_driver="kmod"
;;
4)
chosen_driver="ebpf"
;;
5)
chosen_driver="modern_ebpf"
;;
esac
@@ -74,7 +83,7 @@ if [ "$1" = "configure" ]; then
echo "[POST-INSTALL] Configure falcoctl '$chosen_driver' driver type:"
if [ "$chosen_driver" = "auto" ]; then
# Configure falcoctl to enable all drivers
falcoctl driver config --type "modern_ebpf" --type "kmod"
falcoctl driver config --type "modern_ebpf" --type "kmod" --type "ebpf"
# Load the actually automatic chosen driver
chosen_driver=$(falcoctl driver printenv | grep DRIVER= | cut -d'"' -f2)
else
@@ -115,6 +124,11 @@ case "$chosen_driver" in
falcoctl driver install --download=false
chosen_unit="kmod"
;;
"ebpf")
echo "[POST-INSTALL] Call 'falcoctl driver install for ebpf':"
falcoctl driver install
chosen_unit="bpf"
;;
"modern_ebpf")
chosen_unit="modern-bpf"
;;

1
scripts/debian/postrm.in
View File

@@ -25,6 +25,7 @@ set -e
if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
echo "[POST-REMOVE] Disable all Falco services:"
systemctl --system disable 'falco-kmod.service' || true
systemctl --system disable 'falco-bpf.service' || true
systemctl --system disable 'falco-modern-bpf.service' || true
systemctl --system disable 'falco-custom.service' || true
systemctl --system disable 'falcoctl-artifact-follow.service' || true

1
scripts/debian/prerm.in
View File

@@ -26,6 +26,7 @@ case "$1" in
remove|upgrade|deconfigure)
echo "[PRE-REMOVE] Stop all Falco services:"
systemctl --system stop 'falco-kmod.service' || true
systemctl --system stop 'falco-bpf.service' || true
systemctl --system stop 'falco-modern-bpf.service' || true
systemctl --system stop 'falco-custom.service' || true
systemctl --system stop 'falcoctl-artifact-follow.service' || true

4
scripts/falcoctl/falcoctl.yaml.in
View File

@@ -7,10 +7,10 @@ driver:
hostroot: "/"
artifact:
follow:
every: 168h0m0s
every: 6h0m0s
falcoVersions: http://localhost:8765/versions
refs:
- falco-rules:5
- falco-rules:3
indexes:
- name: falcosecurity
url: https://falcosecurity.github.io/falcoctl/index.yaml

26
scripts/ignored-calls.sh Executable file
View File

@@ -0,0 +1,26 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
parentdir="$(dirname "$scriptdir")"
libsdir="${parentdir}/build/falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs"
cat "${libsdir}/userspace/libscap/syscall_info_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/.*\"\(.*\)\".*/\1/' | sort > /tmp/ignored_syscall_info_table.txt
cat "${libsdir}/driver/event_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/[^\"]*\"\([^\"]*\)\".*/\1/' | sort | uniq > /tmp/ignored_driver_event_table.txt
cat /tmp/ignored_driver_event_table.txt /tmp/ignored_syscall_info_table.txt | sort | uniq | tr '\n' ', '

46
scripts/publish-rpm
View File

@@ -14,16 +14,6 @@ check_program() {
fi
}
# Sign RPM packages with embedded GPG signature using rpmsign
#
# $@: paths of RPM files to sign.
rpmsign_packages() {
echo "Signing RPM packages with rpmsign..."
rpmsign --define '_gpg_name Falcosecurity Package Signing' --resign "$@"
echo "Verifying RPM signatures..."
rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}: %|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none)}|}|\n' "$@"
}
# Updates the signature of a RPM package in the local repository
#
# $1: path of the repository.
@@ -137,8 +127,6 @@ fi
check_program createrepo
check_program gpg
check_program aws
check_program rpmsign
check_program rpm
# settings
s3_bucket_repo="s3://falco-distribution/packages/${repo}"
@@ -152,32 +140,19 @@ aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
# update signatures for all existing packages
if [ "${sign_all}" ]; then
# collect all RPM files
rpm_files=()
for file in ${tmp_repo_path}/*; do
if [ -f "$file" ] && [[ $file == *.rpm ]]; then
rpm_files+=("$file")
if [ -f "$file" ]; then # exclude directories, symlinks, etc...
if [[ ! $file == *.asc ]]; then # exclude signature files
package=$(basename -- ${file})
echo "Signing ${package}..."
sign_rpm ${tmp_repo_path} ${file}
echo "Syncing ${package}.asc to ${s3_bucket_repo}..."
aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
fi
fi
done
# sign all RPM packages with embedded GPG signature
if [ ${#rpm_files[@]} -gt 0 ]; then
rpmsign_packages "${rpm_files[@]}"
fi
# create detached signatures and upload
for file in "${rpm_files[@]}"; do
package=$(basename -- ${file})
echo "Creating detached signature for ${package}..."
sign_rpm ${tmp_repo_path} ${file}
echo "Syncing ${package} and ${package}.asc to ${s3_bucket_repo}..."
aws s3 cp ${tmp_repo_path}/${package} ${s3_bucket_repo}/${package} --acl public-read
aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
done
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/*.rpm
aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/*.asc
update_repo ${tmp_repo_path}
sign_repo ${tmp_repo_path}
fi
@@ -186,9 +161,8 @@ if [[ ${repo} == "rpm-dev" ]]; then
reduce_dir_size ${tmp_repo_path} 10 rpm
fi
# sign and add new packages to the repo
# update the repo by adding new packages
if ! [ ${#files[@]} -eq 0 ]; then
rpmsign_packages "${files[@]}"
for file in "${files[@]}"; do
echo "Adding ${file}..."
add_rpm ${tmp_repo_path} ${file}

20
scripts/rpm/postinstall.in
View File

@@ -24,10 +24,12 @@ CHOICE=
# Every time we call this script we want to stat from a clean state.
echo "[POST-INSTALL] Disable all possible enabled 'falco' service:"
systemctl --system stop 'falco-kmod.service' || true
systemctl --system stop 'falco-bpf.service' || true
systemctl --system stop 'falco-modern-bpf.service' || true
systemctl --system stop 'falco-custom.service' || true
systemctl --system stop 'falcoctl-artifact-follow.service' || true
systemctl --system disable 'falco-kmod.service' || true
systemctl --system disable 'falco-bpf.service' || true
systemctl --system disable 'falco-modern-bpf.service' || true
systemctl --system disable 'falco-custom.service' || true
systemctl --system disable 'falcoctl-artifact-follow.service' || true
@@ -44,9 +46,12 @@ if [ $1 -ge 1 ]; then
kmod)
CHOICE=3
;;
modern_ebpf)
ebpf)
CHOICE=4
;;
modern_ebpf)
CHOICE=5
;;
esac
if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
# If dialog is installed, create a dialog to let users choose the correct driver for them
@@ -54,7 +59,8 @@ if [ $1 -ge 1 ]; then
1 "Manual configuration (no unit is started)" \
2 "Automatic selection" \
3 "Kmod" \
4 "Modern eBPF" \
4 "eBPF" \
5 "Modern eBPF" \
2>&1 >/dev/tty)
fi
# "auto" case is not managed here since it is already the default, so no CHOICE=2
@@ -66,6 +72,9 @@ if [ $1 -ge 1 ]; then
chosen_driver="kmod"
;;
4)
chosen_driver="ebpf"
;;
5)
chosen_driver="modern_ebpf"
;;
esac
@@ -73,7 +82,7 @@ if [ $1 -ge 1 ]; then
echo "[POST-INSTALL] Configure falcoctl '$chosen_driver' driver type:"
if [ "$chosen_driver" = "auto" ]; then
# Configure falcoctl to enable all drivers
falcoctl driver config --type "modern_ebpf" --type "kmod"
falcoctl driver config --type "modern_ebpf" --type "kmod" --type "ebpf"
# Load the actually automatic chosen driver
chosen_driver=$(falcoctl driver printenv | grep DRIVER= | cut -d'"' -f2)
else
@@ -114,6 +123,11 @@ case "$chosen_driver" in
falcoctl driver install --download=false
chosen_unit="kmod"
;;
"ebpf")
echo "[POST-INSTALL] Call 'falcoctl driver install for ebpf':"
falcoctl driver install
chosen_unit="bpf"
;;
"modern_ebpf")
chosen_unit="modern-bpf"
;;

1
scripts/rpm/postuninstall.in
View File

@@ -21,6 +21,7 @@ set -e
if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
echo "[POST-REMOVE] Disable all Falco services:"
systemctl --system disable 'falco-kmod.service'|| true
systemctl --system disable 'falco-bpf.service' || true
systemctl --system disable 'falco-modern-bpf.service' || true
systemctl --system disable 'falco-custom.service' || true
systemctl --system disable 'falcoctl-artifact-follow.service' || true

2
scripts/rpm/preuninstall.in
View File

@@ -20,6 +20,7 @@ set -e
# Currently running falco service uses the driver, so stop it before driver cleanup
echo "[PRE-REMOVE] Stop all Falco services:"
systemctl --system stop 'falco-kmod.service' || true
systemctl --system stop 'falco-bpf.service' || true
systemctl --system stop 'falco-modern-bpf.service' || true
systemctl --system stop 'falco-custom.service' || true
systemctl --system stop 'falcoctl-artifact-follow.service' || true
@@ -35,6 +36,7 @@ falcoctl driver cleanup
# if preuninstall:
# `systemd-update-helper remove-system-units <service>`
%systemd_preun 'falco-kmod.service'
%systemd_preun 'falco-bpf.service'
%systemd_preun 'falco-modern-bpf.service'
%systemd_preun 'falco-custom.service'
%systemd_preun 'falcoctl-artifact-follow.service'

27
scripts/systemd/falco-bpf.service Normal file
View File

@@ -0,0 +1,27 @@
[Unit]
Description=Falco: Container Native Runtime Security with ebpf
Documentation=https://falco.org/docs/
Before=falcoctl-artifact-follow.service
Wants=falcoctl-artifact-follow.service
[Service]
Type=simple
User=root
ExecStart=/usr/bin/falco -o engine.kind=ebpf
ExecReload=kill -1 $MAINPID
UMask=0077
TimeoutSec=30
RestartSec=15s
Restart=on-failure
PrivateTmp=true
NoNewPrivileges=yes
ProtectHome=read-only
ProtectSystem=full
ProtectKernelTunables=true
RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET
StandardOutput=null
[Install]
WantedBy=multi-user.target
Alias=falco.service

2
scripts/systemd/falcoctl-artifact-follow.service
View File

@@ -1,7 +1,7 @@
[Unit]
Description=Falcoctl Artifact Follow: automatic artifacts update service
Documentation=https://falco.org/docs/
PartOf=falco-kmod.service falco-modern-bpf.service falco-custom.service
PartOf=falco-bpf.service falco-kmod.service falco-modern-bpf.service falco-custom.service
[Service]
Type=simple

2
submodules/falcosecurity-rules

Submodule submodules/falcosecurity-rules updated: e63b765e23...b6ad373719

4
unit_tests/CMakeLists.txt
View File

@@ -25,7 +25,8 @@ FetchContent_Declare(
FetchContent_MakeAvailable(googletest)
# Create a libscap_test_var.h file with some variables used by our tests (e.g: the kmod path).
# Create a libscap_test_var.h file with some variables used by our tests for example the kmod path
# or the bpf path.
configure_file(
${CMAKE_CURRENT_SOURCE_DIR}/falco_test_var.h.in ${CMAKE_CURRENT_BINARY_DIR}/falco_test_var.h
)
@@ -44,7 +45,6 @@ add_executable(
engine/test_plugin_requirements.cpp
engine/test_rule_loader.cpp
engine/test_rulesets.cpp
falco/test_capture.cpp
falco/test_configuration.cpp
falco/test_configuration_rule_selection.cpp
falco/test_configuration_config_files.cpp

2
unit_tests/README.md
View File

@@ -7,7 +7,7 @@ Under `unit_tests/engine` and `unit_tests/falco` directories, we have different
## Build and Run
```bash
cmake -DMINIMAL_BUILD=On -DBUILD_DRIVER=Off -DBUILD_FALCO_UNIT_TESTS=On ..
cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DBUILD_FALCO_UNIT_TESTS=On ..
make falco_unit_tests
sudo ./unit_tests/falco_unit_tests
```

36
unit_tests/engine/test_alt_rule_loader.cpp
View File

@@ -15,7 +15,6 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
#include <memory>
#include <string>
#include <gtest/gtest.h>
@@ -42,10 +41,7 @@ struct test_object_info {
struct test_compile_output : public rule_loader::compile_output {
test_compile_output() = default;
virtual ~test_compile_output() = default;
virtual std::unique_ptr<compile_output> clone() const override {
return std::make_unique<test_compile_output>(*this);
}
~test_compile_output() = default;
std::set<std::string> defined_test_properties;
};
@@ -324,33 +320,3 @@ TEST(engine_loader_alt_loader, falco_engine_alternate_loader) {
EXPECT_TRUE(defined_properties.find("other-value") != defined_properties.end());
EXPECT_TRUE(defined_properties.find("not-exists-value") == defined_properties.end());
};
TEST(engine_loader_alt_loader, clone_compile_output) {
sinsp inspector;
sinsp_filter_check_list filterchecks;
indexed_vector<falco_source> sources;
std::shared_ptr<rule_loader::configuration> cfg =
create_configuration(inspector, filterchecks, sources);
test_reader reader;
test_collector collector;
test_compiler compiler;
EXPECT_TRUE(reader.read(*cfg, collector));
std::unique_ptr<rule_loader::compile_output> compile_output = compiler.new_compile_output();
compiler.compile(*cfg, collector, *compile_output);
const test_compile_output& original_ref =
dynamic_cast<const test_compile_output&>(*(compile_output.get()));
std::unique_ptr<rule_loader::compile_output> copy = compile_output->clone();
const test_compile_output& copy_ref = dynamic_cast<const test_compile_output&>(*(copy.get()));
EXPECT_EQ(copy_ref.lists, original_ref.lists);
EXPECT_EQ(copy_ref.macros, original_ref.macros);
EXPECT_EQ(copy_ref.rules, original_ref.rules);
EXPECT_EQ(copy_ref.defined_test_properties, original_ref.defined_test_properties);
}

37
unit_tests/engine/test_extra_output.cpp
View File

@@ -28,7 +28,7 @@ TEST_F(test_falco_engine, extra_format_all) {
priority: INFO
)END";
m_engine->add_extra_output_format("evt.type=%evt.type", "", {}, "");
m_engine->add_extra_output_format("evt.type=%evt.type", "", {}, "", false);
ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
EXPECT_EQ(get_compiled_rule_output("legit_rule"),
@@ -50,7 +50,7 @@ TEST_F(test_falco_engine, extra_format_by_rule) {
priority: INFO
)END";
m_engine->add_extra_output_format("evt.type=%evt.type", "", {}, "legit_rule");
m_engine->add_extra_output_format("evt.type=%evt.type", "", {}, "legit_rule", false);
ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
EXPECT_EQ(get_compiled_rule_output("legit_rule"), "out 1 evt.type=%evt.type");
@@ -81,9 +81,9 @@ TEST_F(test_falco_engine, extra_format_by_tag_rule) {
tags: [tag1, tag2]
)END";
m_engine->add_extra_output_format("extra 1", "", {"tag1"}, "");
m_engine->add_extra_output_format("extra 2", "", {}, "another_rule");
m_engine->add_extra_output_format("extra 3", "", {"tag1", "tag2"}, "");
m_engine->add_extra_output_format("extra 1", "", {"tag1"}, "", false);
m_engine->add_extra_output_format("extra 2", "", {}, "another_rule", false);
m_engine->add_extra_output_format("extra 3", "", {"tag1", "tag2"}, "", false);
ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
@@ -92,7 +92,32 @@ TEST_F(test_falco_engine, extra_format_by_tag_rule) {
EXPECT_EQ(get_compiled_rule_output("a_third_rule"), "out 3 extra 1 extra 3");
}
TEST_F(test_falco_engine, extra_format_empty_container_info) {
TEST_F(test_falco_engine, extra_format_replace_container_info) {
std::string rules_content = R"END(
- rule: legit_rule
desc: legit rule description
condition: evt.type=open
output: out 1 (%container.info)
priority: INFO
tags: [tag1]
- rule: another_rule
desc: legit rule description
condition: evt.type=open
output: out 2
priority: INFO
tags: [tag1]
)END";
m_engine->add_extra_output_format("extra 1", "", {}, "", true);
ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
EXPECT_EQ(get_compiled_rule_output("legit_rule"), "out 1 (extra 1)");
EXPECT_EQ(get_compiled_rule_output("another_rule"), "out 2 extra 1");
}
TEST_F(test_falco_engine, extra_format_do_not_replace_container_info) {
std::string rules_content = R"END(
- rule: legit_rule
desc: legit rule description

12
unit_tests/engine/test_filter_warning_resolver.cpp
View File

@@ -15,16 +15,14 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
#include <string>
#include <gtest/gtest.h>
#include <engine/filter_warning_resolver.h>
static bool warns(const std::string& condition) {
std::set<falco::load_result::warning_code> w;
auto ast = libsinsp::filter::parser(condition).parse();
rule_loader::context ctx("test");
rule_loader::result res("test");
filter_warning_resolver().run(ctx, res, *ast.get());
return res.has_warnings();
filter_warning_resolver().run(ast.get(), w);
return !w.empty();
}
TEST(WarningResolver, warnings_in_filtering_conditions) {
@@ -40,8 +38,4 @@ TEST(WarningResolver, warnings_in_filtering_conditions) {
ASSERT_TRUE(warns("ka.field intersects (otherval, <NA>)"));
ASSERT_TRUE(warns("ka.field pmatch (<NA>)"));
ASSERT_TRUE(warns("ka.field pmatch (otherval, <NA>)"));
ASSERT_TRUE(warns("evt.dir = <"));
ASSERT_TRUE(warns("evt.dir = >"));
ASSERT_TRUE(warns("proc.name=test and evt.dir = <"));
ASSERT_TRUE(warns("evt.dir = < and proc.name=test"));
}

138
unit_tests/engine/test_rule_loader.cpp
View File

@@ -1222,141 +1222,3 @@ TEST_F(test_falco_engine, exceptions_fields_transformer_space_quoted) {
EXPECT_EQ(get_compiled_rule_condition("test_rule"),
"(evt.type = open and not tolower(proc.name) = test)");
}
TEST_F(test_falco_engine, redefine_rule_different_source) {
auto rules_content = R"END(
- rule: LD_PRELOAD trick
desc: Some desc
condition: ka.verb = GET
output: some output
priority: INFO
source: k8s_audit
- rule: LD_PRELOAD trick
desc: Some desc
condition: and 1 = 2
output: Some output
priority: INFO
source: syscall
)END";
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
}
TEST_F(test_falco_engine, append_across_sources) {
auto rules_content = R"END(
- rule: LD_PRELOAD trick
desc: Some desc
condition: ka.verb = GET
output: some output
priority: INFO
source: k8s_audit
- rule: LD_PRELOAD trick
desc: Some desc
condition: and 1 = 2
output: Some output
priority: INFO
source: syscall
append: true
)END";
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
}
TEST_F(test_falco_engine, selective_replace_across_sources) {
auto rules_content = R"END(
- rule: LD_PRELOAD trick
desc: Some desc
condition: ka.verb = GET
output: some output
priority: INFO
source: k8s_audit
- rule: LD_PRELOAD trick
condition: 1 = 2
override:
condition: replace
source: syscall
)END";
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
}
TEST_F(test_falco_engine, empty_source_addl_rule) {
auto rules_content = R"END(
- rule: LD_PRELOAD trick
desc: Some desc
condition: evt.type=execve
output: some output
priority: INFO
source: syscall
- rule: LD_PRELOAD trick
desc: Some desc
condition: and proc.name=apache
output: Some output
priority: INFO
source:
append: true
)END";
EXPECT_TRUE(load_rules(rules_content, "rules.yaml"));
}
TEST_F(test_falco_engine, empty_string_source_addl_rule) {
auto rules_content = R"END(
- rule: LD_PRELOAD trick
desc: Some desc
condition: evt.type=execve
output: some output
priority: INFO
source: syscall
- rule: LD_PRELOAD trick
desc: Some desc
condition: and proc.name=apache
output: Some output
priority: INFO
source: ""
append: true
)END";
EXPECT_TRUE(load_rules(rules_content, "rules.yaml"));
}
TEST_F(test_falco_engine, deprecated_field_in_output) {
std::string rules_content = R"END(
- rule: test_rule_with_evt_dir_in_output
desc: test rule with evt.dir in output
condition: evt.type = close
output: user=%user.name command=%proc.cmdline file=%fd.name evt.dir=%evt.dir
priority: INFO
)END";
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
ASSERT_TRUE(has_warnings());
ASSERT_TRUE(check_warning_message(
"usage of deprecated field 'evt.dir' has been detected in the rule output"))
<< m_load_result_string;
EXPECT_EQ(num_rules_for_ruleset(), 1);
}
TEST_F(test_falco_engine, no_deprecated_field_warning_in_output) {
std::string rules_content = R"END(
- rule: test_rule_without_evt_dir
desc: test rule without evt.dir in output
condition: evt.type = close
output: user=%user.name command=%proc.cmdline file=%fd.name
priority: INFO
)END";
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
ASSERT_FALSE(check_warning_message("evt.dir")) << m_load_result_string;
EXPECT_EQ(num_rules_for_ruleset(), 1);
}

65
unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
View File

@@ -116,6 +116,7 @@ TEST_F(test_falco_engine, preconditions_postconditions) {
s1.engine = nullptr;
s1.config = std::make_shared<falco_configuration>();
s1.options.all_events = false;
auto result = falco::app::actions::configure_interesting_sets(s1);
ASSERT_FALSE(result.success);
ASSERT_NE(result.errstr, "");
@@ -198,8 +199,9 @@ TEST_F(test_falco_engine, selection_not_allevents) {
falco::app::state s2;
// run app action with fake engine and without the `-A` option
s2.engine = m_engine;
s2.config->m_base_syscalls_all = false;
s2.options.all_events = false;
ASSERT_EQ(s2.options.all_events, false);
auto result = falco::app::actions::configure_interesting_sets(s2);
ASSERT_TRUE(result.success);
ASSERT_EQ(result.errstr, "");
@@ -254,8 +256,7 @@ TEST_F(test_falco_engine, selection_allevents) {
falco::app::state s3;
// run app action with fake engine and with the `-A` option
s3.engine = m_engine;
s3.config->m_base_syscalls_all = true;
s3.options.all_events = true;
auto result = falco::app::actions::configure_interesting_sets(s3);
ASSERT_TRUE(result.success);
ASSERT_EQ(result.errstr, "");
@@ -298,8 +299,8 @@ TEST_F(test_falco_engine, selection_allevents) {
TEST_F(test_falco_engine, selection_generic_evts) {
falco::app::state s4;
// run app action with fake engine and without the `m_base_syscalls_all` option
// run app action with fake engine and without the `-A` option
s4.options.all_events = false;
auto filters = s_sample_filters;
filters.insert(s_sample_generic_filters.begin(), s_sample_generic_filters.end());
load_rules(ruleset_from_filters(filters), "dummy_ruleset.yaml");
@@ -346,7 +347,8 @@ TEST_F(test_falco_engine, selection_custom_base_set) {
load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
falco::app::state s5;
s5.config->m_base_syscalls_all = true;
// run app action with fake engine and without the `-A` option
s5.options.all_events = true;
s5.engine = m_engine;
auto default_base_set = libsinsp::events::sinsp_state_sc_set();
@@ -423,8 +425,8 @@ TEST_F(test_falco_engine, selection_custom_base_set) {
expected_sc_names.erase("accept4");
ASSERT_NAMES_EQ(selected_sc_names, expected_sc_names);
// non-empty custom base set (positive, disable all syscalls)
s5.config->m_base_syscalls_all = false;
// non-empty custom base set (positive, without -A)
s5.options.all_events = false;
s5.config->m_base_syscalls_custom_set = {"read"};
result = falco::app::actions::configure_interesting_sets(s5);
ASSERT_TRUE(result.success);
@@ -451,8 +453,8 @@ TEST_F(test_falco_engine, selection_custom_base_set_repair) {
load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
falco::app::state s6;
// run app action with fake engine and without the `all syscalls` option
s6.config->m_base_syscalls_all = false;
// run app action with fake engine and without the `-A` option
s6.options.all_events = false;
s6.engine = m_engine;
// note: here we use file syscalls (e.g. open, openat) and have a custom
@@ -492,8 +494,8 @@ TEST_F(test_falco_engine, selection_empty_custom_base_set_repair) {
load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
falco::app::state s7;
// run app action with fake engine and with the `all syscalls` option
s7.config->m_base_syscalls_all = true;
// run app action with fake engine and with the `-A` option
s7.options.all_events = true;
s7.engine = m_engine;
// simulate empty custom set but repair option set.
@@ -526,47 +528,10 @@ TEST_F(test_falco_engine, selection_empty_custom_base_set_repair) {
ASSERT_EQ(s7.selected_sc_set.size(), s7_state_set.size());
}
TEST_F(test_falco_engine, selection_base_syscalls_all) {
load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
falco::app::state s7;
s7.engine = m_engine;
// simulate empty custom set but repair option set.
s7.config->m_base_syscalls_custom_set = {};
s7.config->m_base_syscalls_repair = true;
s7.config->m_base_syscalls_all = true;
auto result = falco::app::actions::configure_interesting_sets(s7);
auto s7_rules_set = s7.engine->sc_codes_for_ruleset(s_sample_source, s_sample_ruleset);
ASSERT_TRUE(result.success);
ASSERT_EQ(result.errstr, "");
auto selected_sc_names = libsinsp::events::sc_set_to_event_names(s7.selected_sc_set);
auto expected_sc_names = strset_t({// note: expecting syscalls from mock rules and
// `sinsp_repair_state_sc_set` enforced syscalls
"connect",
"accept",
"accept4",
"umount2",
"open",
"ptrace",
"mmap",
"execve",
"procexit",
"bind",
"socket",
"clone3",
"close",
"setuid"});
ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);
auto s7_state_set = libsinsp::events::sinsp_repair_state_sc_set(s7_rules_set);
ASSERT_EQ(s7.selected_sc_set, s7_state_set);
ASSERT_EQ(s7.selected_sc_set.size(), s7_state_set.size());
}
TEST(ConfigureInterestingSets, ignored_set_expected_size) {
// unit test fence to make sure we don't have unexpected regressions
// in the ignored set, to be updated in the future
ASSERT_EQ(falco::app::ignored_sc_set().size(), 12);
ASSERT_EQ(falco::app::ignored_sc_set().size(), 14);
// we don't expect to ignore any syscall in the default base set
ASSERT_EQ(falco::app::ignored_sc_set().intersect(libsinsp::events::sinsp_state_sc_set()).size(),

15
unit_tests/falco/app/actions/test_load_config.cpp
View File

@@ -31,11 +31,19 @@ TEST(ActionLoadConfig, check_kmod_engine_config) {
EXPECT_EQ(s.config->m_kmod.m_buf_size_preset, 2);
EXPECT_FALSE(s.config->m_kmod.m_drop_failed_exit);
// Check that all other engine params are empty
EXPECT_TRUE(s.config->m_ebpf.m_probe_path.empty());
EXPECT_EQ(s.config->m_ebpf.m_buf_size_preset, 0);
EXPECT_FALSE(s.config->m_ebpf.m_drop_failed_exit);
EXPECT_EQ(s.config->m_modern_ebpf.m_cpus_for_each_buffer, 0);
EXPECT_EQ(s.config->m_modern_ebpf.m_buf_size_preset, 0);
EXPECT_FALSE(s.config->m_modern_ebpf.m_drop_failed_exit);
EXPECT_TRUE(s.config->m_replay.m_capture_file.empty());
EXPECT_TRUE(s.config->m_gvisor.m_config.empty());
EXPECT_TRUE(s.config->m_gvisor.m_root.empty());
}
TEST(ActionLoadConfig, check_modern_engine_config) {
@@ -55,7 +63,14 @@ TEST(ActionLoadConfig, check_modern_engine_config) {
EXPECT_EQ(s.config->m_kmod.m_buf_size_preset, 0);
EXPECT_FALSE(s.config->m_kmod.m_drop_failed_exit);
EXPECT_TRUE(s.config->m_ebpf.m_probe_path.empty());
EXPECT_EQ(s.config->m_ebpf.m_buf_size_preset, 0);
EXPECT_FALSE(s.config->m_ebpf.m_drop_failed_exit);
EXPECT_TRUE(s.config->m_replay.m_capture_file.empty());
EXPECT_TRUE(s.config->m_gvisor.m_config.empty());
EXPECT_TRUE(s.config->m_gvisor.m_root.empty());
}
#endif

1
unit_tests/falco/test_atomic_signal_handler.cpp
View File

@@ -24,7 +24,6 @@ limitations under the License.
#include <future>
#include <memory>
#include <vector>
#include <thread>
TEST(AtomicSignalHandler, lock_free_implementation) {
ASSERT_TRUE(falco::atomic_signal_handler().is_lock_free());

134
unit_tests/falco/test_capture.cpp
View File

@@ -1,134 +0,0 @@
// SPDX-License-Identifier: Apache-2.0
/*
Copyright (C) 2025 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#include <falco/app/actions/helpers.h>
#include <falco/configuration.h>
#include <gtest/gtest.h>
TEST(Capture, generate_scap_file_path_realistic_scenario) {
// Simulate a realistic timestamp (nanoseconds since epoch)
uint64_t timestamp = 1648178040000000000ULL; // 2022-03-25 04:14:00 CET (03:14:00 UTC) in ns,
// birth date of my son Michelangelo :)
uint64_t evt_num = 1011;
std::string prefix = "/var/log/falco/captures/security_event";
std::string result = falco::app::actions::generate_scap_file_path(prefix, timestamp, evt_num);
std::string expected =
"/var/log/falco/captures/security_event_01648178040000000000_00000000000000001011.scap";
EXPECT_EQ(result, expected);
}
TEST(Capture, generate_scap_file_path_lexicographic_ordering) {
std::string prefix = "/tmp/test";
// Generate multiple file paths with different timestamps
std::string path1 = falco::app::actions::generate_scap_file_path(prefix, 1000, 1);
std::string path2 = falco::app::actions::generate_scap_file_path(prefix, 2000, 1);
std::string path3 = falco::app::actions::generate_scap_file_path(prefix, 10000, 1);
// Verify lexicographic ordering (important for file sorting)
EXPECT_LT(path1, path2);
EXPECT_LT(path2, path3);
// Also test with same timestamp but different event numbers
std::string path4 = falco::app::actions::generate_scap_file_path(prefix, 1000, 1);
std::string path5 = falco::app::actions::generate_scap_file_path(prefix, 1000, 2);
std::string path6 = falco::app::actions::generate_scap_file_path(prefix, 1000, 100);
EXPECT_LT(path4, path5);
EXPECT_LT(path5, path6);
}
TEST(Capture, generate_scap_file_path_empty_prefix) {
std::string prefix = "";
uint64_t timestamp = 123;
uint64_t evt_num = 456;
std::string result = falco::app::actions::generate_scap_file_path(prefix, timestamp, evt_num);
std::string expected = "_00000000000000000123_00000000000000000456.scap";
EXPECT_EQ(result, expected);
}
TEST(Capture, capture_config_disabled_by_default) {
std::string config_content = R"(
plugins:
)";
falco_configuration config;
config_loaded_res res;
ASSERT_NO_THROW(res = config.init_from_content(config_content, {}));
// Capture should be disabled by default
EXPECT_FALSE(config.m_capture_enabled);
EXPECT_EQ(config.m_capture_path_prefix, "/tmp/falco");
EXPECT_EQ(config.m_capture_mode, capture_mode_t::RULES);
EXPECT_EQ(config.m_capture_default_duration_ns, 5000 * 1000000LL); // 5 seconds in ns
}
TEST(Capture, capture_config_enabled_rules_mode) {
std::string config_content = R"(
capture:
enabled: true
path_prefix: /var/log/captures/falco
mode: rules
default_duration: 10000
)";
falco_configuration config;
config_loaded_res res;
ASSERT_NO_THROW(res = config.init_from_content(config_content, {}));
EXPECT_TRUE(config.m_capture_enabled);
EXPECT_EQ(config.m_capture_path_prefix, "/var/log/captures/falco");
EXPECT_EQ(config.m_capture_mode, capture_mode_t::RULES);
EXPECT_EQ(config.m_capture_default_duration_ns, 10000 * 1000000LL); // 10 seconds in ns
}
TEST(Capture, capture_config_enabled_all_rules_mode) {
std::string config_content = R"(
capture:
enabled: true
path_prefix: /tmp/debug/falco
mode: all_rules
default_duration: 30000
)";
falco_configuration config;
config_loaded_res res;
ASSERT_NO_THROW(res = config.init_from_content(config_content, {}));
EXPECT_TRUE(config.m_capture_enabled);
EXPECT_EQ(config.m_capture_path_prefix, "/tmp/debug/falco");
EXPECT_EQ(config.m_capture_mode, capture_mode_t::ALL_RULES);
EXPECT_EQ(config.m_capture_default_duration_ns, 30000 * 1000000LL); // 30 seconds in ns
}
TEST(Capture, capture_config_invalid_mode) {
std::string config_content = R"(
capture:
enabled: true
mode: invalid_mode
)";
falco_configuration config;
config_loaded_res res;
// Should throw an exception for invalid mode
EXPECT_THROW(res = config.init_from_content(config_content, {}), std::logic_error);
}

7
unit_tests/falco/test_configs/engine_kmod_config.yaml
View File

@@ -25,9 +25,16 @@ engine:
kmod:
buf_size_preset: 2
drop_failed_exit: false
ebpf:
probe: /path/to/probe.o
buf_size_preset: 7
drop_failed_exit: true
modern_ebpf:
cpus_for_each_buffer: 2
buf_size_preset: 4
drop_failed_exit: false
replay:
capture_file: /path/to/file.scap
gvisor:
config: /path/to/gvisor_config.yaml
root: ""

7
unit_tests/falco/test_configs/engine_modern_config.yaml
View File

@@ -25,9 +25,16 @@ engine:
kmod:
buf_size_preset: 1
drop_failed_exit: true
ebpf:
probe: /path/to/probe.o
buf_size_preset: 4
drop_failed_exit: false
modern_ebpf:
cpus_for_each_buffer: 1
# missing `buf_size_preset` should be defaulted
drop_failed_exit: true
replay:
capture_file: /path/to/file.scap
gvisor:
config: /path/to/gvisor_config.yaml
root: ""

316
unit_tests/falco/test_configuration_config_files.cpp
View File

@@ -92,6 +92,7 @@ TEST(Configuration, configuration_config_files_ok) {
outfile.close();
std::vector<std::string> cmdline_config_options;
std::vector<std::string> loaded_conf_files;
falco_configuration falco_config;
config_loaded_res res;
ASSERT_NO_THROW(res = falco_config.init_from_file("main.yaml", cmdline_config_options));
@@ -244,316 +245,6 @@ TEST(Configuration, configuration_config_files_override) {
std::filesystem::remove("conf_3.yaml");
}
TEST(Configuration, configuration_config_files_sequence_strategy_default) {
const std::string main_conf_yaml = yaml_helper::configs_key +
":\n"
" - conf_2.yaml\n" // default merge-strategy: append
" - conf_3.yaml\n"
"foo: [ bar ]\n"
"base_value:\n"
" id: 1\n"
" name: foo\n";
const std::string conf_yaml_2 =
"foo: [ bar2 ]\n" // append to foo sequence
"base_value_2:\n"
" id: 2\n";
const std::string conf_yaml_3 =
"base_value:\n" // override base_value
" id: 3\n";
std::ofstream outfile("main.yaml");
outfile << main_conf_yaml;
outfile.close();
outfile.open("conf_2.yaml");
outfile << conf_yaml_2;
outfile.close();
outfile.open("conf_3.yaml");
outfile << conf_yaml_3;
outfile.close();
std::vector<std::string> cmdline_config_options;
falco_configuration falco_config;
config_loaded_res res;
ASSERT_NO_THROW(res = falco_config.init_from_file("main.yaml", cmdline_config_options));
// main + conf_2 + conf_3
ASSERT_EQ(res.size(), 3);
ASSERT_TRUE(falco_config.m_config.is_defined("foo"));
std::vector<std::string> foos;
auto expected_foos = std::vector<std::string>{"bar", "bar2"};
ASSERT_NO_THROW(falco_config.m_config.get_sequence<std::vector<std::string>>(foos, "foo"));
ASSERT_EQ(foos.size(), 2); // 2 elements in `foo` sequence because we appended to it
for(size_t i = 0; i < foos.size(); ++i) {
EXPECT_EQ(foos[i], expected_foos[i])
<< "Vectors foo's and expected_foo's differ at index " << i;
}
ASSERT_TRUE(falco_config.m_config.is_defined("base_value.id"));
ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value.id", 0), 3); // overridden!
ASSERT_FALSE(falco_config.m_config.is_defined(
"base_value.name")); // no more present since entire `base_value` block was overridden
ASSERT_TRUE(falco_config.m_config.is_defined("base_value_2.id"));
ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value_2.id", 0), 2);
ASSERT_FALSE(falco_config.m_config.is_defined("base_value_3.id")); // not defined
std::filesystem::remove("main.yaml");
std::filesystem::remove("conf_2.yaml");
std::filesystem::remove("conf_3.yaml");
}
TEST(Configuration, configuration_config_files_sequence_strategy_append) {
const std::string main_conf_yaml = yaml_helper::configs_key +
":\n"
" - path: conf_2.yaml\n"
" strategy: append\n"
" - conf_3.yaml\n"
"foo: [ bar ]\n"
"base_value:\n"
" id: 1\n"
" name: foo\n";
const std::string conf_yaml_2 =
"foo: [ bar2 ]\n" // append to foo sequence
"base_value_2:\n"
" id: 2\n";
const std::string conf_yaml_3 =
"base_value:\n" // override base_value
" id: 3\n";
std::ofstream outfile("main.yaml");
outfile << main_conf_yaml;
outfile.close();
outfile.open("conf_2.yaml");
outfile << conf_yaml_2;
outfile.close();
outfile.open("conf_3.yaml");
outfile << conf_yaml_3;
outfile.close();
std::vector<std::string> cmdline_config_options;
falco_configuration falco_config;
config_loaded_res res;
ASSERT_NO_THROW(res = falco_config.init_from_file("main.yaml", cmdline_config_options));
// main + conf_2 + conf_3
ASSERT_EQ(res.size(), 3);
ASSERT_TRUE(falco_config.m_config.is_defined("foo"));
std::vector<std::string> foos;
auto expected_foos = std::vector<std::string>{"bar", "bar2"};
ASSERT_NO_THROW(falco_config.m_config.get_sequence<std::vector<std::string>>(foos, "foo"));
ASSERT_EQ(foos.size(), 2); // 2 elements in `foo` sequence because we appended to it
for(size_t i = 0; i < foos.size(); ++i) {
EXPECT_EQ(foos[i], expected_foos[i])
<< "Vectors foo's and expected_foo's differ at index " << i;
}
ASSERT_TRUE(falco_config.m_config.is_defined("base_value.id"));
ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value.id", 0), 3); // overridden!
ASSERT_FALSE(falco_config.m_config.is_defined(
"base_value.name")); // no more present since entire `base_value` block was overridden
ASSERT_TRUE(falco_config.m_config.is_defined("base_value_2.id"));
ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value_2.id", 0), 2);
ASSERT_FALSE(falco_config.m_config.is_defined("base_value_3.id")); // not defined
std::filesystem::remove("main.yaml");
std::filesystem::remove("conf_2.yaml");
std::filesystem::remove("conf_3.yaml");
}
TEST(Configuration, configuration_config_files_sequence_strategy_override) {
const std::string main_conf_yaml = yaml_helper::configs_key +
":\n"
" - path: conf_2.yaml\n"
" strategy: override\n"
" - conf_3.yaml\n"
"foo: [ bar ]\n"
"base_value:\n"
" id: 1\n"
" name: foo\n";
const std::string conf_yaml_2 =
"foo: [ bar2 ]\n" // override foo sequence
"base_value_2:\n"
" id: 2\n";
const std::string conf_yaml_3 =
"base_value:\n" // override base_value
" id: 3\n";
std::ofstream outfile("main.yaml");
outfile << main_conf_yaml;
outfile.close();
outfile.open("conf_2.yaml");
outfile << conf_yaml_2;
outfile.close();
outfile.open("conf_3.yaml");
outfile << conf_yaml_3;
outfile.close();
std::vector<std::string> cmdline_config_options;
falco_configuration falco_config;
config_loaded_res res;
ASSERT_NO_THROW(res = falco_config.init_from_file("main.yaml", cmdline_config_options));
// main + conf_2 + conf_3
ASSERT_EQ(res.size(), 3);
ASSERT_TRUE(falco_config.m_config.is_defined("foo"));
std::vector<std::string> foos;
auto expected_foos = std::vector<std::string>{"bar2"};
ASSERT_NO_THROW(falco_config.m_config.get_sequence<std::vector<std::string>>(foos, "foo"));
ASSERT_EQ(foos.size(), 1); // one element in `foo` sequence because we overrode it
for(size_t i = 0; i < foos.size(); ++i) {
EXPECT_EQ(foos[i], expected_foos[i])
<< "Vectors foo's and expected_foo's differ at index " << i;
}
ASSERT_TRUE(falco_config.m_config.is_defined("base_value.id"));
ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value.id", 0), 3); // overridden!
ASSERT_FALSE(falco_config.m_config.is_defined(
"base_value.name")); // no more present since entire `base_value` block was overridden
ASSERT_TRUE(falco_config.m_config.is_defined("base_value_2.id"));
ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value_2.id", 0), 2);
ASSERT_FALSE(falco_config.m_config.is_defined("base_value_3.id")); // not defined
std::filesystem::remove("main.yaml");
std::filesystem::remove("conf_2.yaml");
std::filesystem::remove("conf_3.yaml");
}
TEST(Configuration, configuration_config_files_sequence_strategy_addonly) {
/* Test that included config files are able to override configs from main file */
const std::string main_conf_yaml = yaml_helper::configs_key +
":\n"
" - path: conf_2.yaml\n"
" strategy: add-only\n"
" - conf_3.yaml\n"
"foo: [ bar ]\n"
"base_value:\n"
" id: 1\n"
" name: foo\n";
const std::string conf_yaml_2 =
"foo: [ bar2 ]\n" // ignored: add-only strategy
"base_value_2:\n"
" id: 2\n";
const std::string conf_yaml_3 =
"base_value:\n" // override base_value
" id: 3\n";
std::ofstream outfile("main.yaml");
outfile << main_conf_yaml;
outfile.close();
outfile.open("conf_2.yaml");
outfile << conf_yaml_2;
outfile.close();
outfile.open("conf_3.yaml");
outfile << conf_yaml_3;
outfile.close();
std::vector<std::string> cmdline_config_options;
falco_configuration falco_config;
config_loaded_res res;
ASSERT_NO_THROW(res = falco_config.init_from_file("main.yaml", cmdline_config_options));
// main + conf_2 + conf_3
ASSERT_EQ(res.size(), 3);
ASSERT_TRUE(falco_config.m_config.is_defined("foo"));
std::vector<std::string> foos;
auto expected_foos =
std::vector<std::string>{"bar"}; // bar2 is ignored because of merge-strategy: add-only
ASSERT_NO_THROW(falco_config.m_config.get_sequence<std::vector<std::string>>(foos, "foo"));
ASSERT_EQ(foos.size(), 1); // one element in `foo` sequence because we overrode it
for(size_t i = 0; i < foos.size(); ++i) {
EXPECT_EQ(foos[i], expected_foos[i])
<< "Vectors foo's and expected_foo's differ at index " << i;
}
ASSERT_TRUE(falco_config.m_config.is_defined("base_value.id"));
ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value.id", 0), 3); // overridden!
ASSERT_FALSE(falco_config.m_config.is_defined(
"base_value.name")); // no more present since entire `base_value` block was overridden
ASSERT_TRUE(falco_config.m_config.is_defined("base_value_2.id"));
ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value_2.id", 0), 2);
ASSERT_FALSE(falco_config.m_config.is_defined("base_value_3.id")); // not defined
std::filesystem::remove("main.yaml");
std::filesystem::remove("conf_2.yaml");
std::filesystem::remove("conf_3.yaml");
}
TEST(Configuration, configuration_config_files_sequence_wrong_strategy) {
const std::string main_conf_yaml = yaml_helper::configs_key +
":\n"
" - path: conf_2.yaml\n"
" strategy: wrong\n"
" - conf_3.yaml\n"
"foo: [ bar ]\n"
"base_value:\n"
" id: 1\n"
" name: foo\n";
const std::string conf_yaml_2 =
"foo: [ bar2 ]\n" // append to foo sequence
"base_value_2:\n"
" id: 2\n";
const std::string conf_yaml_3 =
"base_value:\n" // override base_value
" id: 3\n";
std::ofstream outfile("main.yaml");
outfile << main_conf_yaml;
outfile.close();
outfile.open("conf_2.yaml");
outfile << conf_yaml_2;
outfile.close();
outfile.open("conf_3.yaml");
outfile << conf_yaml_3;
outfile.close();
std::vector<std::string> cmdline_config_options;
falco_configuration falco_config;
config_loaded_res res;
ASSERT_NO_THROW(res = falco_config.init_from_file("main.yaml", cmdline_config_options));
// main
ASSERT_EQ(res.size(), 3);
auto validation = res["main.yaml"];
// Since we are using a wrong strategy, the validation should fail
// but the enforced strategy should be "append"
ASSERT_NE(validation, yaml_helper::validation_ok);
ASSERT_TRUE(falco_config.m_config.is_defined("foo"));
std::vector<std::string> foos;
auto expected_foos = std::vector<std::string>{"bar", "bar2"};
ASSERT_NO_THROW(falco_config.m_config.get_sequence<std::vector<std::string>>(foos, "foo"));
ASSERT_EQ(foos.size(), 2); // 2 elements in `foo` sequence because we appended to it
for(size_t i = 0; i < foos.size(); ++i) {
EXPECT_EQ(foos[i], expected_foos[i])
<< "Vectors foo's and expected_foo's differ at index " << i;
}
ASSERT_TRUE(falco_config.m_config.is_defined("base_value.id"));
ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value.id", 0), 3); // overridden!
ASSERT_FALSE(falco_config.m_config.is_defined(
"base_value.name")); // no more present since entire `base_value` block was overridden
ASSERT_TRUE(falco_config.m_config.is_defined("base_value_2.id"));
ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value_2.id", 0), 2);
ASSERT_FALSE(falco_config.m_config.is_defined("base_value_3.id")); // not defined
std::filesystem::remove("main.yaml");
std::filesystem::remove("conf_2.yaml");
std::filesystem::remove("conf_3.yaml");
}
TEST(Configuration, configuration_config_files_unexistent) {
/* Test that including an unexistent file just skips it */
const std::string main_conf_yaml = yaml_helper::configs_key +
@@ -775,9 +466,6 @@ TEST(Configuration, configuration_config_files_cmdline) {
std::vector<std::string> cmdline_config_options;
cmdline_config_options.push_back((yaml_helper::configs_key + "=conf_2.yaml"));
// Override foo2 value from cli
cmdline_config_options.push_back(("foo2=bar22"));
falco_configuration falco_config;
config_loaded_res res;
ASSERT_NO_THROW(res = falco_config.init_from_file("main.yaml", cmdline_config_options));
@@ -792,7 +480,7 @@ TEST(Configuration, configuration_config_files_cmdline) {
ASSERT_TRUE(falco_config.m_config.is_defined("base_value.name"));
ASSERT_EQ(falco_config.m_config.get_scalar<std::string>("base_value.name", ""), "foo");
ASSERT_TRUE(falco_config.m_config.is_defined("foo2"));
ASSERT_EQ(falco_config.m_config.get_scalar<std::string>("foo2", ""), "bar22");
ASSERT_EQ(falco_config.m_config.get_scalar<std::string>("foo2", ""), "bar2");
ASSERT_TRUE(falco_config.m_config.is_defined("base_value_2.id"));
ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value_2.id", 0), 2);

3
unit_tests/test_falco_engine.cpp
View File

@@ -1,9 +1,10 @@
#include "test_falco_engine.h"
test_falco_engine::test_falco_engine(): m_engine(std::make_shared<falco_engine>()) {
test_falco_engine::test_falco_engine() {
// create a falco engine ready to load the ruleset
m_filter_factory = std::make_shared<sinsp_filter_factory>(&m_inspector, m_filterlist);
m_formatter_factory = std::make_shared<sinsp_evt_formatter_factory>(&m_inspector, m_filterlist);
m_engine = std::make_shared<falco_engine>();
m_engine->add_source(m_sample_source, m_filter_factory, m_formatter_factory);
}

10
userspace/engine/CMakeLists.txt
View File

@@ -36,14 +36,6 @@ if(EMSCRIPTEN)
target_compile_options(falco_engine PRIVATE "-sDISABLE_EXCEPTION_CATCHING=0")
endif()
set(ENGINE_LIBRARIES sinsp nlohmann_json::nlohmann_json yaml-cpp)
if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
# Used by falco_utils.cpp
add_dependencies(falco_engine openssl)
list(APPEND ENGINE_LIBRARIES "${OPENSSL_LIBRARIES}")
endif()
target_include_directories(falco_engine PUBLIC ${CMAKE_CURRENT_SOURCE_DIR} ${TBB_INCLUDE_DIR})
target_link_libraries(falco_engine PUBLIC ${ENGINE_LIBRARIES})
target_link_libraries(falco_engine PUBLIC sinsp nlohmann_json::nlohmann_json yaml-cpp)

4
userspace/engine/evttype_index_ruleset.cpp
View File

@@ -56,7 +56,7 @@ bool evttype_index_ruleset::run_wrappers(sinsp_evt *evt,
filter_wrapper_list &wrappers,
uint16_t ruleset_id,
falco_rule &match) {
for(const auto &wrap : wrappers) {
for(auto &wrap : wrappers) {
if(wrap->m_filter->run(evt)) {
match = wrap->m_rule;
return true;
@@ -72,7 +72,7 @@ bool evttype_index_ruleset::run_wrappers(sinsp_evt *evt,
std::vector<falco_rule> &matches) {
bool match_found = false;
for(const auto &wrap : wrappers) {
for(auto &wrap : wrappers) {
if(wrap->m_filter->run(evt)) {
matches.push_back(wrap->m_rule);
match_found = true;

2
userspace/engine/evttype_index_ruleset.h
View File

@@ -43,7 +43,7 @@ struct evttype_index_wrapper {
class evttype_index_ruleset : public indexable_ruleset<evttype_index_wrapper> {
public:
explicit evttype_index_ruleset(std::shared_ptr<sinsp_filter_factory> factory);
virtual ~evttype_index_ruleset() override;
virtual ~evttype_index_ruleset();
// From filter_ruleset
void add(const falco_rule &rule,

2
userspace/engine/falco_common.h
View File

@@ -29,8 +29,6 @@ limitations under the License.
#define DEFAULT_OUTPUTS_QUEUE_CAPACITY_UNBOUNDED_MAX_LONG_VALUE std::ptrdiff_t(~size_t(0) / 2)
#define DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE 262144
#define DEFAULT_FALCO_LIBS_THREAD_TABLE_AUTO_PURGING_INTERVAL_S (5 * 60) // 5 minutes.
#define DEFAULT_FALCO_LIBS_THREAD_TABLE_AUTO_PURGING_THREAD_TIMEOUT_S (5 * 60) // 5 minutes.
//
// Most falco_* classes can throw exceptions. Unless directly related

22
userspace/engine/falco_engine.cpp
View File

@@ -1,6 +1,6 @@
// SPDX-License-Identifier: Apache-2.0
/*
Copyright (C) 2025 The Falco Authors.
Copyright (C) 2023 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -413,8 +413,6 @@ std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_ev
rule_result.source = rule.source;
rule_result.format = rule.output;
rule_result.priority_num = rule.priority;
rule_result.capture = rule.capture;
rule_result.capture_duration_ns = uint64_t(rule.capture_duration) * 1000000LL;
rule_result.tags = rule.tags;
rule_result.exception_fields = rule.exception_fields;
rule_result.extra_output_fields = rule.extra_output_fields;
@@ -570,8 +568,6 @@ void falco_engine::get_json_details(
rule_info["description"] = r.description;
rule_info["enabled"] = info.enabled;
rule_info["source"] = r.source;
rule_info["capture"] = r.capture;
rule_info["capture_duration"] = r.capture_duration;
rule_info["tags"] = sequence_to_json_array(info.tags);
out["info"] = std::move(rule_info);
@@ -895,6 +891,17 @@ std::shared_ptr<filter_ruleset> falco_engine::ruleset_for_source(std::size_t sou
return source->ruleset;
}
void falco_engine::read_file(const std::string &filename, std::string &contents) {
std::ifstream is;
is.open(filename);
if(!is.is_open()) {
throw falco_exception("Could not open " + filename + " for reading");
}
contents.assign(std::istreambuf_iterator<char>(is), std::istreambuf_iterator<char>());
}
static bool check_plugin_requirement_alternatives(
const std::vector<falco_engine::plugin_version_requirement> &plugins,
const rule_loader::plugin_version_info::requirement_alternatives &alternatives,
@@ -979,8 +986,9 @@ void falco_engine::set_sampling_multiplier(double sampling_multiplier) {
void falco_engine::add_extra_output_format(const std::string &format,
const std::string &source,
const std::set<std::string> &tags,
const std::string &rule) {
m_extra_output_format.push_back({format, source, tags, rule});
const std::string &rule,
bool replace_container_info) {
m_extra_output_format.push_back({format, source, tags, rule, replace_container_info});
}
void falco_engine::add_extra_output_formatted_field(const std::string &key,

17
userspace/engine/falco_engine.h
View File

@@ -199,12 +199,14 @@ public:
void add_extra_output_format(const std::string &format,
const std::string &source,
const std::set<std::string> &tags,
const std::string &rule);
const std::string &rule,
bool replace_container_info);
// You can optionally add fields that will only show up in the object output (e.g. json)
// alongside other output_fields and not in the text message output. You can add two types of
// fields: formatted which will act like an additional output format that appears in the output
// field
// You can optionally add fields that will only show up in the object
// output (e.g. json, gRPC) alongside other output_fields
// and not in the text message output.
// You can add two types of fields: formatted which will act like
// an additional output format that appears in the output field
void add_extra_output_formatted_field(const std::string &key,
const std::string &format,
const std::string &source,
@@ -227,8 +229,6 @@ public:
std::set<std::string> exception_fields;
std::set<std::string> tags;
extra_output_field_t extra_output_fields;
bool capture;
uint64_t capture_duration_ns;
};
//
@@ -379,6 +379,9 @@ private:
filter_ruleset::engine_state_funcs m_engine_state;
// Throws falco_exception if the file can not be read
void read_file(const std::string &filename, std::string &contents);
indexed_vector<falco_source> m_sources;
inline const falco_source *find_source(std::size_t index) {

6
userspace/engine/falco_engine_version.h
View File

@@ -1,6 +1,6 @@
// SPDX-License-Identifier: Apache-2.0
/*
Copyright (C) 2025 The Falco Authors.
Copyright (C) 2023 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -20,7 +20,7 @@ limitations under the License.
// The version of this Falco engine
#define FALCO_ENGINE_VERSION_MAJOR 0
#define FALCO_ENGINE_VERSION_MINOR 60
#define FALCO_ENGINE_VERSION_MINOR 43
#define FALCO_ENGINE_VERSION_PATCH 0
#define FALCO_ENGINE_VERSION \
@@ -36,4 +36,4 @@ limitations under the License.
// It represents the fields supported by this version of Falco,
// the event types, and the underlying driverevent schema. It's used to
// detetect changes in engine version in our CI jobs.
#define FALCO_ENGINE_CHECKSUM "17c1ac99576c032a58895a10f7091cf777008a1059b7f1bff3c78a6451b17fdf"
#define FALCO_ENGINE_CHECKSUM "8a7f383c1e7682c484096bb6a5cb68c29b818acbe65fa2854acbcc98277fd7e0"

72
userspace/engine/falco_load_result.cpp
View File

@@ -75,14 +75,8 @@ static const std::string warning_codes[] = {"LOAD_UNKNOWN_SOURCE",
"LOAD_INVALID_LIST_NAME",
"LOAD_COMPILE_CONDITION"};
// Compile-time check to ensure warning_codes array has the correct size
static_assert(std::size(warning_codes) ==
static_cast<int>(falco::load_result::warning_code::LOAD_COMPILE_CONDITION) +
1,
"warning_codes array size must match the last warning_code enum value + 1");
const std::string& falco::load_result::warning_code_str(warning_code wc) {
return warning_codes[static_cast<int>(wc)];
return warning_codes[wc];
}
static const std::string warning_strings[] = {"Unknown event source",
@@ -100,14 +94,8 @@ static const std::string warning_strings[] = {"Unknown event source",
"Invalid list name",
"Warning in rule condition"};
// Compile-time check to ensure warning_strings array has the correct size
static_assert(std::size(warning_strings) ==
static_cast<int>(falco::load_result::warning_code::LOAD_COMPILE_CONDITION) +
1,
"warning_strings array size must match the last warning_code enum value + 1");
const std::string& falco::load_result::warning_str(warning_code wc) {
return warning_strings[static_cast<int>(wc)];
return warning_strings[wc];
}
static const std::string warning_descs[] = {
@@ -133,60 +121,6 @@ static const std::string warning_descs[] = {
"A list is defined with an invalid name",
"A rule condition or output have been parsed with a warning"};
// Compile-time check to ensure warning_descs array has the correct size
static_assert(std::size(warning_descs) ==
static_cast<int>(falco::load_result::warning_code::LOAD_COMPILE_CONDITION) +
1,
"warning_descs array size must match the last warning_code enum value + 1");
const std::string& falco::load_result::warning_desc(warning_code wc) {
return warning_descs[static_cast<int>(wc)];
}
static const std::string deprecated_fields[] = {"evt.dir",
"evt.latency",
"evt.latency.s",
"evt.latency.ns",
"evt.latency.human",
"evt.wait_latency"};
// Compile-time check to ensure deprecated_fields array has the correct size
static_assert(
std::size(deprecated_fields) ==
static_cast<int>(falco::load_result::deprecated_field::DEPRECATED_FIELD_NOT_FOUND),
"deprecated_fields array size must match DEPRECATED_FIELD_NOT_FOUND enum value");
const std::string& falco::load_result::deprecated_field_str(deprecated_field df) {
return deprecated_fields[static_cast<int>(df)];
}
// Shared description suffix for latency fields
static const std::string latency_field_desc_suffix =
"field is not available due to the drop of enter events.";
static const std::string deprecated_field_descs[] = {
"due to the drop of enter events, 'evt.dir = <' always evaluates to true, and 'evt.dir = "
">' always evaluates to false. The rule expression can be simplified by removing the "
"condition on 'evt.dir'",
latency_field_desc_suffix,
latency_field_desc_suffix,
latency_field_desc_suffix,
latency_field_desc_suffix,
latency_field_desc_suffix};
// Compile-time check to ensure deprecated_field_descs array has the correct size
static_assert(
std::size(deprecated_field_descs) ==
static_cast<int>(falco::load_result::deprecated_field::DEPRECATED_FIELD_NOT_FOUND),
"deprecated_field_descs array size must match DEPRECATED_FIELD_NOT_FOUND enum value");
const std::string& falco::load_result::deprecated_field_desc(deprecated_field df) {
return deprecated_field_descs[static_cast<int>(df)];
}
falco::load_result::deprecated_field falco::load_result::deprecated_field_from_str(
const std::string& f) {
return falco::load_result::deprecated_field(
std::find(std::begin(deprecated_fields), std::end(deprecated_fields), f) -
std::begin(deprecated_fields));
return warning_descs[wc];
}

27
userspace/engine/falco_load_result.h
View File

@@ -46,9 +46,7 @@ public:
// impact.
static const std::string& error_desc(error_code ec);
virtual ~load_result() = default;
enum class warning_code {
enum warning_code {
LOAD_UNKNOWN_SOURCE = 0,
LOAD_UNSAFE_NA_CHECK,
LOAD_NO_EVTTYPE,
@@ -65,6 +63,8 @@ public:
LOAD_COMPILE_CONDITION
};
virtual ~load_result() = default;
// The warning code as a string
static const std::string& warning_code_str(warning_code ec);
@@ -75,27 +75,6 @@ public:
// impact.
static const std::string& warning_desc(warning_code ec);
enum class deprecated_field {
DEPRECATED_FIELD_EVT_DIR,
DEPRECATED_FIELD_EVT_LATENCY,
DEPRECATED_FIELD_EVT_LATENCY_S,
DEPRECATED_FIELD_EVT_LATENCY_NS,
DEPRECATED_FIELD_EVT_LATENCY_HUMAN,
DEPRECATED_FIELD_EVT_WAIT_LATENCY,
DEPRECATED_FIELD_NOT_FOUND
};
// The deprecated field as a string
static const std::string& deprecated_field_str(deprecated_field df);
// A longer description of what the deprecated field represents and the
// impact.
static const std::string& deprecated_field_desc(deprecated_field df);
// Return the deprecated field from a field string name, or DEPRECATED_FIELD_NOT_FOUND if the
// field is not deprecated
static deprecated_field deprecated_field_from_str(const std::string& f);
// If true, the rules were loaded successfully and can be used
// against events. If false, there were one or more
// errors--use one of the as_xxx methods to return information

36
userspace/engine/falco_rule.h
View File

@@ -1,6 +1,6 @@
// SPDX-License-Identifier: Apache-2.0
/*
Copyright (C) 2025 The Falco Authors.
Copyright (C) 2023 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -35,11 +35,6 @@ struct falco_list {
falco_list& operator=(const falco_list&) = default;
~falco_list() = default;
bool operator==(const falco_list& rhs) const {
return (this->used == rhs.used && this->id == rhs.id && this->name == rhs.name &&
this->items == rhs.items);
}
bool used;
std::size_t id;
std::string name;
@@ -58,14 +53,6 @@ struct falco_macro {
falco_macro& operator=(const falco_macro&) = default;
~falco_macro() = default;
bool operator==(const falco_macro& rhs) const {
// Note this only ensures that the shared_ptrs are
// pointing to the same underlying memory, not that
// they are logically equal.
return (this->used == rhs.used && this->id == rhs.id && this->name == rhs.name &&
this->condition.get() == rhs.condition.get());
}
bool used;
std::size_t id;
std::string name;
@@ -77,30 +64,13 @@ struct falco_macro {
The rule ID must be unique across all the rules loaded in the engine.
*/
struct falco_rule {
falco_rule():
id(0),
priority(falco_common::PRIORITY_DEBUG),
capture(false),
capture_duration(0) {}
falco_rule(): id(0), priority(falco_common::PRIORITY_DEBUG) {}
falco_rule(falco_rule&&) = default;
falco_rule& operator=(falco_rule&&) = default;
falco_rule(const falco_rule&) = default;
falco_rule& operator=(const falco_rule&) = default;
~falco_rule() = default;
bool operator==(const falco_rule& rhs) const {
// Note this only ensures that the shared_ptrs are
// pointing to the same underlying memory, not that
// they are logically equal.
return (this->id == rhs.id && this->source == rhs.source && this->name == rhs.name &&
this->description == rhs.description && this->output == rhs.output &&
this->tags == rhs.tags && this->exception_fields == rhs.exception_fields &&
this->priority == rhs.priority && this->capture == rhs.capture &&
this->capture_duration == rhs.capture_duration &&
this->condition.get() == rhs.condition.get() &&
this->filter.get() == rhs.filter.get());
}
std::size_t id;
std::string source;
std::string name;
@@ -110,8 +80,6 @@ struct falco_rule {
std::set<std::string> tags;
std::set<std::string> exception_fields;
falco_common::priority_type priority;
bool capture;
uint32_t capture_duration;
std::shared_ptr<libsinsp::filter::ast::expr> condition;
std::shared_ptr<sinsp_filter> filter;
};

25
userspace/engine/falco_utils.cpp
View File

@@ -23,7 +23,7 @@ limitations under the License.
#include <re2/re2.h>
#if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
#include <openssl/evp.h>
#include <openssl/sha.h>
#endif
#include <cstring>
#include <fstream>
@@ -120,10 +120,11 @@ uint64_t parse_prometheus_interval(std::string interval_str) {
ONE_MS_TO_MS};
for(size_t i = 0; i < sizeof(all_prometheus_units) / sizeof(const char*); i++) {
std::string cur_interval_str;
uint64_t cur_interval = 0;
const auto& group_it = named_groups.find(all_prometheus_units[i]);
if(group_it != named_groups.end()) {
uint64_t cur_interval = 0;
std::string cur_interval_str = args[group_it->second - 1];
cur_interval_str = args[group_it->second - 1];
if(!cur_interval_str.empty()) {
cur_interval = std::stoull(cur_interval_str, nullptr, 0);
}
@@ -143,22 +144,22 @@ std::string calculate_file_sha256sum(const std::string& filename) {
return "";
}
std::unique_ptr<EVP_MD_CTX, decltype(&EVP_MD_CTX_free)> ctx(EVP_MD_CTX_new(), EVP_MD_CTX_free);
EVP_DigestInit_ex(ctx.get(), EVP_sha256(), nullptr);
SHA256_CTX sha256_context;
SHA256_Init(&sha256_context);
constexpr size_t buffer_size = 4096;
char buffer[buffer_size];
while(file.read(buffer, buffer_size)) {
EVP_DigestUpdate(ctx.get(), buffer, buffer_size);
SHA256_Update(&sha256_context, buffer, buffer_size);
}
EVP_DigestUpdate(ctx.get(), buffer, file.gcount());
SHA256_Update(&sha256_context, buffer, file.gcount());
std::vector<uint8_t> digest(EVP_MD_size(EVP_sha256()));
EVP_DigestFinal_ex(ctx.get(), digest.data(), nullptr);
unsigned char digest[SHA256_DIGEST_LENGTH];
SHA256_Final(digest, &sha256_context);
std::ostringstream ss;
for(auto& c : digest) {
ss << std::hex << std::setw(2) << std::setfill('0') << (int)c;
std::stringstream ss;
for(int i = 0; i < SHA256_DIGEST_LENGTH; ++i) {
ss << std::hex << std::setw(2) << std::setfill('0') << static_cast<unsigned>(digest[i]);
}
return ss.str();
}

10
userspace/engine/filter_details_resolver.cpp
View File

@@ -125,13 +125,5 @@ void filter_details_resolver::visitor::visit(ast::field_expr* e) {
void filter_details_resolver::visitor::visit(ast::field_transformer_expr* e) {
m_details.transformers.insert(e->transformer);
for(auto& value : e->values) {
value->accept(this);
}
}
void filter_details_resolver::visitor::visit(ast::transformer_list_expr* e) {
for(auto& child : e->children) {
child->accept(this);
}
e->value->accept(this);
}

1
userspace/engine/filter_details_resolver.h
View File

@@ -72,7 +72,6 @@ private:
void visit(libsinsp::filter::ast::binary_check_expr* e) override;
void visit(libsinsp::filter::ast::field_expr* e) override;
void visit(libsinsp::filter::ast::field_transformer_expr* e) override;
void visit(libsinsp::filter::ast::transformer_list_expr* e) override;
filter_details& m_details;
bool m_expect_list;

4
userspace/engine/filter_macro_resolver.cpp
View File

@@ -105,10 +105,6 @@ void filter_macro_resolver::visitor::visit(ast::field_transformer_expr* e) {
m_node_substitute = nullptr;
}
void filter_macro_resolver::visitor::visit(ast::transformer_list_expr* e) {
m_node_substitute = nullptr;
}
void filter_macro_resolver::visitor::visit(ast::identifier_expr* e) {
const auto& macro = m_macros.find(e->identifier);
if(macro != m_macros.end() && macro->second) // skip null-ptr macros

1
userspace/engine/filter_macro_resolver.h
View File

@@ -121,7 +121,6 @@ private:
void visit(libsinsp::filter::ast::binary_check_expr* e) override;
void visit(libsinsp::filter::ast::field_expr* e) override;
void visit(libsinsp::filter::ast::field_transformer_expr* e) override;
void visit(libsinsp::filter::ast::transformer_list_expr* e) override;
};
std::vector<value_info> m_errors;

42
userspace/engine/filter_warning_resolver.cpp
View File

@@ -15,7 +15,6 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
#include <string>
#include <libsinsp/sinsp.h>
#include "filter_warning_resolver.h"
@@ -33,30 +32,14 @@ static inline bool is_equality_operator(const std::string& op) {
op == "pmatch";
}
bool filter_warning_resolver::run(const rule_loader::context& ctx,
rule_loader::result& res,
libsinsp::filter::ast::expr& filter) const {
std::set<falco::load_result::warning_code> warnings;
std::set<falco::load_result::deprecated_field> deprecated_fields;
visitor v(warnings, deprecated_fields);
bool filter_warning_resolver::run(libsinsp::filter::ast::expr* filter,
std::set<load_result::warning_code>& warnings) const {
visitor v;
auto size = warnings.size();
v.m_is_equality_check = false;
filter.accept(&v);
for(auto& w : warnings) {
switch(w) {
case falco::load_result::warning_code::LOAD_DEPRECATED_ITEM:
// add a warning for each deprecated field
for(auto& deprecated_field : deprecated_fields) {
res.add_deprecated_field_warning(
deprecated_field,
falco::load_result::deprecated_field_desc(deprecated_field),
ctx);
}
break;
default:
res.add_warning(w, "", ctx);
}
}
return !warnings.empty();
v.m_warnings = &warnings;
filter->accept(&v);
return warnings.size() > size;
}
void filter_warning_resolver::visitor::visit(libsinsp::filter::ast::binary_check_expr* e) {
@@ -71,24 +54,17 @@ void filter_warning_resolver::visitor::visit(libsinsp::filter::ast::binary_check
void filter_warning_resolver::visitor::visit(libsinsp::filter::ast::field_expr* e) {
m_last_node_is_unsafe_field = is_unsafe_field(e->field);
// Check for deprecated dir field usage
if(auto df = falco::load_result::deprecated_field_from_str(e->field);
df != falco::load_result::deprecated_field::DEPRECATED_FIELD_NOT_FOUND) {
m_deprecated_fields->insert(df);
m_warnings->insert(falco::load_result::warning_code::LOAD_DEPRECATED_ITEM);
}
}
void filter_warning_resolver::visitor::visit(libsinsp::filter::ast::value_expr* e) {
if(m_is_equality_check && e->value == no_value) {
m_warnings->insert(falco::load_result::warning_code::LOAD_UNSAFE_NA_CHECK);
m_warnings->insert(load_result::LOAD_UNSAFE_NA_CHECK);
}
}
void filter_warning_resolver::visitor::visit(libsinsp::filter::ast::list_expr* e) {
if(m_is_equality_check &&
std::find(e->values.begin(), e->values.end(), no_value) != e->values.end()) {
m_warnings->insert(falco::load_result::warning_code::LOAD_UNSAFE_NA_CHECK);
m_warnings->insert(load_result::LOAD_UNSAFE_NA_CHECK);
}
}

Some files were not shown because too many files have changed in this diff Show More