ci: restore minimum set of required permissions

Commit #8171176 reduced workflow permissions and only allowed read
accesses to repo content. However, some workflows require write
permissions for token-id and attestations: these requirements resulted
in both master and release CIs being broken in the last month.

While still applying least privilege principle, this patch restores
the minimum set of required ones.

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>

.github/workflows/master.yaml

@@ -56,6 +56,9 @@ jobs:
 
   publish-dev-packages:
     needs: [fetch-version, test-dev-packages, test-dev-packages-arm64]
+    permissions:
+      id-token: write
+      contents: read
     uses: ./.github/workflows/reusable_publish_packages.yaml
     with:
       bucket_suffix: '-dev'
@@ -84,6 +87,10 @@ jobs:
     
   publish-dev-docker:
     needs: [fetch-version, build-dev-docker, build-dev-docker-arm64]
+    permissions:
+      attestations: write
+      id-token: write
+      contents: read
     uses: ./.github/workflows/reusable_publish_docker.yaml
     with:
       tag: master

.github/workflows/release.yaml

@@ -96,6 +96,9 @@ jobs:
 
   publish-packages:
     needs: [release-settings, test-packages, test-packages-arm64]
+    permissions:
+      id-token: write
+      contents: read
     uses: ./.github/workflows/reusable_publish_packages.yaml
     with:
       bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
@@ -125,6 +128,10 @@ jobs:
 
   publish-docker:
     needs: [release-settings, build-docker, build-docker-arm64]
+    permissions:
+      attestations: write
+      id-token: write
+      contents: read
     uses: ./.github/workflows/reusable_publish_docker.yaml
     secrets: inherit
     with:

cmake/modules/driver.cmake

@@ -35,9 +35,9 @@ else()
 	# FALCOSECURITY_LIBS_VERSION. In case you want to test against another driver version (or
 	# branch, or commit) just pass the variable - ie., `cmake -DDRIVER_VERSION=dev ..`
 	if(NOT DRIVER_VERSION)
-		set(DRIVER_VERSION "1aef789552ba32b58e36aeb72c5a0a2f814a8a1c")
+		set(DRIVER_VERSION "ed3ac8a370d5a3d946ed735df40c85fc7395052e")
 		set(DRIVER_CHECKSUM
-			"SHA256=360983e0cc77f4caa1b463124831fc8934f64fffc7f3f4411cebaedb4c654b6e"
+			"SHA256=ef21c3e15038aa2ba2be5841e7cde0d6675ecffb6e2840468fe81418d97ec95f"
 		)
 	endif()
 

cmake/modules/falcosecurity-libs.cmake

@@ -42,9 +42,9 @@ else()
 	# version (or branch, or commit) just pass the variable - ie., `cmake
 	# -DFALCOSECURITY_LIBS_VERSION=dev ..`
 	if(NOT FALCOSECURITY_LIBS_VERSION)
-		set(FALCOSECURITY_LIBS_VERSION "1aef789552ba32b58e36aeb72c5a0a2f814a8a1c")
+		set(FALCOSECURITY_LIBS_VERSION "ed3ac8a370d5a3d946ed735df40c85fc7395052e")
 		set(FALCOSECURITY_LIBS_CHECKSUM
-			"SHA256=360983e0cc77f4caa1b463124831fc8934f64fffc7f3f4411cebaedb4c654b6e"
+			"SHA256=ef21c3e15038aa2ba2be5841e7cde0d6675ecffb6e2840468fe81418d97ec95f"
 		)
 	endif()
 

falco.yaml

@@ -1180,7 +1180,7 @@ metrics:
   # (a.k.a. the threadtable).
   state_counters_enabled: true
   # -- Add kernel side event and drop counters to metrics output.
-  # This isan alternative to `syscall_event_drops`, but with some differences.
+  # This is an alternative to `syscall_event_drops`, but with some differences.
   # These counters reflect monotonic values since Falco's start and are exported at a
   # constant stats interval.
   kernel_event_counters_enabled: true
@@ -1200,6 +1200,10 @@ metrics:
   # Please note that if the respective plugin has no metrics implemented,
   # there will be no metrics available.
   plugins_metrics_enabled: true
+  # -- Add kernel side iterator event and drop counters to metrics output.
+  # These counters reflect monotonic values since Falco's start and are exported at a
+  # constant stats interval.
+  kernel_iter_event_counters_enabled: true
   # -- Add jemalloc stats to metrics output.
   # This option requires that Falco is built with jemalloc support, otherwise
   # it will have no effect.

userspace/engine/falco_engine_version.h

@@ -20,7 +20,7 @@ limitations under the License.
 
 // The version of this Falco engine
 #define FALCO_ENGINE_VERSION_MAJOR 0
-#define FALCO_ENGINE_VERSION_MINOR 60
+#define FALCO_ENGINE_VERSION_MINOR 61
 #define FALCO_ENGINE_VERSION_PATCH 0
 
 #define FALCO_ENGINE_VERSION                                                               \
@@ -36,4 +36,4 @@ limitations under the License.
 // It represents the fields supported by this version of Falco,
 // the event types, and the underlying driverevent schema. It's used to
 // detetect changes in engine version in our CI jobs.
-#define FALCO_ENGINE_CHECKSUM "17c1ac99576c032a58895a10f7091cf777008a1059b7f1bff3c78a6451b17fdf"
+#define FALCO_ENGINE_CHECKSUM "cff88efbc5ebf54d4a0763342ac480da48880d9c6edf9f65c65cda5c1b1fdc7c"

userspace/falco/config_json_schema.h

@@ -569,6 +569,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
                 "plugins_metrics_enabled": {
                     "type": "boolean"
                 },
+            	"kernel_iter_event_counters_enabled": {
+					"type": "boolean"
+				},
                 "convert_memory_to_mb": {
                     "type": "boolean"
                 },

userspace/falco/configuration.cpp

@@ -590,6 +590,9 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 	if(m_config.get_scalar<bool>("metrics.plugins_metrics_enabled", true)) {
 		m_metrics_flags |= METRICS_V2_PLUGINS;
 	}
+	if(m_config.get_scalar<bool>("metrics.kernel_iter_event_counters_enabled", true)) {
+		m_metrics_flags |= METRICS_V2_KERNEL_ITER_COUNTERS;
+	}
 	if(m_config.get_scalar<bool>("metrics.jemalloc_stats_enabled", true)) {
 		m_metrics_flags |= METRICS_V2_JEMALLOC_STATS;
 	}

userspace/falco/falco_metrics.cpp

@@ -59,6 +59,8 @@ namespace fs = std::filesystem;
     - `libbpf_stats_enabled` -> Resides in libs; must be retrieved by the syscalls inspector;
       not available for other inspectors.
     - `plugins_metrics_enabled` -> Must be retrieved for each inspector.
+    - `kernel_iter_event_counters_enabled` -> Resides in libs; must be retrieved by the syscalls
+      inspector; not available for other inspectors.
     - `jemalloc_stats_enabled` -> Agnostic; resides in falco; inspector is irrelevant;
       only performed once.
 */
@@ -308,6 +310,7 @@ std::string falco_metrics::sources_to_text_prometheus(
 		// kernel_event_counters_enabled
 		// kernel_event_counters_per_cpu_enabled
 		// libbpf_stats_enabled
+		// kernel_iter_event_counters_enabled
 		auto metrics_collector =
 		        libs::metrics::libs_metrics_collector(source_inspector.get(),
 		                                              state.config->m_metrics_flags);

userspace/falco/stats_writer.cpp

@@ -485,6 +485,7 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 		// state_counters_enabled
 		// kernel_event_counters_enabled
 		// libbpf_stats_enabled
+		// kernel_iter_event_counters_enabled
 
 		// Refresh / New snapshot
 		auto& libs_metrics_collector = m_writer->m_libs_metrics_collectors[src];
@@ -508,7 +509,8 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 			char metric_name[METRIC_NAME_MAX] = "falco.";
 			if((metric.flags & METRICS_V2_LIBBPF_STATS) ||
 			   (metric.flags & METRICS_V2_KERNEL_COUNTERS) ||
-			   (metric.flags & METRICS_V2_KERNEL_COUNTERS_PER_CPU)) {
+			   (metric.flags & METRICS_V2_KERNEL_COUNTERS_PER_CPU) ||
+			   (metric.flags & METRICS_V2_KERNEL_ITER_COUNTERS)) {
 				strlcpy(metric_name, "scap.", sizeof(metric_name));
 			}
 			if(metric.flags & METRICS_V2_PLUGINS) {
@@ -624,7 +626,8 @@ void stats_writer::collector::collect(const std::shared_ptr<sinsp>& inspector,
 			// Note: src is static for live captures
 			if(src != falco_common::syscall_source) {
 				flags &= ~(METRICS_V2_KERNEL_COUNTERS | METRICS_V2_KERNEL_COUNTERS_PER_CPU |
-				           METRICS_V2_STATE_COUNTERS | METRICS_V2_LIBBPF_STATS);
+				           METRICS_V2_STATE_COUNTERS | METRICS_V2_LIBBPF_STATS |
+				           METRICS_V2_KERNEL_ITER_COUNTERS);
 			}
 			m_writer->m_libs_metrics_collectors[src] =
 			        std::make_unique<libs::metrics::libs_metrics_collector>(inspector.get(), flags);