chore(userspace/engine): format lua source code

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

.circleci/config.yml

@@ -1,85 +1,5 @@
 version: 2
 jobs:
-  # Build a statically linked Falco release binary using musl
-  # This build is 100% static, there are no host dependencies
-  "build/musl":
-    docker:
-      - image: alpine:3.12
-    steps:
-      - checkout:
-          path: /source-static/falco
-      - run:
-          name: Update base image
-          command: apk update
-      - run:
-          name: Install build dependencies
-          command: apk add g++ gcc cmake cmake make ncurses-dev git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils
-      - run:
-          name: Prepare project
-          command: |
-            mkdir -p /build-static/release
-            cd /build-static/release
-            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
-      - run:
-          name: Build
-          command: |
-            cd /build-static/release
-            make -j4 all
-      - run:
-          name: Package
-          command: |
-            cd /build-static/release
-            make -j4 package
-      - run:
-          name: Run unit tests
-          command: |
-            cd /build-static/release
-            make tests
-      - run:
-          name: Prepare artifacts
-          command: |
-            mkdir -p /tmp/packages
-            cp /build-static/release/*.tar.gz /tmp/packages
-      - store_artifacts:
-          path: /tmp/packages
-          destination: /packages
-      - persist_to_workspace:
-          root: /
-          paths:
-            - build-static/release
-            - source-static
-  # Build the minimal Falco
-  # This build only contains the Falco engine and the basic input/output.
-  "build/minimal":
-    docker:
-      - image: ubuntu:focal
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install libjq-dev libncurses-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build-minimal
-            pushd build-minimal
-            cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build-minimal
-            make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build-minimal
-            make tests
-            popd
   # Build using ubuntu LTS
   # This build is dynamic, most dependencies are taken from the OS
   "build/ubuntu-focal":
@@ -144,72 +64,8 @@ jobs:
             pushd build
             make tests
             popd
-  # Build using Ubuntu Bionic Beaver (18.04)
-  # This build is static, dependencies are bundled in the Falco binary
-  "build/ubuntu-bionic":
-    docker:
-      - image: ubuntu:bionic
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-generic libncurses-dev pkg-config autoconf libtool libelf-dev -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build
-            pushd build
-            cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build
-            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build
-            make tests
-            popd
-  # Build using CentOS 8
-  # This build is static, dependencies are bundled in the Falco binary
-  "build/centos8":
-    docker:
-      - image: centos:8
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: dnf update -y
-      - run:
-          name: Install dependencies
-          command: dnf install gcc gcc-c++ git make cmake autoconf automake pkg-config patch ncurses-devel libtool elfutils-libelf-devel diffutils kernel-devel kernel-headers kernel-core clang llvm which -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build
-            pushd build
-            cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build
-            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build
-            make tests
-            popd
   # Build using our own builder base image using centos 7
-  # This build is static, dependencies are bundled in the Falco binary
+  # This build is static, dependencies are bundled in the falco binary
   "build/centos7":
     docker:
       - image: falcosecurity/falco-builder:latest
@@ -246,7 +102,7 @@ jobs:
           path: /tmp/packages
           destination: /packages
   # Debug build using our own builder base image using centos 7
-  # This build is static, dependencies are bundled in the Falco binary
+  # This build is static, dependencies are bundled in the falco binary
   "build/centos7-debug":
     docker:
       - image: falcosecurity/falco-builder:latest
@@ -282,21 +138,6 @@ jobs:
       - run:
           name: Execute integration tests
           command: /usr/bin/entrypoint test
-  "tests/integration-static":
-    docker:
-      - image: falcosecurity/falco-tester:latest
-        environment:
-          SOURCE_DIR: "/source-static"
-          BUILD_DIR: "/build-static"
-          BUILD_TYPE: "release"
-          SKIP_PACKAGES_TESTS: "true"
-    steps:
-      - setup_remote_docker
-      - attach_workspace:
-          at: /
-      - run:
-          name: Execute integration tests
-          command: /usr/bin/entrypoint test
   "tests/driver-loader/integration":
     machine:
       image: ubuntu-1604:202004-01
@@ -362,34 +203,10 @@ jobs:
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
             jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
       - run:
-          name: Publish bin-dev
+          name: Publish tgz-dev
           command: |
-            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
-  # Clenup the Falco development release packages
-  "cleanup/packages-dev":
-    docker:
-      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
-    steps:
-      - checkout:
-          path: /source/falco
-      - run:
-          name: Prepare env
-          command: |
-            apk add --no-cache --update
-            apk add curl jq
-      - run:
-          name: Only keep the 10 most recent Falco development release tarballs
-          command: |
-            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r bin-dev
-      - run:
-          name: Only keep the 50 most recent Falco development release RPMs
-          command: |
-            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r rpm-dev
-      - run:
-          name: Only keep the 50 most recent Falco development release DEBs
-          command: |
-            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r deb-dev
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
   # Publish docker packages
   "publish/docker-dev":
     docker:
@@ -446,10 +263,10 @@ jobs:
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
             jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
       - run:
-          name: Publish bin
+          name: Publish tgz
           command: |
-            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
   # Publish docker packages
   "publish/docker":
     docker:
@@ -491,20 +308,13 @@ workflows:
   version: 2
   build_and_test:
     jobs:
-      - "build/musl"
-      - "build/minimal"
       - "build/ubuntu-focal"
       - "build/ubuntu-focal-debug"
-      - "build/ubuntu-bionic"
-      - "build/centos8"
       - "build/centos7"
       - "build/centos7-debug"
       - "tests/integration":
           requires:
             - "build/centos7"
-      - "tests/integration-static":
-          requires:
-            - "build/musl"
       - "tests/driver-loader/integration":
           requires:
             - "build/centos7"
@@ -526,16 +336,6 @@ workflows:
               only: master
           requires:
             - "rpm/sign"
-            - "tests/integration-static"
-      - "cleanup/packages-dev":
-          context: falco
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
-          requires:
-            - "publish/packages-dev"
       - "publish/docker-dev":
           context: falco
           filters:
@@ -548,12 +348,6 @@ workflows:
             - "tests/driver-loader/integration"
   release:
     jobs:
-      - "build/musl":
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
       - "build/centos7":
           filters:
             tags:
@@ -572,7 +366,6 @@ workflows:
       - "publish/packages":
           context: falco
           requires:
-            - "build/musl"
             - "rpm/sign"
           filters:
             tags:

CHANGELOG.md

@@ -2,48 +2,6 @@
 
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 
-## v0.25.0
-
-Released on 2020-08-25
-
-### Major Changes
-
-* new(userspace/falco): print the Falco and driver versions at the very beginning of the output. [[#1303](https://github.com/falcosecurity/falco/pull/1303)] - [@leogr](https://github.com/leogr)
-* new: libyaml is now bundled in the release process. Users can now avoid installing libyaml directly when getting Falco from the official release. [[#1252](https://github.com/falcosecurity/falco/pull/1252)] - [@fntlnz](https://github.com/fntlnz)
-
-
-### Minor Changes
-
-* docs(test): step-by-step instructions to run integration tests locally [[#1313](https://github.com/falcosecurity/falco/pull/1313)] - [@leodido](https://github.com/leodido)
-* update: renameat2 syscall support [[#1355](https://github.com/falcosecurity/falco/pull/1355)] - [@fntlnz](https://github.com/fntlnz)
-* update: support for 5.8.x kernels [[#1355](https://github.com/falcosecurity/falco/pull/1355)] - [@fntlnz](https://github.com/fntlnz)
-
-
-### Bug Fixes
-
-* fix(userspace/falco): correct the fallback mechanism for loading the kernel module [[#1366](https://github.com/falcosecurity/falco/pull/1366)] - [@leogr](https://github.com/leogr)
-* fix(falco-driver-loader): script crashing when using arguments [[#1330](https://github.com/falcosecurity/falco/pull/1330)] - [@antoinedeschenes](https://github.com/antoinedeschenes)
-
-
-### Rule Changes
-
-* rule(macro user_trusted_containers): add `sysdig/node-image-analyzer` and `sysdig/agent-slim` [[#1321](https://github.com/falcosecurity/falco/pull/1321)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(macro falco_privileged_images): add `docker.io/falcosecurity/falco` [[#1326](https://github.com/falcosecurity/falco/pull/1326)] - [@nvanheuverzwijn](https://github.com/nvanheuverzwijn)
-* rule(EphemeralContainers Created): add new rule to detect ephemeral container created [[#1339](https://github.com/falcosecurity/falco/pull/1339)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(macro user_read_sensitive_file_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(macro user_trusted_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(macro user_privileged_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(macro trusted_images_query_miner_domain_dns): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(macro falco_privileged_containers): append "/" to quay.io/sysdig [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(list falco_privileged_images): add images docker.io/sysdig/agent-slim and docker.io/sysdig/node-image-analyzer [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(list falco_sensitive_mount_images): add image docker.io/sysdig/agent-slim [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(list k8s_containers): prepend docker.io to images [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(macro exe_running_docker_save): add better support for centos [[#1350](https://github.com/falcosecurity/falco/pull/1350)] - [@admiral0](https://github.com/admiral0)
-* rule(macro rename): add `renameat2` syscall [[#1359](https://github.com/falcosecurity/falco/pull/1359)] - [@leogr](https://github.com/leogr)
-* rule(Read sensitive file untrusted): add trusted images into whitelist [[#1327](https://github.com/falcosecurity/falco/pull/1327)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(Pod Created in Kube Namespace): add new list k8s_image_list as white list [[#1336](https://github.com/falcosecurity/falco/pull/1336)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(list allowed_k8s_users): add "kubernetes-admin" user [[#1323](https://github.com/falcosecurity/falco/pull/1323)] - [@leogr](https://github.com/leogr)
-
 ## v0.24.0
 
 Released on 2020-07-16

CMakeLists.txt

@@ -16,8 +16,6 @@ project(falco)
 
 option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
-option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
-option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
 
 # Elapsed time
 # set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
@@ -52,15 +50,7 @@ else()
 endif()
 message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")
 
-if(MINIMAL_BUILD)
-  set(MINIMAL_BUILD_FLAGS "-DMINIMAL_BUILD")
-endif()
-
-if(MUSL_OPTIMIZED_BUILD)
-  set(MUSL_FLAGS "-static -Os -D__NEED_struct_timespec -D__NEED_time_t")
-endif()
-
-set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
+set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
 
 if(BUILD_WARNINGS_AS_ERRORS)
   set(CMAKE_SUPPRESSED_WARNINGS
@@ -133,13 +123,11 @@ ExternalProject_Add(
 # yaml-cpp
 include(yaml-cpp)
 
-if(NOT MINIMAL_BUILD)
-  # OpenSSL
-  include(OpenSSL)
+# OpenSSL
+include(OpenSSL)
 
-  # libcurl
-  include(cURL)
-endif()
+# libcurl
+include(cURL)
 
 # LuaJIT
 set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
@@ -178,14 +166,16 @@ include(libyaml)
 set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
 set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
 message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
+set(LYAML_DEPENDENCIES "")
+list(APPEND LYAML_DEPENDENCIES "luajit")
 ExternalProject_Add(
   lyaml
-  DEPENDS luajit libyaml
+  DEPENDS ${LYAML_DEPENDENCIES}
   URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
   URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
   BUILD_COMMAND ${CMD_MAKE}
   BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ./configure --enable-static CFLAGS=-I${LIBYAML_INSTALL_DIR}/include CPPFLAGS=-I${LIBYAML_INSTALL_DIR}/include LDFLAGS=-L${LIBYAML_INSTALL_DIR}/lib LIBS=-lyaml LUA=${LUAJIT_SRC}/luajit LUA_INCLUDE=-I${LUAJIT_INCLUDE}
+  CONFIGURE_COMMAND ./configure --enable-static LIBS=-lyaml LUA_INCLUDE=-I${LUAJIT_INCLUDE} LUA=${LUAJIT_SRC}/luajit
   INSTALL_COMMAND sh -c
                   "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")
 
@@ -206,30 +196,26 @@ ExternalProject_Add(
   BUILD_BYPRODUCTS ${TBB_LIB}
   INSTALL_COMMAND "")
 
-if(NOT MINIMAL_BUILD)
-  # civetweb
-  set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
-  set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
-  set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
-  message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
-  ExternalProject_Add(
-    civetweb
-    URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
-    URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
-    CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
-    COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
-    BUILD_IN_SOURCE 1
-    BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
-    INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
-endif()
+# civetweb
+set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
+set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
+set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
+message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
+ExternalProject_Add(
+  civetweb
+  URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
+  URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
+  CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
+  COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
+  BUILD_IN_SOURCE 1
+  BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
+  INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
 
 #string-view-lite
 include(DownloadStringViewLite)
 
-if(NOT MINIMAL_BUILD)
-  # gRPC
-  include(gRPC)
-endif()
+# gRPC
+include(gRPC)
 
 # sysdig
 include(sysdig)
@@ -237,13 +223,11 @@ include(sysdig)
 # Installation
 install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")
 
-if(NOT MINIMAL_BUILD)
-  # Coverage
-  include(Coverage)
+# Coverage
+include(Coverage)
 
-  # Tests
-  add_subdirectory(test)
-endif()
+# Tests
+add_subdirectory(test)
 
 # Rules
 add_subdirectory(rules)

CODE_OF_CONDUCT.md

@@ -0,0 +1,38 @@
+# CNCF Community Code of Conduct v1.0
+
+## Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of fostering
+an open and welcoming community, we pledge to respect all people who contribute
+through reporting issues, posting feature requests, updating documentation,
+submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free experience for
+everyone, regardless of level of experience, gender, gender identity and expression,
+sexual orientation, disability, personal appearance, body size, race, ethnicity, age,
+religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic addresses,
+ without explicit permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are not
+aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers
+commit themselves to fairly and consistently applying these principles to every aspect
+of managing this project. Project maintainers who do not follow or enforce the Code of
+Conduct may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a CNCF project maintainer, [Sarah Novotny](mailto:sarahnovotny@google.com), and/or [Dan Kohn](mailto:dan@linuxfoundation.org).
+
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at
+http://contributor-covenant.org/version/1/2/0/

CONTRIBUTING.md

@@ -0,0 +1,150 @@
+# Contributing to Falco
+
+- [Contributing to Falco](#contributing-to-falco)
+  - [Code of Conduct](#code-of-conduct)
+  - [Issues](#issues)
+    - [Triage issues](#triage-issues)
+      - [More about labels](#more-about-labels)
+    - [Slack](#slack)
+  - [Pull Requests](#pull-requests)
+    - [Commit convention](#commit-convention)
+      - [Rule type](#rule-type)
+  - [Coding Guidelines](#coding-guidelines)
+    - [C++](#c)
+    - [Unit testing](/tests/README.md)
+  - [Developer Certificate Of Origin](#developer-certificate-of-origin)
+
+## Code of Conduct
+
+Falco has a
+[Code of Conduct](CODE_OF_CONDUCT.md)
+to which all contributors must adhere, please read it before interacting with the repository or the community in any way.
+
+## Issues
+
+Issues are the heartbeat ❤️ of the Falco project, there are mainly three kinds of issues you can open:
+
+- Bug report: you believe you found a problem in Falco and you want to discuss and get it fixed,
+creating an issue with the **bug report template** is the best way to do so.
+- Enhancement: any kind of new feature need to be discussed in this kind of issue, do you want a new rule or a new feature? This is the kind of issue you want to open. Be very good at explaining your intent, it's always important that others can understand what you mean in order to discuss, be open and collaborative in letting others help you getting this done!
+- Failing tests: you noticed a flaky test or a problem with a build? This is the kind of issue to triage that!
+
+The best way to get **involved** in the project is through issues, you can help in many ways:
+
+- Issues triaging: participating in the discussion and adding details to open issues is always a good thing,
+sometimes issues need to be verified, you could be the one writing a test case to fix a bug!
+- Helping to resolve the issue: you can help in getting it fixed in many ways, more often by opening a pull request.
+
+### Triage issues
+
+We need help in categorizing issues. Thus any help is welcome!
+
+When you triage an issue, you:
+
+* assess whether it has merit or not
+
+* quickly close it by correctly answering a question
+
+* point the reporter to a resource or documentation answering the issue
+
+* tag it via labels, projects, or milestones
+
+* take ownership submitting a PR for it, in case you want 😇
+
+#### More about labels
+
+These guidelines are not set in stone and are subject to change.
+
+Anyway a `kind/*` label for any issue is mandatory.
+
+This is the current [label set](https://github.com/falcosecurity/falco/labels) we have.
+
+You can use commands - eg., `/label <some-label>` to add (or remove) labels or manually do it.
+
+The commands available are the following ones:
+
+```
+/[remove-](area|kind|priority|triage|label)
+```
+
+Some examples:
+
+* `/area rules`
+* `/remove-area rules`
+* `/kind kernel-module`
+* `/label good-first-issue`
+* `/triage duplicate`
+* `/triage unresolved`
+* `/triage not-reproducible`
+* `/triage support`
+* ...
+
+### Slack
+
+Other discussion, and **support requests** should go through the `#falco` channel in the Kubernetes slack, please join [here](https://slack.k8s.io/).
+
+## Pull Requests
+
+Thanks for taking time to make a [pull request](https://help.github.com/articles/about-pull-requests) (hereafter PR).
+
+In the PR body, feel free to add an area label if appropriate by typing `/area <AREA>`, PRs will also
+need a kind, make sure to specify the appropriate one by typing `/kind <KIND>`.
+
+The list of labels is [here](https://github.com/falcosecurity/falco/labels).
+
+Also feel free to suggest a reviewer with `/cc @theirname`, or to assign an assignee using `/assign @nickname`.
+
+Once your reviewer is happy, they will say `/lgtm` which will apply the
+`lgtm` label, and will apply the `approved` label if they are an
+[owner](/OWNERS).
+
+Your PR will be automatically merged once it has the `lgtm` and `approved`
+labels, does not have any `do-not-merge/*` labels, and all status checks (eg., rebase, tests, DCO) are positive.
+
+### Commit convention
+
+As commit convention, we adopt [Conventional Commits v1.0.0](https://www.conventionalcommits.org/en/v1.0.0/), we have an history
+of commits that do not adopt the convention but any new commit must follow it to be eligible for merge.
+
+#### Rule type
+
+Besides the classic types, we adopt a type for rules, `rule(<scope>):`.
+Example:
+
+```
+rule(Write below monitored dir): make sure monitored dirs are monitored.
+```
+
+Each rule change must be on its own commit, if a change to a macro is done while changing a rule they can go together but only one rule per commit must happen.
+
+If you are changing only a macro, the commit will look like this:
+
+```
+rule(macro user_known_write_monitored_dir_conditions): make sure conditions are great
+```
+
+## Coding Guidelines
+
+### C++
+
+* File `userspace/engine/banned.h` defines some functions as invalid tokens. These functions are not allowed to be used in the codebase. Whenever creating a new cpp file, include the `"banned.h"` headers. This ensures that the banned functions are not compiled.
+
+  A complete list of banned functions can be found [here](./userspace/engine/banned.h).
+
+## Developer Certificate Of Origin
+
+The [Developer Certificate of Origin (DCO)](https://developercertificate.org/) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project.
+
+Contributors to the Falco project sign-off that they adhere to these requirements by adding a `Signed-off-by` line to commit messages.
+
+```
+This is my commit message
+
+Signed-off-by: John Poiana <jpoiana@falco.org>
+```
+
+Git even has a `-s` command line option to append this automatically to your commit message:
+
+```
+$ git commit -s -m 'This is my commit message'
+```

README.md

@@ -3,6 +3,8 @@
 
 <hr>
 
+# The Falco Project
+
 [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)
 
 #### Latest releases
@@ -17,78 +19,63 @@ Read the [change log](CHANGELOG.md).
 
 ---
 
-The Falco Project, originally created by [Sysdig](https://sysdig.com), is an incubating [CNCF](https://cncf.io) open source cloud native runtime security tool.
-Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
-Falco has a rich rule set of security rules specifically built for Kubernetes, Linux, and cloud-native.
-If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.
+Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Falco audits a system at the most fundamental level, the kernel. Falco then enriches this data with other input streams such as container runtime metrics, and Kubernetes metrics. Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.
 
-### Installing Falco
+Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the [Falco CNCF project proposal](https://github.com/cncf/toc/tree/master/proposals/falco.adoc).
 
-If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/installation/).
+#### What kind of behaviors can Falco detect?
 
-##### Kubernetes
+Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:
 
-| Tool     | Link                                                                                       | Note                                                               |
-|----------|--------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
-| Helm     | [Chart Repository](https://github.com/falcosecurity/charts/tree/master/falco#introduction) | The Falco community offers regular helm chart releases.            |
-| Minikube | [Tutorial](https://falco.org/docs/third-party/#minikube)                                   | The Falco driver has been baked into minikube for easy deployment. |
-| Kind     | [Tutorial](https://falco.org/docs/third-party/#kind)                                       | Running Falco with kind requires a driver on the host system.      |
-| GKE      | [Tutorial](https://falco.org/docs/third-party/#gke)                                        | We suggest using the eBPF driver for running Falco on GKE.         |
-
-### Developing
-
-Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.
-
-Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/update-readme/userspace/falco/outputs.proto).
-The Falco Project supports various SDKs for this endpoint.
-
-##### SDKs
-
-| Language | Repository                                              |
-|----------|---------------------------------------------------------|
-| Go       | [client-go](https://github.com/falcosecurity/client-go) |
-| Rust     | [client-rs](https://github.com/falcosecurity/client-rs) |
-| Python   | [client-py](https://github.com/falcosecurity/client-py) |
-
-
-### What can Falco detect?
-
-Falco can detect and alert on any behavior that involves making Linux system calls.
-Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process.
-For example, Falco can easily detect incidents including but not limited to:
-
-- A shell is running inside a container or pod in Kubernetes.
+- A shell is running inside a container.
 - A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host.
 - A server process is spawning a child process of an unexpected type.
 - Unexpected read of a sensitive file, such as `/etc/shadow`.
 - A non-device file is written to `/dev`.
 - A standard system binary, such as `ls`, is making an outbound network connection.
 
-### Documentation
 
-The [Official Documentation](https://falco.org/docs/) is the best resource to learn about Falco.
+### Installing Falco
 
-### Join the Community
+You can find the latest release downloads on the official [release archive](https://bintray.com/falcosecurity)
+
+Furthermore the comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.
+
+#### How do you compare Falco with other security tools?
+
+One of the questions we often get when we talk about Falco is “How does Falco differ from other Linux security tools such as SELinux, AppArmor, Auditd, etc.?”. We wrote a [blog post](https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/) comparing Falco with other tools.
+
+
+Documentation
+---
+
+See [Falco Documentation](https://falco.org/docs/) to quickly get started using Falco.
+
+Join the Community
+---
 
 To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.
 
-### Contributing
+License Terms
+---
 
-See the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md).
+Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
+
+Contributing
+---
+
+See the [CONTRIBUTING.md](./CONTRIBUTING.md).
+
+Security
+---
 
 ### Security Audit
 
 A third party security audit was performed by Cure53, you can see the full report [here](./audits/SECURITY_AUDIT_2019_07.pdf).
 
 ### Reporting security vulnerabilities
-
 Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/master/SECURITY.md).
 
-### License Terms
-
-Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
-
-
 [1]: https://dl.bintray.com/falcosecurity/rpm-dev
 [2]: https://dl.bintray.com/falcosecurity/rpm
 [3]: https://dl.bintray.com/falcosecurity/deb-dev/stable

RELEASE.md

@@ -10,26 +10,19 @@ Finally, on the proposed due date the assignees for the upcoming release proceed
 
 ## Pre-Release Checklist
 
-### 1. Drivers
-
-- Check whether the [driver version](https://github.com/falcosecurity/falco/blob/master/cmake/modules/sysdig.cmake#L32) has changed since the last stable release of Falco
-    - Verify the release notes (point 2) eventually communicate this change 
-- Update the [Drivers Build Grid](https://github.com/falcosecurity/test-infra/tree/master/driverkit) so to ship prebuilt drivers for it (**best-effort** task)
-
-### 2. Release notes
-
+### 1. Release notes
 - Let `YYYY-MM-DD` the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
 - Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
     - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
     - If the PR has no milestone, assign it to the milestone currently undergoing release
-- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYY-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) filter) and add them to the milestone currently undergoing release
-- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, fix them
+- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYT-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD) filter) and add them to the milestone currently undergoing release
+- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYT-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD), if any, fix them
 
-### 3. Milestones
+### 2. Milestones
 
 - Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone
 
-### 4. Release PR
+### 3. Release PR
 
 - Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
     - If any, manually correct it then open an issue to automate version number bumping later

cmake/modules/CPackConfig.cmake

@@ -25,11 +25,7 @@ set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptio
 set(CPACK_STRIP_FILES "ON")
 set(CPACK_PACKAGE_RELOCATABLE "OFF")
 
-if(NOT CPACK_GENERATOR)
-    set(CPACK_GENERATOR DEB RPM TGZ)
-endif()
-
-message(STATUS "Using package generators: ${CPACK_GENERATOR}")
+set(CPACK_GENERATOR DEB RPM TGZ)
 
 set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
 set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")

cmake/modules/DownloadStringViewLite.cmake

@@ -15,7 +15,7 @@ include(ExternalProject)
 
 set(STRING_VIEW_LITE_PREFIX ${CMAKE_BINARY_DIR}/string-view-lite-prefix)
 set(STRING_VIEW_LITE_INCLUDE ${STRING_VIEW_LITE_PREFIX}/include)
-message(STATUS "Using bundled string-view-lite in ${STRING_VIEW_LITE_INCLUDE}")
+message(STATUS "Found string-view-lite: include: ${STRING_VIEW_LITE_INCLUDE}")
 
 ExternalProject_Add(
   string-view-lite

cmake/modules/OpenSSL.cmake

@@ -35,7 +35,7 @@ else()
     URL "https://github.com/openssl/openssl/archive/OpenSSL_1_0_2n.tar.gz"
     URL_HASH "SHA256=4f4bc907caff1fee6ff8593729e5729891adcee412049153a3bb4db7625e8364"
     # END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
-    CONFIGURE_COMMAND ./config no-shared --prefix=${OPENSSL_INSTALL_DIR}
+    CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
     BUILD_COMMAND ${CMD_MAKE}
     BUILD_IN_SOURCE 1
     INSTALL_COMMAND ${CMD_MAKE} install)

cmake/modules/cURL.cmake

@@ -19,9 +19,13 @@ else()
   set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/")
   set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a")
 
-  set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
-  message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
-  message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
+  if(NOT USE_BUNDLED_OPENSSL)
+    set(CURL_SSL_OPTION "--with-ssl")
+  else()
+    set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
+    message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
+    message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
+  endif()
 
   externalproject_add(
     curl

cmake/modules/gRPC.cmake

@@ -96,17 +96,12 @@ else()
   # that zlib will be very outdated
   set(ZLIB_INCLUDE "${GRPC_SRC}/third_party/zlib")
   set(ZLIB_LIB "${GRPC_LIBS_ABSOLUTE}/libz.a")
-  # we tell gRPC to compile c-ares for us because when a gRPC package is not available, like on CentOS, it's very likely
-  # that c-ares will be very outdated
-  set(CARES_INCLUDE "${GRPC_SRC}/third_party/cares" "${GRPC_SRC}/third_party/cares/cares")
-  set(CARES_LIB "${GRPC_LIBS_ABSOLUTE}/libares.a")
 
   message(STATUS "Using bundled gRPC in '${GRPC_SRC}'")
   message(
     STATUS
       "Bundled gRPC comes with protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
   message(STATUS "Bundled gRPC comes with zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}}")
-  message(STATUS "Bundled gRPC comes with cares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}}")
   message(STATUS "Bundled gRPC comes with gRPC C++ plugin: include: ${GRPC_CPP_PLUGIN}")
 
   get_filename_component(PROTOC_DIR ${PROTOC} PATH)
@@ -115,8 +110,8 @@ else()
     grpc
     DEPENDS openssl
     GIT_REPOSITORY https://github.com/grpc/grpc.git
-    GIT_TAG v1.31.1
-    GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares third_party/abseil-cpp third_party/re2"
+    GIT_TAG v1.25.0
+    GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares"
     BUILD_IN_SOURCE 1
     BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
     INSTALL_COMMAND ""
@@ -126,8 +121,6 @@ else()
       HAS_SYSTEM_ZLIB=false
       HAS_SYSTEM_PROTOBUF=false
       HAS_SYSTEM_CARES=false
-      HAS_EMBEDDED_OPENSSL_ALPN=false
-      HAS_SYSTEM_OPENSSL_ALPN=true
       PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}
       PKG_CONFIG=${PKG_CONFIG_EXECUTABLE}
       PATH=${PROTOC_DIR}:$ENV{PATH}

cmake/modules/jq.cmake

@@ -10,44 +10,26 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 #
-if (NOT USE_BUNDLED_DEPS)
-    find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
-    find_library(JQ_LIB NAMES jq)
-    if (JQ_INCLUDE AND JQ_LIB)
-        message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
-    else ()
-        message(FATAL_ERROR "Couldn't find system jq")
-    endif ()
-else ()
-    set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
-    message(STATUS "Using bundled jq in '${JQ_SRC}'")
-    set(JQ_INCLUDE "${JQ_SRC}/target/include")
-    set(JQ_INSTALL_DIR "${JQ_SRC}/target")
-    set(JQ_LIB "${JQ_INSTALL_DIR}/lib/libjq.a")
-    set(ONIGURUMA_LIB "${JQ_INSTALL_DIR}/lib/libonig.a")
-    message(STATUS "Bundled jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
-
-    # Why we mirror jq here?
-    #
-    # In their readme, jq claims that you don't have
-    # to do autoreconf -fi when downloading a released tarball.
-    #
-    # However, they forgot to push the released makefiles
-    # into their release tarbal.
-    #
-    # For this reason, we have to mirror their release after
-    # doing the configuration ourselves.
-    #
-    # This is needed because many distros do not ship the right
-    # version of autoreconf, making virtually impossible to build Falco on them.
-    # Read more about it here:
-    #   https://github.com/stedolan/jq/issues/2061#issuecomment-593445920
-    ExternalProject_Add(
-            jq
-            URL "https://dl.bintray.com/falcosecurity/dependencies/jq-1.6.tar.gz"
-            URL_HASH "SHA256=787518068c35e244334cc79b8e56b60dbab352dff175b7f04a94f662b540bfd9"
-            CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking --with-oniguruma=builtin --prefix=${JQ_INSTALL_DIR}
-            BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
-            BUILD_IN_SOURCE 1
-            INSTALL_COMMAND ${CMD_MAKE} install)
-endif ()
+if(NOT USE_BUNDLED_DEPS)
+  find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
+  find_library(JQ_LIB NAMES jq)
+  if(JQ_INCLUDE AND JQ_LIB)
+    message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
+  else()
+    message(FATAL_ERROR "Couldn't find system jq")
+  endif()
+else()
+  set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
+  message(STATUS "Using bundled jq in '${JQ_SRC}'")
+  set(JQ_INCLUDE "${JQ_SRC}")
+  set(JQ_LIB "${JQ_SRC}/.libs/libjq.a")
+  ExternalProject_Add(
+    jq
+    URL "https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz"
+    URL_HASH "SHA256=c4d2bfec6436341113419debf479d833692cc5cdab7eb0326b5a4d4fbe9f493c"
+    CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
+    BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
+    BUILD_IN_SOURCE 1
+    PATCH_COMMAND curl -L https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.patch | patch
+    INSTALL_COMMAND "")
+endif()

cmake/modules/libyaml.cmake

@@ -10,17 +10,23 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 #
-
-set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml")
-set(LIBYAML_INSTALL_DIR "${LIBYAML_SRC}/target")
-message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
-set(LIBYAML_LIB "${LIBYAML_SRC}/src/.libs/libyaml.a")
-ExternalProject_Add(
-libyaml
-URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
-URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
-CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
-BUILD_COMMAND ${CMD_MAKE} 
-BUILD_IN_SOURCE 1
-INSTALL_COMMAND ${CMD_MAKE} install)
-
+if(NOT USE_BUNDLED_DEPS)
+    find_library(LIBYAML_LIB NAMES libyaml.so)
+    if(LIBYAML_LIB)
+    message(STATUS "Found libyaml: lib: ${LIBYAML_LIB}")
+    else()
+    message(FATAL_ERROR "Couldn't find system libyaml")
+    endif()
+else()
+    set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml")
+    message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
+    set(LIBYAML_LIB "${LIBYAML_SRC}/src/.libs/libyaml.a")
+    ExternalProject_Add(
+    libyaml
+    URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
+    URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
+    CONFIGURE_COMMAND ./configure --enable-static=true --enable-shared=false
+    BUILD_COMMAND ${CMD_MAKE} 
+    BUILD_IN_SOURCE 1
+    INSTALL_COMMAND "")
+endif()

cmake/modules/sysdig.cmake

@@ -17,26 +17,23 @@ set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")
 # this needs to be here at the top
 if(USE_BUNDLED_DEPS)
   # explicitly force this dependency to use the bundled OpenSSL
-  if(NOT MINIMAL_BUILD)
-    set(USE_BUNDLED_OPENSSL ON)
-  endif()
-  set(USE_BUNDLED_JQ ON)
+  set(USE_BUNDLED_OPENSSL ON)
 endif()
 
 file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 
-# The sysdig git reference (branch name, commit hash, or tag) To update sysdig version for the next release, change the
-# default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
-# -DSYSDIG_VERSION=dev ..`
+# The sysdig git reference (branch name, commit hash, or tag)
+# To update sysdig version for the next release, change the default below
+# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "73554b9c48b06612eb50494ee6fa5b779c57edc0") # todo(leogr): set the correct version and checksum before merging
-  set(SYSDIG_CHECKSUM "SHA256=c1c73498a834533dea61c979786a4ac3866743c17829d81aef209ddaa1b31538")
+  set(SYSDIG_VERSION "85c88952b018fdbce2464222c3303229f5bfcfad")
+  set(SYSDIG_CHECKSUM "SHA256=6c3f5f2d699c9540e281f50cbc5cb6b580f0fc689798bc65d4a77f57f932a71c")
 endif()
 set(PROBE_VERSION "${SYSDIG_VERSION}")
 
 # cd /path/to/build && cmake /path/to/source
-execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM}
-                        ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
+execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM} ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
+
 
 # todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
 
@@ -57,9 +54,6 @@ add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
 # Add libscap directory
 add_definitions(-D_GNU_SOURCE)
 add_definitions(-DHAS_CAPTURE)
-if(MUSL_OPTIMIZED_BUILD)
-  add_definitions(-DMUSL_OPTIMIZED)
-endif()
 add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")
 
 # Add libsinsp directory
@@ -70,8 +64,5 @@ add_dependencies(sinsp tbb b64 luajit)
 set(CREATE_TEST_TARGETS OFF)
 
 if(USE_BUNDLED_DEPS)
-  add_dependencies(scap jq)
-  if(NOT MINIMAL_BUILD)
-    add_dependencies(scap curl grpc)
-  endif()
+  add_dependencies(scap grpc curl jq)
 endif()

docker/builder/root/usr/bin/entrypoint

@@ -34,7 +34,6 @@ case "$CMD" in
     -DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
     -DCMAKE_INSTALL_PREFIX=/usr \
     -DBUILD_DRIVER="$BUILD_DRIVER" \
-    -DMINIMAL_BUILD="$MINIMAL_BUILD" \
     -DBUILD_BPF="$BUILD_BPF" \
     -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
     -DFALCO_VERSION="$FALCO_VERSION" \

docker/no-driver/Dockerfile

@@ -12,16 +12,47 @@ WORKDIR /
 
 ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
 
-RUN tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
+RUN apt-get update -y && \
+    apt-get install -y binutils && \
+    tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
     rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
     mv falco-${FALCO_VERSION}-x86_64 falco && \
-    rm -rf falco/usr/src/falco-* falco/usr/bin/falco-driver-loader
+    strip falco/usr/bin/falco && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
 
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
     && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
 
 FROM scratch
 
+COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
+    /lib/x86_64-linux-gnu/libc.so.6 \
+    /lib/x86_64-linux-gnu/libdl.so.2 \
+    /lib/x86_64-linux-gnu/libgcc_s.so.1 \
+    /lib/x86_64-linux-gnu/libm.so.6 \
+    /lib/x86_64-linux-gnu/libnsl.so.1 \
+    /lib/x86_64-linux-gnu/libnss_compat.so.2 \
+    /lib/x86_64-linux-gnu/libnss_files.so.2 \
+    /lib/x86_64-linux-gnu/libnss_nis.so.2 \
+    /lib/x86_64-linux-gnu/libpthread.so.0 \
+    /lib/x86_64-linux-gnu/librt.so.1 \
+    /lib/x86_64-linux-gnu/libz.so.1 \
+    /lib/x86_64-linux-gnu/
+
+COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
+    /usr/lib/x86_64-linux-gnu/libstdc++.so.6
+
+COPY --from=ubuntu /etc/ld.so.cache \
+    /etc/nsswitch.conf \
+    /etc/ld.so.cache \
+    /etc/passwd \
+    /etc/group \
+    /etc/
+
+COPY --from=ubuntu /etc/default/nss /etc/default/nss
+COPY --from=ubuntu /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
+
 COPY --from=ubuntu /falco /
 
 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/tester/root/usr/bin/entrypoint

@@ -1,11 +1,9 @@
 #!/usr/bin/env bash
 
-set -u -o pipefail
-
-BUILD_DIR=${BUILD_DIR:-/build}
-SOURCE_DIR=${SOURCE_DIR:-/source}
-SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
+set -eu -o pipefail
 
+SOURCE_DIR=/source
+BUILD_DIR=/build
 CMD=${1:-test}
 shift
 
@@ -58,11 +56,9 @@ case "$CMD" in
     fi
 
     # build docker images
-    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
-        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
-        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
-        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
-    fi
+    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
+    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
+    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
 
     # check that source directory contains Falco
     if [ ! -d "$SOURCE_DIR/falco/test" ]; then
@@ -73,14 +69,12 @@ case "$CMD" in
     # run tests
     echo "Running regression tests ..."
     cd "$SOURCE_DIR/falco/test"
-    SKIP_PACKAGES_TESTS=$SKIP_PACKAGES_TESTS ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"
+    ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"
 
     # clean docker images
-    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
-        clean_image "deb"
-        clean_image "rpm"
-        clean_image "tar.gz"
-    fi
+    clean_image "deb"
+    clean_image "rpm"
+    clean_image "tar.gz"
     ;;
 "bash")
     CMD=/bin/bash

proposals/20200506-artifacts-scope-part-1.md

@@ -4,7 +4,7 @@ The **Falco Artifact Scope** proposal is divided in two parts:
 1. the Part 1 - *this document*: the State of Art of Falco artifacts
 2. the [Part 2](./20200506-artifacts-scope-part-2.md): the intended state moving forward
 
-## Summary
+## Summary 
 
 As a project we would like to support the following artifacts.
 
@@ -16,7 +16,7 @@ Inspired by many previous issues and many of the weekly community calls.
 
 ## Terms
 
-**falco**
+**falco** 
 
 *The Falco binary*
 
@@ -30,12 +30,12 @@ Inspired by many previous issues and many of the weekly community calls.
 
 **package**
 
-*An installable artifact that is operating system specific. All packages MUST be hosted on [bintray](https://bintray.com/falcosecurity).*
+*An installable artifact that is operating system specific. All packages MUST be hosted on bintray.*
 
 **image**
 
 *OCI compliant container image hosted on dockerhub with tags for every release and the current master branch.*
-
+ 
 
 # Packages
 
@@ -52,11 +52,11 @@ List of currently official container images (for X86 64bits only):
 
 | Name | Directory | Description |
 |---|---|---|
-| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. |
-| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-slim](https://hub.docker.com/repository/docker/falcosecurity/falco),[falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. |
-| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
-| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). |
-| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
+| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-slim](https://hub.docker.com/repository/docker/falcosecurity/falco),[falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. | 
+| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. | 
+| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
+| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
 | _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |
 
 **Note**: `falco-builder`, `falco-tester` (and the `docker/local` image which it's built on the fly by the `falco-tester` one) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
@@ -76,7 +76,7 @@ This new [contrib](https://github.com/falcosecurity/contrib) repository will be
 
 ### repository
 
-"_Incubating level_" projects such as [falco-exporter](https://github.com/falco-exporter) can be promoted from `contrib` to their own repository.
+"_Incubating level_" projects such as [falco-exporter](https://github.com/falco-exporter) can be promoted from `contrib` to their own repository. 
 
 This is done as needed, and can best be measured by the need to cut a release and use the GitHub release features. Again, this is at the discretion of the Falco open source community.
 
@@ -92,7 +92,7 @@ The *Part 1* is mainly intended as a cleanup process.
 For each item not listed above, ask if it needs to be moved or deleted.
 After the cleanup process, all items will match the *Part 1* of this proposal.
 
-
+    
 ### Action Items
 
 Here are SOME of the items that would need to be done, for example:

proposals/20200818-artifacts-storage.md

@@ -1,83 +0,0 @@
-# Falco Artifacts Storage
-
-This document reflects the way we store the Falco artifacts.
-
-## Terms & Definitions
-
-- [Falco artifacts](./20200506-artifacts-scope-part-1.md)
-- Bintray: artifacts distribution platform
-
-## Packages
-
-The Falco packages are **automatically** built and sent to [bintray](https://bintray.com/falcosecurity) in the following cases:
-
-- a pull request gets merged into the master branch (**Falco development releases**)
-- a new Falco release (git tag) happens on the master branch (**Falco stable releases**)
-
-The only prerequisite is that the specific Falco source code builds successfully and that the tests pass.
-
-As per [Falco Artifacts Scope (#1)](./20200506-artifacts-scope-part-1.md) proposal we provide three kind of Falco packages:
-
-- DEB
-- RPM
-- Tarball
-
-Thus, we have three repositories for the Falco stable releases:
-
-- https://bintray.com/falcosecurity/deb
-- https://bintray.com/falcosecurity/rpm
-- https://bintray.com/falcosecurity/bin
-
-And three repositories for the Falco development releases:
-
-- https://bintray.com/falcosecurity/deb-dev
-- https://bintray.com/falcosecurity/rpm-dev
-- https://bintray.com/falcosecurity/bin-dev
-
-## Drivers
-
-The process of publishing a set of prebuilt Falco drivers is implemented by the **Drivers Build Grid (DBG)** in the [test-infra](https://github.com/falcosecurity/test-infra/tree/master/driverkit) repository (`driverkit` directory).
-
-This process is driven by the configuration files (YAML) present in the `driverkit/config` directory in the [test-infra](https://github.com/falcosecurity/test-infra/tree/master/driverkit) repository.
-
-Each of these files represents a prebuilt driver (eventually two: kernel module and eBPF probe, when possible) that will be published on [bintray](https://bintray.com/falcosecurity) if it builds correctly.
-
-Every time the `driverkit/config` directory on the master branch has some changes from the previous commit the CI system, which you can find defined in the [.circleci/config.yml](https://github.com/falcosecurity/test-infra/blob/master/.circleci/config.yml) file, takes care of building and publishing all the drivers.
-
-The driver versions we ship prebuilt drivers for are:
-
-- the driver version associated with the last Falco stable version ([see here](https://github.com/falcosecurity/falco/blob/c4b7f17271d1a4ca533b2e672ecaaea5289ccdc5/cmake/modules/sysdig.cmake#L29))
-- the driver version associated with the penultimate Falco stable version
-
-The prebuilt drivers get published into [this](https://bintray.com/falcosecurity/driver) generic artifacts repository.
-
-You can also visualize the full list of prebuilt drivers by driver version visiting this [URL](https://dl.bintray.com/falcosecurity/driver).
-
-### Notice
-
-The generation of new prebuilt drivers takes usually place with a frequency of 1-2 weeks, on a **best-effort** basis.
-
-Thus, it can happen the list of available prebuilt drivers does not yet contain the driver version currently on Falco master.
-
-Nevertheless, this process is an open, auditable, and transparent one.
-
-So, by sending a pull-request towards [test-infra](https://github.com/falcosecurity/test-infra) repository containing the configuration YAML files you can help the Falco community stay on track.
-
-Some pull-requests you can look at to create your own are:
-
-- https://github.com/falcosecurity/test-infra/pull/165
-- https://github.com/falcosecurity/test-infra/pull/163
-- https://github.com/falcosecurity/test-infra/pull/162
-
-While, the documentation of the YAML configuration files can be found [here](https://github.com/falcosecurity/driverkit/blob/master/README.md).
-
-## Container images
-
-As per Falco packages, also the Falco official container images are **automatically** published to the [dockerhub](https://hub.docker.com/r/falcosecurity/falco).
-
-These images are built and published in two cases:
-
-- a pull request gets merged into the master branch (**Falco development releases**)
-- a new Falco release (git tag) happens (**Falco stable releases**)
-
-For a detailed explanation of the container images we build and ship look at the following [documentation](https://github.com/falcosecurity/falco/blob/master/docker/README.md).

proposals/20200901-artifacts-cleanup.md

@@ -1,102 +0,0 @@
-# Falco Artifacts Cleanup
-
-This document reflects when and how we clean up the Falco artifacts from their storage location.
-
-## Motivation
-
-The [bintray](https://bintray.com/falcosecurity) open-source plan offers 10GB free space for storing artifacts.
-
-They also kindly granted us an additional 5GB of free space.
-
-## Goal
-
-Keep the storage space usage under 15GB by cleaning up the [Falco artifacts](./20200506-artifacts-scope-part-1.md) from the [storage](./20200818-artifacts-storage).
-
-## Status
-
-To be implemented.
-
-## Packages
-
-### Tarballs from Falco master
-
-At the moment of writing this document, this kind of Falco package requires approx. 50MB (maximum detected size) of storage space.
-
-Since, historically, the [bin-dev](https://bintray.com/falcosecurity/bin-dev) repository is the less used one, this document proposes to keep only the last 10 **Falco development releases** it contains.
-
-This means that the [bin-dev](https://bintray.com/falcosecurity/bin-dev) repository will take at maximum 500MB of storage space.
-
-### DEB from Falco master
-
-At the moment of writing this document, this kind of Falco package requires approx. 5.1MB (maximum detected size) of storage space.
-
-Historically, every Falco release is composed by less than 50 merges (upper limit).
-
-So, to theoretically retain all the **Falco development releases** that led to a Falco stable release, this document proposes to keep the last 50 Falco DEB packages.
-
-This means that the [deb-dev](https://bintray.com/falcosecurity/deb-dev) repository will take at maximum 255MB of storage space.
-
-### RPM from Falco master
-
-At the moment of writing this document, this kind of Falco package requires approx. 4.3MB (maximum detected size) of storage space.
-
-For the same exact reasons explained above this document proposes to keep the last 50 Falco RPM packages.
-
-This means that the [rpm-dev](https://bintray.com/falcosecurity/rpm-dev) repository will take at maximum 215MB of storage space.
-
-### Stable releases
-
-This document proposes to retain all the stable releases.
-
-This means that all the Falco packages present in the Falco stable release repositories will be kept.
-
-The [bin](https://bintray.com/falcosecurity/bin) repository contains a Falco tarball package for every release.
-This means it grows in space of ~50MB each month.
-
-The [deb](https://bintray.com/falcosecurity/deb) repository contains a Falco DEB package for every release.
-This means it grows in space of ~5MB each month.
-
-The [rpm](https://bintray.com/falcosecurity/rpm) repository contains a Falco RPM package for every release.
-This means it grows in space of ~4.3MB each month.
-
-### Considerations
-
-Assuming the size of the packages does not surpass the numbers listed in the above sections, the **Falco development releases** will always take less that 1GB of artifacts storage space.
-
-Assuming 12 stable releases at year, at the current size of packages, the **Falco stable releases** will take approx. 720MB of storage space every year.
-
-### Implementation
-
-The Falco CI will have a new CI job - called `cleanup/packages-dev` - responsible for removing the **Falco development releases** depending on the above plan.
-
-This job will be triggered after the `publish/packages-dev` completed successfully.
-
-## Drivers
-
-As explained in the [Artifacts Storage](./20200818-artifacts-storage) proposal, we build the drivers for the **last two driver versions** associated with **latest Falco stable releases**.
-Then, we store those drivers into a [generic bintray repository](https://bintray.com/falcosecurity/driver) from which the installation process automatically downloads them, if suitable.
-
-This document proposes to implement a cleanup mechanism that deletes all the other driver versions available.
-
-At the moment of writing, considering only the last two driver versions (**ae104eb**, **85c8895**) associated with the latest Falco stable releases, we ship ~340 eBPF drivers, each accounting for ~3.1MB of storage space, and 1512 kernel modules (~3.1MB size each, too).
-
-Thus, we obtain an estimate of approx. 2.875GB for **each** driver version.
-
-This document proposes to only store the last two driver versions associates with the latest Falco stable releases. And deleting the other ones.
-
-This way, assuming the number of prebuilt drivers does not skyrocket, we can reasonably estimate the storage space used by prebuilt drivers to be around 6GB.
-
-Notice that, in case a Falco stable release will not depend on a new driver version, this means the last two driver versions will, in this case, cover more than the two Falco stable releases.
-
-### Archivation
-
-Since the process of building drivers is time and resource consuming, this document also proposes to move the driver versions in other storage facilities.
-
-The candidate is an AWS S3 bucket responsible for holding the deleted driver version files.
-
-### Implementation
-
-The [test-infra](https://github.com/falcosecurity/test-infra) CI, specifically its part dedicated to run the **Drivers Build Grid** that runs every time it detects changes into the `driverkit` directory of the [test-infra](https://github.com/falcosecurity/test-infra) repository,
-will have a new job - called `drivers/cleanup` - responsible for removing all the Falco driver versions except the last two.
-
-This job will be triggered after the `drivers/publish` completed successfully on the master branch.

rules/CMakeLists.txt

@@ -37,7 +37,8 @@ if(DEFINED FALCO_COMPONENT)
     COMPONENT "${FALCO_COMPONENT}"
     DESTINATION "${FALCO_ETC_DIR}"
     RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
-# Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects.
+
+  # Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects.
 else()
   install(
     FILES falco_rules.yaml
@@ -56,8 +57,8 @@ else()
 
   install(
     FILES application_rules.yaml
-    DESTINATION "${FALCO_ETC_DIR}/rules.available"
+    DESTINATION "/etc/falco/rules.available"
     RENAME "${FALCO_APP_RULES_DEST_FILENAME}")
 
-  install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d")
+  install(DIRECTORY DESTINATION "/etc/falco/rules.d")
 endif()

rules/k8s_audit_rules.yaml

@@ -44,12 +44,18 @@
   items: ["vpa-recommender", "vpa-updater"]
 
 - list: allowed_k8s_users
-  items: [
-    "minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck",
-    "kubernetes-admin",
-    vertical_pod_autoscaler_users,
-    cluster-autoscaler,
-    system:addon-manager
+  items:
+    [
+      "minikube",
+      "minikube-user",
+      "kubelet",
+      "kops",
+      "admin",
+      "kube",
+      "kube-proxy",
+      "kube-apiserver-healthcheck",
+      "kubernetes-admin",
+      vertical_pod_autoscaler_users,
     ]
 
 - rule: Disallowed K8s User
@@ -117,6 +123,7 @@
 - macro: health_endpoint
   condition: ka.uri=/healthz
 
+# requires FALCO_ENGINE_VERSION 5
 - rule: Create Disallowed Pod
   desc: >
     Detect an attempt to start a pod with a container image outside of a list of allowed images.
@@ -126,6 +133,7 @@
   source: k8s_audit
   tags: [k8s]
 
+# requires FALCO_ENGINE_VERSION 5
 - rule: Create Privileged Pod
   desc: >
     Detect an attempt to start a pod with a privileged container
@@ -138,7 +146,8 @@
 - macro: sensitive_vol_mount
   condition: >
     (ka.req.pod.volumes.hostpath intersects (/proc, /var/run/docker.sock, /, /etc, /root, /var/run/crio/crio.sock, /home/admin, /var/lib/kubelet, /var/lib/kubelet/pki, /etc/kubernetes, /etc/kubernetes/manifests))
-
+    
+# requires FALCO_ENGINE_VERSION 5
 - rule: Create Sensitive Mount Pod
   desc: >
     Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
@@ -150,6 +159,7 @@
   tags: [k8s]
 
 # Corresponds to K8s CIS Benchmark 1.7.4
+# requires FALCO_ENGINE_VERSION 5
 - rule: Create HostNetwork Pod
   desc: Detect an attempt to start a pod using the host network.
   condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
@@ -181,7 +191,7 @@
 
 - rule: Create/Modify Configmap With Private Credentials
   desc: >
-     Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
+    Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
   condition: kevt and configmap and kmodify and contains_private_credentials
   output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
   priority: WARNING
@@ -219,19 +229,6 @@
   source: k8s_audit
   tags: [k8s]
 
-- macro: user_known_pod_debug_activities
-  condition: (k8s_audit_never_true)
-
-# Only works when feature gate EphemeralContainers is enabled
-- rule: EphemeralContainers Created
-  desc: >
-    Detect any ephemeral container created
-  condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
-  output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
-  priority: NOTICE
-  source: k8s_audit
-  tags: [k8s]
-
 # In a local/user rules fie, you can append to this list to add additional allowed namespaces
 - list: allowed_namespaces
   items: [kube-system, kube-public, default]
@@ -244,48 +241,17 @@
   source: k8s_audit
   tags: [k8s]
 
-# Only defined for backwards compatibility. Use the more specific
-# user_allowed_kube_namespace_image_list instead.
 - list: user_trusted_image_list
   items: []
 
-- list: user_allowed_kube_namespace_image_list
-  items: [user_trusted_image_list]
-
-# Only defined for backwards compatibility. Use the more specific
-# allowed_kube_namespace_image_list instead.
-- list: k8s_image_list
-  items: []
-
-- list: allowed_kube_namespace_image_list
-  items: [
-    gcr.io/google-containers/prometheus-to-sd,
-    gcr.io/projectcalico-org/node,
-    gke.gcr.io/addon-resizer,
-    gke.gcr.io/heapster,
-    gke.gcr.io/gke-metadata-server,
-    k8s.gcr.io/ip-masq-agent-amd64,
-    k8s.gcr.io/kube-apiserver,
-    gke.gcr.io/kube-proxy,
-    gke.gcr.io/netd-amd64,
-    k8s.gcr.io/addon-resizer
-    k8s.gcr.io/prometheus-to-sd,
-    k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64,
-    k8s.gcr.io/k8s-dns-kube-dns-amd64,
-    k8s.gcr.io/k8s-dns-sidecar-amd64,
-    k8s.gcr.io/metrics-server-amd64,
-    kope/kube-apiserver-healthcheck,
-    k8s_image_list
-    ]
-
-- macro: allowed_kube_namespace_pods
-  condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
-              ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
+- macro: trusted_pod
+  condition: (ka.req.pod.containers.image.repository in (user_trusted_image_list))
 
 # Detect any new pod created in the kube-system namespace
+# requires FALCO_ENGINE_VERSION 5
 - rule: Pod Created in Kube Namespace
   desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
-  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods
+  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not trusted_pod
   output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
   priority: WARNING
   source: k8s_audit
@@ -311,8 +277,7 @@
 # normal operation.
 - rule: System ClusterRole Modified/Deleted
   desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
-  condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
-             not ka.target.name in (system:coredns, system:managed-certificate-controller)
+  condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and ka.target.name!="system:coredns"
   output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
   priority: WARNING
   source: k8s_audit
@@ -328,6 +293,7 @@
   source: k8s_audit
   tags: [k8s]
 
+# requires FALCO_ENGINE_VERSION 5
 - rule: ClusterRole With Wildcard Created
   desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
   condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
@@ -340,6 +306,7 @@
   condition: >
     (ka.req.role.rules.verbs intersects (create, update, patch, delete, deletecollection))
 
+# requires FALCO_ENGINE_VERSION 5
 - rule: ClusterRole With Write Privileges Created
   desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
   condition: kevt and (role or clusterrole) and kcreate and writable_verbs
@@ -348,6 +315,7 @@
   source: k8s_audit
   tags: [k8s]
 
+# requires FALCO_ENGINE_VERSION 5
 - rule: ClusterRole With Pod Exec Created
   desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
   condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
@@ -511,20 +479,26 @@
   source: k8s_audit
   tags: [k8s]
 
-
 # This macro disables following rule, change to k8s_audit_never_true to enable it
 - macro: allowed_full_admin_users
   condition: (k8s_audit_always_true)
 
 # This list includes some of the default user names for an administrator in several K8s installations
 - list: full_admin_k8s_users
-  items: ["admin", "kubernetes-admin",  "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]
+  items:
+    [
+      "admin",
+      "kubernetes-admin",
+      "kubernetes-admin@kubernetes",
+      "kubernetes-admin@cluster.local",
+      "minikube-user",
+    ]
 
-# This rules detect an operation triggered by an user name that is 
-# included in the list of those that are default administrators upon 
-# cluster creation. This may signify a permission setting too broader. 
-# As we can't check for role of the user on a general ka.* event, this 
-# may or may not be an administrator. Customize the full_admin_k8s_users 
+# This rules detect an operation triggered by an user name that is
+# included in the list of those that are default administrators upon
+# cluster creation. This may signify a permission setting too broader.
+# As we can't check for role of the user on a general ka.* event, this
+# may or may not be an administrator. Customize the full_admin_k8s_users
 # list to your needs, and activate at your discrection.
 
 # # How to test:
@@ -574,7 +548,7 @@
   output: >
     K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
     namespace=%ka.target.namespace)
-  source: k8s_audit    
+  source: k8s_audit
   priority: WARNING
   tags: [k8s, network]
 
@@ -620,4 +594,3 @@
   priority: WARNING
   source: k8s_audit
   tags: [k8s]
-

scripts/cleanup

@@ -1,61 +0,0 @@
-#!/usr/bin/env bash
-
-usage() {
-    echo "usage: $0 -p 0987654321 -r <deb-dev|rpm-dev|bin-dev>"
-    exit 1
-}
-
-user=poiana
-
-# Get the versions to delete.
-#
-# $1: repository to lookup
-# $2: number of versions to skip.
-get_versions() {
-    # The API endpoint returns the Falco package versions sort by most recent.
-    IFS=$'\n' read -r -d '' -a all < <(curl -s --header "Content-Type: application/json" "https://api.bintray.com/packages/falcosecurity/$1/falco" | jq -r '.versions | .[]' | tail -n "+$2")
-}
-
-# Remove all the versions (${all[@]} array).
-#
-# $1: repository containing the versions.
-rem_versions() {
-    for i in "${!all[@]}";
-    do
-        JFROG_CLI_LOG_LEVEL=DEBUG jfrog bt vd --quiet --user "${user}" --key "${pass}" "falcosecurity/$1/falco/${all[$i]}"
-    done
-}
-
-while getopts ":p::r:" opt; do
-    case "${opt}" in
-        p )
-          pass=${OPTARG}
-          ;;
-        r )
-          repo="${OPTARG}"
-          [[ "${repo}" == "deb-dev" || "${repo}" == "rpm-dev" || "${repo}" == "bin-dev" ]] || usage
-          ;;
-        : )
-          echo "invalid option: ${OPTARG} requires an argument" 1>&2
-          exit 1
-          ;;
-        \?)
-          echo "invalid option: ${OPTARG}" 1>&2
-          exit 1
-          ;;
-    esac
-done
-shift $((OPTIND-1))
-
-if [ -z "${pass}" ] || [ -z "${repo}" ]; then
-    usage
-fi
-
-skip=51
-if [[ "${repo}" == "bin-dev" ]]; then
-    skip=11
-fi
-
-get_versions "${repo}" ${skip}
-echo "number of versions to delete: ${#all[@]}"
-rem_versions "${repo}"

scripts/falco-driver-loader

@@ -143,41 +143,33 @@ load_kernel_module_compile() {
 	# skip dkms on UEK hosts because it will always fail
 	if [[ $(uname -r) == *uek* ]]; then
 		echo "* Skipping dkms install for UEK host"
-		return
-	fi
-
-	if ! hash dkms &>/dev/null; then
-		echo "* Skipping dkms install (dkms not found)"
-		return
-	fi
-
-	# try to compile using all the available gcc versions
-	for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -r); do
-		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
-		echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make
-		echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
-		chmod +x /tmp/falco-dkms-make
-		if dkms install --directive="MAKE='/tmp/falco-dkms-make'" -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
-			echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"				
-			if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
-				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
-				exit 0
-			elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
-				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms (xz)"
-				exit 0
+	else
+		if hash dkms &>/dev/null; then
+				echo "* Trying to dkms install ${DRIVER_NAME} module"
+			if dkms install -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
+				echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"				
+				if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
+					echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
+					exit 0
+				elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
+					echo "* Success: ${DRIVER_NAME} module found and loaded in dkms (xz)"
+					exit 0
+				else
+					echo "* Unable to insmod ${DRIVER_NAME} module"
+				fi
 			else
-				echo "* Unable to insmod ${DRIVER_NAME} module"
+				DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
+				if [ -f "${DKMS_LOG}" ]; then
+					echo "* Running dkms build failed, dumping ${DKMS_LOG}"
+					cat "${DKMS_LOG}"
+				else
+					echo "* Running dkms build failed, couldn't find ${DKMS_LOG}"
+				fi
 			fi
 		else
-			DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
-			if [ -f "${DKMS_LOG}" ]; then
-				echo "* Running dkms build failed, dumping ${DKMS_LOG} (with GCC ${CURRENT_GCC})"
-				cat "${DKMS_LOG}"
-			else
-				echo "* Running dkms build failed, couldn't find ${DKMS_LOG} (with GCC ${CURRENT_GCC})"
-			fi
+			echo "* Skipping dkms install (dkms not found)"
 		fi
-	done
+	fi
 }
 
 load_kernel_module_download() {

test/rules/detect_connect_using_in.yaml

@@ -18,5 +18,5 @@
   desc: Detect any connect to the localhost network, using fd.net and the in operator
   condition: evt.type=connect and fd.net in ("127.0.0.1/24")
   output: Program connected to localhost network
-    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name)
+    (user=%user.name command=%proc.cmdline connection=%fd.name)
   priority: INFO

test/rules/k8s_audit/allow_nginx_container.yaml

@@ -1,3 +1,2 @@
 - macro: allowed_k8s_containers
   condition: (ka.req.pod.containers.image.repository in (nginx))
-

test/run_regression_tests.sh

@@ -19,13 +19,6 @@ set -euo pipefail
 
 SCRIPT=$(readlink -f $0)
 SCRIPTDIR=$(dirname "$SCRIPT")
-SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
-
-# Trace file tarballs are now versioned. Any time a substantial change
-# is made that affects the interaction of rules+engine and the trace
-# files here, upload a new trace file zip file and change the version
-# suffix here.
-TRACE_FILES_VERSION=20200831
 
 function download_trace_files() {
     for TRACE in traces-positive traces-negative traces-info ; do
@@ -33,7 +26,7 @@ function download_trace_files() {
         if [ "$OPT_BRANCH" != "none" ]; then
         curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$OPT_BRANCH.zip
         else
-        curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$TRACE_FILES_VERSION.zip
+        curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE.zip
         fi
         unzip -d "$TRACE_DIR" "$TRACE_DIR/$TRACE.zip"
         rm -rf "$TRACE_DIR/$TRACE.zip"
@@ -98,13 +91,7 @@ function run_tests() {
     # as we're watching the return status when running avocado.
     set +e
     TEST_RC=0
-    suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml)
-
-    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
-        suites+=($SCRIPTDIR/falco_tests_package.yaml)
-    fi
-    
-    for mult in "${suites[@]}"; do
+    for mult in $SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_tests_package.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml; do
         CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
         echo "Running $CMD"
         BUILD_DIR=${OPT_BUILD_DIR} $CMD

tests/CMakeLists.txt

@@ -14,11 +14,7 @@
 # License for the specific language governing permissions and limitations under
 # the License.
 #
-if(MINIMAL_BUILD)
-  set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp)
-else()
-  set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp falco/test_webserver.cpp)
-endif()
+set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp falco/test_webserver.cpp)
 
 set(FALCO_TESTED_LIBRARIES falco_engine)
 
@@ -39,25 +35,14 @@ if(FALCO_BUILD_TESTS)
   add_executable(falco_test ${FALCO_TESTS_SOURCES})
 
   target_link_libraries(falco_test PUBLIC ${FALCO_TESTED_LIBRARIES})
-
-  if(MINIMAL_BUILD)
-    target_include_directories(
-      falco_test
-      PUBLIC "${CATCH2_INCLUDE}"
-            "${FAKEIT_INCLUDE}"
-            "${PROJECT_SOURCE_DIR}/userspace/engine"
-            "${YAMLCPP_INCLUDE_DIR}"
-            "${PROJECT_SOURCE_DIR}/userspace/falco")
-  else()
-    target_include_directories(
-      falco_test
-      PUBLIC "${CATCH2_INCLUDE}"
-            "${FAKEIT_INCLUDE}"
-            "${PROJECT_SOURCE_DIR}/userspace/engine"
-            "${YAMLCPP_INCLUDE_DIR}"
-            "${CIVETWEB_INCLUDE_DIR}"
-            "${PROJECT_SOURCE_DIR}/userspace/falco")
-  endif()
+  target_include_directories(
+    falco_test
+    PUBLIC "${CATCH2_INCLUDE}"
+           "${FAKEIT_INCLUDE}"
+           "${PROJECT_SOURCE_DIR}/userspace/engine"
+           "${YAMLCPP_INCLUDE_DIR}"
+           "${CIVETWEB_INCLUDE_DIR}"
+           "${PROJECT_SOURCE_DIR}/userspace/falco")
   add_dependencies(falco_test catch2)
 
   include(CMakeParseArguments)

userspace/engine/CMakeLists.txt

@@ -27,32 +27,18 @@ if(USE_BUNDLED_DEPS)
   add_dependencies(falco_engine libyaml)
 endif()
 
-if(MINIMAL_BUILD)
-  target_include_directories(
-    falco_engine
-    PUBLIC
-      "${LUAJIT_INCLUDE}"
-      "${NJSON_INCLUDE}"
-      "${TBB_INCLUDE_DIR}"
-      "${STRING_VIEW_LITE_INCLUDE}"
-      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
-      "${SYSDIG_SOURCE_DIR}/userspace/libscap"
-      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
-      "${PROJECT_BINARY_DIR}/userspace/engine")
-else()
-  target_include_directories(
-    falco_engine
-    PUBLIC
-      "${LUAJIT_INCLUDE}"
-      "${NJSON_INCLUDE}"
-      "${CURL_INCLUDE_DIR}"
-      "${TBB_INCLUDE_DIR}"
-      "${STRING_VIEW_LITE_INCLUDE}"
-      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
-      "${SYSDIG_SOURCE_DIR}/userspace/libscap"
-      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
-      "${PROJECT_BINARY_DIR}/userspace/engine")
-endif()
+target_include_directories(
+  falco_engine
+  PUBLIC
+    "${LUAJIT_INCLUDE}"
+    "${NJSON_INCLUDE}"
+    "${CURL_INCLUDE_DIR}"
+    "${TBB_INCLUDE_DIR}"
+    "${STRING_VIEW_LITE_INCLUDE}"
+    "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
+    "${SYSDIG_SOURCE_DIR}/userspace/libscap"
+    "${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
+    "${PROJECT_BINARY_DIR}/userspace/engine")
 
 target_link_libraries(falco_engine "${FALCO_SINSP_LIBRARY}" "${LPEG_LIB}" "${LYAML_LIB}" "${LIBYAML_LIB}")
 

userspace/engine/falco_engine_version.h

@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2020 The Falco Authors.
+Copyright (C) 2019 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,7 +16,7 @@ limitations under the License.
 
 // The version of rules/filter fields/etc supported by this falco
 // engine.
-#define FALCO_ENGINE_VERSION (7)
+#define FALCO_ENGINE_VERSION (6)
 
 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of falco. It's used

userspace/engine/lua/compiler.lua

@@ -1,4 +1,4 @@
--- Copyright (C) 2019 The Falco Authors.
+-- Copyright (C) 2020 The Falco Authors.
 --
 -- Licensed under the Apache License, Version 2.0 (the "License");
 -- you may not use this file except in compliance with the License.
@@ -11,25 +11,24 @@
 -- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 -- See the License for the specific language governing permissions and
 -- limitations under the License.
-
 local parser = require("parser")
 local compiler = {}
 
 compiler.trim = parser.trim
 
 function map(f, arr)
-   local res = {}
-   for i,v in ipairs(arr) do
-      res[i] = f(v)
-   end
-   return res
+    local res = {}
+    for i, v in ipairs(arr) do
+        res[i] = f(v)
+    end
+    return res
 end
 
 function foldr(f, acc, arr)
-   for i,v in pairs(arr) do
-      acc = f(acc, v)
-   end
-   return acc
+    for i, v in pairs(arr) do
+        acc = f(acc, v)
+    end
+    return acc
 end
 
 --[[
@@ -47,181 +46,192 @@ end
 --]]
 
 function copy_ast_obj(obj)
-   if type(obj) ~= 'table' then return obj end
-   local res = {}
-   for k, v in pairs(obj) do res[copy_ast_obj(k)] = copy_ast_obj(v) end
-   return res
+    if type(obj) ~= 'table' then
+        return obj
+    end
+    local res = {}
+    for k, v in pairs(obj) do
+        res[copy_ast_obj(k)] = copy_ast_obj(v)
+    end
+    return res
 end
 
 function expand_macros(ast, defs, changed)
 
-   if (ast.type == "Rule") then
-      return expand_macros(ast.filter, defs, changed)
-   elseif ast.type == "Filter" then
-      if (ast.value.type == "Macro") then
-         if (defs[ast.value.value] == nil) then
-	    return false, "Undefined macro '".. ast.value.value .. "' used in filter."
-         end
-	 defs[ast.value.value].used = true
-         ast.value = copy_ast_obj(defs[ast.value.value].ast)
-         changed = true
-	 return true, changed
-      end
-      return expand_macros(ast.value, defs, changed)
+    if (ast.type == "Rule") then
+        return expand_macros(ast.filter, defs, changed)
+    elseif ast.type == "Filter" then
+        if (ast.value.type == "Macro") then
+            if (defs[ast.value.value] == nil) then
+                return false, "Undefined macro '" .. ast.value.value .. "' used in filter."
+            end
+            defs[ast.value.value].used = true
+            ast.value = copy_ast_obj(defs[ast.value.value].ast)
+            changed = true
+            return true, changed
+        end
+        return expand_macros(ast.value, defs, changed)
 
-   elseif ast.type == "BinaryBoolOp" then
+    elseif ast.type == "BinaryBoolOp" then
 
-      if (ast.left.type == "Macro") then
-         if (defs[ast.left.value] == nil) then
-	    return false, "Undefined macro '".. ast.left.value .. "' used in filter."
-         end
-	 defs[ast.left.value].used = true
-         ast.left = copy_ast_obj(defs[ast.left.value].ast)
-         changed = true
-      end
+        if (ast.left.type == "Macro") then
+            if (defs[ast.left.value] == nil) then
+                return false, "Undefined macro '" .. ast.left.value .. "' used in filter."
+            end
+            defs[ast.left.value].used = true
+            ast.left = copy_ast_obj(defs[ast.left.value].ast)
+            changed = true
+        end
 
-      if (ast.right.type == "Macro") then
-         if (defs[ast.right.value] == nil) then
-	    return false, "Undefined macro ".. ast.right.value .. " used in filter."
-         end
-	 defs[ast.right.value].used = true
-         ast.right = copy_ast_obj(defs[ast.right.value].ast)
-         changed = true
-      end
+        if (ast.right.type == "Macro") then
+            if (defs[ast.right.value] == nil) then
+                return false, "Undefined macro " .. ast.right.value .. " used in filter."
+            end
+            defs[ast.right.value].used = true
+            ast.right = copy_ast_obj(defs[ast.right.value].ast)
+            changed = true
+        end
 
-      local status, changed_left = expand_macros(ast.left, defs, false)
-      if status == false then
-	 return false, changed_left
-      end
-      local status, changed_right = expand_macros(ast.right, defs, false)
-      if status == false then
-	 return false, changed_right
-      end
-      return true, changed or changed_left or changed_right
+        local status, changed_left = expand_macros(ast.left, defs, false)
+        if status == false then
+            return false, changed_left
+        end
+        local status, changed_right = expand_macros(ast.right, defs, false)
+        if status == false then
+            return false, changed_right
+        end
+        return true, changed or changed_left or changed_right
 
-   elseif ast.type == "UnaryBoolOp" then
-      if (ast.argument.type == "Macro") then
-         if (defs[ast.argument.value] == nil) then
-	    return false, "Undefined macro ".. ast.argument.value .. " used in filter."
-         end
-	 defs[ast.argument.value].used = true
-         ast.argument = copy_ast_obj(defs[ast.argument.value].ast)
-         changed = true
-      end
-      return expand_macros(ast.argument, defs, changed)
-   end
-   return true, changed
+    elseif ast.type == "UnaryBoolOp" then
+        if (ast.argument.type == "Macro") then
+            if (defs[ast.argument.value] == nil) then
+                return false, "Undefined macro " .. ast.argument.value .. " used in filter."
+            end
+            defs[ast.argument.value].used = true
+            ast.argument = copy_ast_obj(defs[ast.argument.value].ast)
+            changed = true
+        end
+        return expand_macros(ast.argument, defs, changed)
+    end
+    return true, changed
 end
 
 function get_macros(ast, set)
-   if (ast.type == "Macro") then
-      set[ast.value] = true
-      return set
-   end
+    if (ast.type == "Macro") then
+        set[ast.value] = true
+        return set
+    end
 
-   if ast.type == "Filter" then
-      return get_macros(ast.value, set)
-   end
+    if ast.type == "Filter" then
+        return get_macros(ast.value, set)
+    end
 
-   if ast.type == "BinaryBoolOp" then
-      local left = get_macros(ast.left, {})
-      local right = get_macros(ast.right, {})
+    if ast.type == "BinaryBoolOp" then
+        local left = get_macros(ast.left, {})
+        local right = get_macros(ast.right, {})
 
-      for m, _ in pairs(left) do set[m] = true end
-      for m, _ in pairs(right) do set[m] = true end
+        for m, _ in pairs(left) do
+            set[m] = true
+        end
+        for m, _ in pairs(right) do
+            set[m] = true
+        end
 
-      return set
-   end
-   if ast.type == "UnaryBoolOp" then
-      return get_macros(ast.argument, set)
-   end
-   return set
+        return set
+    end
+    if ast.type == "UnaryBoolOp" then
+        return get_macros(ast.argument, set)
+    end
+    return set
 end
 
 function get_filters(ast)
 
-   local filters = {}
+    local filters = {}
 
-   function cb(node)
-      if node.type == "FieldName" then
-	 filters[node.value] = 1
-      end
-   end
+    function cb(node)
+        if node.type == "FieldName" then
+            filters[node.value] = 1
+        end
+    end
 
-   parser.traverse_ast(ast.filter.value, {FieldName=1} , cb)
+    parser.traverse_ast(ast.filter.value, {
+        FieldName = 1
+    }, cb)
 
-   return filters
+    return filters
 end
 
 function compiler.expand_lists_in(source, list_defs)
 
-   for name, def in pairs(list_defs) do
+    for name, def in pairs(list_defs) do
 
-      local bpos = string.find(source, name, 1, true)
+        local bpos = string.find(source, name, 1, true)
 
-      while bpos ~= nil do
-	 def.used = true
+        while bpos ~= nil do
+            def.used = true
 
-	 local epos = bpos + string.len(name)
+            local epos = bpos + string.len(name)
 
-	 -- The characters surrounding the name must be delimiters of beginning/end of string
-	 if (bpos == 1 or string.match(string.sub(source, bpos-1, bpos-1), "[%s(),=]")) and (epos > string.len(source) or string.match(string.sub(source, epos, epos), "[%s(),=]")) then
-	    new_source = ""
+            -- The characters surrounding the name must be delimiters of beginning/end of string
+            if (bpos == 1 or string.match(string.sub(source, bpos - 1, bpos - 1), "[%s(),=]")) and
+                (epos > string.len(source) or string.match(string.sub(source, epos, epos), "[%s(),=]")) then
+                new_source = ""
 
-	    if bpos > 1 then
-	       new_source = new_source..string.sub(source, 1, bpos-1)
-	    end
+                if bpos > 1 then
+                    new_source = new_source .. string.sub(source, 1, bpos - 1)
+                end
 
-	    sub = table.concat(def.items, ", ")
+                sub = table.concat(def.items, ", ")
 
-	    new_source = new_source..sub
+                new_source = new_source .. sub
 
-	    if epos <= string.len(source) then
-	       new_source = new_source..string.sub(source, epos, string.len(source))
-	    end
+                if epos <= string.len(source) then
+                    new_source = new_source .. string.sub(source, epos, string.len(source))
+                end
 
-	    source = new_source
-	    bpos = bpos + (string.len(sub)-string.len(name))
-	 end
+                source = new_source
+                bpos = bpos + (string.len(sub) - string.len(name))
+            end
 
-	 bpos = string.find(source, name, bpos+1, true)
-      end
-   end
+            bpos = string.find(source, name, bpos + 1, true)
+        end
+    end
 
-   return source
+    return source
 end
 
 function compiler.compile_macro(line, macro_defs, list_defs)
 
-   line = compiler.expand_lists_in(line, list_defs)
+    line = compiler.expand_lists_in(line, list_defs)
 
-   local ast, error_msg = parser.parse_filter(line)
+    local ast, error_msg = parser.parse_filter(line)
 
-   if (error_msg) then
-      msg = "Compilation error when compiling \""..line.."\": ".. error_msg
-      return false, msg
-   end
+    if (error_msg) then
+        msg = "Compilation error when compiling \"" .. line .. "\": " .. error_msg
+        return false, msg
+    end
 
-   -- Simply as a validation step, try to expand all macros in this
-   -- macro's condition. This changes the ast, so we make a copy
-   -- first.
-   local ast_copy = copy_ast_obj(ast)
+    -- Simply as a validation step, try to expand all macros in this
+    -- macro's condition. This changes the ast, so we make a copy
+    -- first.
+    local ast_copy = copy_ast_obj(ast)
 
-   if (ast.type == "Rule") then
-      -- Line is a filter, so expand macro references
-      repeat
-	 status, expanded = expand_macros(ast_copy, macro_defs, false)
-	 if status == false then
-	    msg = "Compilation error when compiling \""..line.."\": ".. expanded
-	    return false, msg
-	 end
-      until expanded == false
+    if (ast.type == "Rule") then
+        -- Line is a filter, so expand macro references
+        repeat
+            status, expanded = expand_macros(ast_copy, macro_defs, false)
+            if status == false then
+                msg = "Compilation error when compiling \"" .. line .. "\": " .. expanded
+                return false, msg
+            end
+        until expanded == false
 
-   else
-      return false, "Unexpected top-level AST type: "..ast.type
-   end
+    else
+        return false, "Unexpected top-level AST type: " .. ast.type
+    end
 
-   return true, ast
+    return true, ast
 end
 
 --[[
@@ -229,32 +239,31 @@ end
 --]]
 function compiler.compile_filter(name, source, macro_defs, list_defs)
 
-   source = compiler.expand_lists_in(source, list_defs)
+    source = compiler.expand_lists_in(source, list_defs)
 
-   local ast, error_msg = parser.parse_filter(source)
+    local ast, error_msg = parser.parse_filter(source)
 
-   if (error_msg) then
-      msg = "Compilation error when compiling \""..source.."\": "..error_msg
-      return false, msg
-   end
+    if (error_msg) then
+        msg = "Compilation error when compiling \"" .. source .. "\": " .. error_msg
+        return false, msg
+    end
 
-   if (ast.type == "Rule") then
-      -- Line is a filter, so expand macro references
-      repeat
-	 status, expanded  = expand_macros(ast, macro_defs, false)
-	 if status == false then
-	    return false, expanded
-	 end
-      until expanded == false
+    if (ast.type == "Rule") then
+        -- Line is a filter, so expand macro references
+        repeat
+            status, expanded = expand_macros(ast, macro_defs, false)
+            if status == false then
+                return false, expanded
+            end
+        until expanded == false
 
-   else
-      return false, "Unexpected top-level AST type: "..ast.type
-   end
+    else
+        return false, "Unexpected top-level AST type: " .. ast.type
+    end
 
-   filters = get_filters(ast)
+    filters = get_filters(ast)
 
-   return true, ast, filters
+    return true, ast, filters
 end
 
-
 return compiler

userspace/engine/lua/parser.lua

@@ -1,4 +1,4 @@
--- Copyright (C) 2019 The Falco Authors.
+-- Copyright (C) 2020 The Falco Authors.
 --
 -- Licensed under the Apache License, Version 2.0 (the "License");
 -- you may not use this file except in compliance with the License.
@@ -12,7 +12,6 @@
 -- See the License for the specific language governing permissions and
 -- limitations under the License.
 --
-
 --[[
    Falco grammar and parser.
 
@@ -40,232 +39,258 @@ local space = lpeg.space
 
 -- creates an error message for the input string
 local function syntaxerror(errorinfo, pos, msg)
-   local error_msg = "%s: syntax error, %s"
-   return string.format(error_msg, pos, msg)
+    local error_msg = "%s: syntax error, %s"
+    return string.format(error_msg, pos, msg)
 end
 
 -- gets the farthest failure position
 local function getffp(s, i, t)
-   return t.ffp or i, t
+    return t.ffp or i, t
 end
 
 -- gets the table that contains the error information
 local function geterrorinfo()
-   return Cmt(Carg(1), getffp) * (C(V "OneWord") + Cc("EOF")) / function(t, u)
-         t.unexpected = u
-         return t
-      end
+    return Cmt(Carg(1), getffp) * (C(V "OneWord") + Cc("EOF")) / function(t, u)
+        t.unexpected = u
+        return t
+    end
 end
 
 -- creates an errror message using the farthest failure position
 local function errormsg()
-   return geterrorinfo() / function(t)
-         local p = t.ffp or 1
-         local msg = "unexpected '%s', expecting %s"
-         msg = string.format(msg, t.unexpected, t.expected)
-         return nil, syntaxerror(t, p, msg)
-      end
+    return geterrorinfo() / function(t)
+        local p = t.ffp or 1
+        local msg = "unexpected '%s', expecting %s"
+        msg = string.format(msg, t.unexpected, t.expected)
+        return nil, syntaxerror(t, p, msg)
+    end
 end
 
 -- reports a syntactic error
 local function report_error()
-   return errormsg()
+    return errormsg()
 end
 
 --- sets the farthest failure position and the expected tokens
 local function setffp(s, i, t, n)
-   if not t.ffp or i > t.ffp then
-      t.ffp = i
-      t.list = {}
-      t.list[n] = n
-      t.expected = "'" .. n .. "'"
-   elseif i == t.ffp then
-      if not t.list[n] then
-         t.list[n] = n
-         t.expected = "'" .. n .. "', " .. t.expected
-      end
-   end
-   return false
+    if not t.ffp or i > t.ffp then
+        t.ffp = i
+        t.list = {}
+        t.list[n] = n
+        t.expected = "'" .. n .. "'"
+    elseif i == t.ffp then
+        if not t.list[n] then
+            t.list[n] = n
+            t.expected = "'" .. n .. "', " .. t.expected
+        end
+    end
+    return false
 end
 
 local function updateffp(name)
-   return Cmt(Carg(1) * Cc(name), setffp)
+    return Cmt(Carg(1) * Cc(name), setffp)
 end
 
 -- regular combinators and auxiliary functions
 
 local function token(pat, name)
-   return pat * V "Skip" + updateffp(name) * P(false)
+    return pat * V "Skip" + updateffp(name) * P(false)
 end
 
 local function symb(str)
-   return token(P(str), str)
+    return token(P(str), str)
 end
 
 local function kw(str)
-   return token(P(str) * -V "idRest", str)
+    return token(P(str) * -V "idRest", str)
 end
 
 local function list(pat, sep)
-   return Ct(pat ^ -1 * (sep * pat ^ 0) ^ 0) / function(elements)
-         return {type = "List", elements = elements}
-      end
+    return Ct(pat ^ -1 * (sep * pat ^ 0) ^ 0) / function(elements)
+        return {
+            type = "List",
+            elements = elements
+        }
+    end
 end
 
---http://lua-users.org/wiki/StringTrim
+-- http://lua-users.org/wiki/StringTrim
 function trim(s)
-   if (type(s) ~= "string") then
-      return s
-   end
-   return (s:gsub("^%s*(.-)%s*$", "%1"))
+    if (type(s) ~= "string") then
+        return s
+    end
+    return (s:gsub("^%s*(.-)%s*$", "%1"))
 end
 parser.trim = trim
 
 local function terminal(tag)
-   -- Rather than trim the whitespace in this way, it would be nicer to exclude it from the capture...
-   return token(V(tag), tag) / function(tok)
-         val = tok
-         if tag ~= "String" then
+    -- Rather than trim the whitespace in this way, it would be nicer to exclude it from the capture...
+    return token(V(tag), tag) / function(tok)
+        val = tok
+        if tag ~= "String" then
             val = trim(tok)
-         end
-         return {type = tag, value = val}
-      end
+        end
+        return {
+            type = tag,
+            value = val
+        }
+    end
 end
 
 local function unaryboolop(op, e)
-   return {type = "UnaryBoolOp", operator = op, argument = e}
+    return {
+        type = "UnaryBoolOp",
+        operator = op,
+        argument = e
+    }
 end
 
 local function unaryrelop(e, op)
-   return {type = "UnaryRelOp", operator = op, argument = e}
+    return {
+        type = "UnaryRelOp",
+        operator = op,
+        argument = e
+    }
 end
 
 local function binaryop(e1, op, e2)
-   if not op then
-      return e1
-   else
-      return {type = "BinaryBoolOp", operator = op, left = e1, right = e2}
-   end
+    if not op then
+        return e1
+    else
+        return {
+            type = "BinaryBoolOp",
+            operator = op,
+            left = e1,
+            right = e2
+        }
+    end
 end
 
 local function bool(pat, sep)
-   return Cf(pat * Cg(sep * pat) ^ 0, binaryop)
+    return Cf(pat * Cg(sep * pat) ^ 0, binaryop)
 end
 
 local function rel(left, sep, right)
-   return left * sep * right / function(e1, op, e2)
-         return {type = "BinaryRelOp", operator = op, left = e1, right = e2}
-      end
+    return left * sep * right / function(e1, op, e2)
+        return {
+            type = "BinaryRelOp",
+            operator = op,
+            left = e1,
+            right = e2
+        }
+    end
 end
 
 -- grammar
 
 local function filter(e)
-   return {type = "Filter", value = e}
+    return {
+        type = "Filter",
+        value = e
+    }
 end
 
 local function rule(filter)
-   return {type = "Rule", filter = filter}
+    return {
+        type = "Rule",
+        filter = filter
+    }
 end
 
 local G = {
-   V "Start", -- Entry rule
-   Start = V "Skip" * (V "Comment" + V "Rule" / rule) ^ -1 * -1 + report_error(),
-   -- Grammar
-   Comment = P "#" * P(1) ^ 0,
-   Rule = V "Filter" / filter * ((V "Skip") ^ -1),
-   Filter = V "OrExpression",
-   OrExpression = bool(V "AndExpression", V "OrOp"),
-   AndExpression = bool(V "NotExpression", V "AndOp"),
-   NotExpression = V "UnaryBoolOp" * V "NotExpression" / unaryboolop + V "ExistsExpression",
-   ExistsExpression = terminal "FieldName" * V "ExistsOp" / unaryrelop + V "MacroExpression",
-   MacroExpression = terminal "Macro" + V "RelationalExpression",
-   RelationalExpression = rel(terminal "FieldName", V "RelOp", V "Value") +
-      rel(terminal "FieldName", V "SetOp", V "InList") +
-      V "PrimaryExp",
-   PrimaryExp = symb("(") * V "Filter" * symb(")"),
-   FuncArgs = symb("(") * list(V "Value", symb(",")) * symb(")"),
-   -- Terminals
-   Value = terminal "Number" + terminal "String" + terminal "BareString",
-   InList = symb("(") * list(V "Value", symb(",")) * symb(")"),
-   -- Lexemes
-   Space = space ^ 1,
-   Skip = (V "Space") ^ 0,
-   idStart = alpha + P("_"),
-   idRest = alnum + P("_"),
-   Identifier = V "idStart" * V "idRest" ^ 0,
-   Macro = V "idStart" * V "idRest" ^ 0 * -P ".",
-   Int = digit ^ 1,
-   PathString = (alnum + S ",.-_/*?") ^ 1,
-   PortRangeString = (V "Int" + S ":,") ^ 1,
-   Index = V "PortRangeString" + V "Int" + V "PathString",
-   FieldName = V "Identifier" * (P "." + V "Identifier") ^ 1 * (P "[" * V "Index" * P "]") ^ -1,
-   Name = C(V "Identifier") * -V "idRest",
-   Hex = (P("0x") + P("0X")) * xdigit ^ 1,
-   Expo = S("eE") * S("+-") ^ -1 * digit ^ 1,
-   Float = (((digit ^ 1 * P(".") * digit ^ 0) + (P(".") * digit ^ 1)) * V "Expo" ^ -1) + (digit ^ 1 * V "Expo"),
-   Number = C(V "Hex" + V "Float" + V "Int") / function(n)
-         return tonumber(n)
-      end,
-   String = (P '"' * C(((P "\\" * P(1)) + (P(1) - P '"')) ^ 0) * P '"' +
-      P "'" * C(((P "\\" * P(1)) + (P(1) - P "'")) ^ 0) * P "'"),
-   BareString = C((P(1) - S " (),=") ^ 1),
-   OrOp = kw("or") / "or",
-   AndOp = kw("and") / "and",
-   Colon = kw(":"),
-   RelOp = symb("=") / "=" + symb("==") / "==" + symb("!=") / "!=" + symb("<=") / "<=" + symb(">=") / ">=" +
-      symb("<") / "<" +
-      symb(">") / ">" +
-      symb("contains") / "contains" +
-      symb("icontains") / "icontains" +
-      symb("glob") / "glob" +
-      symb("startswith") / "startswith" +
-      symb("endswith") / "endswith",
-   SetOp = kw("in") / "in" + kw("intersects") / "intersects" + kw("pmatch") / "pmatch",
-   UnaryBoolOp = kw("not") / "not",
-   ExistsOp = kw("exists") / "exists",
-   -- for error reporting
-   OneWord = V "Name" + V "Number" + V "String" + P(1)
+    V "Start", -- Entry rule
+    Start = V "Skip" * (V "Comment" + V "Rule" / rule) ^ -1 * -1 + report_error(),
+    -- Grammar
+    Comment = P "#" * P(1) ^ 0,
+    Rule = V "Filter" / filter * ((V "Skip") ^ -1),
+    Filter = V "OrExpression",
+    OrExpression = bool(V "AndExpression", V "OrOp"),
+    AndExpression = bool(V "NotExpression", V "AndOp"),
+    NotExpression = V "UnaryBoolOp" * V "NotExpression" / unaryboolop + V "ExistsExpression",
+    ExistsExpression = terminal "FieldName" * V "ExistsOp" / unaryrelop + V "MacroExpression",
+    MacroExpression = terminal "Macro" + V "RelationalExpression",
+    RelationalExpression = rel(terminal "FieldName", V "RelOp", V "Value") +
+        rel(terminal "FieldName", V "SetOp", V "InList") + V "PrimaryExp",
+    PrimaryExp = symb("(") * V "Filter" * symb(")"),
+    FuncArgs = symb("(") * list(V "Value", symb(",")) * symb(")"),
+    -- Terminals
+    Value = terminal "Number" + terminal "String" + terminal "BareString",
+    InList = symb("(") * list(V "Value", symb(",")) * symb(")"),
+    -- Lexemes
+    Space = space ^ 1,
+    Skip = (V "Space") ^ 0,
+    idStart = alpha + P("_"),
+    idRest = alnum + P("_"),
+    Identifier = V "idStart" * V "idRest" ^ 0,
+    Macro = V "idStart" * V "idRest" ^ 0 * -P ".",
+    Int = digit ^ 1,
+    PathString = (alnum + S ",.-_/*?") ^ 1,
+    PortRangeString = (V "Int" + S ":,") ^ 1,
+    Index = V "PortRangeString" + V "Int" + V "PathString",
+    FieldName = V "Identifier" * (P "." + V "Identifier") ^ 1 * (P "[" * V "Index" * P "]") ^ -1,
+    Name = C(V "Identifier") * -V "idRest",
+    Hex = (P("0x") + P("0X")) * xdigit ^ 1,
+    Expo = S("eE") * S("+-") ^ -1 * digit ^ 1,
+    Float = (((digit ^ 1 * P(".") * digit ^ 0) + (P(".") * digit ^ 1)) * V "Expo" ^ -1) + (digit ^ 1 * V "Expo"),
+    Number = C(V "Hex" + V "Float" + V "Int") / function(n)
+        return tonumber(n)
+    end,
+    String = (P '"' * C(((P "\\" * P(1)) + (P(1) - P '"')) ^ 0) * P '"' + P "'" *
+        C(((P "\\" * P(1)) + (P(1) - P "'")) ^ 0) * P "'"),
+    BareString = C((P(1) - S " (),=") ^ 1),
+    OrOp = kw("or") / "or",
+    AndOp = kw("and") / "and",
+    Colon = kw(":"),
+    RelOp = symb("=") / "=" + symb("==") / "==" + symb("!=") / "!=" + symb("<=") / "<=" + symb(">=") / ">=" + symb("<") /
+        "<" + symb(">") / ">" + symb("contains") / "contains" + symb("icontains") / "icontains" + symb("glob") / "glob" +
+        symb("startswith") / "startswith" + symb("endswith") / "endswith",
+    SetOp = kw("in") / "in" + kw("intersects") / "intersects" + kw("pmatch") / "pmatch",
+    UnaryBoolOp = kw("not") / "not",
+    ExistsOp = kw("exists") / "exists",
+    -- for error reporting
+    OneWord = V "Name" + V "Number" + V "String" + P(1)
 }
 
 --[[
    Parses a single filter and returns the AST.
 --]]
 function parser.parse_filter(subject)
-   local errorinfo = {subject = subject}
-   lpeg.setmaxstack(1000)
-   local ast, error_msg = lpeg.match(G, subject, nil, errorinfo)
-   return ast, error_msg
+    local errorinfo = {
+        subject = subject
+    }
+    lpeg.setmaxstack(1000)
+    local ast, error_msg = lpeg.match(G, subject, nil, errorinfo)
+    return ast, error_msg
 end
 
 function print_ast(ast, level)
-   local t = ast.type
-   level = level or 0
-   local prefix = string.rep(" ", level * 4)
-   level = level + 1
+    local t = ast.type
+    level = level or 0
+    local prefix = string.rep(" ", level * 4)
+    level = level + 1
 
-   if t == "Rule" then
-      print_ast(ast.filter, level)
-   elseif t == "Filter" then
-      print_ast(ast.value, level)
-   elseif t == "BinaryBoolOp" or t == "BinaryRelOp" then
-      print(prefix .. ast.operator)
-      print_ast(ast.left, level)
-      print_ast(ast.right, level)
-   elseif t == "UnaryRelOp" or t == "UnaryBoolOp" then
-      print(prefix .. ast.operator)
-      print_ast(ast.argument, level)
-   elseif t == "List" then
-      for i, v in ipairs(ast.elements) do
-         print_ast(v, level)
-      end
-   elseif t == "FieldName" or t == "Number" or t == "String" or t == "BareString" or t == "Macro" then
-      print(prefix .. t .. " " .. ast.value)
-   elseif t == "MacroDef" then
-      -- don't print for now
-   else
-      error("Unexpected type in print_ast: " .. t)
-   end
+    if t == "Rule" then
+        print_ast(ast.filter, level)
+    elseif t == "Filter" then
+        print_ast(ast.value, level)
+    elseif t == "BinaryBoolOp" or t == "BinaryRelOp" then
+        print(prefix .. ast.operator)
+        print_ast(ast.left, level)
+        print_ast(ast.right, level)
+    elseif t == "UnaryRelOp" or t == "UnaryBoolOp" then
+        print(prefix .. ast.operator)
+        print_ast(ast.argument, level)
+    elseif t == "List" then
+        for i, v in ipairs(ast.elements) do
+            print_ast(v, level)
+        end
+    elseif t == "FieldName" or t == "Number" or t == "String" or t == "BareString" or t == "Macro" then
+        print(prefix .. t .. " " .. ast.value)
+    elseif t == "MacroDef" then
+        -- don't print for now
+    else
+        error("Unexpected type in print_ast: " .. t)
+    end
 end
 parser.print_ast = print_ast
 
@@ -275,32 +300,32 @@ parser.print_ast = print_ast
 --     cb(ast_node, ctx)
 -- ctx is optional.
 function traverse_ast(ast, node_types, cb, ctx)
-   local t = ast.type
+    local t = ast.type
 
-   if node_types[t] ~= nil then
-      cb(ast, ctx)
-   end
+    if node_types[t] ~= nil then
+        cb(ast, ctx)
+    end
 
-   if t == "Rule" then
-      traverse_ast(ast.filter, node_types, cb, ctx)
-   elseif t == "Filter" then
-      traverse_ast(ast.value, node_types, cb, ctx)
-   elseif t == "BinaryBoolOp" or t == "BinaryRelOp" then
-      traverse_ast(ast.left, node_types, cb, ctx)
-      traverse_ast(ast.right, node_types, cb, ctx)
-   elseif t == "UnaryRelOp" or t == "UnaryBoolOp" then
-      traverse_ast(ast.argument, node_types, cb, ctx)
-   elseif t == "List" then
-      for i, v in ipairs(ast.elements) do
-         traverse_ast(v, node_types, cb, ctx)
-      end
-   elseif t == "MacroDef" then
-      traverse_ast(ast.value, node_types, cb, ctx)
-   elseif t == "FieldName" or t == "Number" or t == "String" or t == "BareString" or t == "Macro" then
-      -- do nothing, no traversal needed
-   else
-      error("Unexpected type in traverse_ast: " .. t)
-   end
+    if t == "Rule" then
+        traverse_ast(ast.filter, node_types, cb, ctx)
+    elseif t == "Filter" then
+        traverse_ast(ast.value, node_types, cb, ctx)
+    elseif t == "BinaryBoolOp" or t == "BinaryRelOp" then
+        traverse_ast(ast.left, node_types, cb, ctx)
+        traverse_ast(ast.right, node_types, cb, ctx)
+    elseif t == "UnaryRelOp" or t == "UnaryBoolOp" then
+        traverse_ast(ast.argument, node_types, cb, ctx)
+    elseif t == "List" then
+        for i, v in ipairs(ast.elements) do
+            traverse_ast(v, node_types, cb, ctx)
+        end
+    elseif t == "MacroDef" then
+        traverse_ast(ast.value, node_types, cb, ctx)
+    elseif t == "FieldName" or t == "Number" or t == "String" or t == "BareString" or t == "Macro" then
+        -- do nothing, no traversal needed
+    else
+        error("Unexpected type in traverse_ast: " .. t)
+    end
 end
 parser.traverse_ast = traverse_ast
 

userspace/engine/lua/sinsp_rule_utils.lua

@@ -1,4 +1,4 @@
--- Copyright (C) 2019 The Falco Authors.
+-- Copyright (C) 2020 The Falco Authors.
 --
 -- Licensed under the Apache License, Version 2.0 (the "License");
 -- you may not use this file except in compliance with the License.
@@ -12,55 +12,52 @@
 -- See the License for the specific language governing permissions and
 -- limitations under the License.
 --
-
 local parser = require("parser")
 local sinsp_rule_utils = {}
 
 function sinsp_rule_utils.check_for_ignored_syscalls_events(ast, filter_type, source)
 
-   function check_syscall(val)
-      if ignored_syscalls[val] then
-	 error("Ignored syscall \""..val.."\" in "..filter_type..": "..source)
-      end
+    function check_syscall(val)
+        if ignored_syscalls[val] then
+            error("Ignored syscall \"" .. val .. "\" in " .. filter_type .. ": " .. source)
+        end
 
-   end
+    end
 
-   function check_event(val)
-      if ignored_events[val] then
-	 error("Ignored event \""..val.."\" in "..filter_type..": "..source)
-      end
-   end
+    function check_event(val)
+        if ignored_events[val] then
+            error("Ignored event \"" .. val .. "\" in " .. filter_type .. ": " .. source)
+        end
+    end
 
-   function cb(node)
-      if node.left.type == "FieldName" and
-	 (node.left.value == "evt.type" or
-	  node.left.value == "syscall.type") then
+    function cb(node)
+        if node.left.type == "FieldName" and (node.left.value == "evt.type" or node.left.value == "syscall.type") then
 
-	    if (node.operator == "in" or
-		node.operator == "intersects" or
-	        node.operator == "pmatch") then
-	       for i, v in ipairs(node.right.elements) do
-		  if v.type == "BareString" then
-		     if node.left.value == "evt.type" then
-			check_event(v.value)
-		     else
-			check_syscall(v.value)
-		     end
-		  end
-	       end
-	    else
-	       if node.right.type == "BareString" then
-		  if node.left.value == "evt.type" then
-		     check_event(node.right.value)
-		  else
-		     check_syscall(node.right.value)
-		  end
-	       end
-	    end
-      end
-   end
+            if (node.operator == "in" or node.operator == "intersects" or node.operator == "pmatch") then
+                for i, v in ipairs(node.right.elements) do
+                    if v.type == "BareString" then
+                        if node.left.value == "evt.type" then
+                            check_event(v.value)
+                        else
+                            check_syscall(v.value)
+                        end
+                    end
+                end
+            else
+                if node.right.type == "BareString" then
+                    if node.left.value == "evt.type" then
+                        check_event(node.right.value)
+                    else
+                        check_syscall(node.right.value)
+                    end
+                end
+            end
+        end
+    end
 
-   parser.traverse_ast(ast, {BinaryRelOp=1}, cb)
+    parser.traverse_ast(ast, {
+        BinaryRelOp = 1
+    }, cb)
 end
 
 -- Examine the ast and find the event types/syscalls for which the
@@ -75,125 +72,129 @@ end
 
 function sinsp_rule_utils.get_evttypes_syscalls(name, ast, source, warn_evttypes, verbose)
 
-   local evttypes = {}
-   local syscallnums = {}
-   local evtnames = {}
-   local found_event = false
-   local found_not = false
-   local found_event_after_not = false
+    local evttypes = {}
+    local syscallnums = {}
+    local evtnames = {}
+    local found_event = false
+    local found_not = false
+    local found_event_after_not = false
 
-   function cb(node)
-     if node.type == "UnaryBoolOp" then
-	if node.operator == "not" then
-	   found_not = true
-	end
-     else
-	 if node.operator == "!=" then
-	    found_not = true
-	 end
-	 if node.left.type == "FieldName" and node.left.value == "evt.type" then
-	    found_event = true
-	    if found_not then
-	       found_event_after_not = true
-	    end
-	    if (node.operator == "in" or
-                node.operator == "intersects" or
-                node.operator == "pmatch") then
-	       for i, v in ipairs(node.right.elements) do
-		  if v.type == "BareString" then
+    function cb(node)
+        if node.type == "UnaryBoolOp" then
+            if node.operator == "not" then
+                found_not = true
+            end
+        else
+            if node.operator == "!=" then
+                found_not = true
+            end
+            if node.left.type == "FieldName" and node.left.value == "evt.type" then
+                found_event = true
+                if found_not then
+                    found_event_after_not = true
+                end
+                if (node.operator == "in" or node.operator == "intersects" or node.operator == "pmatch") then
+                    for i, v in ipairs(node.right.elements) do
+                        if v.type == "BareString" then
 
-                     -- The event must be a known event
-                     if events[v.value] == nil and syscalls[v.value] == nil then
-                        error("Unknown event/syscall \""..v.value.."\" in filter: "..source)
-                     end
+                            -- The event must be a known event
+                            if events[v.value] == nil and syscalls[v.value] == nil then
+                                error("Unknown event/syscall \"" .. v.value .. "\" in filter: " .. source)
+                            end
 
-		     evtnames[v.value] = 1
-		     if events[v.value] ~= nil then
-			for id in string.gmatch(events[v.value], "%S+") do
-			   evttypes[id] = 1
-			end
-		     end
+                            evtnames[v.value] = 1
+                            if events[v.value] ~= nil then
+                                for id in string.gmatch(events[v.value], "%S+") do
+                                    evttypes[id] = 1
+                                end
+                            end
 
-		     if syscalls[v.value] ~= nil then
-			for id in string.gmatch(syscalls[v.value], "%S+") do
-			   syscallnums[id] = 1
-			end
-		     end
-		  end
-	       end
-	    else
-	       if node.right.type == "BareString" then
+                            if syscalls[v.value] ~= nil then
+                                for id in string.gmatch(syscalls[v.value], "%S+") do
+                                    syscallnums[id] = 1
+                                end
+                            end
+                        end
+                    end
+                else
+                    if node.right.type == "BareString" then
 
-		  -- The event must be a known event
-		  if events[node.right.value] == nil and syscalls[node.right.value] == nil then
-		     error("Unknown event/syscall \""..node.right.value.."\" in filter: "..source)
-		  end
+                        -- The event must be a known event
+                        if events[node.right.value] == nil and syscalls[node.right.value] == nil then
+                            error("Unknown event/syscall \"" .. node.right.value .. "\" in filter: " .. source)
+                        end
 
-		  evtnames[node.right.value] = 1
-		  if events[node.right.value] ~= nil then
-		     for id in string.gmatch(events[node.right.value], "%S+") do
-			evttypes[id] = 1
-		     end
-		  end
+                        evtnames[node.right.value] = 1
+                        if events[node.right.value] ~= nil then
+                            for id in string.gmatch(events[node.right.value], "%S+") do
+                                evttypes[id] = 1
+                            end
+                        end
 
-		  if syscalls[node.right.value] ~= nil then
-		     for id in string.gmatch(syscalls[node.right.value], "%S+") do
-			syscallnums[id] = 1
-		     end
-		  end
-	       end
-	    end
-	 end
-      end
-   end
+                        if syscalls[node.right.value] ~= nil then
+                            for id in string.gmatch(syscalls[node.right.value], "%S+") do
+                                syscallnums[id] = 1
+                            end
+                        end
+                    end
+                end
+            end
+        end
+    end
 
-   parser.traverse_ast(ast.filter.value, {BinaryRelOp=1, UnaryBoolOp=1} , cb)
+    parser.traverse_ast(ast.filter.value, {
+        BinaryRelOp = 1,
+        UnaryBoolOp = 1
+    }, cb)
 
-   if not found_event then
-      if warn_evttypes == true then
-	 io.stderr:write("Rule "..name..": warning (no-evttype):\n")
-	 io.stderr:write(source.."\n")
-	 io.stderr:write("         did not contain any evt.type restriction, meaning it will run for all event types.\n")
-	 io.stderr:write("         This has a significant performance penalty. Consider adding an evt.type restriction if possible.\n")
-      end
-      evttypes = {}
-      syscallnums = {}
-      evtnames = {}
-   end
+    if not found_event then
+        if warn_evttypes == true then
+            io.stderr:write("Rule " .. name .. ": warning (no-evttype):\n")
+            io.stderr:write(source .. "\n")
+            io.stderr:write(
+                "         did not contain any evt.type restriction, meaning it will run for all event types.\n")
+            io.stderr:write(
+                "         This has a significant performance penalty. Consider adding an evt.type restriction if possible.\n")
+        end
+        evttypes = {}
+        syscallnums = {}
+        evtnames = {}
+    end
 
-   if found_event_after_not then
-      if warn_evttypes == true then
-	 io.stderr:write("Rule "..name..": warning (trailing-evttype):\n")
-	 io.stderr:write(source.."\n")
-	 io.stderr:write("         does not have all evt.type restrictions at the beginning of the condition,\n")
-	 io.stderr:write("         or uses a negative match (i.e. \"not\"/\"!=\") for some evt.type restriction.\n")
-	 io.stderr:write("         This has a performance penalty, as the rule can not be limited to specific event types.\n")
-	 io.stderr:write("         Consider moving all evt.type restrictions to the beginning of the rule and/or\n")
-	 io.stderr:write("         replacing negative matches with positive matches if possible.\n")
-      end
-      evttypes = {}
-      syscallnums = {}
-      evtnames = {}
-   end
+    if found_event_after_not then
+        if warn_evttypes == true then
+            io.stderr:write("Rule " .. name .. ": warning (trailing-evttype):\n")
+            io.stderr:write(source .. "\n")
+            io.stderr:write("         does not have all evt.type restrictions at the beginning of the condition,\n")
+            io.stderr:write("         or uses a negative match (i.e. \"not\"/\"!=\") for some evt.type restriction.\n")
+            io.stderr:write(
+                "         This has a performance penalty, as the rule can not be limited to specific event types.\n")
+            io.stderr:write("         Consider moving all evt.type restrictions to the beginning of the rule and/or\n")
+            io.stderr:write("         replacing negative matches with positive matches if possible.\n")
+        end
+        evttypes = {}
+        syscallnums = {}
+        evtnames = {}
+    end
 
-   evtnames_only = {}
-   local num_evtnames = 0
-   for name, dummy in pairs(evtnames) do
-      table.insert(evtnames_only, name)
-      num_evtnames = num_evtnames + 1
-   end
+    evtnames_only = {}
+    local num_evtnames = 0
+    for name, dummy in pairs(evtnames) do
+        table.insert(evtnames_only, name)
+        num_evtnames = num_evtnames + 1
+    end
 
-   if num_evtnames == 0 then
-      table.insert(evtnames_only, "all")
-   end
+    if num_evtnames == 0 then
+        table.insert(evtnames_only, "all")
+    end
 
-   table.sort(evtnames_only)
+    table.sort(evtnames_only)
 
-   if verbose then
-      io.stderr:write("Event types/Syscalls for rule "..name..": "..table.concat(evtnames_only, ",").."\n")
-   end
+    if verbose then
+        io.stderr:write("Event types/Syscalls for rule " .. name .. ": " .. table.concat(evtnames_only, ",") .. "\n")
+    end
 
-   return evttypes, syscallnums
+    return evttypes, syscallnums
 end
 
 return sinsp_rule_utils

userspace/falco/CMakeLists.txt

@@ -13,35 +13,32 @@
 
 configure_file("${SYSDIG_SOURCE_DIR}/userspace/sysdig/config_sysdig.h.in" config_sysdig.h)
 
-if(NOT MINIMAL_BUILD)
-  add_custom_command(
-    OUTPUT
-      ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
-    COMMENT "Generate gRPC API"
-    # Falco gRPC Version API
-    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-            ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-    # Falco gRPC Outputs API
-    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-            ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-            ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
-endif()
+add_custom_command(
+  OUTPUT
+    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
+  COMMENT "Generate gRPC API"
+  # Falco gRPC Version API
+  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+          ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+  # Falco gRPC Outputs API
+  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+          ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
+  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+          ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+  WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
 
-if(MINIMAL_BUILD)
 add_executable(
   falco
   configuration.cpp
@@ -50,109 +47,63 @@ add_executable(
   event_drops.cpp
   statsfilewriter.cpp
   falco.cpp
-  "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp")
-else()
-  add_executable(
-    falco
-    configuration.cpp
-    logger.cpp
-    falco_outputs.cpp
-    event_drops.cpp
-    statsfilewriter.cpp
-    falco.cpp
-    "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp"
-    webserver.cpp
-    grpc_context.cpp
-    grpc_server_impl.cpp
-    grpc_request_context.cpp
-    grpc_server.cpp
-    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc)
+  "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp"
+  webserver.cpp
+  grpc_context.cpp
+  grpc_server_impl.cpp
+  grpc_request_context.cpp
+  grpc_server.cpp
+  ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
+  ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
+  ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
+  ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
+  ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc)
 
-    add_dependencies(falco civetweb)
-endif()
-
-add_dependencies(falco string-view-lite)
+add_dependencies(falco civetweb string-view-lite)
 
 if(USE_BUNDLED_DEPS)
   add_dependencies(falco yamlcpp)
 endif()
 
-if(MINIMAL_BUILD)
-  target_include_directories(
-    falco
-    PUBLIC
-      "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
-      "${PROJECT_SOURCE_DIR}/userspace/engine"
-      "${PROJECT_BINARY_DIR}/userspace/falco"
-      "${PROJECT_BINARY_DIR}/driver/src"
-      "${STRING_VIEW_LITE_INCLUDE}"
-      "${YAMLCPP_INCLUDE_DIR}"
-      "${CMAKE_CURRENT_BINARY_DIR}"
-      "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
+target_include_directories(
+  falco
+  PUBLIC
+    "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
+    "${PROJECT_SOURCE_DIR}/userspace/engine"
+    "${PROJECT_BINARY_DIR}/userspace/falco"
+    "${PROJECT_BINARY_DIR}/driver/src"
+    "${STRING_VIEW_LITE_INCLUDE}"
+    "${YAMLCPP_INCLUDE_DIR}"
+    "${CIVETWEB_INCLUDE_DIR}"
+    "${GRPC_INCLUDE}"
+    "${GRPCPP_INCLUDE}"
+    "${PROTOBUF_INCLUDE}"
+    "${CMAKE_CURRENT_BINARY_DIR}"
+    "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
 
-  target_link_libraries(
-    falco
-    falco_engine
-    sinsp
-    "${LIBYAML_LIB}"
-    "${YAMLCPP_LIB}")
-else()
-  target_include_directories(
-    falco
-    PUBLIC
-      "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
-      "${PROJECT_SOURCE_DIR}/userspace/engine"
-      "${PROJECT_BINARY_DIR}/userspace/falco"
-      "${PROJECT_BINARY_DIR}/driver/src"
-      "${STRING_VIEW_LITE_INCLUDE}"
-      "${YAMLCPP_INCLUDE_DIR}"
-      "${CIVETWEB_INCLUDE_DIR}"
-      "${OPENSSL_INCLUDE_DIR}"
-      "${GRPC_INCLUDE}"
-      "${GRPCPP_INCLUDE}"
-      "${PROTOBUF_INCLUDE}"
-      "${CMAKE_CURRENT_BINARY_DIR}"
-      "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
-
-  target_link_libraries(
-    falco
-    falco_engine
-    sinsp
-    "${GPR_LIB}"
-    "${GRPC_LIB}"
-    "${GRPCPP_LIB}"
-    "${PROTOBUF_LIB}"
-    "${OPENSSL_LIBRARY_SSL}"
-    "${OPENSSL_LIBRARY_CRYPTO}"
-    "${LIBYAML_LIB}"
-    "${YAMLCPP_LIB}"
-    "${CIVETWEB_LIB}")
-endif()
+target_link_libraries(
+  falco
+  falco_engine
+  sinsp
+  "${GPR_LIB}"
+  "${GRPC_LIB}"
+  "${GRPCPP_LIB}"
+  "${PROTOBUF_LIB}"
+  "${LIBYAML_LIB}"
+  "${YAMLCPP_LIB}"
+  "${CIVETWEB_LIB}")
 
 configure_file(config_falco.h.in config_falco.h)
 
-if(NOT MINIMAL_BUILD)
-  add_custom_command(
-    TARGET falco
-    COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR}
-    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
-    COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields")
-else()
-  MESSAGE(STATUS "Skipping engine fields checksum when building the minimal Falco.")
-endif()
+add_custom_command(
+  TARGET falco
+  COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR} ${OPENSSL_BINARY}
+  WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+  COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields")
 
-# strip the Falco binary when releasing using musl
-if(MUSL_OPTIMIZED_BUILD AND CMAKE_BUILD_TYPE STREQUAL "release")
-  add_custom_command(
-    TARGET falco
-    POST_BUILD
-    COMMAND ${CMAKE_STRIP} --strip-unneeded falco
-    COMMENT "Strip the Falco binary when releasing the musl build")
-endif()
+# add_custom_target(verify_engine_fields DEPENDS verify_engine_fields.sh falco_engine.h)
+
+# add_dependencies(verify_engine_fields falco)
 
 install(TARGETS falco DESTINATION ${FALCO_BIN_DIR})
 install(

userspace/falco/falco.cpp

@@ -43,10 +43,8 @@ limitations under the License.
 #include "falco_engine.h"
 #include "config_falco.h"
 #include "statsfilewriter.h"
-#ifndef MINIMAL_BUILD
 #include "webserver.h"
 #include "grpc_server.h"
-#endif
 #include "banned.h" // This raises a compilation error when certain functions are used
 
 typedef function<void(sinsp* inspector)> open_t;
@@ -106,7 +104,6 @@ static void usage()
 	   "                               Can not be specified with -t.\n"
 	   " -e <events_file>              Read the events from <events_file> (in .scap format for sinsp events, or jsonl for\n"
 	   "                               k8s audit events) instead of tapping into live.\n"
-#ifndef MINIMAL_BUILD
 	   " -k <url>, --k8s-api <url>\n"
 	   "                               Enable Kubernetes support by connecting to the API server specified as argument.\n"
        "                               E.g. \"http://admin:password@127.0.0.1:8080\".\n"
@@ -120,18 +117,15 @@ static void usage()
 	   "                               for this option, it will be interpreted as the name of a file containing bearer token.\n"
 	   "                               Note that the format of this command-line option prohibits use of files whose names contain\n"
 	   "                               ':' or '#' characters in the file name.\n"
-#endif
 	   " -L                            Show the name and description of all rules and exit.\n"
 	   " -l <rule>                     Show the name and description of the rule with name <rule> and exit.\n"
 	   " --list [<source>]             List all defined fields. If <source> is provided, only list those fields for\n"
 	   "                               the source <source>. Current values for <source> are \"syscall\", \"k8s_audit\"\n"
-#ifndef MINIMAL_BUILD
 	   " -m <url[,marathon_url]>, --mesos-api <url[,marathon_url]>\n"
 	   "                               Enable Mesos support by connecting to the API server\n"
 	   "                               specified as argument. E.g. \"http://admin:password@127.0.0.1:5050\".\n"
 	   "                               Marathon url is optional and defaults to Mesos address, port 8080.\n"
 	   "                               The API servers can also be specified via the environment variable FALCO_MESOS_API.\n"
-#endif
 	   " -M <num_seconds>              Stop collecting after <num_seconds> reached.\n"
 	   " -N                            When used with --list, only print field names.\n"
 	   " -o, --option <key>=<val>      Set the value of option <key> to <val>. Overrides values in configuration file.\n"
@@ -191,7 +185,6 @@ static void display_fatal_err(const string &msg)
 // Splitting into key=value or key.subkey=value will be handled by configuration class.
 std::list<string> cmdline_options;
 
-#ifndef MINIMAL_BUILD
 // Read a jsonl file containing k8s audit events and pass each to the engine.
 void read_k8s_audit_trace_file(falco_engine *engine,
 			       falco_outputs *outputs,
@@ -220,7 +213,6 @@ void read_k8s_audit_trace_file(falco_engine *engine,
 		}
 	}
 }
-#endif
 
 static std::string read_file(std::string filename)
 {
@@ -437,11 +429,9 @@ int falco_init(int argc, char **argv)
 	bool verbose = false;
 	bool names_only = false;
 	bool all_events = false;
-#ifndef MINIMAL_BUILD
 	string* k8s_api = 0;
 	string* k8s_api_cert = 0;
 	string* mesos_api = 0;
-#endif
 	string output_format = "";
 	uint32_t snaplen = 0;
 	bool replace_container_info = false;
@@ -471,11 +461,9 @@ int falco_init(int argc, char **argv)
 	double duration;
 	scap_stats cstats;
 
-#ifndef MINIMAL_BUILD
 	falco_webserver webserver;
 	falco::grpc::server grpc_server;
 	std::thread grpc_server_thread;
-#endif
 
 	static struct option long_options[] =
 	{
@@ -542,10 +530,8 @@ int falco_init(int argc, char **argv)
 				break;
 			case 'e':
 				trace_filename = optarg;
-#ifndef MINIMAL_BUILD
 				k8s_api = new string();
 				mesos_api = new string();
-#endif
 				break;
 			case 'F':
 				list_flds = optarg;
@@ -553,25 +539,21 @@ int falco_init(int argc, char **argv)
 			case 'i':
 				print_ignored_events = true;
 				break;
-#ifndef MINIMAL_BUILD
 			case 'k':
 				k8s_api = new string(optarg);
 				break;
 			case 'K':
 				k8s_api_cert = new string(optarg);
 				break;
-#endif
 			case 'L':
 				describe_all_rules = true;
 				break;
 			case 'l':
 				describe_rule = optarg;
 				break;
-#ifndef MINIMAL_BUILD
 			case 'm':
 				mesos_api = new string(optarg);
 				break;
-#endif
 			case 'M':
 				duration_to_tot = atoi(optarg);
 				if(duration_to_tot <= 0)
@@ -1092,12 +1074,6 @@ int falco_init(int argc, char **argv)
 
 			if(!trace_is_scap)
 			{
-#ifdef MINIMAL_BUILD
-				// Note that the webserver is not available when MINIMAL_BUILD is defined.
-				fprintf(stderr, "Cannot use k8s audit events trace file with a minimal Falco build");
-				result = EXIT_FAILURE;
-				goto exit;
-#else
 				try {
 					string line;
 					nlohmann::json j;
@@ -1122,7 +1098,6 @@ int falco_init(int argc, char **argv)
 					result = EXIT_FAILURE;
 					goto exit;
 				}
-#endif
 			}
 		}
 		else
@@ -1168,14 +1143,11 @@ int falco_init(int argc, char **argv)
 					// Try to insert the Falco kernel module
 					if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null"))
 					{
-						falco_logger::log(LOG_ERR, "Unable to load the driver.\n");
+						falco_logger::log(LOG_ERR, "Unable to load the driver. Exiting.\n");
 					}
 					open_f(inspector);
-				} 
-				else 
-				{
-					rethrow_exception(current_exception());
 				}
+				rethrow_exception(current_exception());
 			}
 		}
 
@@ -1193,7 +1165,6 @@ int falco_init(int argc, char **argv)
 
 		duration = ((double)clock()) / CLOCKS_PER_SEC;
 
-#ifndef MINIMAL_BUILD
 		//
 		// Run k8s, if required
 		//
@@ -1277,15 +1248,12 @@ int falco_init(int argc, char **argv)
 				grpc_server.run();
 			});
 		}
-#endif
 
 		if(!trace_filename.empty() && !trace_is_scap)
 		{
-#ifndef MINIMAL_BUILD			
 			read_k8s_audit_trace_file(engine,
 						  outputs,
 						  trace_filename);
-#endif
 		}
 		else
 		{
@@ -1331,14 +1299,12 @@ int falco_init(int argc, char **argv)
 		inspector->close();
 		engine->print_stats();
 		sdropmgr.print_stats();
-#ifndef MINIMAL_BUILD
 		webserver.stop();
 		if(grpc_server_thread.joinable())
 		{
 			grpc_server.shutdown();
 			grpc_server_thread.join();
 		}
-#endif
 	}
 	catch(exception &e)
 	{
@@ -1346,14 +1312,12 @@ int falco_init(int argc, char **argv)
 
 		result = EXIT_FAILURE;
 
-#ifndef MINIMAL_BUILD
 		webserver.stop();
 		if(grpc_server_thread.joinable())
 		{
 			grpc_server.shutdown();
 			grpc_server_thread.join();
 		}
-#endif
 	}
 
 exit:

userspace/falco/falco_outputs.cpp

@@ -14,9 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-#ifndef MINIMAL_BUILD
 #include <google/protobuf/util/time_util.h>
-#endif
 
 #include "falco_outputs.h"
 
@@ -24,19 +22,15 @@ limitations under the License.
 
 #include "formats.h"
 #include "logger.h"
-#ifndef MINIMAL_BUILD
 #include "falco_outputs_queue.h"
-#endif
 #include "banned.h" // This raises a compilation error when certain functions are used
 
 using namespace std;
 
 const static struct luaL_reg ll_falco_outputs [] =
 {
-#ifndef MINIMAL_BUILD
 	{"handle_http", &falco_outputs::handle_http},
 	{"handle_grpc", &falco_outputs::handle_grpc},
-#endif
 	{NULL, NULL}
 };
 
@@ -265,7 +259,6 @@ void falco_outputs::reopen_outputs()
 	}
 }
 
-#ifndef MINIMAL_BUILD
 int falco_outputs::handle_http(lua_State *ls)
 {
 	CURL *curl = NULL;
@@ -376,4 +369,3 @@ int falco_outputs::handle_grpc(lua_State *ls)
 
 	return 1;
 }
-#endif

userspace/falco/falco_outputs.h

@@ -74,10 +74,8 @@ public:
 
 	void reopen_outputs();
 
-#ifndef MINIMAL_BUILD
 	static int handle_http(lua_State *ls);
 	static int handle_grpc(lua_State *ls);
-#endif
 
 private:
 

userspace/falco/verify_engine_fields.sh

@@ -1,12 +1,19 @@
-#!/bin/env/bash
+#!/bin/sh
 
 set -euo pipefail
 
 SOURCE_DIR=$1
+OPENSSL=$2
 
-NEW_CHECKSUM=$(./falco --list -N | sha256sum | awk '{print $1}')
+if ! command -v "${OPENSSL}" version > /dev/null 2>&1; then
+    echo "No openssl command at ${OPENSSL}"
+    exit 1
+fi
+
+NEW_CHECKSUM=$(./falco --list -N | ${OPENSSL} dgst -sha256 | awk '{print $2}')
 CUR_CHECKSUM=$(grep FALCO_FIELDS_CHECKSUM "${SOURCE_DIR}/userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
 
+
 if [ "$NEW_CHECKSUM" != "$CUR_CHECKSUM" ]; then
     echo "Set of fields supported has changed (new checksum $NEW_CHECKSUM != old checksum $CUR_CHECKSUM)."
     echo "Update checksum and/or version in falco_engine_version.h."