chore(userspace/falco): fail if timer_delete fails too.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

.github/release_template.md

@@ -1,5 +1,5 @@
-![LIBS](https://img.shields.io/badge/LIBS-LIBSVER-yellow)
-![DRIVER](https://img.shields.io/badge/DRIVER-DRIVERVER-yellow)
+[![LIBS](https://img.shields.io/badge/LIBS-LIBSVER-yellow)](https://github.com/falcosecurity/libs/releases/tag/LIBSVER)
+[![DRIVER](https://img.shields.io/badge/DRIVER-DRIVERVER-yellow)](https://github.com/falcosecurity/libs/releases/tag/DRIVERVER)
 
 | Packages | Download                                                                                                                                               |
 | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |

.github/workflows/ci.yml

@@ -64,7 +64,7 @@ jobs:
     needs: [build-dev]
     steps:    
       - name: Checkout PR head ref
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
@@ -89,7 +89,7 @@ jobs:
     needs: [build-dev]
     steps:    
       - name: Checkout base ref
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
           ref: ${{ github.base_ref }}
@@ -97,7 +97,10 @@ jobs:
       - name: Check Engine version
         run: |
           base_hash=$(grep CHECKSUM "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
-          base_engine_ver=$(grep ENGINE_VERSION "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/(//g' -e 's/)//g')
+          base_engine_ver_major=$(grep ENGINE_VERSION_MAJOR "./userspace/engine/falco_engine_version.h" | head -n 1 | awk '{print $3}' | sed -e 's/(//g' -e 's/)//g')
+          base_engine_ver_minor=$(grep ENGINE_VERSION_MINOR "./userspace/engine/falco_engine_version.h" | head -n 1 | awk '{print $3}' | sed -e 's/(//g' -e 's/)//g')
+          base_engine_ver_patch=$(grep ENGINE_VERSION_PATCH "./userspace/engine/falco_engine_version.h" | head -n 1 | awk '{print $3}' | sed -e 's/(//g' -e 's/)//g')
+          base_engine_ver="${base_engine_ver_major}.${base_engine_ver_minor}.${base_engine_ver_patch}"
 
           cur_hash=$(echo "${{ needs.build-dev.outputs.cmdout }}" | cut -d ' ' -f 2)
           cur_engine_ver=$(echo "${{ needs.build-dev.outputs.cmdout }}" | cut -d ' ' -f 1)

.github/workflows/codeql.yaml

@@ -36,13 +36,13 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       with:
         fetch-depth: 0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -72,4 +72,4 @@ jobs:
           popd
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9

.github/workflows/codespell.yml

@@ -5,8 +5,8 @@ jobs:
   codespell:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - uses: codespell-project/actions-codespell@master
+    - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+    - uses: codespell-project/actions-codespell@94259cd8be02ad2903ba34a22d9c13de21a74461 # v2.0
       with:
         skip: .git
         ignore_words_file: .codespellignore

.github/workflows/engine-version-weakcheck.yaml

@@ -15,8 +15,8 @@ jobs:
     outputs:
       engine_version_changed: ${{ steps.filter.outputs.engine_version }}
     steps:
-    - uses: actions/checkout@v2
-    - uses: dorny/paths-filter@v2
+    - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+    - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
       id: filter
       with:
         filters: |
@@ -31,7 +31,7 @@ jobs:
     if: needs.paths-filter.outputs.engine_version_changed == 'false'
     steps:
       - name: Check driver Falco engine version
-        uses: mshick/add-pr-comment@v2
+        uses: mshick/add-pr-comment@7c0890544fb33b0bdd2e59467fbacb62e028a096 # v2.8.1
         with:
           message: |
             This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

.github/workflows/release.yaml

@@ -131,7 +131,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Clone repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
           
       - name: Extract LIBS and DRIVER versions
         run: |
@@ -161,7 +161,7 @@ jobs:
           echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
         
       - name: Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
         with:
           body_path: ./release-body.md
           tag_name: ${{ github.event.release.tag_name }}

.github/workflows/reusable_build_dev.yaml

@@ -37,7 +37,7 @@ jobs:
       cmdout: ${{ steps.run_cmd.outputs.out }}  
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
           ref: ${{ inputs.git_ref }}

.github/workflows/reusable_build_docker.yaml

@@ -32,7 +32,7 @@ jobs:
       TARGETARCH: ${{ (inputs.arch == 'aarch64' && 'arm64') || 'amd64' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
@@ -87,7 +87,7 @@ jobs:
             docker save docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-legacy-${{ inputs.arch }}.tar
 
       - name: Upload images tarballs
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: falco-images
           path: /tmp/falco-*.tar

.github/workflows/reusable_build_packages.yaml

@@ -23,7 +23,7 @@ jobs:
           dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
     
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
 
       - name: Build modern BPF skeleton
         run: |
@@ -32,7 +32,7 @@ jobs:
           make ProbeSkeleton -j6
           
       - name: Upload skeleton
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: bpf_probe_${{ inputs.arch }}.skel.h
           path: skeleton-build/skel_dir/bpf_probe.skel.h
@@ -53,10 +53,11 @@ jobs:
           yum install -y wget git make m4 rpm-build perl-IPC-Cmd
     
       - name: Checkout
-        uses: actions/checkout@v3
+        # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
     
       - name: Download skeleton
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: bpf_probe_${{ inputs.arch }}.skel.h
           path: /tmp
@@ -97,21 +98,21 @@ jobs:
           make package
 
       - name: Upload Falco tar.gz package
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz
           path: |
             ${{ github.workspace }}/build/falco-*.tar.gz
             
       - name: Upload Falco deb package
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: falco-${{ inputs.version }}-${{ inputs.arch }}.deb
           path: |
             ${{ github.workspace }}/build/falco-*.deb
       
       - name: Upload Falco rpm package
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: falco-${{ inputs.version }}-${{ inputs.arch }}.rpm
           path: |
@@ -129,7 +130,7 @@ jobs:
           apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
     
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
           
@@ -154,7 +155,7 @@ jobs:
           mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz 
           
       - name: Upload Falco static package
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: falco-${{ inputs.version }}-static-x86_64.tar.gz
           path: |
@@ -171,12 +172,12 @@ jobs:
           sudo DEBIAN_FRONTEND=noninteractive apt install cmake build-essential git emscripten -y
 
       - name: Select node version
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
         with:
           node-version: 14
     
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
           
@@ -210,7 +211,7 @@ jobs:
           emmake make -j6 package
           
       - name: Upload Falco WASM package
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: falco-${{ inputs.version }}-wasm.tar.gz
           path: |

.github/workflows/reusable_fetch_version.yaml

@@ -19,7 +19,7 @@ jobs:
       version: ${{ steps.store_version.outputs.version }}  
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
           

.github/workflows/reusable_publish_docker.yaml

@@ -26,10 +26,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v2 # TODO needs to be updated
     
       - name: Download images tarballs
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-images
           path: /tmp/falco-images
@@ -39,7 +39,7 @@ jobs:
           for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done
     
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v2 # TODO needs to be updated
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_SECRET }}
@@ -57,7 +57,7 @@ jobs:
           registry-type: public    
       
       - name: Setup Crane
-        uses: imjasonh/setup-crane@v0.3
+        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
         with:
           version: v0.15.1
 
@@ -76,7 +76,7 @@ jobs:
           docker push docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
 
       - name: Create no-driver manifest on Docker Hub
-        uses: Noelware/docker-manifest-action@0.3.1
+        uses: Noelware/docker-manifest-action@0.3.1 # TODO needs to be updated (it might have cosign integration!)
         with:
           inputs: docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }}
           images: docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}

.github/workflows/reusable_publish_packages.yaml

@@ -26,7 +26,7 @@ jobs:
     container: docker.io/centos:7
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
     
       - name: Install dependencies
         run: |
@@ -38,37 +38,37 @@ jobs:
       # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
       # Note: master CI can only push dev packages as we have 2 different roles for master and release.
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v2 # TODO needs to be updated
         with:
           role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco${{ inputs.bucket_suffix }}-s3"
           aws-region: ${{ env.AWS_S3_REGION }}    
           
       - name: Download RPM x86_64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-${{ inputs.version }}-x86_64.rpm
           path: /tmp/falco-build-rpm
 
       - name: Download RPM aarch64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-${{ inputs.version }}-aarch64.rpm
           path: /tmp/falco-build-rpm
 
       - name: Download binary x86_64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-${{ inputs.version }}-x86_64.tar.gz
           path: /tmp/falco-build-bin
 
       - name: Download binary aarch64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-${{ inputs.version }}-aarch64.tar.gz
           path: /tmp/falco-build-bin
 
       - name: Download static binary x86_64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-${{ inputs.version }}-static-x86_64.tar.gz
           path: /tmp/falco-build-bin-static
@@ -112,7 +112,7 @@ jobs:
     container: docker.io/debian:stable
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
     
       - name: Install dependencies
         run: |
@@ -128,13 +128,13 @@ jobs:
           aws-region: ${{ env.AWS_S3_REGION }}     
       
       - name: Download deb x86_64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-${{ inputs.version }}-x86_64.deb
           path: /tmp/falco-build-deb
 
       - name: Download deb aarch64
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-${{ inputs.version }}-aarch64.deb
           path: /tmp/falco-build-deb

.github/workflows/reusable_test_packages.yaml

@@ -22,18 +22,18 @@ jobs:
     runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
           submodules: 'true'
       
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v3 # TODO needs to be updated
         with:
           go-version: '>=1.17.0'
 
       - name: Download binary
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}.tar.gz
       
@@ -84,7 +84,7 @@ jobs:
 
       - name: Test Summary
         if: always() # run this even if previous step fails
-        uses: test-summary/action@v2
+        uses: test-summary/action@62bc5c68de2a6a0d02039763b8c754569df99e3f # v2.1
         with:
           paths: "submodules/falcosecurity-testing/report.xml"
           show: "fail"

.github/workflows/staticanalysis.yaml

@@ -7,7 +7,7 @@ jobs:
 
     steps:
       - name: Checkout ⤵️
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
@@ -25,7 +25,7 @@ jobs:
           make -j4 cppcheck_htmlreport
 
       - name: Upload reports ⬆️
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: static-analysis-reports
           path: ./build/static-analysis-reports

CHANGELOG.md

@@ -22,7 +22,7 @@ Released on 2023-09-26
 
 
 * new(falco-driver-loader): --source-only now prints the values as env vars [[#2353](https://github.com/falcosecurity/falco/pull/2353)] - [@steakunderscore](https://github.com/steakunderscore)
-* new(docker): allow passing options to falco-driver-loader from the driver loader cointainer [[#2781](https://github.com/falcosecurity/falco/pull/2781)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(docker): allow passing options to falco-driver-loader from the driver loader container [[#2781](https://github.com/falcosecurity/falco/pull/2781)] - [@LucaGuerra](https://github.com/LucaGuerra)
 * new(docker): add experimental falco-distroless image based on Wolfi [[#2768](https://github.com/falcosecurity/falco/pull/2768)] - [@LucaGuerra](https://github.com/LucaGuerra)
 * new: the legacy falco image is available as driver-loader-legacy [[#2718](https://github.com/falcosecurity/falco/pull/2718)] - [@LucaGuerra](https://github.com/LucaGuerra)
 * new: added option to enable/disable echoing of server answer to stdout (disabled by default) when using HTTP output [[#2602](https://github.com/falcosecurity/falco/pull/2602)] - [@FedeDP](https://github.com/FedeDP)
@@ -1086,7 +1086,7 @@ Released on 2021-01-18
 ### Minor Changes
 
 * build: bump b64 to v2.0.0.1 [[#1441](https://github.com/falcosecurity/falco/pull/1441)] - [@fntlnz](https://github.com/fntlnz)
-* rules(macro container_started): re-use `spawned_process` macro inside `container_started` macro [[#1449](https://github.com/falcosecurity/falco/pull/1449)] - [@leodido](https://github.com/leodido)
+* rules(macro container_started): reuse `spawned_process` macro inside `container_started` macro [[#1449](https://github.com/falcosecurity/falco/pull/1449)] - [@leodido](https://github.com/leodido)
 * docs: reach out documentation [[#1472](https://github.com/falcosecurity/falco/pull/1472)] - [@fntlnz](https://github.com/fntlnz)
 * docs: Broken outputs.proto link [[#1493](https://github.com/falcosecurity/falco/pull/1493)] - [@deepskyblue86](https://github.com/deepskyblue86)
 * docs(README.md): correct broken links [[#1506](https://github.com/falcosecurity/falco/pull/1506)] - [@leogr](https://github.com/leogr)

cmake/modules/falcosecurity-libs.cmake

@@ -35,8 +35,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` 
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "0.13.1")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=2be42a27be3ffe6bd7e53eaa5d8358cab05a0dca821819c6e9059e51b9786219")
+    set(FALCOSECURITY_LIBS_VERSION "00fa5c5196edf5858daf229ec8a96756d22fa854")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=d7fd77830f97406828e7dd41bcd3178d54075c91638a8e40492d4e864457548a")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

falco.yaml

@@ -273,34 +273,6 @@ json_include_tags_property: true
 # output mechanism. By default, buffering is disabled (false).
 buffered_outputs: false
 
-# [Stable] `outputs`
-#
-# [DEPRECATED]
-# This config is deprecated and it will be removed in Falco 0.37
-#
-# A throttling mechanism, implemented as a token bucket, can be used to control
-# the rate of Falco outputs. Each event source has its own rate limiter,
-# ensuring that alerts from one source do not affect the throttling of others.
-# The following options control the mechanism:
-#  - rate: the number of tokens (i.e. right to send a notification) gained per
-#    second. When 0, the throttling mechanism is disabled. Defaults to 0.
-#  - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
-#
-# For example, setting the rate to 1 allows Falco to send up to 1000
-# notifications initially, followed by 1 notification per second. The burst
-# capacity is fully restored after 1000 seconds of no activity.
-#
-# Throttling can be useful in various scenarios, such as preventing notification
-# floods, managing system load, controlling event processing, or complying with
-# rate limits imposed by external systems or APIs. It allows for better resource
-# utilization, avoids overwhelming downstream systems, and helps maintain a
-# balanced and controlled flow of notifications.
-#
-# With the default settings, the throttling mechanism is disabled.
-outputs:
-  rate: 0
-  max_burst: 1000
-
 # [Experimental] `rule_matching`
 #
 # The `rule_matching` configuration key's values are:

proposals/20221129-artifacts-distribution.md

@@ -69,7 +69,7 @@ The allowed publishing channels are:
 Both channels are equivalent and may publish the same artifacts. However, for historical reasons and to avoid confusion, the **`docker.io` registry should only be used for container images** and not for other kinds of artifacts (e.g., plugins, rules, etc.).
 
 
-Mirrors are allowed and encouraged if they facilitate artifacts consumption by our users. This proposal reccomends to enable mirrors on the major public OCI registry, such as [Amazon ECR](https://gallery.ecr.aws/) (which is already implentend in our infra at the time of writing).
+Mirrors are allowed and encouraged if they facilitate artifacts consumption by our users. This proposal recommends to enable mirrors on the major public OCI registry, such as [Amazon ECR](https://gallery.ecr.aws/) (which is already implentend in our infra at the time of writing).
 
 
 Official **channels and mirrors must be listed at [falco.org](https://falco.org/)**. 

userspace/engine/falco_engine.cpp

@@ -75,9 +75,9 @@ falco_engine::~falco_engine()
 	m_sources.clear();
 }
 
-uint32_t falco_engine::engine_version()
+sinsp_version falco_engine::engine_version()
 {
-	return (uint32_t) FALCO_ENGINE_VERSION;
+	return sinsp_version(FALCO_ENGINE_VERSION);
 }
 
 const falco_source* falco_engine::find_source(const std::string& name) const
@@ -567,7 +567,7 @@ void falco_engine::describe_rule(std::string *rule, const std::vector<std::share
 
 		// Store required engine version
 		auto required_engine_version = m_rule_collector.required_engine_version();
-		output["required_engine_version"] = std::to_string(required_engine_version.version);
+		output["required_engine_version"] = required_engine_version.version.as_string();
 
 		// Store required plugin versions
 		Json::Value plugin_versions = Json::arrayValue;
@@ -1007,14 +1007,14 @@ static bool check_plugin_requirement_alternatives(
 			{
 				sinsp_version req_version(req.version);
 				sinsp_version plugin_version(plugin.version);
-				if(!plugin_version.m_valid)
+				if(!plugin_version.is_valid())
 				{
 					err = "Plugin '" + plugin.name
 						+ "' has invalid version string '"
 						+ plugin.version + "'";
 					return false;
 				}
-				if (!plugin_version.check(req_version))
+				if (!plugin_version.compatible_with(req_version))
 				{
 					err = "Plugin '" + plugin.name
 					+ "' version '" + plugin.version

userspace/engine/falco_engine.h

@@ -39,6 +39,7 @@ limitations under the License.
 #include "falco_source.h"
 #include "falco_load_result.h"
 #include "filter_details_resolver.h"
+#include "rule_loader_reader.h"
 
 //
 // This class acts as the primary interface between a program and the
@@ -56,7 +57,16 @@ public:
 	// and rules file format it supports. This version will change
 	// any time the code that handles rules files, expression
 	// fields, etc, changes.
-	static uint32_t engine_version();
+	static sinsp_version engine_version();
+
+	// Engine version used to be represented as a simple progressive
+	// number. With the new semver schema, the number now represents
+	// the semver minor number. This function converts the legacy version 
+	// number to the new semver schema.
+	static inline sinsp_version get_implicit_version(uint32_t minor)
+	{
+		return rule_loader::reader::get_implicit_engine_version(minor);
+	}
 
 	// Print to stdout (using printf) a description of each field supported by this engine.
 	// If source is non-empty, only fields for the provided source are printed.

userspace/engine/falco_engine_version.h

@@ -15,8 +15,18 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// The version of this Falco engine.
-#define FALCO_ENGINE_VERSION (26)
+#define __FALCO_ENGINE_STRINGIFY1(str) #str
+#define __FALCO_ENGINE_STRINGIFY(str) __FALCO_ENGINE_STRINGIFY1(str)
+
+// The version of this Falco engine
+#define FALCO_ENGINE_VERSION_MAJOR 0
+#define FALCO_ENGINE_VERSION_MINOR 26
+#define FALCO_ENGINE_VERSION_PATCH 0
+
+#define FALCO_ENGINE_VERSION \
+	__FALCO_ENGINE_STRINGIFY(FALCO_ENGINE_VERSION_MAJOR) "." \
+	__FALCO_ENGINE_STRINGIFY(FALCO_ENGINE_VERSION_MINOR) "." \
+	__FALCO_ENGINE_STRINGIFY(FALCO_ENGINE_VERSION_PATCH)
 
 // This is the result of running the following command:
 //   FALCO="falco -c ./falco.yaml"
@@ -24,4 +34,4 @@ limitations under the License.
 // It represents the fields supported by this version of Falco,
 // the event types, and the underlying driverevent schema. It's used to
 // detetect changes in engine version in our CI jobs.
-#define FALCO_ENGINE_CHECKSUM "98c6e665031b95c666a9ab02d5470e7008e8636bf02f4cc410912005b90dff5c"
+#define FALCO_ENGINE_CHECKSUM "df5b0b40d3e1dafc0de13459a4b889f8680ec154690f445952e74799920ae380"

userspace/engine/rule_loader.cpp

@@ -517,7 +517,7 @@ const nlohmann::json& rule_loader::result::as_json(const rules_contents_t& conte
 }
 
 rule_loader::engine_version_info::engine_version_info(context &ctx)
-	: ctx(ctx), version(0)
+	: ctx(ctx)
 {
 }
 

userspace/engine/rule_loader.h

@@ -24,6 +24,7 @@ limitations under the License.
 #include "falco_source.h"
 #include "falco_load_result.h"
 #include "indexed_vector.h"
+#include "version.h"
 
 namespace rule_loader
 {
@@ -298,7 +299,7 @@ namespace rule_loader
 	*/
 	struct engine_version_info
 	{
-		engine_version_info() : ctx("no-filename-given"), version(0) { };
+		engine_version_info() : ctx("no-filename-given"), version("0.0.0") { };
 		engine_version_info(context &ctx);
 		~engine_version_info() = default;
 		engine_version_info(engine_version_info&&) = default;
@@ -307,7 +308,7 @@ namespace rule_loader
 		engine_version_info& operator = (const engine_version_info&) = default;
 
 		context ctx;
-		uint32_t version;
+		sinsp_version version;
 	};
 
 	/*!

userspace/engine/rule_loader_collector.cpp

@@ -146,9 +146,11 @@ const indexed_vector<rule_loader::rule_info>& rule_loader::collector::rules() co
 void rule_loader::collector::define(configuration& cfg, engine_version_info& info)
 {
 	auto v = falco_engine::engine_version();
-	THROW(v < info.version, "Rules require engine version "
-	      + std::to_string(info.version) + ", but engine version is " + std::to_string(v),
+	THROW(!v.compatible_with(info.version), "Rules require engine version "
+	      + info.version.as_string() + ", but engine version is " + v.as_string(),
 	      info.ctx);
+		  
+	// Store max required_engine_version
 	if(m_required_engine_version.version < info.version)
 	{
 		m_required_engine_version = info;
@@ -161,7 +163,7 @@ void rule_loader::collector::define(configuration& cfg, plugin_version_info& inf
 	for (const auto& req : info.alternatives)
 	{
 		sinsp_version plugin_version(req.version);
-		THROW(!plugin_version.m_valid,
+		THROW(!plugin_version.is_valid(),
 			"Invalid required version '" + req.version
 				+ "' for plugin '" + req.name + "'",
 			info.ctx);

userspace/engine/rule_loader_reader.cpp

@@ -19,6 +19,8 @@ limitations under the License.
 #include <vector>
 
 #include "rule_loader_reader.h"
+#include "falco_engine_version.h"
+#include "logger.h"
 
 #define THROW(cond, err, ctx)    { if ((cond)) { throw rule_loader::rule_load_exception(falco::load_result::LOAD_ERR_YAML_VALIDATE, (err), (ctx)); } }
 
@@ -255,8 +257,27 @@ static void read_item(
 	{
 		rule_loader::context ctx(item, rule_loader::context::REQUIRED_ENGINE_VERSION, "", parent);
 		rule_loader::engine_version_info v(ctx);
+		
+		try
+		{
+			// Convert convert to an uint (more restrictive than converting to a string)
+			uint32_t ver;
+			decode_val(item, "required_engine_version", ver, ctx);
+
+			// Build proper semver representation
+			v.version = rule_loader::reader::get_implicit_engine_version(ver);
+		} 
+		catch(std::exception& e)
+		{
+			// Convert to string
+			std::string ver;
+			decode_val(item, "required_engine_version", ver, ctx);
+
+			v.version = sinsp_version(ver);
+
+			THROW(!v.version.is_valid(), "Unable to parse engine version '" + ver + "' as a semver string. Expected \"x.y.z\" semver format.", ctx);
+		}
 
-		decode_val(item, "required_engine_version", v.version, ctx);
 		collector.define(cfg, v);
 	}
 	else if(item["required_plugin_versions"].IsDefined())

userspace/engine/rule_loader_reader.h

@@ -19,6 +19,9 @@ limitations under the License.
 
 #include "rule_loader.h"
 #include "rule_loader_collector.h"
+#include "logger.h"
+#include "version.h"
+#include "falco_engine_version.h"
 
 namespace rule_loader
 {
@@ -41,6 +44,19 @@ public:
         thew new definitions
 	*/
 	virtual bool read(configuration& cfg, collector& loader);
+    
+    /*!
+        \brief Engine version used to be represented as a simple progressive
+	    number. With the new semver schema, the number now represents
+	    the semver minor number. This function converts the legacy version 
+	    number to the new semver schema.
+    */
+	static inline sinsp_version get_implicit_engine_version(uint32_t minor)
+	{
+		return sinsp_version(std::to_string(FALCO_ENGINE_VERSION_MAJOR) + "."
+			+ std::to_string(minor) + "." 
+			+ std::to_string(FALCO_ENGINE_VERSION_PATCH));
+	}
 };
 
 }; // namespace rule_loader

userspace/falco/app/actions/process_events.cpp

@@ -25,7 +25,6 @@ limitations under the License.
 #include <unordered_map>
 
 #include "falco_utils.h"
-#include "token_bucket.h"
 
 #include "actions.h"
 #include "helpers.h"
@@ -137,8 +136,6 @@ static falco::app::run_result do_inspect(
 	stats_writer::collector stats_collector(statsw);
 	uint64_t duration_start = 0;
 	uint32_t timeouts_since_last_success_or_msg = 0;
-	token_bucket rate_limiter;
-	const bool rate_limiter_enabled = s.config->m_notifications_rate > 0;
 	const bool is_capture_mode = source.empty();
 	size_t source_engine_idx = 0;
 
@@ -156,14 +153,6 @@ static falco::app::run_result do_inspect(
 		source_engine_idx = s.source_infos.at(source)->engine_idx;
 	}
 
-	// if enabled, init rate limiter
-	if (rate_limiter_enabled)
-	{
-		rate_limiter.init(
-			s.config->m_notifications_rate,
-			s.config->m_notifications_max_burst);
-	}
-
 	// reset event counter
 	num_evts = 0;
 
@@ -333,14 +322,7 @@ static falco::app::run_result do_inspect(
 		{
 			for(auto& rule_res : *res.get())
 			{
-				if (!rate_limiter_enabled || rate_limiter.claim())
-				{
-					s.outputs->handle_event(rule_res.evt, rule_res.rule, rule_res.source, rule_res.priority_num, rule_res.format, rule_res.tags);
-				}
-				else
-				{
-					falco_logger::log(LOG_DEBUG, "Skipping rate-limited notification for rule " + rule_res.rule + "\n");
-				}
+				s.outputs->handle_event(rule_res.evt, rule_res.rule, rule_res.source, rule_res.priority_num, rule_res.format, rule_res.tags);
 			}
 		}
 		

userspace/falco/atomic_signal_handler.h

@@ -87,9 +87,9 @@ namespace falco
         /**
          * @brief If a signal is triggered, performs an handler action.
          * The action function will be invoked exactly once among all the
-         * simultaneus calls. The action will not be performed if the
+         * simultaneous calls. The action will not be performed if the
          * signal is not triggered, or if the triggered has already been
-         * handled. When an action is being performed, all the simultaneus
+         * handled. When an action is being performed, all the simultaneous
          * callers will wait and be blocked up until its execution is finished.
          * If the handler action throws an exception, it will be considered
          * performed. After the first handler has been performed, every

userspace/falco/configuration.cpp

@@ -36,8 +36,6 @@ falco_configuration::falco_configuration():
 	m_json_output(false),
 	m_json_include_output_property(true),
 	m_json_include_tags_property(true),
-	m_notifications_rate(0),
-	m_notifications_max_burst(1000),
 	m_rule_matching(falco_common::rule_matching::FIRST),
 	m_watch_config_files(true),
 	m_buffered_outputs(false),
@@ -264,13 +262,6 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
 
 	m_output_timeout = config.get_scalar<uint32_t>("output_timeout", 2000);
 
-	m_notifications_rate = config.get_scalar<uint32_t>("outputs.rate", 0);
-	if(m_notifications_rate != 0)
-	{
-		falco_logger::log(LOG_WARNING, "'output.rate' config is deprecated and it will be removed in Falco 0.37\n");
-	}
-	m_notifications_max_burst = config.get_scalar<uint32_t>("outputs.max_burst", 1000);
-
 	std::string rule_matching = config.get_scalar<std::string>("rule_matching", "first");
 	if (!falco_common::parse_rule_matching(rule_matching, m_rule_matching))
 	{

userspace/falco/configuration.h

@@ -65,8 +65,6 @@ public:
 	bool m_json_include_tags_property;
 	std::string m_log_level;
 	std::vector<falco::outputs::config> m_outputs;
-	uint32_t m_notifications_rate;
-	uint32_t m_notifications_max_burst;
 
 	falco_common::priority_type m_min_priority;
 	falco_common::rule_matching m_rule_matching;

userspace/falco/falco_outputs.h

@@ -36,7 +36,7 @@ limitations under the License.
 
 	All methods in this class are thread-safe. The output framework supports
 	a multi-producer model where messages are stored in a queue and consumed
-	by each configured output asynchrounously.
+	by each configured output asynchronously.
 */
 class falco_outputs
 {

userspace/falco/grpc_server_impl.cpp

@@ -16,6 +16,7 @@ limitations under the License.
 */
 
 #include "config_falco.h"
+#include "falco_engine.h"
 #include "falco_engine_version.h"
 #include "grpc_server_impl.h"
 #include "grpc_queue.h"
@@ -79,6 +80,10 @@ void falco::grpc::server_impl::version(const context& ctx, const version::reques
 
 	res.set_engine_version(FALCO_ENGINE_VERSION);
 	res.set_engine_fields_checksum(FALCO_ENGINE_CHECKSUM); 
+	auto engine_version = falco_engine::engine_version();
+	res.set_engine_major(engine_version.major());
+	res.set_engine_minor(engine_version.minor());
+	res.set_engine_patch(engine_version.patch());
 
 	res.set_major(FALCO_VERSION_MAJOR);
 	res.set_minor(FALCO_VERSION_MINOR);

userspace/falco/stats_writer.cpp

@@ -60,7 +60,14 @@ bool stats_writer::init_ticker(uint32_t interval_msec, std::string &err)
 	sev.sigev_value.sival_ptr = &s_timerid;
 #ifndef __EMSCRIPTEN__
 	// delete any previously set timer
-	timer_delete(s_timerid);
+	if (s_timerid)
+	{
+		if (timer_delete(s_timerid) == -1)
+		{
+			err = std::string("Failed to delete existing timer: ") + strerror(errno);
+			return false;
+		}
+	}
 	if (timer_create(CLOCK_MONOTONIC, &sev, &s_timerid) == -1) {
 		err = std::string("Could not create periodic timer: ") + strerror(errno);
 		return false;
@@ -134,7 +141,11 @@ stats_writer::~stats_writer()
 		}
 		// delete timerID and reset timer
 #ifndef __EMSCRIPTEN__
-		timer_delete(s_timerid);
+		if (s_timerid)
+		{
+			timer_delete(s_timerid);
+			s_timerid = nullptr;
+		}
 #endif
 	}
 }

userspace/falco/version.proto

@@ -45,6 +45,9 @@ message response
   string prerelease = 5;
   string build = 6;
 // falco engine version
-  uint32 engine_version = 7;
+  uint32 engine_minor = 7;
   string engine_fields_checksum = 8;
+  uint32 engine_major = 9;
+  uint32 engine_patch = 10;
+  string engine_version = 11;
 }

userspace/falco/versions_info.cpp

@@ -51,7 +51,7 @@ static inline std::string get_driver_schema_version(const std::shared_ptr<sinsp>
 falco::versions_info::versions_info(const std::shared_ptr<sinsp>& inspector)
 {
     falco_version = FALCO_VERSION;
-    engine_version = std::to_string(FALCO_ENGINE_VERSION);
+    engine_version = FALCO_ENGINE_VERSION;
     libs_version = FALCOSECURITY_LIBS_VERSION;
     plugin_api_version = inspector->get_plugin_api_version();
     driver_api_version = get_driver_api_version(inspector);