test

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

.github/release_template.md

@@ -1,21 +0,0 @@
-![LIBS](https://img.shields.io/badge/LIBS-LIBSVER-yellow)
-![DRIVER](https://img.shields.io/badge/DRIVER-DRIVERVER-yellow)
-
-| Packages | Download                                                                                                                                               |
-| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| rpm-x86_64      | [![rpm](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpmFALCOBUCKET/falco-FALCOVER-x86_64.rpm)        |
-| deb-x86_64      | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-x86_64.deb) |
-| tgz-x86_64      | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/x86_64/falco-FALCOVER-x86_64.tar.gz) |
-| rpm-aarch64      | [![rpm](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpmFALCOBUCKET/falco-FALCOVER-aarch64.rpm)        |
-| deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-aarch64.deb) |
-| tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/aarch64/falco-FALCOVER-aarch64.tar.gz) |
-
-| Images                                                                      |
-| --------------------------------------------------------------------------- |
-| `docker pull docker.io/falcosecurity/falco:FALCOVER`                           |
-| `docker pull public.ecr.aws/falcosecurity/falco:FALCOVER`                      |
-| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER`             |
-| `docker pull docker.io/falcosecurity/falco-driver-loader-legacy:FALCOVER`      |
-| `docker pull docker.io/falcosecurity/falco-no-driver:FALCOVER`                 |
-| `docker pull docker.io/falcosecurity/falco-distroless:FALCOVER`                |
-

.github/workflows/ci.yml

@@ -13,6 +13,18 @@ concurrency:
   cancel-in-progress: true  
 
 jobs:
+  my-test:
+    runs-on: [ "self-hosted", "linux", "ARM64" ]
+    steps:
+      - name: etc os release
+        run: cat /etc/os-release
+      
+      - name: uname
+        run: uname -a
+      
+      - name: install deps
+        run: sudo yum update && sudo yum install make
+
   fetch-version:
     uses: ./.github/workflows/reusable_fetch_version.yaml
 
@@ -56,7 +68,7 @@ jobs:
       git_ref: ${{ github.event.pull_request.head.sha }}
       minimal: false
       build_type: Debug
-      cmd: "echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Engine:' | awk '{print $2}') $(echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Schema version:' | awk '{print $3}') $(build/userspace/falco/falco -c ./falco.yaml --list --markdown | grep '^`' | sort) $(build/userspace/falco/falco -c ./falco.yaml --list-events | sort) | sha256sum)"
+      cmd: "echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Engine:' | awk '{print $2}') $(echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Schema version:' | awk '{print $3}') $(build/userspace/falco/falco -c ./falco.yaml --list --markdown | grep '^`' | sort) $(build/userspace/falco/falco -c ./falco.yaml --list-syscall-events | sort) | sha256sum)"
 
   # checks the falco engine checksum for consistency
   check-engine-checksum:

.github/workflows/release.yaml

@@ -122,47 +122,3 @@ jobs:
       is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
       tag: ${{ github.event.release.tag_name }}
       sign: true
-      
-  release-body:
-    needs: [release-settings, publish-docker]
-    if: ${{ needs.release-settings.outputs.is_latest == 'true' }} # only for latest releases
-    permissions:
-      contents: write
-    runs-on: ubuntu-latest
-    steps:
-      - name: Clone repo
-        uses: actions/checkout@v4
-          
-      - name: Extract LIBS and DRIVER versions
-        run: |
-          cp .github/release_template.md release-body.md
-          LIBS_VERS=$(cat cmake/modules/falcosecurity-libs.cmake | grep 'set(FALCOSECURITY_LIBS_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*')
-          DRIVER_VERS=$(cat cmake/modules/driver.cmake | grep 'set(DRIVER_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*')
-          sed -i s/LIBSVER/$LIBS_VERS/g release-body.md
-          sed -i s/DRIVERVER/$DRIVER_VERS/g release-body.md
-          
-      - name: Append release matrixes
-        run: |
-          sed -i s/FALCOBUCKET/${{ needs.release-settings.outputs.bucket_suffix }}/g release-body.md
-          sed -i s/FALCOVER/${{ github.event.release.tag_name }}/g release-body.md
-          
-      - name: Generate release notes
-        uses: leodido/rn2md@0669e5f3b21492c11c2db43cd6e267566f5880f3
-        with:
-          milestone: ${{ github.event.release.tag_name }}
-          output: ./notes.md
-        
-      - name: Merge release notes to pre existent body
-        run: cat notes.md >> release-body.md
-        
-      - name: Attach release creator to release body
-        run: |
-          echo "" >> release-body.md
-          echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
-        
-      - name: Release
-        uses: softprops/action-gh-release@v1
-        with:
-          body_path: ./release-body.md
-          tag_name: ${{ github.event.release.tag_name }}
-          name: ${{ github.event.release.name }}

.github/workflows/reusable_build_docker.yaml

@@ -46,16 +46,6 @@ jobs:
             --build-arg TARGETARCH=${TARGETARCH} \
             .
             docker save docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-no-driver-${{ inputs.arch }}.tar
-
-      - name: Build distroless image
-        run: |
-          cd ${{ github.workspace }}/docker/no-driver/
-          docker build -f Dockerfile.distroless -t docker.io/falcosecurity/falco-distroless:${{ inputs.arch }}-${{ inputs.tag }} \
-            --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
-            --build-arg FALCO_VERSION=${{ inputs.version }} \
-            --build-arg TARGETARCH=${TARGETARCH} \
-            .
-            docker save docker.io/falcosecurity/falco-distroless:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-distroless-${{ inputs.arch }}.tar
             
       - name: Build falco image
         run: |
@@ -75,17 +65,7 @@ jobs:
             --build-arg TARGETARCH=${TARGETARCH} \
             .
             docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-${{ inputs.arch }}.tar
-
-      - name: Build falco-driver-loader-legacy image
-        run: |
-          cd ${{ github.workspace }}/docker/driver-loader-legacy/
-          docker build -t docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} \
-            --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
-            --build-arg FALCO_VERSION=${{ inputs.version }} \
-            --build-arg TARGETARCH=${TARGETARCH} \
-            .
-            docker save docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-legacy-${{ inputs.arch }}.tar
-
+            
       - name: Upload images tarballs
         uses: actions/upload-artifact@v3
         with:

.github/workflows/reusable_publish_docker.yaml

@@ -66,14 +66,10 @@ jobs:
         run: |
           docker push docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
-          docker push docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }}
-          docker push docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
-          docker push docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }}
-          docker push docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
 
       - name: Create no-driver manifest on Docker Hub
         uses: Noelware/docker-manifest-action@0.3.1
@@ -81,13 +77,6 @@ jobs:
           inputs: docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }}
           images: docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
           push: true
-
-      - name: Create distroless manifest on Docker Hub
-        uses: Noelware/docker-manifest-action@0.3.1
-        with:
-          inputs: docker.io/falcosecurity/falco-distroless:${{ inputs.tag }}
-          images: docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }}
-          push: true
           
       - name: Tag slim manifest on Docker Hub
         run: |
@@ -107,46 +96,31 @@ jobs:
           images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
           push: true
 
-      - name: Create falco-driver-loader-legacy manifest on Docker Hub
-        uses: Noelware/docker-manifest-action@0.3.1
-        with:
-          inputs: docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }}
-          images: docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
-          push: true
-
       - name: Get Digests for images
         id: digests
         run: |
           echo "falco-no-driver=$(crane digest docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }})" >> $GITHUB_OUTPUT
-          echo "falco-distroless=$(crane digest docker.io/falcosecurity/falco-distroless:${{ inputs.tag }})" >> $GITHUB_OUTPUT
           echo "falco=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }})" >> $GITHUB_OUTPUT
           echo "falco-driver-loader=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }})" >> $GITHUB_OUTPUT
-          echo "falco-driver-loader-legacy=$(crane digest docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }})" >> $GITHUB_OUTPUT
 
       - name: Publish images to ECR
         run: |
           crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }}
-          crane copy docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }}
           crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}
           crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}
-          crane copy docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }}
           crane copy public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim
 
       - name: Tag latest on Docker Hub and ECR
         if: inputs.is_latest
         run: |
           crane tag docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
-          crane tag docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} latest
           crane tag docker.io/falcosecurity/falco:${{ inputs.tag }} latest
           crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
-          crane tag docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest
           crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
 
           crane tag public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
-          crane tag public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }} latest
           crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} latest
           crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
-          crane tag public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest
           crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
 
       - name: Setup Cosign
@@ -162,13 +136,9 @@ jobs:
           COSIGN_YES: "true"
         run: |
           cosign sign docker.io/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
-          cosign sign docker.io/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }}
           cosign sign docker.io/falcosecurity/falco@${{ steps.digests.outputs.falco }}
           cosign sign docker.io/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
-          cosign sign docker.io/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }}
 
           cosign sign public.ecr.aws/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
-          cosign sign public.ecr.aws/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }}
           cosign sign public.ecr.aws/falcosecurity/falco@${{ steps.digests.outputs.falco }}
           cosign sign public.ecr.aws/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
-          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }}

.github/workflows/reusable_test_packages.yaml

@@ -44,7 +44,14 @@ jobs:
           cd falco-${{ inputs.version }}-${{ inputs.arch }}
           sudo cp -r * /
 
-      # x86_64 job run on ubuntu-22.04 and here we can install kernel-headers
+      # aarch64 job run on amazon-linux-2
+      - name: Install dependencies for falco-driver-loader tests on aarch64
+        if: ${{ inputs.arch == 'aarch64' }}
+        run: |
+          sudo yum update -y
+          sudo yum install -y build-essential clang make llvm gcc dkms kernel-devel-$(uname -r)
+
+      # x86_64 job run on ubuntu-22.04
       - name: Install dependencies for falco-driver-loader tests on x86
         if: ${{ inputs.arch == 'x86_64' }}
         run: |
@@ -63,21 +70,14 @@ jobs:
           go generate ./...
           popd
 
-      # Right now we are not able to install kernel-headers on our ARM64 self-hosted runner.
-      # For this reason, we disable the falco-driver-loader tests, which require kernel headers on the host.
       - name: Run regression tests
-        env:
-          # fixme(leogr): this is a workaround for https://github.com/falcosecurity/falco/issues/2784
-          HOST_ROOT: ""
         run: |
           pushd submodules/falcosecurity-testing
           ./build/falco.test -falco-static=${{ inputs.static && 'true' || 'false' }} -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
           if ${{ inputs.static && 'false' || 'true' }}; then
             ./build/falcoctl.test -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
             ./build/k8saudit.test -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
-            if ${{ inputs.arch == 'x86_64' && 'true' || 'false' }}; then
-                sudo ./build/falco-driver-loader.test -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
-            fi
+            sudo ./build/falco-driver-loader.test -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
           fi
           cat ./report.txt | go-junit-report -set-exit-code > report.xml
           popd

CHANGELOG.md

@@ -1,132 +1,5 @@
 # Change Log
 
-
-## v0.36.0
-
-Released on 2023-09-26
-
-### Breaking Changes
-
-- The default rules file that is shipped in the Falco image and/or can be downloaded via falcoctl as `falco-rules` is now a _stable_ rule file. This file **contains a much smaller number of rules** that are less noisy and have been vetted by the community. This serves as a much requested "starter" Falco rule set that covers many common use case. The rest of that file has been expanded and split into `falco-incubating-rules` and `falco-sandbox-rules`. For more information, see the [rules repository](https://github.com/falcosecurity/rules)
-- The main `falcosecurity/falco` container image and its `falco-driver-loader` counterpart have been upgraded. Now they are able to compile the kernel module or classic eBPF probe for relatively newer version of the kernel (5.x and above) while we no longer ship toolchains to compile the kernel module for older versions in the default images. Downloading of prebuilt drivers and the modern eBPF will work exactly like before. The older image, meant for compatibility with older kernels (4.x and below), is currently retained as `falcosecurity/falco-driver-loader-legacy`.
-- The Falco HTTP output no longer logs to stdout by default for performance reasons. You can set stdout logging preferences and restore the previous behavior with the configuration option `http_output.echo` in `falco.yaml`.
-- The `--list-syscall-events` command line option has been replaced by `--list-events` which prints all supported system events (syscall, tracepoints, metaevents, internal plugin events) in addition to extra information about flags.
-- The semantics of `proc.exepath` have changed. Now that field contains the executable path on disk even if the binary was launched from a symbolic link.
-- The `-d` daemonize option has been removed.
-- The `-p` option is now changed:
-    - when only `-pc` is set Falco will print `container_id=%container.id container_image=%container.image.repository container_image_tag=%container.image.tag container_name=%container.name`
-    - when `-pk` is set it will print as above, but with `k8s_ns=%k8s.ns.name k8s_pod_name=%k8s.pod.name` appended
-
-
-### Major Changes
-
-
-* new(falco-driver-loader): --source-only now prints the values as env vars [[#2353](https://github.com/falcosecurity/falco/pull/2353)] - [@steakunderscore](https://github.com/steakunderscore)
-* new(docker): allow passing options to falco-driver-loader from the driver loader cointainer [[#2781](https://github.com/falcosecurity/falco/pull/2781)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* new(docker): add experimental falco-distroless image based on Wolfi [[#2768](https://github.com/falcosecurity/falco/pull/2768)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* new: the legacy falco image is available as driver-loader-legacy [[#2718](https://github.com/falcosecurity/falco/pull/2718)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* new: added option to enable/disable echoing of server answer to stdout (disabled by default) when using HTTP output [[#2602](https://github.com/falcosecurity/falco/pull/2602)] - [@FedeDP](https://github.com/FedeDP)
-* new: support systemctl reload for Falco services [[#2588](https://github.com/falcosecurity/falco/pull/2588)] - [@jabdr](https://github.com/jabdr)
-* new(falco/config): add new configurations for http_output that allow mTLS [[#2633](https://github.com/falcosecurity/falco/pull/2633)] - [@annadorottya](https://github.com/annadorottya)
-* new: allow falco to match multiple rules on same event [[#2705](https://github.com/falcosecurity/falco/pull/2705)] - [@loresuso](https://github.com/loresuso)
-
-
-### Minor Changes
-
-* update(cmake): bumped bundled falcoctl to 0.6.2 [[#2829](https://github.com/falcosecurity/falco/pull/2829)] - [@FedeDP](https://github.com/FedeDP)
-* update(rules)!: major rule update to version 2.0.0 [[#2823](https://github.com/falcosecurity/falco/pull/2823)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* update(cmake): bumped plugins to latest stable versions [[#2820](https://github.com/falcosecurity/falco/pull/2820)] - [@FedeDP](https://github.com/FedeDP)
-* update(cmake): bumped libs to 0.13.0-rc2 and driver to 6.0.1+driver [[#2806](https://github.com/falcosecurity/falco/pull/2806)] - [@FedeDP](https://github.com/FedeDP)
-* update!: default substitution for `%container.info` is now equal `container_id=%container.id container_name=%container.name` [[#2793](https://github.com/falcosecurity/falco/pull/2793)] - [@leogr](https://github.com/leogr)
-* update!: the --list-syscall-events flag is now called --list-events and lists all events [[#2771](https://github.com/falcosecurity/falco/pull/2771)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* update!: the Falco base image is now based on Debian 12 with gcc 11-12 [[#2718](https://github.com/falcosecurity/falco/pull/2718)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* update(docker): the Falco no-driver image is now based on Debian 12 [[#2782](https://github.com/falcosecurity/falco/pull/2782)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* feat(userspace)!: remove `-d` daemonize option [[#2677](https://github.com/falcosecurity/falco/pull/2677)] - [@incertum](https://github.com/incertum)
-* build(deps): Bump submodules/falcosecurity-rules from 3f52480 to 0d0e333 [[#2693](https://github.com/falcosecurity/falco/pull/2693)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* build(deps): Bump submodules/falcosecurity-rules from 3f52480 to b42893a [[#2756](https://github.com/falcosecurity/falco/pull/2756)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* build(deps): Bump submodules/falcosecurity-rules from b42893a to 6ed73fe [[#2780](https://github.com/falcosecurity/falco/pull/2780)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* update(cmake): bumped libs to 0.13.0-rc1 and driver to 6.0.0+driver. [[#2783](https://github.com/falcosecurity/falco/pull/2783)] - [@FedeDP](https://github.com/FedeDP)
-* feat: support parsing of system environment variables in yaml [[#2562](https://github.com/falcosecurity/falco/pull/2562)] - [@therealdwright](https://github.com/therealdwright)
-* feat(userspace)!: deprecate stats command args option in favor of metrics configs in falco.yaml [[#2739](https://github.com/falcosecurity/falco/pull/2739)] - [@incertum](https://github.com/incertum)
-* update: upgrade `falcoctl` to version 0.6.0 [[#2764](https://github.com/falcosecurity/falco/pull/2764)] - [@leogr](https://github.com/leogr)
-* cleanup: deprecate rate limiter mechanism [[#2762](https://github.com/falcosecurity/falco/pull/2762)] - [@Andreagit97](https://github.com/Andreagit97)
-* cleanup(config): add more info [[#2758](https://github.com/falcosecurity/falco/pull/2758)] - [@incertum](https://github.com/incertum)
-* update(userspace/engine): improve skip-if-unknown-filter YAML field [[#2749](https://github.com/falcosecurity/falco/pull/2749)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* chore: improved HTTP output performance [[#2602](https://github.com/falcosecurity/falco/pull/2602)] - [@FedeDP](https://github.com/FedeDP)
-* update!: HTTP output will no more echo to stdout by default [[#2602](https://github.com/falcosecurity/falco/pull/2602)] - [@FedeDP](https://github.com/FedeDP)
-* chore: remove b64 from falco dependencies [[#2746](https://github.com/falcosecurity/falco/pull/2746)] - [@Andreagit97](https://github.com/Andreagit97)
-* update(cmake): support building libs and driver from forks [[#2747](https://github.com/falcosecurity/falco/pull/2747)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* update: `-p` presets have been updated to reflect the new rules style guide [[#2737](https://github.com/falcosecurity/falco/pull/2737)] - [@leogr](https://github.com/leogr)
-* feat: Allow specifying explicit kernel release and version for falco-driver-loader [[#2728](https://github.com/falcosecurity/falco/pull/2728)] - [@johananl](https://github.com/johananl)
-* cleanup(config): assign Stable to `base_syscalls` config [[#2740](https://github.com/falcosecurity/falco/pull/2740)] - [@incertum](https://github.com/incertum)
-* update : support build for wasm [[#2663](https://github.com/falcosecurity/falco/pull/2663)] - [@Rohith-Raju](https://github.com/Rohith-Raju)
-* docs(config.yaml): fix wrong severity levels for sinsp logger [[#2736](https://github.com/falcosecurity/falco/pull/2736)] - [@Andreagit97](https://github.com/Andreagit97)
-* update(cmake): bump libs and driver to 0.12.0 [[#2721](https://github.com/falcosecurity/falco/pull/2721)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* update(docker): remove experimental image based on RedHat UBI [[#2720](https://github.com/falcosecurity/falco/pull/2720)] - [@leogr](https://github.com/leogr)
-
-
-### Bug Fixes
-
-* fix(outputs): expose queue_capacity_outputs config for memory control [[#2711](https://github.com/falcosecurity/falco/pull/2711)] - [@incertum](https://github.com/incertum)
-* fix(userspace/falco): cleanup metrics timer upon leaving. [[#2759](https://github.com/falcosecurity/falco/pull/2759)] - [@FedeDP](https://github.com/FedeDP)
-* fix: restore Falco MINIMAL_BUILD and deprecate `userspace` option [[#2761](https://github.com/falcosecurity/falco/pull/2761)] - [@Andreagit97](https://github.com/Andreagit97)
-* fix(userspace/engine): support appending to unknown sources [[#2753](https://github.com/falcosecurity/falco/pull/2753)] - [@jasondellaluce](https://github.com/jasondellaluce)
-
-
-
-### Non user-facing changes
-
-* build(deps): Bump submodules/falcosecurity-rules from `69c9be8` to `77ba57a` [[#2833](https://github.com/falcosecurity/falco/pull/2833)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* chore: bump submodule testing to 62edc65 [[#2831](https://github.com/falcosecurity/falco/pull/2831)] - [@Andreagit97](https://github.com/Andreagit97)
-* update(gha): add version for rn2md [[#2830](https://github.com/falcosecurity/falco/pull/2830)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* chore: automatically attach release author to release body. [[#2828](https://github.com/falcosecurity/falco/pull/2828)] - [@FedeDP](https://github.com/FedeDP)
-* new(ci): autogenerate release body. [[#2812](https://github.com/falcosecurity/falco/pull/2812)] - [@FedeDP](https://github.com/FedeDP)
-* fix(dockerfile): remove useless CMD [[#2824](https://github.com/falcosecurity/falco/pull/2824)] - [@Andreagit97](https://github.com/Andreagit97)
-* chore: bump to the latest libs [[#2822](https://github.com/falcosecurity/falco/pull/2822)] - [@Andreagit97](https://github.com/Andreagit97)
-* update: add SPDX license identifier [[#2809](https://github.com/falcosecurity/falco/pull/2809)] - [@leogr](https://github.com/leogr)
-* chore: bump to latest libs [[#2815](https://github.com/falcosecurity/falco/pull/2815)] - [@Andreagit97](https://github.com/Andreagit97)
-* build(deps): Bump submodules/falcosecurity-rules from `ee5fb38` to `bea364e` [[#2814](https://github.com/falcosecurity/falco/pull/2814)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* fix(build): set the right bucket and version for driver legacy [[#2800](https://github.com/falcosecurity/falco/pull/2800)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* build(deps): Bump submodules/falcosecurity-rules from `43580b4` to `ee5fb38` [[#2810](https://github.com/falcosecurity/falco/pull/2810)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* cleanup(userspace): thrown exceptions and avoid multiple logs [[#2803](https://github.com/falcosecurity/falco/pull/2803)] - [@Andreagit97](https://github.com/Andreagit97)
-* build(deps): Bump submodules/falcosecurity-rules from `c6e01fa` to `43580b4` [[#2801](https://github.com/falcosecurity/falco/pull/2801)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* build(deps): Bump submodules/falcosecurity-testing from `76d1743` to `30c3643` [[#2802](https://github.com/falcosecurity/falco/pull/2802)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* fix(userspace/falco): clearing full output queue [[#2798](https://github.com/falcosecurity/falco/pull/2798)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* update(docs): add driver-loader-legacy to readme and fix bad c&p [[#2799](https://github.com/falcosecurity/falco/pull/2799)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* build(deps): Bump submodules/falcosecurity-rules from `d31dbc2` to `c6e01fa` [[#2797](https://github.com/falcosecurity/falco/pull/2797)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* docs: add LICENSE file [[#2796](https://github.com/falcosecurity/falco/pull/2796)] - [@leogr](https://github.com/leogr)
-* build(deps): Bump submodules/falcosecurity-rules from `b6372d2` to `d31dbc2` [[#2794](https://github.com/falcosecurity/falco/pull/2794)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* fix(stats): always initialize m_output field [[#2789](https://github.com/falcosecurity/falco/pull/2789)] - [@Andreagit97](https://github.com/Andreagit97)
-* build(deps): Bump submodules/falcosecurity-rules from `6ed73fe` to `b6372d2` [[#2786](https://github.com/falcosecurity/falco/pull/2786)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* update(cmake/modules): bump rules to falco-rules-2.0.0-rc1 [[#2775](https://github.com/falcosecurity/falco/pull/2775)] - [@leogr](https://github.com/leogr)
-* update(OWNERS): add LucaGuerra to owners [[#2650](https://github.com/falcosecurity/falco/pull/2650)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* build(deps): Bump submodules/falcosecurity-rules from `9126bef` to `0328c59` [[#2709](https://github.com/falcosecurity/falco/pull/2709)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* build(deps): Bump submodules/falcosecurity-rules from `0d0e333` to `64ce419` [[#2731](https://github.com/falcosecurity/falco/pull/2731)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* build(deps): Bump submodules/falcosecurity-rules from `3ceea88` to `40a9817` [[#2745](https://github.com/falcosecurity/falco/pull/2745)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* docs(README.md): correct URL [[#2772](https://github.com/falcosecurity/falco/pull/2772)] - [@vjjmiras](https://github.com/vjjmiras)
-* #2393 Document why Falco is written in C++ rather than anything else [[#2410](https://github.com/falcosecurity/falco/pull/2410)] - [@RichardoC](https://github.com/RichardoC)
-* chore: bump Falco to latest libs [[#2769](https://github.com/falcosecurity/falco/pull/2769)] - [@Andreagit97](https://github.com/Andreagit97)
-* ci: disable falco-driver-loader tests on ARM64 [[#2770](https://github.com/falcosecurity/falco/pull/2770)] - [@Andreagit97](https://github.com/Andreagit97)
-* update(userspace/falco): revised CLI help messages [[#2755](https://github.com/falcosecurity/falco/pull/2755)] - [@leogr](https://github.com/leogr)
-* fix(engine): fix reorder warning for m_watch_config_files / m_rule_matching [[#2767](https://github.com/falcosecurity/falco/pull/2767)] - [@LucaGuerra](https://github.com/LucaGuerra)
-* update: introduce new stats updated to the latest libs version [[#2766](https://github.com/falcosecurity/falco/pull/2766)] - [@Andreagit97](https://github.com/Andreagit97)
-* ci: support tests on amazon-linux [[#2765](https://github.com/falcosecurity/falco/pull/2765)] - [@Andreagit97](https://github.com/Andreagit97)
-* chore: bump Falco to latest libs master [[#2754](https://github.com/falcosecurity/falco/pull/2754)] - [@Andreagit97](https://github.com/Andreagit97)
-* build(deps): Bump submodules/falcosecurity-testing from `b39c807` to `9110022` [[#2760](https://github.com/falcosecurity/falco/pull/2760)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* fix: fix "ebpf_enabled" output stat [[#2751](https://github.com/falcosecurity/falco/pull/2751)] - [@Andreagit97](https://github.com/Andreagit97)
-* fix(userspace/engine): support both old and new gcc + std::move [[#2748](https://github.com/falcosecurity/falco/pull/2748)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* cleanup: turn some warnings into errors [[#2744](https://github.com/falcosecurity/falco/pull/2744)] - [@Andreagit97](https://github.com/Andreagit97)
-* update(ci): minimize retention days for build-only CI artifacts [[#2743](https://github.com/falcosecurity/falco/pull/2743)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* cleanup: remove unused `--pidfile` option from systemd units [[#2742](https://github.com/falcosecurity/falco/pull/2742)] - [@Andreagit97](https://github.com/Andreagit97)
-* build(deps): Bump submodules/falcosecurity-rules from `bf1639a` to `3ceea88` [[#2741](https://github.com/falcosecurity/falco/pull/2741)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* build(deps): Bump submodules/falcosecurity-rules from `64ce419` to `bf1639a` [[#2738](https://github.com/falcosecurity/falco/pull/2738)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* Relocate tools on Flatcar in BPF mode [[#2729](https://github.com/falcosecurity/falco/pull/2729)] - [@johananl](https://github.com/johananl)
-* build: update versioning with cmake [[#2727](https://github.com/falcosecurity/falco/pull/2727)] - [@leogr](https://github.com/leogr)
-* update(userspace/engine): make rule_matching strategy stateless  [[#2726](https://github.com/falcosecurity/falco/pull/2726)] - [@loresuso](https://github.com/loresuso)
-* chore: bump Falco to latest libs version [[#2722](https://github.com/falcosecurity/falco/pull/2722)] - [@Andreagit97](https://github.com/Andreagit97)
-* update: enforce bumping engine version whenever appropriate [[#2719](https://github.com/falcosecurity/falco/pull/2719)] - [@jasondellaluce](https://github.com/jasondellaluce)
-
-
 ## v0.35.1
 
 Released on 2023-06-29

CMakeLists.txt

@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #

LICENSE

@@ -1,202 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright 2019 The Falco Authors
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

README.md

@@ -46,7 +46,8 @@ Considerations and guidance for Falco adopters:
 
 ## How to Contribute
 
-Please refer to the [contributing guide](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) and the [code of conduct](https://github.com/falcosecurity/evolution/blob/main/CODE_OF_CONDUCT.md) for more information on how to contribute.
+Please refer to the [contributing guide](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) and the [code of conduct](https://github.com/falcosecurity/evolution/CODE_OF_CONDUCT.md) for more information on how to contribute.
+
 
 ## Join the Community
 

RELEASE.md

@@ -146,8 +146,46 @@ Assume `M.m.p` is the new version.
 
 - [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
 - Use `M.m.p` both as tag version and release title
-- Do NOT fill body, since it will be autogenerated by the [github release workflow](.github/workflows/release.yaml)
-- Publish the release!
+- Use the following template to fill the release description:
+    ```
+    <!-- Substitute M.m.p with the current release version -->
+
+    | Packages | Download                                                                                                                                               |
+    | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
+    | rpm-x86_64      | [![rpm](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-M.m.p-x86_64.rpm)        |
+    | deb-x86_64      | [![deb](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-M.m.p-x86_64.deb) |
+    | tgz-x86_64      | [![tgz](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/x86_64/falco-M.m.p-x86_64.tar.gz) |
+    | rpm-aarch64      | [![rpm](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-M.m.p-aarch64.rpm)        |
+    | deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-M.m.p-aarch64.deb) |
+    | tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/aarch64/falco-M.m.p-aarch64.tar.gz) |
+
+    | Images                                                                      |
+    | --------------------------------------------------------------------------- |
+    | `docker pull docker.io/falcosecurity/falco:M.m.p`                           |
+    | `docker pull public.ecr.aws/falcosecurity/falco:M.m.p`                      |
+    | `docker pull docker.io/falcosecurity/falco-driver-loader:M.m.p`             |
+    | `docker pull docker.io/falcosecurity/falco-no-driver:M.m.p`                 |
+
+    <changelog>
+
+    <!-- Substitute <changelog> with the one generated by [rn2md](https://github.com/leodido/rn2md) -->
+
+    ### Statistics
+
+    | Merged PRs      | Number |
+    | --------------- | ------ |
+    | Not user-facing | x      |
+    | Release note    | x      |
+    | Total           | x      |
+
+    <!-- Calculate stats and fill the above table -->
+
+    #### Release Manager <github handle>
+
+    <!-- Substitute GitHub handle with the release manager's one -->
+    ```
+
+- Finally, publish the release!
 - The release pipeline will start automatically upon publication and all packages and container images will be uploaded to the stable repositories.
 
 In order to check the status of the release pipeline click on the [GitHub Actions tab](https://github.com/falcosecurity/falco/actions?query=event%3Arelease) in the Falco repository and filter by release.

cmake/cpack/CMakeCPackOptions.cmake

@@ -1,17 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
 if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")

cmake/modules/CPackConfig.cmake

@@ -1,6 +1,5 @@
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/Coverage.cmake

@@ -1,6 +1,5 @@
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/copy_files_to_build_dir.cmake

@@ -1,6 +1,5 @@
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/cpp-httplib.cmake

@@ -1,6 +1,5 @@
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/cxxopts.cmake

@@ -1,6 +1,5 @@
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/driver-repo/CMakeLists.txt

@@ -1,6 +1,5 @@
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/driver.cmake

@@ -1,6 +1,5 @@
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -34,8 +33,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "6.0.1+driver")
-    set(DRIVER_CHECKSUM "SHA256=2b4412b5053c8ed5bd1a9de745faa16ec0210dc65dc858af65951d4c8d22207c")
+    set(DRIVER_VERSION "6301c01b9279c3f4981df24b3e8e0d97c18f76e8")
+    set(DRIVER_CHECKSUM "SHA256=cc5c51b4a01cf83d36c3af0670a36b2c8b55f3baebc03736725dc6425898d018")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/falco-version.cmake

@@ -1,6 +1,5 @@
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/falcoctl.cmake

@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
@@ -16,14 +15,14 @@ include(ExternalProject)
 
 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-set(FALCOCTL_VERSION "0.6.2")
+set(FALCOCTL_VERSION "0.6.0")
 
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
     set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-    set(FALCOCTL_HASH "2d06d7577dbae91fb085f71477ff6e22076a815978bddd036984fa077236a515")
+    set(FALCOCTL_HASH "b81c36449b525e1de871288741beeadead021ac133d9b306f0636be1befe58a5")
 else() # aarch64
     set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-    set(FALCOCTL_HASH "0b711a1b3499f479d999f4f4d2c94fc4f0bc23a2506711b613e6eedb0593631b")
+    set(FALCOCTL_HASH "6e99fd765f67cdd46fa8c5b2969e97497856d2e615698ced04046c8898187b18")
 endif()
 
 ExternalProject_Add(

cmake/modules/falcosecurity-libs-repo/CMakeLists.txt

@@ -1,6 +1,5 @@
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/falcosecurity-libs.cmake

@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
@@ -35,8 +34,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` 
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "ebd17a1cfb5935d774681aa6a4696deb6561d965")
-    # set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=2be42a27be3ffe6bd7e53eaa5d8358cab05a0dca821819c6e9059e51b9786219")
+    set(FALCOSECURITY_LIBS_VERSION "6301c01b9279c3f4981df24b3e8e0d97c18f76e8")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=cc5c51b4a01cf83d36c3af0670a36b2c8b55f3baebc03736725dc6425898d018")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/libyaml.cmake

@@ -1,6 +1,5 @@
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/njson.cmake

@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #

cmake/modules/plugins.cmake

@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
@@ -24,11 +23,11 @@ if(NOT DEFINED PLUGINS_COMPONENT_NAME)
 endif()
 
 # k8saudit
-set(PLUGIN_K8S_AUDIT_VERSION "0.6.1")
+set(PLUGIN_K8S_AUDIT_VERSION "0.6.0")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_K8S_AUDIT_HASH "e2908ebf2c03feecd26307ceab55aec9cae1cbc63d6aa05e147d8786e7670fb0")
+    set(PLUGIN_K8S_AUDIT_HASH "560e8f8dc8fd169e524d95462d65b5227415a7a157442e82383c7d9f456ce58f")
 else() # aarch64
-    set(PLUGIN_K8S_AUDIT_HASH "8987a995fa09518aebc488ba549448166d605596c2d6478c10415a9d9f5f05dd")
+    set(PLUGIN_K8S_AUDIT_HASH "e4757af1bac42b21c5937340790841dedc3805759050a6ffb22d1761e1dd1d31")
 endif()
 
 ExternalProject_Add(
@@ -44,7 +43,7 @@ install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/
 ExternalProject_Add(
   k8saudit-rules
   URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz"
-  URL_HASH "SHA256=36321b3f1d7969926073a4d40bbbb7b4b28805b038c067f140795210ab641161"
+  URL_HASH "SHA256=44cee2fb88312d889213e1dbe1b9902d0a3f5c594cce73b2cac8e54fb51321b7"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
@@ -52,11 +51,11 @@ ExternalProject_Add(
 install(FILES "${PROJECT_BINARY_DIR}/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
 
 # cloudtrail
-set(PLUGIN_CLOUDTRAIL_VERSION "0.9.0")
+set(PLUGIN_CLOUDTRAIL_VERSION "0.8.0")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_CLOUDTRAIL_HASH "c8dc8ea5337aa9475042e6441320a5188bbf76977e3a69dd34a49a6251f8e9ad")
+    set(PLUGIN_CLOUDTRAIL_HASH "13ba77602c0859936f6e3b00f93bd218c463300c6a797b694a0d5aeecde13976")
 else() # aarch64
-    set(PLUGIN_CLOUDTRAIL_HASH "bea12e81409c3df5698f7ab6a740ee9698b9dd1275b5985810daf70ac505c810")
+    set(PLUGIN_CLOUDTRAIL_HASH "a01730738e9d5769f69957a204c8afe528b059e9a22f59792dfc65e19d6a43db")
 endif()
 
 ExternalProject_Add(
@@ -72,7 +71,7 @@ install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plu
 ExternalProject_Add(
   cloudtrail-rules
   URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz"
-  URL_HASH "SHA256=b0c2b6c78d61cc3e7fb66445bcd8f763d15eb4a24f518385377e704aacec6b3f"
+  URL_HASH "SHA256=27f2fc0a74d39476ad968a61318dec65a82b109c4a462b9fa22be45425ddaaad"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
@@ -80,11 +79,11 @@ ExternalProject_Add(
 install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-rules-prefix/src/cloudtrail-rules/aws_cloudtrail_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
 
 # json
-set(PLUGIN_JSON_VERSION "0.7.1")
+set(PLUGIN_JSON_VERSION "0.7.0")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_JSON_HASH "3177fd667b384df2ffd2ae3260bda867c407c09d3fbcae841af204b82c1341c1")
+    set(PLUGIN_JSON_HASH "a7bf52009a935f22b473724f722566fde27aec5c7d618ecd426eed81e477e94d")
 else() # aarch64
-    set(PLUGIN_JSON_HASH "3b5d0a9190bfd08e21915f997f88ca314f2027564a022eb88eef80ff4e2c77fa")
+    set(PLUGIN_JSON_HASH "9cd65fac3f1cbc7f723b69671d42d35901cd322a23d8f2b9dc95fb0593918a7e")
 endif()
 
 ExternalProject_Add(

cmake/modules/rules.cmake

@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
@@ -16,8 +15,8 @@ include(GNUInstallDirs)
 include(ExternalProject)
 
 # falco_rules.yaml
-set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-2.0.0")
-set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=48b6c5ae7a619a320eb51dbe036d1bc78622ab692956c9493390678874757b32")
+set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-1.0.1")
+set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=2348d43196bbbdea92e3f67fa928721a241b0406d0ef369693bdefcec2b3fa13")
 set(FALCOSECURITY_RULES_FALCO_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml")
 ExternalProject_Add(
   falcosecurity-rules-falco

cmake/modules/static-analysis.cmake

@@ -1,17 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
 # create the reports folder
 file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports)
 file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck)

cmake/modules/yaml-cpp.cmake

@@ -1,6 +1,5 @@
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

docker/README.md

@@ -9,10 +9,3 @@ This directory contains various ways to package Falco as a container and related
 | [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
 | [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
 | [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
-| [falcosecurity/falco-driver-loader-legacy:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader-legacy), [falcosecurity/falco-driver-loader-legacy:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader-legacy) | docker/driver-loader-legacy | `falco-driver-loader` as entrypoint with the legacy building toolchain. Recommended for kernels < 4.0 |
-
-## Experimental Images
-
-| Name | Directory | Description |
-|---|---|---|
-| [falcosecurity/falco-distroless:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless), [falcosecurity/falco-distroless:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless),[falcosecurity/falco-distroless:master](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless) | docker/no-driver/Dockerfile.distroless | Falco without the building toolchain built from a distroless base image. This results in a smaller image that has less potentially vulnerable components. |

docker/driver-loader-legacy/Dockerfile

@@ -1,128 +0,0 @@
-FROM debian:buster
-
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
-
-LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
-
-ARG TARGETARCH
-
-ARG FALCO_VERSION=latest
-ARG VERSION_BUCKET=deb
-ENV VERSION_BUCKET=${VERSION_BUCKET}
-
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV HOST_ROOT /host
-ENV HOME /root
-
-RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
-
-RUN apt-get update \
-	&& apt-get install -y --no-install-recommends \
-	bash-completion \
-	bc \
-	bison \
-	clang-7 \
-	ca-certificates \
-	curl \
-	dkms \
-	flex \
-	gnupg2 \
-	gcc \
-	jq \
-	libc6-dev \
-	libelf-dev \
-	libssl-dev \
-	llvm-7 \
-	netcat \
-	patchelf \
-	xz-utils \
-	&& rm -rf /var/lib/apt/lists/*
-
-RUN if [ "$TARGETARCH" = "amd64" ]; \
-    then apt-get install -y --no-install-recommends libmpx2; \
-    fi
-
-# gcc 6 is no longer included in debian stable, but we need it to
-# build kernel modules on the default debian-based ami used by
-# kops. So grab copies we've saved from debian snapshots with the
-# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
-# or so.
-
-RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
-    curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o gcc-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o libasan3_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o libubsan0_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_${TARGETARCH}.deb \
-	&& curl -L -o libisl15_0.18-1_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-1_${TARGETARCH}.deb \
-	&& dpkg -i cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb; \
-    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
-    dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
-	&& rm -f cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb libcilkrts5_6.3.0-18_${TARGETARCH}.deb libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb
-
-# gcc 5 is no longer included in debian stable, but we need it to
-# build centos kernels, which are 3.x based and explicitly want a gcc
-# version 3, 4, or 5 compiler. So grab copies we've saved from debian
-# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
-
-RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libmpx0_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
-    curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o gcc-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o libasan2_5.5.0-12_${TARGETARCH}.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o libisl15_0.18-4_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-4_${TARGETARCH}.deb \
-	&& dpkg -i cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb; \
-    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
-    dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
-	&& rm -f cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb libmpx0_5.5.0-12_${TARGETARCH}.deb
-
-# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
-# default to gcc-5.
-RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
-
-RUN rm -rf /usr/bin/clang \
-	&& rm -rf /usr/bin/llc \
-	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
-	&& ln -s /usr/bin/llc-7 /usr/bin/llc
-
-RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
-	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
-	&& apt-get update -y \
-	&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
-	&& apt-get clean \
-	&& rm -rf /var/lib/apt/lists/*
-
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-# Some base images have an empty /lib/modules by default
-# If it's not empty, docker build will fail instead of
-# silently overwriting the existing directory
-RUN rm -df /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
-
-# debian:stable head contains binutils 2.31, which generates
-# binaries that are incompatible with kernels < 4.16. So manually
-# forcibly install binutils 2.30-22 instead.
-
-RUN if [ "$TARGETARCH" = "amd64" ] ; then \
-    curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
-    else  \
-    curl -L -o  binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
-    fi
-
-RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils_2.30-22_${TARGETARCH}.deb \
-	&& curl -L -o libbinutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/libbinutils_2.30-22_${TARGETARCH}.deb \
-	&& curl -L -o binutils-common_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-common_2.30-22_${TARGETARCH}.deb \
-	&& dpkg -i *binutils*.deb \
-	&& rm -f *binutils*.deb
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]

docker/driver-loader-legacy/docker-entrypoint.sh

@@ -1,29 +0,0 @@
-#!/usr/bin/env bash
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-
-echo "* Setting up /usr/src links from host"
-
-for i in "$HOST_ROOT/usr/src"/*
-do
-    base=$(basename "$i")
-    ln -s "$i" "/usr/src/$base"
-done
-
-/usr/bin/falco-driver-loader "$@"

docker/driver-loader/docker-entrypoint.sh

@@ -1,7 +1,6 @@
 #!/usr/bin/env bash
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -26,4 +25,4 @@ do
     ln -s "$i" "/usr/src/$base"
 done
 
-/usr/bin/falco-driver-loader "$@"
+/usr/bin/falco-driver-loader "$@"

docker/falco/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:bookworm
+FROM debian:buster
 
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
@@ -19,19 +19,76 @@ RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
 RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
+	bash-completion \
+	bc \
+	bison \
+	clang-7 \
 	ca-certificates \
-	clang \
 	curl \
 	dkms \
-	gcc \
-	gcc-11 \
+	flex \
 	gnupg2 \
+	gcc \
 	jq \
-	libelf1 \
-	llvm \
-	make \
+	libc6-dev \
+	libelf-dev \
+	libssl-dev \
+	llvm-7 \
+	netcat \
+	patchelf \
+	xz-utils \
 	&& rm -rf /var/lib/apt/lists/*
 
+RUN if [ "$TARGETARCH" = "amd64" ]; \
+    then apt-get install -y --no-install-recommends libmpx2; \
+    fi
+
+# gcc 6 is no longer included in debian stable, but we need it to
+# build kernel modules on the default debian-based ami used by
+# kops. So grab copies we've saved from debian snapshots with the
+# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
+# or so.
+
+RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
+    curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o gcc-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libasan3_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libubsan0_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_${TARGETARCH}.deb \
+	&& curl -L -o libisl15_0.18-1_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-1_${TARGETARCH}.deb \
+	&& dpkg -i cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb; \
+    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
+    dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
+	&& rm -f cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb libcilkrts5_6.3.0-18_${TARGETARCH}.deb libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb
+
+# gcc 5 is no longer included in debian stable, but we need it to
+# build centos kernels, which are 3.x based and explicitly want a gcc
+# version 3, 4, or 5 compiler. So grab copies we've saved from debian
+# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
+
+RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libmpx0_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
+    curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o gcc-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libasan2_5.5.0-12_${TARGETARCH}.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libisl15_0.18-4_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-4_${TARGETARCH}.deb \
+	&& dpkg -i cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb; \
+    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
+    dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
+	&& rm -f cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb libmpx0_5.5.0-12_${TARGETARCH}.deb
+
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
+
+RUN rm -rf /usr/bin/clang \
+	&& rm -rf /usr/bin/llc \
+	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
+	&& ln -s /usr/bin/llc-7 /usr/bin/llc
+
 RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
 	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
 	&& apt-get update -y \
@@ -50,6 +107,22 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 RUN rm -df /lib/modules \
 	&& ln -s $HOST_ROOT/lib/modules /lib/modules
 
+# debian:stable head contains binutils 2.31, which generates
+# binaries that are incompatible with kernels < 4.16. So manually
+# forcibly install binutils 2.30-22 instead.
+
+RUN if [ "$TARGETARCH" = "amd64" ] ; then \
+    curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+    else  \
+    curl -L -o  binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+    fi
+
+RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils_2.30-22_${TARGETARCH}.deb \
+	&& curl -L -o libbinutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/libbinutils_2.30-22_${TARGETARCH}.deb \
+	&& curl -L -o binutils-common_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-common_2.30-22_${TARGETARCH}.deb \
+	&& dpkg -i *binutils*.deb \
+	&& rm -f *binutils*.deb
+
 COPY ./docker-entrypoint.sh /
 
 ENTRYPOINT ["/docker-entrypoint.sh"]

docker/falco/docker-entrypoint.sh

@@ -1,7 +1,6 @@
 #!/usr/bin/env bash
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -28,10 +27,7 @@ if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
         ln -s "$i" "/usr/src/$base"
     done
 
-    # convert the optional space-separated env variable FALCO_DRIVER_LOADER_OPTIONS to array, prevent 
-    # shell expansion and use it as argument list for falco-driver-loader
-    read -a falco_driver_loader_option_arr <<< $FALCO_DRIVER_LOADER_OPTIONS
-    /usr/bin/falco-driver-loader "${falco_driver_loader_option_arr[@]}"
+    /usr/bin/falco-driver-loader
 fi
 
-exec "$@"
+exec "$@"

docker/no-driver/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:12 as builder
+FROM ubuntu:18.04 as ubuntu
 
 ARG FALCO_VERSION
 ARG VERSION_BUCKET=bin
@@ -20,7 +20,7 @@ RUN curl -L -o falco.tar.gz \
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
     && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
 
-FROM debian:12-slim
+FROM debian:11-slim
 
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
@@ -34,6 +34,6 @@ RUN apt-get -y update && apt-get -y install ca-certificates curl jq \
 ENV HOST_ROOT /host
 ENV HOME /root
 
-COPY --from=builder /falco /
+COPY --from=ubuntu /falco /
 
 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/no-driver/Dockerfile.distroless

@@ -1,38 +0,0 @@
-FROM cgr.dev/chainguard/wolfi-base as builder
-
-ARG FALCO_VERSION
-ARG VERSION_BUCKET=bin
-
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV VERSION_BUCKET=${VERSION_BUCKET}
-
-RUN apk update && apk add build-base gcc curl ca-certificates jq
-
-WORKDIR /
-
-RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
-    curl -L -o falco.tar.gz \
-    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-${FALCO_VERSION_URLENCODED}-$(uname -m).tar.gz && \
-    tar -xvf falco.tar.gz && \
-    rm -f falco.tar.gz && \
-    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
-    rm -rf /falco/usr/src/falco-* /falco/usr/bin/falco-driver-loader
-
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
-    && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
-
-FROM cgr.dev/chainguard/glibc-dynamic
-
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
-
-LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
-# NOTE: for the "least privileged" use case, please refer to the official documentation
-
-ENV HOST_ROOT /host
-ENV HOME /root
-
-USER root
-COPY --from=builder /falco /
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

falco.yaml

@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
@@ -40,8 +39,6 @@
 #     json_include_tags_property
 #     buffered_outputs
 #     outputs (throttling)
-#     rule_matching
-#     outputs_queue
 # Falco outputs channels
 #     stdout_output
 #     syslog_output
@@ -322,34 +319,6 @@ outputs:
 # deploying it in production.
 rule_matching: first
 
-# [Experimental] `outputs_queue`
-#
-# Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter
-# allows you to customize the queue capacity. Please refer to the official documentation:
-# https://oneapi-src.github.io/oneTBB/main/tbb_userguide/Concurrent_Queue_Classes.html.
-# On a healthy system with optimized Falco rules, the queue should not fill up.
-# If it does, it is most likely happening due to the entire event flow being too slow,
-# indicating that the server is under heavy load.
-# 
-# Lowering the number of items can prevent memory from steadily increasing until the OOM
-# killer stops the Falco process. We provide recovery actions to self-limit or self-kill
-# in order to handle this situation earlier, similar to how we expose the kernel buffer size
-# as a parameter. However, it will not address the root cause of the event pipe not keeping up.
-# 
-# `capacity`: the maximum number of items allowed in the queue is determined by this value. 
-# Setting the value to 0 (which is the default) is equivalent to keeping the queue unbounded. 
-# In other words, when this configuration is set to 0, the number of allowed items is effectively 
-# set to the largest possible long value, disabling this setting.
-# 
-# `recovery`: strategy to follow when the queue becomes filled up. It applies only when the
-# queue is bounded and there is still available system memory. In the case of an unbounded
-# queue, if the available memory on the system is consumed, the Falco process would be
-# OOM killed. The value `exit` is the default, `continue` does nothing special and `empty` 
-# empties the queue and then continues.
-outputs_queue:
-  capacity: 0
-  recovery: exit
-
 
 ##########################
 # Falco outputs channels #
@@ -675,12 +644,6 @@ syscall_event_drops:
 # periodic metric snapshots (including stats and resource utilization) captured
 # at regular intervals
 #
-# --- [Warning]
-#
-# Due to a regression (https://github.com/falcosecurity/falco/issues/2821) some metrics
-# like `falco.host_num_cpus` or `falco.start_ts` will not be available when you use
-# source plugins (like k8saudit).
-#
 # --- [Description]
 #
 # Consider these key points about the `metrics` feature in Falco:

scripts/CMakeLists.txt

@@ -1,6 +1,5 @@
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/debian/postinst.in

@@ -1,7 +1,6 @@
 #!/bin/sh
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/debian/postrm.in

@@ -1,7 +1,6 @@
 #!/bin/sh
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/debian/prerm.in

@@ -1,7 +1,6 @@
 #!/bin/sh
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/falco-driver-loader

@@ -1,7 +1,6 @@
 #!/usr/bin/env bash
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/ignored-calls.sh

@@ -1,7 +1,6 @@
 #!/usr/bin/env bash
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/rpm/postinstall.in

@@ -1,6 +1,5 @@
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/rpm/postuninstall.in

@@ -1,6 +1,5 @@
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/rpm/preuninstall.in

@@ -1,6 +1,5 @@
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

unit_tests/CMakeLists.txt

@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #

unit_tests/engine/test_falco_utils.cpp

@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

unit_tests/engine/test_filter_details_resolver.cpp

@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 
@@ -47,4 +46,4 @@ TEST(DetailsResolver, resolve_ast)
     // Assert lists
     ASSERT_EQ(details.lists.size(), 1);
     ASSERT_NE(details.lists.find("known_procs"), details.lists.end());
-}
+}

unit_tests/engine/test_filter_macro_resolver.cpp

@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

unit_tests/engine/test_filter_warning_resolver.cpp

@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

unit_tests/engine/test_plugin_requirements.cpp

@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

unit_tests/engine/test_rulesets.cpp

@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

unit_tests/falco/app/actions/app_action_helpers.h

@@ -1,19 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
-/*
-Copyright (C) 2023 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
 #pragma once
 #include <gtest/gtest.h>
 #include <falco/app/state.h>

unit_tests/falco/app/actions/test_configure_interesting_sets.cpp

@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

unit_tests/falco/app/actions/test_configure_syscall_buffer_num.cpp

@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

unit_tests/falco/app/actions/test_select_event_sources.cpp

@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

unit_tests/falco/test_atomic_signal_handler.cpp

@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 
@@ -129,4 +128,4 @@ TEST(AtomicSignalHandler, handle_and_reset)
 	ASSERT_FALSE(handler.triggered());
 	ASSERT_FALSE(handler.handled());
 	ASSERT_FALSE(handler.handle(do_nothing));
-}
+}

unit_tests/falco/test_configuration.cpp

@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 
@@ -89,88 +88,16 @@ TEST(Configuration, modify_yaml_fields)
 {
 	std::string key = "base_value.subvalue.subvalue2.boolean";
 	yaml_helper conf;
-
+	
     /* Get original value */
     conf.load_from_string(sample_yaml);
 	ASSERT_EQ(conf.get_scalar<bool>(key, false), true);
-
+	
     /* Modify the original value */
     conf.set_scalar<bool>(key, false);
 	ASSERT_EQ(conf.get_scalar<bool>(key, true), false);
-
+	
     /* Modify it again */
     conf.set_scalar<bool>(key, true);
 	ASSERT_EQ(conf.get_scalar<bool>(key, false), true);
 }
-
-TEST(Configuration, configuration_environment_variables)
-{
-    // Set an environment variable for testing purposes
-    std::string env_var_value = "envVarValue";
-    std::string env_var_name = "ENV_VAR";
-    std::string default_value = "default";
-    setenv(env_var_name.c_str(), env_var_value.c_str(), 1);
-    yaml_helper conf;
-
-    std::string sample_yaml =
-        "base_value:\n"
-        "    id: $ENV_VAR\n"
-        "    name: '${ENV_VAR}'\n"
-        "    string: my_string\n"
-        "    invalid: $${ENV_VAR}\n"
-		"    invalid_env: $$ENV_VAR\n"
-        "    escaped: \"${ENV_VAR}\"\n"
-        "    subvalue:\n"
-        "        subvalue2:\n"
-        "            boolean: ${UNSED_XX_X_X_VAR}\n"
-        "base_value_2:\n"
-        "    sample_list:\n"
-        "        - ${ENV_VAR}\n"
-        "        - ' ${ENV_VAR}'\n"
-        "        - $UNSED_XX_X_X_VAR\n";
-    conf.load_from_string(sample_yaml);
-
-    /* Check if the base values are defined */
-    ASSERT_TRUE(conf.is_defined("base_value"));
-    ASSERT_TRUE(conf.is_defined("base_value_2"));
-    ASSERT_FALSE(conf.is_defined("unknown_base_value"));
-
-    /* Test fetching of a regular string without any environment variable */
-    std::string base_value_string = conf.get_scalar<std::string>("base_value.string", default_value);
-    ASSERT_EQ(base_value_string, "my_string");
-
-    /* Test fetching of escaped environment variable format. Should return the string as-is after stripping the leading `$` */
-    std::string base_value_invalid = conf.get_scalar<std::string>("base_value.invalid", default_value);
-    ASSERT_EQ(base_value_invalid, "${ENV_VAR}");
-
-	/* Test fetching of invalid escaped environment variable format. Should return the string as-is */
-    std::string base_value_invalid_env = conf.get_scalar<std::string>("base_value.invalid_env", default_value);
-    ASSERT_EQ(base_value_invalid_env, "$$ENV_VAR");
-
-    /* Test fetching of strings that contain environment variables */
-    std::string base_value_id = conf.get_scalar<std::string>("base_value.id", default_value);
-    ASSERT_EQ(base_value_id, "$ENV_VAR"); // Does not follow the `${VAR}` format, so it should be treated as a regular string
-
-    std::string base_value_name = conf.get_scalar<std::string>("base_value.name", default_value);
-    ASSERT_EQ(base_value_name, env_var_value); // Proper environment variable format
-
-    std::string base_value_escaped = conf.get_scalar<std::string>("base_value.escaped", default_value);
-    ASSERT_EQ(base_value_escaped, env_var_value); // Environment variable within quotes
-
-    /* Test fetching of an undefined environment variable. Expected to return the default value.*/
-    std::string unknown_boolean = conf.get_scalar<std::string>("base_value.subvalue.subvalue2.boolean", default_value);
-    ASSERT_EQ(unknown_boolean, default_value);
-
-    /* Test fetching of environment variables from a list */
-    std::string base_value_2_list_0 = conf.get_scalar<std::string>("base_value_2.sample_list[0]", default_value);
-    ASSERT_EQ(base_value_2_list_0, env_var_value); // Proper environment variable format
-
-    std::string base_value_2_list_1 = conf.get_scalar<std::string>("base_value_2.sample_list[1]", default_value);
-    ASSERT_EQ(base_value_2_list_1, " ${ENV_VAR}"); // Environment variable preceded by a space, hence treated as a regular string
-
-    std::string base_value_2_list_2 = conf.get_scalar<std::string>("base_value_2.sample_list[2]", default_value);
-    ASSERT_EQ(base_value_2_list_2, "$UNSED_XX_X_X_VAR"); // Does not follow the `${VAR}` format, so should be treated as a regular string
-
-    /* Clear the set environment variable after testing */
-    unsetenv(env_var_name.c_str());
-}

userspace/engine/CMakeLists.txt

@@ -1,6 +1,5 @@
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2019 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

userspace/engine/banned.h

@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

userspace/engine/evttype_index_ruleset.cpp

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2019 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/evttype_index_ruleset.h

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2019 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/falco_common.cpp

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -33,12 +32,6 @@ static std::vector<std::string> rule_matching_names = {
 	"all"
 };
 
-static std::vector<std::string> outputs_queue_recovery_names = {
-		"continue",
-		"exit",
-		"empty",
-};
-
 bool falco_common::parse_priority(std::string v, priority_type& out)
 {
 	for (size_t i = 0; i < priority_names.size(); i++)
@@ -66,19 +59,6 @@ falco_common::priority_type falco_common::parse_priority(std::string v)
 	return out;
 }
 
-bool falco_common::parse_queue_recovery(std::string v, outputs_queue_recovery_type& out)
-{
-	for (size_t i = 0; i < outputs_queue_recovery_names.size(); i++)
-	{
-		if (!strcasecmp(v.c_str(), outputs_queue_recovery_names[i].c_str()))
-		{
-			out = (outputs_queue_recovery_type) i;
-			return true;
-		}
-	}
-	return false;
-}
-
 bool falco_common::format_priority(priority_type v, std::string& out, bool shortfmt)
 {
 	if ((size_t) v < priority_names.size())
@@ -117,4 +97,4 @@ bool falco_common::parse_rule_matching(std::string v, rule_matching& out)
 		}
 	}
 	return false;
-}
+}

userspace/engine/falco_common.h

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -22,12 +21,6 @@ limitations under the License.
 #include <mutex>
 #include <sinsp.h>
 
-//
-// equivalent to an "unbounded queue" in TBB terms or largest long value
-// https://github.com/oneapi-src/oneTBB/blob/b2474bfc636937052d05daf8b3f4d6b76e20273a/include/oneapi/tbb/concurrent_queue.h#L554
-//
-#define DEFAULT_OUTPUTS_QUEUE_CAPACITY_UNBOUNDED_MAX_LONG_VALUE std::ptrdiff_t(~size_t(0) / 2)
-
 //
 // Most falco_* classes can throw exceptions. Unless directly related
 // to low-level failures like inability to open file, etc, they will
@@ -59,13 +52,6 @@ struct falco_exception : std::exception
 
 namespace falco_common
 {
-
-	enum outputs_queue_recovery_type {
-		RECOVERY_CONTINUE = 0,  /* outputs_queue_capacity recovery strategy of continuing on. */
-		RECOVERY_EXIT = 1,  /* outputs_queue_capacity recovery strategy of exiting, self OOM kill. */
-		RECOVERY_EMPTY = 2,  /* outputs_queue_capacity recovery strategy of emptying queue then continuing. */
-	};
-
 	const std::string syscall_source = sinsp_syscall_event_source_name;
 
 	// Same as numbers/indices into the above vector
@@ -83,7 +69,6 @@ namespace falco_common
 	
 	bool parse_priority(std::string v, priority_type& out);
 	priority_type parse_priority(std::string v);
-	bool parse_queue_recovery(std::string v, outputs_queue_recovery_type& out);
 	bool format_priority(priority_type v, std::string& out, bool shortfmt=false);
 	std::string format_priority(priority_type v, bool shortfmt=false);
 

userspace/engine/falco_engine.cpp

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2019 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -46,6 +45,7 @@ limitations under the License.
 #include "utils.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 #include "evttype_index_ruleset.h"
+#include "filter_details_resolver.h"
 
 const std::string falco_engine::s_default_ruleset = "falco-default-ruleset";
 
@@ -190,60 +190,22 @@ void falco_engine::load_rules(const std::string &rules_content, bool verbose, bo
 std::unique_ptr<load_result> falco_engine::load_rules(const std::string &rules_content, const std::string &name)
 {
 	rule_loader::configuration cfg(rules_content, m_sources, name);
+	cfg.min_priority = m_min_priority;
 	cfg.output_extra = m_extra;
 	cfg.replace_output_container_info = m_replace_container_info;
+	cfg.default_ruleset_id = m_default_ruleset_id;
 
-	// read rules YAML file and collect its definitions
 	rule_loader::reader reader;
 	if (reader.read(cfg, m_rule_collector))
-	{	
-		// compile the definitions (resolve macro/list refs, exceptions, ...)
-		rule_loader::compiler::compile_output out;
-		rule_loader::compiler().compile(cfg, m_rule_collector, out);
-
-		// clear the rules known by the engine and each ruleset
-		m_rules.clear();
+	{
 		for (auto &src : m_sources)
 		{
 			src.ruleset = src.ruleset_factory->new_ruleset();
 		}
 
-		// add rules to the engine and the rulesets
-		for (const auto& rule : out.rules)
-		{
-			// skip the rule if below the minimum priority
-			if (rule.priority > m_min_priority)
-			{
-				continue;
-			}
-
-			auto info = m_rule_collector.rules().at(rule.name);
-			if (!info)
-			{
-				// this is just defensive, it should never happen
-				throw falco_exception("can't find internal rule info at name: " + name);
-			}
-
-			// the rule is ok, we can add it to the engine and the rulesets
-			// note: the compiler should guarantee that the rule's condition
-			// is a valid sinsp filter
-			auto source = find_source(rule.source);
-			std::shared_ptr<gen_event_filter> filter(
-				sinsp_filter_compiler(source->filter_factory, rule.condition.get()).compile());
-			auto rule_id = m_rules.insert(rule, rule.name);
-			m_rules.at(rule_id)->id = rule_id;
-			source->ruleset->add(rule, filter, rule.condition);
-
-			// By default rules are enabled/disabled for the default ruleset
-			if(info->enabled)
-			{
-				source->ruleset->enable(rule.name, true, m_default_ruleset_id);
-			}
-			else
-			{
-				source->ruleset->disable(rule.name, true, m_default_ruleset_id);
-			}
-		}
+		rule_loader::compiler compiler;
+		m_rules.clear();
+		compiler.compile(cfg, m_rule_collector, m_rules);
 	}
 
 	if (cfg.res->successful())
@@ -506,17 +468,7 @@ std::size_t falco_engine::add_source(const std::string &source,
 	return m_sources.insert(src, source);
 }
 
-template <typename T> inline Json::Value sequence_to_json_array(const T& seq)
-{
-	Json::Value ret = Json::arrayValue;
-	for (auto it = seq.begin(); it != seq.end(); it++)
-	{
-		ret.append(*it);
-	}
-	return ret;
-}
-
-void falco_engine::describe_rule(std::string *rule, const std::vector<std::shared_ptr<sinsp_plugin>>& plugins, bool json) const
+void falco_engine::describe_rule(std::string *rule, bool json) const
 {
 	if(!json)
 	{
@@ -545,20 +497,10 @@ void falco_engine::describe_rule(std::string *rule, const std::vector<std::share
 		return;
 	}
 
-	// use previously-loaded collector definitions to obtain a compiled
-	// output of rules, macros, and lists.
-	// note: we ignore the loading result (errors, warnings), as they should have
-	// already been checked when previously-loading the rules files. Thus, we
-	// assume that the definitions will give no compilation error.
-	rule_loader::configuration cfg("", m_sources, "");
-	cfg.output_extra = m_extra;
-	cfg.replace_output_container_info = m_replace_container_info;
-	rule_loader::compiler::compile_output compiled;
-	rule_loader::compiler().compile(cfg, m_rule_collector, compiled);
-
-	// use collected and compiled info to print a json output
+	std::unique_ptr<sinsp> insp(new sinsp());
 	Json::FastWriter writer;
 	std::string json_str;
+
 	if(!rule)
 	{
 		// In this case we build json information about
@@ -594,33 +536,33 @@ void falco_engine::describe_rule(std::string *rule, const std::vector<std::share
 
 		// Store information about rules
 		Json::Value rules_array = Json::arrayValue;
-		for(const auto& r : compiled.rules)
+		for(const auto& r : m_rules)
 		{
-			auto info = m_rule_collector.rules().at(r.name);
+			auto ri = m_rule_collector.rules().at(r.name);
 			Json::Value rule;
-			get_json_details(rule, r, *info, plugins);
+			get_json_details(r, *ri, insp.get(), rule);
+
+			// Append to rule array
 			rules_array.append(rule);
 		}
 		output["rules"] = rules_array;
 		
 		// Store information about macros
-		Json::Value macros_array = Json::arrayValue;
-		for(const auto &m : compiled.macros)
+		Json::Value macros_array;
+		for(const auto &m : m_rule_collector.macros())
 		{
-			auto info = m_rule_collector.macros().at(m.name);
 			Json::Value macro;
-			get_json_details(macro, m, *info, plugins);
+			get_json_details(m, macro);
 			macros_array.append(macro);
 		}
 		output["macros"] = macros_array;
 
 		// Store information about lists 
 		Json::Value lists_array = Json::arrayValue;
-		for(const auto &l : compiled.lists)
+		for(const auto &l : m_rule_collector.lists())
 		{
-			auto info = m_rule_collector.lists().at(l.name);
 			Json::Value list;
-			get_json_details(list, l, *info, plugins);
+			get_json_details(l, list);
 			lists_array.append(list);			
 		}
 		output["lists"] = lists_array;
@@ -637,73 +579,68 @@ void falco_engine::describe_rule(std::string *rule, const std::vector<std::share
 		}
 		auto r = m_rules.at(ri->name);
 		Json::Value rule; 
-		get_json_details(rule, *r, *ri, plugins);
+		get_json_details(*r, *ri, insp.get(), rule);
 		json_str = writer.write(rule);
 	}
 
 	fprintf(stdout, "%s", json_str.c_str());
 }
 
-void falco_engine::get_json_details(
-	Json::Value &out,
-	const falco_rule &r,
-	const rule_loader::rule_info &info,
-	const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const
+void falco_engine::get_json_details(const falco_rule &r,
+	const rule_loader::rule_info &ri,
+	sinsp *insp,
+	Json::Value &rule) const
 {
 	Json::Value rule_info;
 
 	// Fill general rule information
 	rule_info["name"] = r.name;
-	rule_info["condition"] = info.cond;
+	rule_info["condition"] = ri.cond;
 	rule_info["priority"] = format_priority(r.priority, false);
-	rule_info["output"] = info.output;
+	rule_info["output"] = r.output;
 	rule_info["description"] = r.description;
-	rule_info["enabled"] = info.enabled;
+	rule_info["enabled"] = ri.enabled;
 	rule_info["source"] = r.source;
-	rule_info["tags"] = sequence_to_json_array(info.tags);
-	out["info"] = rule_info;
+	Json::Value tags = Json::arrayValue;
+	for(const auto &t : ri.tags)
+	{
+		tags.append(t);
+	}
+	rule_info["tags"] = tags;
+	rule["info"] = rule_info;
 
-	// Parse rule condition and build the non-compiled AST
-	// Assumption: no error because rules have already been loaded.
-	auto ast = libsinsp::filter::parser(info.cond).parse();
-
-	// get details related to the condition's filter
-	filter_details details;
-	filter_details compiled_details;
+	// Parse rule condition and build the AST
+	// Assumption: no exception because rules have already been loaded.
+	auto ast = libsinsp::filter::parser(ri.cond).parse();
 	Json::Value json_details;
-	for(const auto &m : m_rule_collector.macros())
-	{
-		details.known_macros.insert(m.name);
-		compiled_details.known_macros.insert(m.name);
-	}
-	for(const auto &l : m_rule_collector.lists())
-	{
-		details.known_lists.insert(l.name);
-		compiled_details.known_lists.insert(l.name);
-	}
-	filter_details_resolver().run(ast.get(), details);
-	filter_details_resolver().run(r.condition.get(), compiled_details);
-
-	out["details"]["macros"] = sequence_to_json_array(details.macros);
-	out["details"]["lists"] = sequence_to_json_array(details.lists);
-	out["details"]["condition_operators"] = sequence_to_json_array(compiled_details.operators);
-	out["details"]["condition_fields"] = sequence_to_json_array(compiled_details.fields);
+	get_json_details(ast.get(), json_details);
+	rule["details"] = json_details;
 
 	// Get fields from output string
 	auto fmt = create_formatter(r.source, r.output);
 	std::vector<std::string> out_fields;
 	fmt->get_field_names(out_fields);
-	out["details"]["output_fields"] = sequence_to_json_array(out_fields);
+	Json::Value outputFields = Json::arrayValue;
+	for(const auto &of : out_fields)
+	{
+		outputFields.append(of);
+	}
+	rule["details"]["output_fields"] = outputFields;
 
 	// Get fields from exceptions
-	out["details"]["exception_fields"] = sequence_to_json_array(r.exception_fields);
+	Json::Value exception_fields = Json::arrayValue;
+	for(const auto &f : r.exception_fields)
+	{
+		exception_fields.append(f);
+	}
+	rule["details"]["exception_fields"] = exception_fields;
 
 	// Get names and operators from exceptions
-	std::unordered_set<std::string> exception_names;
-	std::unordered_set<std::string> exception_operators;
-	for(const auto &e : info.exceptions)
+	Json::Value exception_names = Json::arrayValue;
+	Json::Value exception_operators = Json::arrayValue;
+	for(const auto &e : ri.exceptions)
 	{
-		exception_names.insert(e.name);
+		exception_names.append(e.name);
 		if(e.comps.is_list)
 		{
 			for(const auto& c : e.comps.items)
@@ -713,237 +650,141 @@ void falco_engine::get_json_details(
 					// considering max two levels of lists
 					for(const auto& i : c.items)
 					{
-						exception_operators.insert(i.item);
+						exception_operators.append(i.item);
 					}
 				}
 				else
 				{
-					exception_operators.insert(c.item);
+					exception_operators.append(c.item);
 				}
 			}
 		}
 		else
 		{
-			exception_operators.insert(e.comps.item);
+			exception_operators.append(e.comps.item);
 		}	
 	}
-	out["details"]["exception_names"] = sequence_to_json_array(exception_names);
-	out["details"]["exception_operators"] = sequence_to_json_array(exception_operators);
+	rule["details"]["exceptions"] = exception_names;
+	rule["details"]["exception_operators"] = exception_operators;
 
-	// Store event types
-	Json::Value events;
-	get_json_evt_types(events, info.source, r.condition.get());
-	out["details"]["events"] = events;
-
-	// Store compiled condition and output
-	out["details"]["condition_compiled"] = libsinsp::filter::ast::as_string(r.condition.get());
-	out["details"]["output_compiled"] = r.output;
-
-	// Compute the plugins that are actually used by this rule. This is involves:
-	// - The rule's event source, that can be implemented by a plugin
-	// - The fields used in the rule's condition, output, and exceptions
-	// - The evt types used in the rule's condition checks, that can potentially
-	//   match plugin-provided async events
-	Json::Value used_plugins;
-	// note: making a union of conditions's and output's fields
-	// note: the condition's AST accounts for all the resolved refs and exceptions
-	compiled_details.fields.insert(out_fields.begin(), out_fields.end());
-	get_json_used_plugins(used_plugins, info.source, compiled_details.evtnames, compiled_details.fields, plugins);
-	out["details"]["plugins"] = used_plugins;
+	if(ri.source == falco_common::syscall_source)
+	{
+		// Store event types
+		Json::Value events;
+		get_json_evt_types(ast.get(), events);
+		rule["details"]["events"] = events;
+	}
 }
 
-void falco_engine::get_json_details(
-	Json::Value& out,
-	const falco_macro& m,
-	const rule_loader::macro_info& info,
-	const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const
+void falco_engine::get_json_details(const rule_loader::macro_info& m,
+	Json::Value& macro) const
 {
 	Json::Value macro_info;
 
 	macro_info["name"] = m.name;
-	macro_info["condition"] = info.cond;
-	out["info"] = macro_info;
+	macro_info["condition"] = m.cond;
+	macro["info"] = macro_info;
 
-	// Parse the macro condition and build the non-compiled AST
 	// Assumption: no exception because rules have already been loaded.
-	auto ast = libsinsp::filter::parser(info.cond).parse();
+	auto ast = libsinsp::filter::parser(m.cond).parse();
 
-	// get details related to the condition's filter
-	filter_details details;
-	filter_details compiled_details;
 	Json::Value json_details;
-	for(const auto &m : m_rule_collector.macros())
-	{
-		details.known_macros.insert(m.name);
-		compiled_details.known_macros.insert(m.name);
-	}
-	for(const auto &l : m_rule_collector.lists())
-	{
-		details.known_lists.insert(l.name);
-		compiled_details.known_lists.insert(l.name);
-	}
-	filter_details_resolver().run(ast.get(), details);
-	filter_details_resolver().run(m.condition.get(), compiled_details);
-
-	out["details"]["used"] = m.used;
-	out["details"]["macros"] = sequence_to_json_array(details.macros);
-	out["details"]["lists"] = sequence_to_json_array(details.lists);
-	out["details"]["condition_operators"] = sequence_to_json_array(compiled_details.operators);
-	out["details"]["condition_fields"] = sequence_to_json_array(compiled_details.fields);
+	get_json_details(ast.get(), json_details);
+	macro["details"] = json_details;
 
 	// Store event types
 	Json::Value events;
-	get_json_evt_types(events, "", m.condition.get());
-	out["details"]["events"] = events;
-
-	// Store compiled condition
-	out["details"]["condition_compiled"] = libsinsp::filter::ast::as_string(m.condition.get());
-
-	// Compute the plugins that are actually used by this macro.
-	// Note: macros have no specific source, we need to set an empty list of used
-	// plugins because we can't be certain about their actual usage. For example,
-	// if a macro uses a plugin's field, we can't be sure which plugin actually
-	// is used until we resolve the macro ref in a rule providing a source for
-	// disambiguation.
-	out["details"]["plugins"] = Json::arrayValue;
+	get_json_evt_types(ast.get(), events);
+	macro["details"]["events"] = events;
 }
 
-void falco_engine::get_json_details(
-	Json::Value& out,
-	const falco_list& l,
-	const rule_loader::list_info& info,
-	const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const
+void falco_engine::get_json_details(const rule_loader::list_info& l, 
+	Json::Value& list) const
 {
 	Json::Value list_info;
 	list_info["name"] = l.name;
 
-	// note: the syntactic definitions still has the list refs unresolved
 	Json::Value items = Json::arrayValue;
-	std::unordered_set<std::string> lists;
-	for(const auto &i : info.items)
+	Json::Value lists = Json::arrayValue;
+	for(const auto &i : l.items)
 	{
-		// if an item is present in the syntactic def of a list, but not
-		// on the compiled_items of the same list, then we can assume it
-		// being a resolved list ref
-		if(std::find(l.items.begin(), l.items.end(), i) == l.items.end())
+		if(m_rule_collector.lists().at(i) != nullptr)
 		{
-			lists.insert(i);
+			lists.append(i);
 			continue;
 		}
 		items.append(i);
 	}
 
 	list_info["items"] = items;
-	out["info"] = list_info;
-	out["details"]["used"] = l.used;
-	out["details"]["lists"] = sequence_to_json_array(lists);
-	out["details"]["items_compiled"] = sequence_to_json_array(l.items);
-	out["details"]["plugins"] = Json::arrayValue; // always empty
+	list["info"] = list_info;
+	list["details"]["lists"] = lists;
 }
 
-void falco_engine::get_json_evt_types(
-	Json::Value& out,
-	const std::string& source,
-	libsinsp::filter::ast::expr* ast) const
+void falco_engine::get_json_details(libsinsp::filter::ast::expr* ast,
+	Json::Value& output) const
 {
-	// note: this duplicates part of the logic of evttype_index_ruleset,
-	// not good but it's our best option for now
-	if (source.empty() || source == falco_common::syscall_source)
+	filter_details details;
+	for(const auto &m : m_rule_collector.macros())
 	{
-		auto evtcodes = libsinsp::filter::ast::ppm_event_codes(ast);
-		evtcodes.insert(ppm_event_code::PPME_ASYNCEVENT_E);
-		auto syscodes = libsinsp::filter::ast::ppm_sc_codes(ast);
-		auto syscodes_to_evt_names = libsinsp::events::sc_set_to_event_names(syscodes);
-		auto evtcodes_to_evt_names = libsinsp::events::event_set_to_names(evtcodes, false);
-		out = sequence_to_json_array(unordered_set_union(syscodes_to_evt_names, evtcodes_to_evt_names));
+		details.known_macros.insert(m.name);
 	}
-	else
+
+	for(const auto &l : m_rule_collector.lists())
 	{
-		out = sequence_to_json_array(libsinsp::events::event_set_to_names(
-			{ppm_event_code::PPME_PLUGINEVENT_E, ppm_event_code::PPME_ASYNCEVENT_E}));
+		details.known_lists.insert(l.name);
 	}
+
+	// Resolve the AST details
+	filter_details_resolver resolver;
+	resolver.run(ast, details);
+
+	Json::Value macros = Json::arrayValue;
+	for(const auto &m : details.macros)
+	{
+		macros.append(m);
+	}
+	output["macros"] = macros;
+
+	Json::Value operators = Json::arrayValue;
+	for(const auto &o : details.operators)
+	{
+		operators.append(o);
+	}
+	output["operators"] = operators;
+
+	Json::Value condition_fields = Json::arrayValue;
+	for(const auto &f : details.fields)
+	{
+		condition_fields.append(f);
+	}
+	output["condition_fields"] = condition_fields;
+
+	Json::Value lists = Json::arrayValue;
+	for(const auto &l : details.lists)
+	{
+		lists.append(l);
+	}
+	output["lists"] = lists;
+	
+	details.reset();
 }
 
-void falco_engine::get_json_used_plugins(
-	Json::Value& out,
-	const std::string& source,
-	const std::unordered_set<std::string>& evtnames,
-	const std::unordered_set<std::string>& fields,
-	const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const
+void falco_engine::get_json_evt_types(libsinsp::filter::ast::expr* ast,
+					Json::Value& output) const
 {
-	// note: condition and output fields may have an argument, so
-	// we need to isolate the field names
-	std::unordered_set<std::string> fieldnames;
-	for (auto f: fields)
+	output = Json::arrayValue;
+	auto evtcodes = libsinsp::filter::ast::ppm_event_codes(ast);
+	auto syscodes = libsinsp::filter::ast::ppm_sc_codes(ast);
+	auto syscodes_to_evt_names = libsinsp::events::sc_set_to_event_names(syscodes);
+	auto evtcodes_to_evt_names = libsinsp::events::event_set_to_names(evtcodes, false);
+	for (const auto& n : unordered_set_union(syscodes_to_evt_names, evtcodes_to_evt_names))
 	{
-		auto argpos = f.find('[');
-		if (argpos != std::string::npos)
-		{
-			f = f.substr(0, argpos);
-		}
-		fieldnames.insert(f);
+		output.append(n);
 	}
-
-	std::unordered_set<std::string> used_plugins;
-	for (const auto& p : plugins)
-	{
-		bool used = false;
-		if (p->caps() & CAP_SOURCING)
-		{
-			// The rule's source is implemented by a plugin with event
-			// sourcing capability.
-			// Note: if Falco loads two plugins implementing the same source,
-			// they will both be included in the list.
-			if (!used && p->event_source() == source)
-			{
-				used_plugins.insert(p->name());
-				used = true;
-			}
-		}
-		if (!used && p->caps() & CAP_EXTRACTION)
-		{
-			// The rule uses a field implemented by a plugin with field
-			// extraction capability that is compatible with the rule's source.
-			// Note: here we're assuming that Falco will prevent loading
-			// plugins implementing fields with the same name for the same
-			// event source (implemented in init_inspectors app action).
-			if (sinsp_plugin::is_source_compatible(p->extract_event_sources(), source))
-			{
-				for (const auto &f : p->fields())
-				{
-					if (!used && fieldnames.find(f.m_name) != fieldnames.end())
-					{
-						used_plugins.insert(p->name());
-						used = true;
-						break;
-					}
-				}
-			}
-		}
-		if (!used && p->caps() & CAP_ASYNC)
-		{
-			// The rule matches an event type implemented by a plugin with
-			// async events capability that is compatible with the rule's source.
-			// Note: if Falco loads two plugins implementing async events with
-			// the same name, they will both be included in the list.
-			if (sinsp_plugin::is_source_compatible(p->async_event_sources(), source))
-			{
-				for (const auto &n : p->async_event_names())
-				{
-					if (!used && evtnames.find(n) != evtnames.end())
-					{
-						used_plugins.insert(p->name());
-						used = true;
-						break;
-					}
-				}
-			}
-		}
-	}
-
-	out = sequence_to_json_array(used_plugins);
 }
 
+
 void falco_engine::print_stats() const
 {
 	std::string out;

userspace/engine/falco_engine.h

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2019 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -125,7 +124,7 @@ public:
 	// Print details on the given rule. If rule is NULL, print
 	// details on all rules.
 	//
-	void describe_rule(std::string *rule, const std::vector<std::shared_ptr<sinsp_plugin>>& plugins, bool json) const;
+	void describe_rule(std::string *rule, bool json) const;
 
 	//
 	// Print statistics on how many events matched each rule.
@@ -303,31 +302,18 @@ private:
 	inline bool should_drop_evt() const;
 
 	// Retrieve json details from rules, macros, lists
-	void get_json_details(
-		Json::Value& out,
-		const falco_rule& r,
-		const rule_loader::rule_info& info,
-		const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const;
-	void get_json_details(
-		Json::Value& out,
-		const falco_macro& m,
-		const rule_loader::macro_info& info,
-		const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const;
-	void get_json_details(
-		Json::Value& out,
-		const falco_list& l,
-		const rule_loader::list_info& info,
-		const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const;
-	void get_json_evt_types(
-		Json::Value& out,
-		const std::string& source,
-		libsinsp::filter::ast::expr* ast) const;
-	void get_json_used_plugins(
-		Json::Value& out,
-		const std::string& source,
-		const std::unordered_set<std::string>& evttypes,
-		const std::unordered_set<std::string>& fields,
-		const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const;
+	void get_json_details(const falco_rule& r,
+					const rule_loader::rule_info& ri,
+					sinsp* insp,
+					Json::Value& rule) const;
+	void get_json_details(const rule_loader::macro_info& m,
+					Json::Value& macro) const;
+	void get_json_details(const rule_loader::list_info& l,
+					Json::Value& list) const;
+	void get_json_details(libsinsp::filter::ast::expr* ast,
+					Json::Value& output) const;
+	void get_json_evt_types(libsinsp::filter::ast::expr* ast,
+					Json::Value& output) const;
 
 	rule_loader::collector m_rule_collector;
 	indexed_vector<falco_rule> m_rules;

userspace/engine/falco_engine_version.h

@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 
@@ -16,12 +15,12 @@ limitations under the License.
 */
 
 // The version of this Falco engine.
-#define FALCO_ENGINE_VERSION (26)
+#define FALCO_ENGINE_VERSION (25)
 
 // This is the result of running the following command:
 //   FALCO="falco -c ./falco.yaml"
-//   echo $($FALCO --version | grep 'Engine:' | awk '{print $2}') $(echo $($FALCO --version | grep 'Schema version:' | awk '{print $3}') $($FALCO --list --markdown | grep '^`' | sort) $($FALCO --list-events | sort) | sha256sum)
+//   echo $($FALCO --version | grep 'Engine:' | awk '{print $2}') $(echo $($FALCO --version | grep 'Schema version:' | awk '{print $3}') $($FALCO --list --markdown | grep '^`' | sort) $($FALCO --list-syscall-events | sort) | sha256sum)
 // It represents the fields supported by this version of Falco,
 // the event types, and the underlying driverevent schema. It's used to
 // detetect changes in engine version in our CI jobs.
-#define FALCO_ENGINE_CHECKSUM "98c6e665031b95c666a9ab02d5470e7008e8636bf02f4cc410912005b90dff5c"
+#define FALCO_ENGINE_CHECKSUM "41b5dc700216b243d294b40c46264d4e89d0ee00098fdc1c21bb4b1e7639da06"

userspace/engine/falco_load_result.cpp

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/falco_load_result.h

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/falco_rule.h

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -21,46 +20,6 @@ limitations under the License.
 #include <string>
 #include "falco_common.h"
 
-#include <filter/ast.h>
-
-/*!
-	\brief Represents a list in the Falco Engine.
-	The rule ID must be unique across all the lists loaded in the engine.
-*/
-struct falco_list
-{
-	falco_list(): used(false), id(0) { }
-	falco_list(falco_list&&) = default;
-	falco_list& operator = (falco_list&&) = default;
-	falco_list(const falco_list&) = default;
-	falco_list& operator = (const falco_list&) = default;
-	~falco_list() = default;
-
-	bool used;
-	std::size_t id;
-	std::string name;
-	std::vector<std::string> items;
-};
-
-/*!
-	\brief Represents a macro in the Falco Engine.
-	The rule ID must be unique across all the macros loaded in the engine.
-*/
-struct falco_macro
-{
-	falco_macro(): used(false), id(0) { }
-	falco_macro(falco_macro&&) = default;
-	falco_macro& operator = (falco_macro&&) = default;
-	falco_macro(const falco_macro&) = default;
-	falco_macro& operator = (const falco_macro&) = default;
-	~falco_macro() = default;
-
-	bool used;
-	std::size_t id;
-	std::string name;
-	std::shared_ptr<libsinsp::filter::ast::expr> condition;
-};
-
 /*!
 	\brief Represents a rule in the Falco Engine.
 	The rule ID must be unique across all the rules loaded in the engine.
@@ -72,7 +31,6 @@ struct falco_rule
 	falco_rule& operator = (falco_rule&&) = default;
 	falco_rule(const falco_rule&) = default;
 	falco_rule& operator = (const falco_rule&) = default;
-	~falco_rule() = default;
 
 	std::size_t id;
 	std::string source;
@@ -82,5 +40,4 @@ struct falco_rule
 	std::set<std::string> tags;
 	std::set<std::string> exception_fields;
 	falco_common::priority_type priority;
-	std::shared_ptr<libsinsp::filter::ast::expr> condition;
 };

userspace/engine/falco_source.h

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/falco_utils.cpp

@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2016-2018 The Falco Authors.
 

userspace/engine/falco_utils.h

@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2016-2018 The Falco Authors.
 

userspace/engine/filter_details_resolver.cpp

@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 
@@ -19,23 +18,12 @@ limitations under the License.
 
 using namespace libsinsp::filter;
 
-std::string get_field_name(const std::string& name, const std::string& arg)
-{
-	std::string fld = name;
-	if (!arg.empty())
-	{
-		fld += "[" + arg + "]";
-	}
-	return fld;
-}
-
 void filter_details::reset()
 {
 	fields.clear();
 	macros.clear();
 	operators.clear();
 	lists.clear();
-	evtnames.clear();
 }
 
 void filter_details_resolver::run(ast::expr* filter, filter_details& details)
@@ -46,7 +34,6 @@ void filter_details_resolver::run(ast::expr* filter, filter_details& details)
 
 void filter_details_resolver::visitor::visit(ast::and_expr* e)
 {
-	m_expect_macro = false;
 	for(size_t i = 0; i < e->children.size(); i++)
 	{
 		m_expect_macro = true;
@@ -57,7 +44,6 @@ void filter_details_resolver::visitor::visit(ast::and_expr* e)
 
 void filter_details_resolver::visitor::visit(ast::or_expr* e)
 {
-	m_expect_macro = false;
 	for(size_t i = 0; i < e->children.size(); i++)
 	{
 		m_expect_macro = true;
@@ -83,50 +69,35 @@ void filter_details_resolver::visitor::visit(ast::list_expr* e)
 			}
 		}
 	}
-	if (m_expect_evtname)
-	{
-		for(const auto& item : e->values)
-		{
-			if(m_details.known_lists.find(item) == m_details.known_lists.end())
-			{
-				m_details.evtnames.insert(item);
-			}
-		}
-	}
 }
 
 void filter_details_resolver::visitor::visit(ast::binary_check_expr* e)
 {
 	m_expect_macro = false;
-	m_details.fields.insert(get_field_name(e->field, e->arg));
+	m_details.fields.insert(e->field);
 	m_details.operators.insert(e->op);
 	m_expect_list = true;
-	m_expect_evtname = e->field == "evt.type" || e->field == "evt.asynctype";
 	e->value->accept(this);
-	m_expect_evtname = false;
 	m_expect_list = false;
 }
 
 void filter_details_resolver::visitor::visit(ast::unary_check_expr* e)
 {
 	m_expect_macro = false;
-	m_details.fields.insert(get_field_name(e->field, e->arg));
+	m_details.fields.insert(e->field);
 	m_details.operators.insert(e->op);
 }
 
 void filter_details_resolver::visitor::visit(ast::value_expr* e)
 {
-	if (m_expect_macro)
+	if(m_expect_macro)
 	{
-		if(m_details.known_macros.find(e->value) != m_details.known_macros.end())
+		auto it = m_details.known_macros.find(e->value);
+		if(it == m_details.known_macros.end())
 		{
-			m_details.macros.insert(e->value);
+			return;
 		}
-		// todo(jasondellaluce): should we throw an error if we
-		// encounter an unknown macro?
+
+		m_details.macros.insert(e->value);
 	}
-	else if (m_expect_evtname)
-	{
-		m_details.evtnames.insert(e->value);
-	}
-}
+}

userspace/engine/filter_details_resolver.h

@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 
@@ -33,7 +32,6 @@ struct filter_details
 	std::unordered_set<std::string> macros;
 	std::unordered_set<std::string> operators;
 	std::unordered_set<std::string> lists;
-	std::unordered_set<std::string> evtnames;
 
 	void reset();
 };
@@ -60,8 +58,7 @@ private:
 		visitor(filter_details& details) : 
 			m_details(details),
 			m_expect_list(false),
-			m_expect_macro(false),
-			m_expect_evtname(false) {}
+			m_expect_macro(false) {}
 		visitor(visitor&&) = default;
 		visitor& operator = (visitor&&) = default;
 		visitor(const visitor&) = delete;
@@ -78,6 +75,5 @@ private:
 		filter_details& m_details;
 		bool m_expect_list;
 		bool m_expect_macro;
-		bool m_expect_evtname;
 	};
 };

userspace/engine/filter_macro_resolver.cpp

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/filter_macro_resolver.h

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/filter_ruleset.h

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/filter_warning_resolver.cpp

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/filter_warning_resolver.h

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/formats.cpp

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/formats.h

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/indexed_vector.h

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/json_evt.cpp

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2019 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/json_evt.h

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2019 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/rule_loader.cpp

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -532,12 +531,12 @@ rule_loader::plugin_version_info::plugin_version_info(context &ctx)
 }
 
 rule_loader::list_info::list_info(context &ctx)
-	: ctx(ctx), index(0), visibility(0)
+	: ctx(ctx), used(false), index(0), visibility(0)
 {
 }
 
 rule_loader::macro_info::macro_info(context &ctx)
-	: ctx(ctx), cond_ctx(ctx), index(0), visibility(0)
+	: ctx(ctx), cond_ctx(ctx), used(false), index(0), visibility(0)
 {
 }
 

userspace/engine/rule_loader.h

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -273,7 +272,8 @@ namespace rule_loader
 			const indexed_vector<falco_source>& srcs,
 			const std::string& name)
 				: content(cont), sources(srcs), name(name),
-				  output_extra(), replace_output_container_info(false)
+				  default_ruleset_id(0), replace_output_container_info(false),
+				  min_priority(falco_common::PRIORITY_DEBUG)
 			{
 				res.reset(new result(name));
 			}
@@ -282,15 +282,14 @@ namespace rule_loader
 		configuration(const configuration&) = delete;
 		configuration& operator = (const configuration&) = delete;
 
-		// inputs
 		const std::string& content;
 		const indexed_vector<falco_source>& sources;
 		std::string name;
-		std::string output_extra;
-		bool replace_output_container_info;
-
-		// outputs
 		std::unique_ptr<result> res;
+		std::string output_extra;
+		uint16_t default_ruleset_id;
+		bool replace_output_container_info;
+		falco_common::priority_type min_priority;
 	};
 
 	/*!
@@ -359,6 +358,7 @@ namespace rule_loader
 		list_info& operator = (const list_info&) = default;
 
 		context ctx;
+		bool used;
 		size_t index;
 		size_t visibility;
 		std::string name;
@@ -379,10 +379,12 @@ namespace rule_loader
 
 		context ctx;
 		context cond_ctx;
+		bool used;
 		size_t index;
 		size_t visibility;
 		std::string name;
 		std::string cond;
+		std::shared_ptr<libsinsp::filter::ast::expr> cond_ast;
 	};
 
 	/*!

userspace/engine/rule_loader_collector.cpp

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/rule_loader_collector.h

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/rule_loader_compiler.cpp

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -29,7 +28,7 @@ limitations under the License.
 #define THROW(cond, err, ctx)    { if ((cond)) { throw rule_loader::rule_load_exception(falco::load_result::LOAD_ERR_VALIDATE, (err), (ctx)); } }
 
 static std::string s_container_info_fmt = "%container.info";
-static std::string s_default_extra_fmt  = "container_id=%container.id container_name=%container.name";
+static std::string s_default_extra_fmt  = "%container.name (id=%container.id)";
 
 using namespace libsinsp::filter;
 
@@ -160,30 +159,8 @@ static void build_rule_exception_infos(
 	}
 }
 
-static inline rule_loader::list_info* list_info_from_name(
-	const rule_loader::collector& c, const std::string& name)
-{
-	auto ret = c.lists().at(name);
-	if (!ret)
-	{
-		throw falco_exception("can't find internal list info at name: " + name);
-	}
-	return ret;
-}
-
-static inline rule_loader::macro_info* macro_info_from_name(
-	const rule_loader::collector& c, const std::string& name)
-{
-	auto ret = c.macros().at(name);
-	if (!ret)
-	{
-		throw falco_exception("can't find internal macro info at name: " + name);
-	}
-	return ret;
-}
-
 // todo(jasondellaluce): this breaks string escaping in lists
-static bool resolve_list(std::string& cnd, const falco_list& list)
+static bool resolve_list(std::string& cnd, const rule_loader::list_info& list)
 {
 	static std::string blanks = " \t\n\r";
 	static std::string delims = blanks + "(),=";
@@ -254,20 +231,18 @@ static bool resolve_list(std::string& cnd, const falco_list& list)
 }
 
 static void resolve_macros(
-	const indexed_vector<rule_loader::macro_info>& infos,
-	indexed_vector<falco_macro>& macros,
+	indexed_vector<rule_loader::macro_info>& macros,
 	std::shared_ptr<ast::expr>& ast,
 	const std::string& condition,
 	uint32_t visibility,
 	const rule_loader::context &ctx)
 {
 	filter_macro_resolver macro_resolver;
-	for (auto &m : infos)
+	for (auto &m : macros)
 	{
 		if (m.index < visibility)
 		{
-			auto macro = macros.at(m.name);
-			macro_resolver.set_macro(m.name, macro->condition);
+			macro_resolver.set_macro(m.name, m.cond_ast);
 		}
 	}
 	macro_resolver.run(ast);
@@ -296,7 +271,7 @@ static void resolve_macros(
 // note: there is no visibility order between filter conditions and lists
 static std::shared_ptr<ast::expr> parse_condition(
 	std::string condition,
-	indexed_vector<falco_list>& lists,
+	indexed_vector<rule_loader::list_info>& lists,
 	const rule_loader::context &ctx)
 {
 	for (auto &l : lists)
@@ -343,14 +318,13 @@ static void apply_output_substitutions(
 void rule_loader::compiler::compile_list_infos(
 		configuration& cfg,
 		const collector& col,
-		indexed_vector<falco_list>& out) const
+		indexed_vector<list_info>& out) const
 {
 	std::string tmp;
 	std::vector<std::string> used;
 	for (auto &list : col.lists())
 	{
-		falco_list v;
-		v.name = list.name;
+		list_info v = list;
 		v.items.clear();
 		for (auto &item : list.items)
 		{
@@ -372,8 +346,7 @@ void rule_loader::compiler::compile_list_infos(
 			}
 		}
 		v.used = false;
-		auto list_id = out.insert(v, v.name);
-		out.at(list_id)->id = list_id;
+		out.insert(v, v.name);
 	}
 	for (auto &v : used)
 	{
@@ -385,23 +358,20 @@ void rule_loader::compiler::compile_list_infos(
 void rule_loader::compiler::compile_macros_infos(
 		configuration& cfg,
 		const collector& col,
-		indexed_vector<falco_list>& lists,
-		indexed_vector<falco_macro>& out) const
+		indexed_vector<list_info>& lists,
+		indexed_vector<macro_info>& out) const
 {
 	for (auto &m : col.macros())
 	{
-		falco_macro entry;
-		entry.name = m.name;
-		entry.condition = parse_condition(m.cond, lists, m.cond_ctx);
+		macro_info entry = m;
+		entry.cond_ast = parse_condition(m.cond, lists, m.cond_ctx);
 		entry.used = false;
-		auto macro_id = out.insert(entry, m.name);
-		out.at(macro_id)->id = macro_id;
+		out.insert(entry, m.name);
 	}
 
 	for (auto &m : out)
 	{
-		auto info = macro_info_from_name(col, m.name);
-		resolve_macros(col.macros(), out, m.condition, info->cond, info->visibility, info->ctx);
+		resolve_macros(out, m.cond_ast, m.cond, m.visibility, m.ctx);
 	}
 }
 
@@ -415,8 +385,8 @@ static bool err_is_unknown_type_or_field(const std::string& err)
 void rule_loader::compiler::compile_rule_infos(
 		configuration& cfg,
 		const collector& col,
-		indexed_vector<falco_list>& lists,
-		indexed_vector<falco_macro>& macros,
+		indexed_vector<list_info>& lists,
+		indexed_vector<macro_info>& macros,
 		indexed_vector<falco_rule>& out) const
 {
 	std::string err, condition;
@@ -430,6 +400,12 @@ void rule_loader::compiler::compile_rule_infos(
 			continue;
 		}
 
+		// skip the rule if below the minimum priority
+		if (r.priority > cfg.min_priority)
+		{
+			continue;
+		}
+
 		// note: this should not be nullptr if the source is not unknown
 		auto source = cfg.sources.at(r.source);
 		THROW(!source,
@@ -446,12 +422,12 @@ void rule_loader::compiler::compile_rule_infos(
 			build_rule_exception_infos(
 				r.exceptions, rule.exception_fields, condition);
 		}
-		rule.condition = parse_condition(condition, lists, r.cond_ctx);
-		resolve_macros(col.macros(), macros, rule.condition, condition, MAX_VISIBILITY, r.ctx);
+		auto ast = parse_condition(condition, lists, r.cond_ctx);
+		resolve_macros(macros, ast, condition, MAX_VISIBILITY, r.ctx);
 
 		// check for warnings in the filtering condition
 		warn_codes.clear();
-		if (warn_resolver.run(rule.condition.get(), warn_codes))
+		if (warn_resolver.run(ast.get(), warn_codes))
 		{
 			for (auto &w : warn_codes)
 			{
@@ -466,11 +442,8 @@ void rule_loader::compiler::compile_rule_infos(
 			apply_output_substitutions(cfg, rule.output);
 		}
 
-		// validate the rule's output
 		if(!is_format_valid(*cfg.sources.at(r.source), rule.output, err))
 		{
-			// skip the rule silently if skip_if_unknown_filter is true and
-			// we encountered some specific kind of errors
 			if (err_is_unknown_type_or_field(err) && r.skip_if_unknown_filter)
 			{
 				cfg.res->add_warning(
@@ -485,18 +458,30 @@ void rule_loader::compiler::compile_rule_infos(
 				r.output_ctx);
 		}
 
-		// validate the rule's condition: we compile it into a sinsp filter
-		// on-the-fly and we throw an exception with details on failure
-		sinsp_filter_compiler compiler(cfg.sources.at(r.source)->filter_factory, rule.condition.get());
-		try
-		{
-			compiler.compile();
+		// construct rule definition and compile it to a filter
+		rule.name = r.name;
+		rule.source = r.source;
+		rule.description = r.desc;
+		rule.priority = r.priority;
+		rule.tags = r.tags;
+
+		auto rule_id = out.insert(rule, rule.name);
+		out.at(rule_id)->id = rule_id;
+
+		// This also compiles the filter, and might throw a
+		// falco_exception with details on the compilation
+		// failure.
+		sinsp_filter_compiler compiler(cfg.sources.at(r.source)->filter_factory, ast.get());
+		try {
+			std::shared_ptr<gen_event_filter> filter(compiler.compile());
+			source->ruleset->add(*out.at(rule_id), filter, ast);
 		}
 		catch (const sinsp_exception& e)
 		{
-			// skip the rule silently if skip_if_unknown_filter is true and
-			// we encountered some specific kind of errors
+			// Allow errors containing "nonexistent field" if
+			// skip_if_unknown_filter is true
 			std::string err = e.what();
+
 			if (err_is_unknown_type_or_field(err) && r.skip_if_unknown_filter)
 			{
 				cfg.res->add_warning(
@@ -505,6 +490,7 @@ void rule_loader::compiler::compile_rule_infos(
 					r.cond_ctx);
 				continue;
 			}
+
 			rule_loader::context ctx(compiler.get_pos(), condition, r.cond_ctx);
 			throw rule_loader::rule_load_exception(
 				falco::load_result::load_result::LOAD_ERR_COMPILE_CONDITION,
@@ -512,10 +498,20 @@ void rule_loader::compiler::compile_rule_infos(
 				ctx);
 		}
 
-		// populate set of event types and emit an special warning
-		if(r.source == falco_common::syscall_source)
+		// By default rules are enabled/disabled for the default ruleset
+		if(r.enabled)
 		{
-			auto evttypes = libsinsp::filter::ast::ppm_event_codes(rule.condition.get());
+			source->ruleset->enable(rule.name, true, cfg.default_ruleset_id);
+		}
+		else
+		{
+			source->ruleset->disable(rule.name, true, cfg.default_ruleset_id);
+		}
+
+		// populate set of event types and emit an special warning
+		if(rule.source == falco_common::syscall_source)
+		{
+			auto evttypes = libsinsp::filter::ast::ppm_event_codes(ast.get());
 			if ((evttypes.empty() || evttypes.size() > 100) && r.warn_evttypes)
 			{
 				cfg.res->add_warning(
@@ -524,29 +520,23 @@ void rule_loader::compiler::compile_rule_infos(
 					r.ctx);
 			}
 		}
-
-		// finalize the rule definition and add it to output
-		rule.name = r.name;
-		rule.source = r.source;
-		rule.description = r.desc;
-		rule.priority = r.priority;
-		rule.tags = r.tags;
-		auto rule_id = out.insert(rule, rule.name);
-		out.at(rule_id)->id = rule_id;
 	}
 }
 
 void rule_loader::compiler::compile(
 		configuration& cfg,
 		const collector& col,
-		compile_output& out) const
+		indexed_vector<falco_rule>& out) const
 {
+	indexed_vector<list_info> lists;
+	indexed_vector<macro_info> macros;
+
 	// expand all lists, macros, and rules
 	try
 	{
-		compile_list_infos(cfg, col, out.lists);
-		compile_macros_infos(cfg, col, out.lists, out.macros);
-		compile_rule_infos(cfg, col, out.lists, out.macros, out.rules);
+		compile_list_infos(cfg, col, lists);
+		compile_macros_infos(cfg, col, lists, macros);
+		compile_rule_infos(cfg, col, lists, macros, out);
 	}
 	catch(rule_load_exception &e)
 	{
@@ -555,24 +545,24 @@ void rule_loader::compiler::compile(
 	}
 
 	// print info on any dangling lists or macros that were not used anywhere
-	for (auto &m : out.macros)
+	for (auto &m : macros)
 	{
 		if (!m.used)
 		{
 			cfg.res->add_warning(
 				falco::load_result::load_result::LOAD_UNUSED_MACRO,
 				"Macro not referred to by any other rule/macro",
-				macro_info_from_name(col, m.name)->ctx);
+				m.ctx);
 		}
 	}
-	for (auto &l : out.lists)
+	for (auto &l : lists)
 	{
 		if (!l.used)
 		{
 			cfg.res->add_warning(
 				falco::load_result::LOAD_UNUSED_LIST,
 				"List not referred to by any other rule/macro",
-				list_info_from_name(col, l.name)->ctx);
+				l.ctx);
 		}
 	}
 }

userspace/engine/rule_loader_compiler.h

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -31,23 +30,6 @@ namespace rule_loader
 class compiler
 {
 public:
-	/*!
-		\brief The output of a compilation.
-	*/
-	struct compile_output
-	{
-		compile_output() = default;
-		virtual ~compile_output() = default;
-		compile_output(compile_output&&) = default;
-		compile_output& operator = (compile_output&&) = default;
-		compile_output(const compile_output&) = default;
-		compile_output& operator = (const compile_output&) = default;
-
-		indexed_vector<falco_list> lists;
-		indexed_vector<falco_macro> macros;
-		indexed_vector<falco_rule> rules;
-	};
-
 	compiler() = default;
 	virtual ~compiler() = default;
 	compiler(compiler&&) = default;
@@ -61,25 +43,25 @@ public:
 	virtual void compile(
 		configuration& cfg,
 		const collector& col,
-		compile_output& out) const;
+		indexed_vector<falco_rule>& out) const;
 
 private:
 	void compile_list_infos(
 		configuration& cfg,
 		const collector& col,
-		indexed_vector<falco_list>& out) const;
+		indexed_vector<list_info>& out) const;
 
 	void compile_macros_infos(
 		configuration& cfg,
 		const collector& col,
-		indexed_vector<falco_list>& lists,
-		indexed_vector<falco_macro>& out) const;
+		indexed_vector<list_info>& lists,
+		indexed_vector<macro_info>& out) const;
 
 	void compile_rule_infos(
 		configuration& cfg,
 		const collector& col,
-		indexed_vector<falco_list>& lists,
-		indexed_vector<falco_macro>& macros,
+		indexed_vector<list_info>& lists,
+		indexed_vector<macro_info>& macros,
 		indexed_vector<falco_rule>& out) const;
 };
 

userspace/engine/rule_loader_reader.cpp

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/rule_loader_reader.h

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -43,4 +42,4 @@ public:
 	virtual bool read(configuration& cfg, collector& loader);
 };
 
-}; // namespace rule_loader
+}; // namespace rule_loader

userspace/engine/stats_manager.cpp

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/stats_manager.h

@@ -1,6 +1,5 @@
-// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2023 The Falco Authors.
+Copyright (C) 2022 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -71,4 +70,4 @@ private:
 	std::atomic<uint64_t> m_total;
 	std::vector<std::unique_ptr<std::atomic<uint64_t>>> m_by_priority;
 	std::vector<std::unique_ptr<std::atomic<uint64_t>>> m_by_rule_id;
-};
+};

userspace/falco/CMakeLists.txt

@@ -1,6 +1,5 @@
-# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at