From a9a0e99c4a5d938367d5bec373a09aa364688a2c Mon Sep 17 00:00:00 2001
From: Federico Di Pierro
Date: Tue, 17 Sep 2024 10:56:38 +0200
Subject: [PATCH 1/3] fix(userspace/engine): improve rule json schema to account for `source` and `required_plugin_versions`.
Signed-off-by: Federico Di Pierro
---
 userspace/engine/rule_json_schema.h | 49 +++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
diff --git a/userspace/engine/rule_json_schema.h b/userspace/engine/rule_json_schema.h
index ae0541aa431..189f290b27d 100644
--- a/userspace/engine/rule_json_schema.h
+++ b/userspace/engine/rule_json_schema.h
@@ -35,6 +35,12 @@ const char rule_schema_string[] = LONG_STRING_CONST(
 "required_engine_version": {
 "type": "string"
 },
+ "required_plugin_versions": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/RequiredPluginVersion"
+ }
+ },
 "macro": {
 "type": "string"
 },
@@ -68,6 +74,9 @@ const char rule_schema_string[] = LONG_STRING_CONST(
 "priority": {
 "$ref": "#/definitions/Priority"
 },
+ "source": {
+ "type": "string"
+ },
 "exceptions": {
 "type": "array",
 "items": {
@@ -166,6 +175,46 @@ const char rule_schema_string[] = LONG_STRING_CONST(
 },
 "minProperties": 1,
 "title": "Override"
+ },
+ "RequiredPluginVersion": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "version": {
+ "type": "string"
+ },
+ "alternatives": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/Alternative"
+ }
+ }
+ },
+ "required": [
+ "name",
+ "version"
+ ],
+ "title": "RequiredPluginVersion"
+ },
+ "Alternative": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "version": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "name",
+ "version"
+ ],
+ "title": "Alternative"
 }
 }
 }
From 640c649a3ce546df71ef0cefbe80b44432364bba Mon Sep 17 00:00:00 2001
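Review bot: The `name` and `version` properties of the new `RequiredPluginVersion` and `Alternative` definitions are bare `"type": "string"`, so an entry such as `version: ""` passes schema validation and is only caught, if at all, by whatever code later parses the plugin requirement. Rules files can come from third parties, so it is worth rejecting degenerate entries at the schema level; `"name": { "type": "string", "minLength": 1 }` (and the same for `version`) would do that without committing the schema to a particular version grammar. The `required_plugin_versions` array in the first hunk could likewise carry `"minItems": 1` if an empty list is not meaningful, which depends on loader behaviour not visible here. The enclosing `rule_schema_string` literal starts and ends outside these hunks.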
From: Federico Di Pierro
Date: Tue, 17 Sep 2024 11:31:39 +0200
Subject: [PATCH 2/3] chore(userspace/falco): deprecate `cri` related CLI options.
Signed-off-by: Federico Di Pierro
---
 userspace/falco/app/options.cpp | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/userspace/falco/app/options.cpp b/userspace/falco/app/options.cpp
index e7658736502..a9a2d7d91de 100644
--- a/userspace/falco/app/options.cpp
+++ b/userspace/falco/app/options.cpp
@@ -95,6 +95,16 @@ bool options::parse(int argc, char **argv, std::string &errstr)
 }
 }
+ if (m_cmdline_parsed.count("cri") > 0)
+ {
+ falco_logger::log(falco_logger::level::WARNING, "The --cri option is deprecated and will be removed in Falco 0.40.0. Use -o container_engines.cri.sockets[]= instead.");
+ }
+
+ if (m_cmdline_parsed.count("disable-cri-async") > 0)
+ {
+ falco_logger::log(falco_logger::level::WARNING, "The --disable-cri-async option is deprecated and will be removed in Falco 0.40.0. Use -o container_engines.cri.disable_async=true instead.");
+ }
+
 list_fields = m_cmdline_parsed.count("list") > 0;
 return true;
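Review bot: The two deprecation checks added to `options::parse` are compiled on every build, while the second hunk shows `cri` and `disable-cri-async` being registered only under `#if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)`; wrapping the checks in the same guard would keep the two places in step and avoid querying option names that were never defined. The warnings are also emitted while the command line is still being parsed, and it is not visible from this hunk whether the logger's outputs and severity have been configured by then, so it is worth confirming the message actually reaches the operator, for instance when Falco runs as a service. A one-line comment above the block, e.g. `// Deprecated in favour of container_engines.cri.*; remove together with the options in 0.40.0`, would make the later cleanup easy to find. `options::parse` begins outside the hunk.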
@@ -119,8 +129,8 @@ void options::define(cxxopts::Options& opts)
 ("A", "Monitor all events supported by Falco and defined in rules and configs. Some events are ignored by default when -A is not specified (the -i option lists these events ignored). Using -A can impact performance. This option has no effect when reproducing events from a capture file.", cxxopts::value(all_events)->default_value("false"))
 ("b,print-base64", "Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
 #if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
- ("cri", "Path to CRI socket for container metadata. Use the specified to fetch data from a CRI-compatible runtime. If not specified, built-in defaults for commonly known paths are used. This option can be passed multiple times to specify a list of sockets to be tried until a successful one is found.", cxxopts::value(cri_socket_paths), "")
- ("disable-cri-async", "Turn off asynchronous CRI metadata fetching. This is useful to let the input event wait for the container metadata fetch to finish before moving forward. Async fetching, in some environments leads to empty fields for container metadata when the fetch is not fast enough to be completed asynchronously. This can have a performance penalty on your environment depending on the number of containers and the frequency at which they are created/started/stopped.", cxxopts::value(disable_cri_async)->default_value("false"))
+ ("cri", "DEPRECATED: use -o container_engines.cri.sockets[]= instead. Path to CRI socket for container metadata. Use the specified to fetch data from a CRI-compatible runtime. If not specified, built-in defaults for commonly known paths are used. 
 This option can be passed multiple times to specify a list of sockets to be tried until a successful one is found.", cxxopts::value(cri_socket_paths), "")
+ ("disable-cri-async", "DEPRECATED: use -o container_engines.cri.disable_async=true instead. Turn off asynchronous CRI metadata fetching. This is useful to let the input event wait for the container metadata fetch to finish before moving forward. Async fetching, in some environments leads to empty fields for container metadata when the fetch is not fast enough to be completed asynchronously. This can have a performance penalty on your environment depending on the number of containers and the frequency at which they are created/started/stopped.", cxxopts::value(disable_cri_async)->default_value("false"))
 #endif
 ("disable-source", "Turn off a specific . By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times, but turning off all event sources simultaneously is not permitted. This option can not be mixed with --enable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(disable_sources), "")
 ("dry-run", "Run Falco without processing events. It can help check that the configuration and rules do not have any errors.", cxxopts::value(dry_run)->default_value("false"))
From f22188a83738c66e2c972abcedf3e3b0e7a59d53 Mon Sep 17 00:00:00 2001
From: Federico Di Pierro
Date: Wed, 18 Sep 2024 09:54:39 +0200
Subject: [PATCH 3/3] update(cmake): bump libs to 0.18.0 and driver to 7.3.0+driver.
Signed-off-by: Federico Di Pierro
---
 cmake/modules/driver.cmake | 4 ++--
 cmake/modules/falcosecurity-libs.cmake | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmake/modules/driver.cmake b/cmake/modules/driver.cmake
index f70642542f7..d1ff32be247 100644
--- a/cmake/modules/driver.cmake
+++ b/cmake/modules/driver.cmake
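Review bot: The new `DEPRECATED:` prefixes on the `cri` and `disable-cri-async` help strings name the replacement setting but not the removal release, whereas the runtime warnings added in `options::parse` state that the options go away in Falco 0.40.0. Someone reading `--help` therefore learns less than someone who has already passed the flag; appending `(will be removed in Falco 0.40.0)` to both prefixes would align the two messages. The option chain in `options::define` starts and ends outside the hunk.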
@@ -34,8 +34,8 @@ else()
 # In case you want to test against another driver version (or branch, or commit) just pass the variable - # ie., `cmake -DDRIVER_VERSION=dev ..`
 if(NOT DRIVER_VERSION)
- set(DRIVER_VERSION "0.18.0-rc2")
- set(DRIVER_CHECKSUM "SHA256=e016ee1113eb5a14c85d9c4828244f5fba37cd663ecd38f5b58fbc4142348782")
+ set(DRIVER_VERSION "7.3.0+driver")
+ set(DRIVER_CHECKSUM "SHA256=8f572d9a83feda635a3fa53b859d61e37af127c241e35068aadee3bc50d212c0")
 endif()
 # cd /path/to/build && cmake /path/to/source
diff --git a/cmake/modules/falcosecurity-libs.cmake b/cmake/modules/falcosecurity-libs.cmake
index 7ffae26cfa8..8b3deb65b05 100644
--- a/cmake/modules/falcosecurity-libs.cmake
+++ b/cmake/modules/falcosecurity-libs.cmake
@@ -35,8 +35,8 @@ else()
 # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable - # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
 if(NOT FALCOSECURITY_LIBS_VERSION)
- set(FALCOSECURITY_LIBS_VERSION "0.18.0-rc2")
- set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=e016ee1113eb5a14c85d9c4828244f5fba37cd663ecd38f5b58fbc4142348782")
+ set(FALCOSECURITY_LIBS_VERSION "0.18.0")
+ set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=0af0d46edcf97c01e3b5307732ff451d5175e8231ee6b8eec0a498d4c48f308b")
 endif()
 # cd /path/to/build && cmake /path/to/source