diff --git a/cmake/cpack/CMakeCPackOptions.cmake b/cmake/cpack/CMakeCPackOptions.cmake
index 18bc5a6ba19..11e527d57f5 100644
--- a/cmake/cpack/CMakeCPackOptions.cmake
+++ b/cmake/cpack/CMakeCPackOptions.cmake
@@ -1,13 +1,10 @@ -if(CPACK_GENERATOR MATCHES "DEB") +if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM") list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") - list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") - list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") -endif() - -if(CPACK_GENERATOR MATCHES "RPM") - list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") - list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") - list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") + list(APPEND CPACK_INSTALL_COMMANDS "cp -r scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") + list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") + list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") + list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") + list(APPEND 
CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-plugin.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") endif() if(CPACK_GENERATOR MATCHES "TGZ") diff --git a/docker/tester/Dockerfile b/docker/tester/Dockerfile index 5f8276edb66..109f0ce56d3 100644 --- a/docker/tester/Dockerfile +++ b/docker/tester/Dockerfile @@ -15,7 +15,7 @@ RUN if [ "$TARGETARCH" = "amd64" ] ; then curl -L -o grpcurl.tar.gz \ https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_arm64.tar.gz; \ fi; -RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all +RUN dnf install -y python-pip python docker findutils jq unzip sed curl && dnf clean all ENV PATH="/root/.local/bin/:${PATH}" RUN pip install --user avocado-framework==69.0 RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0 diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt index 61172f6fff0..e133040194c 100644 --- a/scripts/CMakeLists.txt +++ b/scripts/CMakeLists.txt 
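Review bot: `cp -r` on the first new `list(APPEND …)` line copies a single regular file, so the `-r` is a no-op and inconsistent with the four plain `cp` lines that follow; drop it for uniformity. The new condition can also be one regex, `if(CPACK_GENERATOR MATCHES "DEB|RPM")`, and the five appends could be a single `list(APPEND CPACK_INSTALL_COMMANDS …)` with one entry per line, which keeps the unit list readable when another driver is added. The commands still resolve `scripts/systemd/…` relative to whatever working directory CPack runs in, which nothing on these lines pins (pre-existing, but the new paths inherit it).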
@@ -15,26 +15,28 @@ # limitations under the License. # +# Systemd +file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service" + DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd") +file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service" + DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd") +file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-bpf.service" + DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd") +file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-modern-bpf.service" + DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd") +file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-plugin.service" + DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd") + +# Debian configure_file(debian/postinst.in debian/postinst) configure_file(debian/postrm.in debian/postrm) configure_file(debian/prerm.in debian/prerm) -file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service" - DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian") - -file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco_inject_kmod.service" - DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian") - +# Rpm configure_file(rpm/postinstall.in rpm/postinstall) configure_file(rpm/postuninstall.in rpm/postuninstall) configure_file(rpm/preuninstall.in rpm/preuninstall) -file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service" - DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm") - -file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco_inject_kmod.service" - DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm") - configure_file(falco-driver-loader falco-driver-loader @ONLY) if(CMAKE_SYSTEM_NAME MATCHES "Linux") diff --git a/scripts/debian/falco_inject_kmod.service b/scripts/debian/falco_inject_kmod.service deleted file mode 100644 index 73639ec1ab6..00000000000 --- a/scripts/debian/falco_inject_kmod.service +++ /dev/null 
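Review bot: The five `file(COPY …)` calls run at configure time and do not register the unit files as configure dependencies, so editing a `.service` after the first configure leaves a stale copy in the build tree until CMake is re-run by hand; `configure_file(... COPYONLY)` records the input and re-triggers configure when it changes. Since all five share one destination, a loop over the unit names also keeps the driver list in a single place (the same list is repeated in the cpack options and in the packaging scripts). For the new section comment, `# systemd units (shared by the DEB and RPM packages)` states why the block sits above the Debian and Rpm blocks.
```cmake
# systemd units (shared by the DEB and RPM packages)
foreach(unit falco-kmod-inject falco-kmod falco-bpf falco-modern-bpf falco-plugin)
  configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/${unit}.service"
                 "${PROJECT_BINARY_DIR}/scripts/systemd/${unit}.service" COPYONLY)
endforeach()
# … unchanged: Debian and Rpm configure_file blocks …
```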
@@ -1,13 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security
-Documentation=https://falco.org/docs/
-Before=falco.service
-Wants=falco.service
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/sbin/modprobe falco
-
-[Install]
-WantedBy=multi-user.target
diff --git a/scripts/debian/postinst.in b/scripts/debian/postinst.in
index d58d54c1362..0a77454c11a 100755
--- a/scripts/debian/postinst.in
+++ b/scripts/debian/postinst.in
@@ -15,60 +15,70 @@ # See the License for the specific language governing permissions and # limitations under the License. # -set -e -DKMS_PACKAGE_NAME="@PACKAGE_NAME@" -DKMS_VERSION="@DRIVER_VERSION@" -NAME="@PACKAGE_NAME@" +chosen_driver= -postinst_found=0 +if [ "$1" = "configure" ]; then + if [ -x /usr/bin/dialog ]; then + # If dialog is installed, create a dialog to let users choose the correct driver for them + CHOICE=$(dialog --clear --backtitle "Choose your preferred driver" --title "Falco drivers" --menu "Choose one of the following options:" 15 40 5 \ + 1 "Don't start" \ + 2 "Kmod" \ + 3 "eBPF" \ + 4 "Modern eBPF" \ + 5 "Plugin" \ + 2>&1 >/dev/tty) + if [ $? -eq 0 ]; then + case $CHOICE in + 2) + chosen_driver="kmod" + ;; + 3) + chosen_driver="bpf" + ;; + 4) + chosen_driver="modern-bpf" + ;; + 5) + chosen_driver="plugin" + ;; + esac + fi + clear + fi +fi -case "$1" in - configure) - for DKMS_POSTINST in /usr/lib/dkms/common.postinst /usr/share/$DKMS_PACKAGE_NAME/postinst; do - if [ -f $DKMS_POSTINST ]; then - $DKMS_POSTINST $DKMS_PACKAGE_NAME $DKMS_VERSION /usr/share/$DKMS_PACKAGE_NAME "" $2 - postinst_found=1 - break - fi - done - if [ "$postinst_found" -eq 0 ]; then - echo "ERROR: DKMS version is too old and $DKMS_PACKAGE_NAME was not" - echo "built with legacy DKMS support." - echo "You must either rebuild $DKMS_PACKAGE_NAME with legacy postinst" - echo "support or upgrade DKMS to a more current version." 
- exit 1 - fi - ;; -esac +set -e -# Based off what debhelper dh_systemd_enable/13.3.4 would have added -# ref: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#debhelper +# If needed, try to load/compile the driver through falco-driver-loader +case "$chosen_driver" in + "kmod") + echo "[POST-INSTALL] Call 'falco-driver-loader module':" + falco-driver-loader module + ;; + "bpf") + echo "[POST-INSTALL] Call 'falco-driver-loader bpf':" + falco-driver-loader bpf + ;; +esac if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then - # This will only remove masks created by d-s-h on package removal. - deb-systemd-helper unmask 'falco.service' >/dev/null || true - - # was-enabled defaults to true, so new installations run enable. - if deb-systemd-helper --quiet was-enabled 'falco.service'; then - # Enables the unit on first installation, creates new - # symlinks on upgrades if the unit file has changed. - deb-systemd-helper enable 'falco.service' >/dev/null || true - else - # Update the statefile to add new symlinks (if any), which need to be - # cleaned up on purge. Also remove old symlinks. 
- deb-systemd-helper update-state 'falco.service' >/dev/null || true + if [ -n "$chosen_driver" ]; then + echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':" + systemctl --system enable "falco-$chosen_driver.service" || true + echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':" + systemctl --system start "falco-$chosen_driver.service" || true fi fi if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then - if [ -d /run/systemd/system ]; then - systemctl --system daemon-reload >/dev/null || true - if [ -n "$2" ]; then - _dh_action=restart - else - _dh_action=start - fi - deb-systemd-invoke $_dh_action 'falco.service' >/dev/null || true - fi + if [ -d /run/systemd/system ]; then + echo "[POST-INSTALL] Trigger deamon-reload:" + systemctl --system daemon-reload || true + if [ -n "$chosen_driver" ]; then + echo "[POST-INSTALL] Trigger 'falco-$chosen_driver.service' condrestart:" + # restart falco on upgrade if service is already running + systemctl --system condrestart "falco-$chosen_driver.service" || true + fi + fi fi diff --git a/scripts/debian/postrm.in b/scripts/debian/postrm.in index 8134d806501..02876b5bd58 100755 --- a/scripts/debian/postrm.in +++ b/scripts/debian/postrm.in 
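Review bot: The `dialog … 2>&1 >/dev/tty` prompt makes the maintainer script depend on a controlling terminal, which Debian maintainer scripts must not do: under unattended `apt`, `DEBIAN_FRONTEND=noninteractive`, containers and CI there is no tty, `dialog` fails, `chosen_driver` stays empty and the package installs with no unit enabled, while the unconditional `clear` still writes escape sequences into the install log. The conventional mechanism is a debconf question (`db_input`/`db_get` with a non-interactive default) or an environment variable the admin can preset. Independently, on upgrade (`$2` set) the script re-prompts instead of reusing the unit that is already enabled, so after an upgrade where the user cancels or has no tty the old `deb-systemd-invoke restart 'falco.service'` behaviour is lost and falco stays stopped; discovering the enabled unit with `systemctl is-enabled` before prompting fixes that. The log string `deamon-reload` is also misspelled here and in `postrm.in`, `rpm/postinstall.in` and `rpm/postuninstall.in`.
```shell
# On upgrade, keep whatever unit was previously enabled instead of re-prompting
if [ "$1" = "configure" ] && [ -n "$2" ]; then
    for d in kmod bpf modern-bpf plugin; do
        if systemctl --system is-enabled --quiet "falco-$d.service" 2>/dev/null; then
            chosen_driver="$d"
        fi
    done
fi
# … unchanged: dialog prompt (only when chosen_driver is still empty) …
```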
@@ -22,18 +22,12 @@ set -e if [ -d /run/systemd/system ] && [ "$1" = remove ]; then - systemctl --system daemon-reload >/dev/null || true -fi - -if [ "$1" = "remove" ]; then - if [ -x "/usr/bin/deb-systemd-helper" ]; then - deb-systemd-helper mask 'falco.service' >/dev/null || true - fi -fi + echo "[POST-REMOVE] Disable all Falco services:" + systemctl --system disable 'falco-kmod.service' || true + systemctl --system disable 'falco-bpf.service' || true + systemctl --system disable 'falco-modern-bpf.service' || true + systemctl --system disable 'falco-plugin.service' || true -if [ "$1" = "purge" ]; then - if [ -x "/usr/bin/deb-systemd-helper" ]; then - deb-systemd-helper purge 'falco.service' >/dev/null || true - deb-systemd-helper unmask 'falco.service' >/dev/null || true - fi + echo "[POST-REMOVE] Trigger deamon-reload:" + systemctl --system daemon-reload || true fi diff --git a/scripts/debian/prerm.in b/scripts/debian/prerm.in index 1a72292e119..72f1013e88c 100755 --- a/scripts/debian/prerm.in +++ b/scripts/debian/prerm.in @@ -21,12 +21,15 @@ set -e # ref: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#debhelper # Currently running falco service uses the driver, so stop it before driver cleanup -if [ -d /run/systemd/system ] && [ "$1" = remove ]; then - deb-systemd-invoke stop 'falco.service' >/dev/null || true -fi - case "$1" in - remove|upgrade|deconfigure) - /usr/bin/falco-driver-loader --clean - ;; + remove|upgrade|deconfigure) + echo "[PRE-REMOVE] Stop all Falco services:" + systemctl --system stop 'falco-kmod.service' || true + systemctl --system stop 'falco-bpf.service' || true + systemctl --system stop 'falco-modern-bpf.service' || true + systemctl --system stop 'falco-plugin.service' || true + + echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'" + falco-driver-loader --clean + ;; esac diff --git a/scripts/falco-driver-loader b/scripts/falco-driver-loader index bbc00fa2fbe..2b6ce84c0fe 100755 --- a/scripts/falco-driver-loader 
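Review bot: The four `systemctl --system disable …` lines (and the matching `stop` lines in `prerm.in` and `rpm/preuninstall.in`, and the `disable` lines in `rpm/postuninstall.in`) hard-code the same driver list in four scripts; `for d in kmod bpf modern-bpf plugin; do systemctl --system disable "falco-$d.service" || true; done` keeps one list per script and makes adding a driver a one-line change. The `purge` branch the hunk removes is not replaced, so nothing runs on purge any more; that is only correct if `disable` on `remove` already deletes every enablement symlink, which `|| true` would hide if it does not — a comment stating that purge is intentionally a no-op would make the intent explicit.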
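Review bot: The hunk drops the `[ -d /run/systemd/system ]` guard the removed block had, so the four `systemctl --system stop` calls now run on systems without systemd (chroots, `debootstrap` images), where each prints an error that `|| true` only suppresses at the exit-status level. Keep the guard around the stop loop: `if [ -d /run/systemd/system ]; then … fi`. The `falco-driver-loader --clean` call on `upgrade` is pre-existing behaviour; now that all units are stopped first, a comment noting that ordering is intentional would help the next reader.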
+++ b/scripts/falco-driver-loader @@ -211,7 +211,13 @@ load_kernel_module_compile() { fi # Try to compile using all the available gcc versions - for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -n -r -k 2 -t -); do + for CURRENT_GCC in $(ls "$(dirname "$(which gcc)")"/gcc*); do + # Filter away gcc-{ar,nm,...} + # Only gcc compiler has `-print-search-dirs` option. + ${CURRENT_GCC} -print-search-dirs 2>&1 | grep "install:" + if [ "$?" -ne "0" ]; then + continue + fi echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}" echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make @@ -232,14 +238,19 @@ load_kernel_module_compile() { return fi echo "* ${DRIVER_NAME} module found: ${KO_FILE}" - echo "* Trying insmod" + echo "* Trying to modprobe" chcon -t modules_object_t "$KO_FILE" > /dev/null 2>&1 || true + if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then + echo "* Success: ${DRIVER_NAME} module found in dkms and loaded" + exit 0 + fi + echo "* Unable to load ${DRIVER_NAME} module" + echo "* Trying insmod" if insmod "$KO_FILE" > /dev/null 2>&1; then - echo "* Success: ${DRIVER_NAME} module found and loaded in dkms" + echo "* Success: ${DRIVER_NAME} module found in dkms and inserted" exit 0 - else - echo "* Unable to insmod ${DRIVER_NAME} module" fi + echo "* Unable to insmod ${DRIVER_NAME} module" else DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log" if [ -f "${DKMS_LOG}" ]; then 
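Review bot: `${CURRENT_GCC} -print-search-dirs 2>&1 | grep "install:"` leaves grep's stdout on the console, so every candidate compiler echoes its install directory into the driver-loader output; use `-q` and test the pipeline directly: `if ! "${CURRENT_GCC}" -print-search-dirs 2>/dev/null | grep -q "install:"; then continue; fi`. The new `for` list also replaces the removed `sort -n -r -k 2 -t -` with plain `ls` order, so `gcc-10` is now tried before `gcc-9` and the unversioned `gcc`; if newest-first mattered for dkms it should be restored or the change documented. The `/tmp/falco-dkms-make` wrapper written on the context lines below is a fixed, predictable path created by a root-run script (pre-existing); `mktemp` would avoid following a pre-existing file or symlink at that path. `load_kernel_module_compile` continues outside the hunk.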
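Review bot: The new `modprobe "${DRIVER_NAME}"` before `insmod "$KO_FILE"` resolves the module by name through the depmod index, so the message `module found in dkms and loaded` is only accurate if the dkms install refreshed that index; if an older `falco.ko` is still indexed under the running kernel, modprobe loads that one silently (hedged — this depends on what dkms did, which is outside the hunk). Logging the file that was actually loaded, e.g. `echo "* Loaded $(modinfo -n "${DRIVER_NAME}")"` after a successful modprobe, makes the two paths distinguishable in support logs. `load_kernel_module_compile` continues outside the hunk.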
@@ -260,12 +271,19 @@ load_kernel_module_download() { if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then echo "* Download succeeded" chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true + mkdir -p /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/ || true + cp ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME} /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/falco.ko || true + depmod ${KERNEL_RELEASE} || true + if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then + echo "* Success: ${DRIVER_NAME} module found and loaded" + exit 0 + fi + >&2 echo "Unable to load the prebuilt ${DRIVER_NAME} module" if insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}"; then echo "* Success: ${DRIVER_NAME} module found and inserted" exit 0 - else - >&2 echo "Unable to insmod the prebuilt ${DRIVER_NAME} module" - fi + fi + >&2 echo "Unable to insmod the prebuilt ${DRIVER_NAME} module" else >&2 echo "Unable to find a prebuilt ${DRIVER_NAME} module" return 
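Review bot: The new block copies the downloaded module to a hard-coded `/lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/falco.ko` while loading it by `${DRIVER_NAME}`, so the two disagree whenever `DRIVER_NAME` is not `falco`; name the file `${DRIVER_NAME}.ko`. The `mkdir -p`, `cp` and `depmod` lines leave `${HOME}` and `${KERNEL_RELEASE}` unquoted although the surrounding lines quote them, and the same seven lines are repeated verbatim in the hunk at `@@ -379,6 +397,13 @@`; a small helper removes both problems. Installing into the kernel module tree also makes the prebuilt module persistent and system-wide — every later `modprobe falco`, including the "last try" fallback in `load_kernel_module`, will pick it up — so `--clean` should remove that file and directory too (whether it does is not visible in this hunk). `load_kernel_module_download` continues outside the hunk.
```shell
# Install a prebuilt module into the running kernel's module tree so that
# depmod/modprobe can find it; returns modprobe's status.
install_prebuilt_kernel_module() {
    local ko_path="$1"
    local dest_dir="/lib/modules/${KERNEL_RELEASE}/kernel/drivers/${DRIVER_NAME}"
    mkdir -p "${dest_dir}" || true
    cp "${ko_path}" "${dest_dir}/${DRIVER_NAME}.ko" || true
    depmod "${KERNEL_RELEASE}" || true
    modprobe "${DRIVER_NAME}" > /dev/null 2>&1
}

# … unchanged: curl download and chcon …
if install_prebuilt_kernel_module "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}"; then
    echo "* Success: ${DRIVER_NAME} module found and loaded"
    exit 0
fi
# … unchanged: insmod fallback …
```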
@@ -379,6 +397,13 @@ load_kernel_module() { if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" ]; then echo "* Found a prebuilt ${DRIVER_NAME} module at ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}, loading it" chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true + mkdir -p /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/ || true + cp ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME} /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/falco.ko || true + depmod ${KERNEL_RELEASE} || true + if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then + echo "* Success: ${DRIVER_NAME} module found and loaded" + exit 0 + fi insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted" exit $? fi @@ -397,7 +422,7 @@ load_kernel_module() { # Last try (might load a previous driver version) echo "* Trying to load a system ${DRIVER_NAME} module, if present" if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then - echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe" + echo "* Success: ${DRIVER_NAME} module found and loaded" exit 0 fi diff --git a/scripts/rpm/falco_inject_kmod.service b/scripts/rpm/falco_inject_kmod.service deleted file mode 100644 index 73639ec1ab6..00000000000 --- a/scripts/rpm/falco_inject_kmod.service +++ /dev/null @@ -1,13 +0,0 @@ -[Unit] -Description=Falco: Container Native Runtime Security -Documentation=https://falco.org/docs/ -Before=falco.service -Wants=falco.service - -[Service] -Type=oneshot -User=root -ExecStart=/sbin/modprobe falco - -[Install] -WantedBy=multi-user.target diff --git a/scripts/rpm/postinstall.in b/scripts/rpm/postinstall.in index 4848efcdd47..7dfaf3f2346 100755 --- a/scripts/rpm/postinstall.in +++ b/scripts/rpm/postinstall.in 
@@ -14,23 +14,54 @@ # See the License for the specific language governing permissions and # limitations under the License. # -set -e -mod_version="@DRIVER_VERSION@" -dkms add -m falco -v $mod_version --rpm_safe_upgrade -if [ `uname -r | grep -c "BOOT"` -eq 0 ] && [ -e /lib/modules/`uname -r`/build/include ]; then - dkms build -m falco -v $mod_version - dkms install --force -m falco -v $mod_version -elif [ `uname -r | grep -c "BOOT"` -gt 0 ]; then - echo -e "" - echo -e "Module build for the currently running kernel was skipped since you" - echo -e "are running a BOOT variant of the kernel." -else - echo -e "" - echo -e "Module build for the currently running kernel was skipped since the" - echo -e "kernel source for this kernel does not seem to be installed." +chosen_driver= + +if [ $1 -eq 1 ]; then + if [ -x /usr/bin/dialog ]; then + # If dialog is installed, create a dialog to let users choose the correct driver for them + CHOICE=$(dialog --clear --backtitle "Choose your preferred driver" --title "Falco drivers" --menu "Choose one of the following options:" 15 40 5 \ + 1 "Don't start" \ + 2 "Kmod" \ + 3 "eBPF" \ + 4 "Modern eBPF" \ + 5 "Plugin" \ + 2>&1 >/dev/tty) + # When user presses cancel, go on as default (don't start) + if [ $? -eq 0 ]; then + case $CHOICE in + 2) + chosen_driver="kmod" + ;; + 3) + chosen_driver="bpf" + ;; + 4) + chosen_driver="modern-bpf" + ;; + 5) + chosen_driver="plugin" + ;; + esac + fi + clear + fi fi +set -e + +# If needed, try to load/compile the driver through falco-driver-loader +case "$chosen_driver" in + "kmod") + echo "[POST-INSTALL] Call 'falco-driver-loader module':" + falco-driver-loader module + ;; + "bpf") + echo "[POST-INSTALL] Call 'falco-driver-loader bpf':" + falco-driver-loader bpf + ;; +esac + # validate rpm macros by `rpm -qp --scripts ` # RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd # https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax 
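Review bot: Reading a choice from `/dev/tty` via `dialog` inside `%post` makes the scriptlet interactive, which the Fedora scriptlet guidelines disallow and which breaks under `rpm`/`dnf` runs without a terminal (kickstart, Ansible, image builds): the prompt fails, `chosen_driver` stays empty and no unit is enabled. Prefer a non-interactive default plus an environment variable the admin can export (for example `FALCO_DRIVER=kmod`, a constructed name), or document `systemctl enable --now falco-<driver>.service` as the post-install step. Moving `set -e` below the prompt is deliberate, but once it is back in effect a failing `falco-driver-loader module` (no kernel headers, no network) fails the whole `%post`, whereas the removed dkms code printed a message and continued.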
@@ -38,27 +69,27 @@ fi # systemd_post macro expands to # if postinst: # `systemd-update-helper install-system-units ` -%systemd_post 'falco.service' +%systemd_post "falco-$chosen_driver.service" # post install mirrored from .deb if [ $1 -eq 1 ]; then - # This will only remove masks created on package removal. - /usr/bin/systemctl --system unmask 'falco.service' >/dev/null || true - - # enable falco on installation - # note: DEB postinstall script checks for changed symlinks - /usr/bin/systemctl --system enable 'falco.service' >/dev/null || true - - # start falco on installation - /usr/bin/systemctl --system start 'falco.service' >/dev/null || true + if [ -n "$chosen_driver" ]; then + echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':" + systemctl --system enable "falco-$chosen_driver.service" || true + echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':" + systemctl --system start "falco-$chosen_driver.service" || true + fi fi # post upgrade mirrored from .deb if [ $1 -gt 1 ]; then if [ -d /run/systemd/system ]; then - /usr/bin/systemctl --system daemon-reload >/dev/null || true - - # restart falco on upgrade if service is already running - /usr/bin/systemctl --system condrestart 'falco.service' >/dev/null || true + echo "[POST-INSTALL] Trigger deamon-reload:" + systemctl --system daemon-reload || true + if [ -n "$chosen_driver" ]; then + echo "[POST-INSTALL] Trigger 'falco-$chosen_driver.service' condrestart:" + # restart falco on upgrade if service is already running + systemctl --system condrestart "falco-$chosen_driver.service" || true + fi fi fi diff --git a/scripts/rpm/postuninstall.in b/scripts/rpm/postuninstall.in index 8fd9b6924ba..8e148a5af2c 100755 --- a/scripts/rpm/postuninstall.in +++ b/scripts/rpm/postuninstall.in 
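Review bot: `%systemd_post "falco-$chosen_driver.service"` is expanded unconditionally, so on upgrade (`$1 -gt 1`, where the prompt never runs) and when the user picks "Don't start" it names the unit `falco-.service`, which does not exist; guard it with `if [ -n "$chosen_driver" ]; then … fi`. For the same reason the `condrestart` in the `$1 -gt 1` block can never fire, because `chosen_driver` is only assigned in the `$1 -eq 1` branch above, so the comment `restart falco on upgrade if service is already running` now describes unreachable code; on upgrade the enabled unit should be discovered with `systemctl is-enabled` rather than taken from the prompt.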
@@ -17,17 +17,13 @@ set -e -# post uninstall mirrored from .deb -if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then - /usr/bin/systemctl --system daemon-reload >/dev/null || true - /usr/bin/systemctl --system mask 'falco.service' >/dev/null || true -fi - -# validate rpm macros by `rpm -qp --scripts ` -# RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd -# https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax +if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then + echo "[POST-REMOVE] Disable all Falco services:" + systemctl --system disable 'falco-kmod.service'|| true + systemctl --system disable 'falco-bpf.service' || true + systemctl --system disable 'falco-modern-bpf.service' || true + systemctl --system disable 'falco-plugin.service' || true -# systemd_postun_with_restart macro expands to -# if package upgrade, not uninstall: -# `systemd-update-helper mark-restart-system-units ` -%systemd_postun_with_restart 'falco.service' + echo "[POST-REMOVE] Trigger deamon-reload:" + systemctl --system daemon-reload || true +fi diff --git a/scripts/rpm/preuninstall.in b/scripts/rpm/preuninstall.in index 4dba0180211..3039d25b8dc 100755 --- a/scripts/rpm/preuninstall.in +++ b/scripts/rpm/preuninstall.in 
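Review bot: Removing `%systemd_postun_with_restart` means rpm no longer marks the units for restart on upgrade, and since `%post`'s `condrestart` only runs with a non-empty `chosen_driver`, nothing restarts falco after an rpm upgrade; either keep the macro for each `falco-*.service` or restore the restart in `%post`. Minor style: `'falco-kmod.service'|| true` is missing the space before `||` that the three following lines have.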
@@ -16,14 +16,15 @@ # set -e -# pre uninstall mirrored from .deb # Currently running falco service uses the driver, so stop it before driver cleanup -if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then - # stop falco service before uninstall - /usr/bin/systemctl --system stop 'falco.service' >/dev/null || true -fi +echo "[PRE-REMOVE] Stop all Falco services:" +systemctl --system stop 'falco-kmod.service' || true +systemctl --system stop 'falco-bpf.service' || true +systemctl --system stop 'falco-modern-bpf.service' || true +systemctl --system stop 'falco-plugin.service' || true -/usr/bin/falco-driver-loader --clean +echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'" +falco-driver-loader --clean # validate rpm macros by `rpm -qp --scripts ` # RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd @@ -32,4 +33,7 @@ fi # systemd_preun macro expands to # if preuninstall: # `systemd-update-helper remove-system-units ` -%systemd_preun 'falco.service' +%systemd_preun 'falco-kmod.service' +%systemd_preun 'falco-bpf.service' +%systemd_preun 'falco-modern-bpf.service' +%systemd_preun 'falco-plugin.service' diff --git a/scripts/rpm/falco.service b/scripts/systemd/falco-bpf.service similarity index 68% rename from scripts/rpm/falco.service rename to scripts/systemd/falco-bpf.service index 1d66d440712..de8c57e6705 100644 --- a/scripts/rpm/falco.service +++ b/scripts/systemd/falco-bpf.service @@ -1,14 +1,15 @@ [Unit] -Description=Falco: Container Native Runtime Security +Description=Falco: Container Native Runtime Security with ebpf Documentation=https://falco.org/docs/ -After=falco_inject_kmod.service -Requires=falco_inject_kmod.service +Conflicts=falco-kmod.service +Conflicts=falco-modern-bpf.service +Conflicts=falco-plugin.service [Service] Type=simple User=root +Environment=FALCO_BPF_PROBE= ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid -ExecStopPost=/sbin/rmmod falco UMask=0077 TimeoutSec=30 RestartSec=15s 
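Review bot: The hunk drops the `[ -d /run/systemd/system ] && [ $1 -eq 0 ]` guard, so the four `systemctl --system stop` calls now run in the old package's `%preun` on upgrade as well as on erase; combined with the `%post` change that only restarts a unit when `chosen_driver` is set (never on upgrade) this leaves falco stopped after every rpm upgrade. Keep the guard around the stop loop, `if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then … fi`, or make `%post` re-enable whatever unit `systemctl is-enabled` reports. The `--clean` call was already unconditional before this change, so only the stop semantics are new here.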
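Review bot: `Environment=FALCO_BPF_PROBE=` sets the variable to an empty string, and nothing in the unit says what falco does with an empty-but-set value (presumably "select the eBPF driver using the default probe path", but that is inferred, not visible here); a comment line above it such as `# Set but empty: selects the eBPF driver with falco's default probe location`, adjusted to the real semantics, would save the next reader a trip to the falco source. With `User=root` and `ProtectHome=read-only` a default probe under `/root/.falco` stays readable, which is what this unit needs — worth stating in the same comment. The second hunk of this file drops `ReadWritePaths=/sys/module/falco`, which is the right change for a unit that no longer loads a kernel module.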
@@ -18,7 +19,6 @@ NoNewPrivileges=yes ProtectHome=read-only ProtectSystem=full ProtectKernelTunables=true -ReadWritePaths=/sys/module/falco RestrictRealtime=true RestrictAddressFamilies=~AF_PACKET StandardOutput=null diff --git a/scripts/systemd/falco-kmod-inject.service b/scripts/systemd/falco-kmod-inject.service new file mode 100644 index 00000000000..78de816f1e3 --- /dev/null +++ b/scripts/systemd/falco-kmod-inject.service @@ -0,0 +1,11 @@ +[Unit] +Description=Falco: Container Native Runtime Security with kmod, inject. +Documentation=https://falco.org/docs/ +PartOf=falco-kmod.service + +[Service] +Type=oneshot +RemainAfterExit=yes +User=root +ExecStart=/sbin/modprobe falco +ExecStop=/sbin/rmmod falco \ No newline at end of file diff --git a/scripts/systemd/falco-kmod.service b/scripts/systemd/falco-kmod.service new file mode 100644 index 00000000000..f62516381ef --- /dev/null +++ b/scripts/systemd/falco-kmod.service @@ -0,0 +1,29 @@ +[Unit] +Description=Falco: Container Native Runtime Security with kmod +Documentation=https://falco.org/docs/ +After=falco-kmod-inject.service +Requires=falco-kmod-inject.service +Conflicts=falco-bpf.service +Conflicts=falco-modern-bpf.service +Conflicts=falco-plugin.service + +[Service] +Type=simple +User=root +ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid +UMask=0077 +TimeoutSec=30 +RestartSec=15s +Restart=on-failure +PrivateTmp=true +NoNewPrivileges=yes +ProtectHome=read-only +ProtectSystem=full +ProtectKernelTunables=true +ReadWritePaths=/sys/module/falco +RestrictRealtime=true +RestrictAddressFamilies=~AF_PACKET +StandardOutput=null + +[Install] +WantedBy=multi-user.target diff --git a/scripts/systemd/falco-modern-bpf.service b/scripts/systemd/falco-modern-bpf.service new file mode 100644 index 00000000000..9b6825005c1 --- /dev/null +++ b/scripts/systemd/falco-modern-bpf.service 
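Review bot: The new `falco-kmod-inject.service` ends without a trailing newline (`\ No newline at end of file`); add one so the file matches the other units and diffs cleanly. `ExecStop=/sbin/rmmod falco` relies on `After=falco-kmod-inject.service` in `falco-kmod.service` for the reverse stop order (falco exits before rmmod runs), since `PartOf=` only propagates the stop and does not order it; a comment on the `ExecStop` line naming that dependency would help. The unit has no `[Install]` section, which is fine while it is only pulled in through `Requires=`, and a one-line comment saying so would stop someone "fixing" it.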
@@ -0,0 +1,26 @@ +[Unit] +Description=Falco: Container Native Runtime Security with modern ebpf +Documentation=https://falco.org/docs/ +Conflicts=falco-kmod.service +Conflicts=falco-bpf.service +Conflicts=falco-plugin.service + +[Service] +Type=simple +User=root +ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid --modern-bpf +UMask=0077 +TimeoutSec=30 +RestartSec=15s +Restart=on-failure +PrivateTmp=true +NoNewPrivileges=yes +ProtectHome=read-only +ProtectSystem=full +ProtectKernelTunables=true +RestrictRealtime=true +RestrictAddressFamilies=~AF_PACKET +StandardOutput=null + +[Install] +WantedBy=multi-user.target diff --git a/scripts/debian/falco.service b/scripts/systemd/falco-plugin.service similarity index 66% rename from scripts/debian/falco.service rename to scripts/systemd/falco-plugin.service index 0e3e16ce176..84befe716ec 100644 --- a/scripts/debian/falco.service +++ b/scripts/systemd/falco-plugin.service @@ -1,14 +1,14 @@ [Unit] -Description=Falco: Container Native Runtime Security +Description=Falco: Container Native Runtime Security with plugin Documentation=https://falco.org/docs/ -After=falco_inject_kmod.service -Requires=falco_inject_kmod.service +Conflicts=falco-kmod.service +Conflicts=falco-bpf.service +Conflicts=falco-modern-bpf.service [Service] Type=simple -User=root +User=%u ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid -ExecStopPost=/sbin/rmmod falco UMask=0077 TimeoutSec=30 RestartSec=15s @@ -18,9 +18,9 @@ NoNewPrivileges=yes ProtectHome=read-only ProtectSystem=full ProtectKernelTunables=true -ReadWritePaths=/sys/module/falco RestrictRealtime=true RestrictAddressFamilies=~AF_PACKET +StandardOutput=null [Install] WantedBy=multi-user.target
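Review bot: `User=%u` in a system unit expands to the user running the service manager, i.e. `root`, so this line does not run the plugin-only service unprivileged as the change from `User=root` suggests. If an unprivileged user is intended, declare one (`DynamicUser=yes`, or a `falco` account created by the package) and move `--pidfile=/var/run/falco.pid` to a path that user can write (`RuntimeDirectory=falco` with `/run/falco/falco.pid`); if root is intended, keep the explicit `User=root` of the other units rather than the misleading specifier. Adding `StandardOutput=null` also discards the service's stdout, matching the other units but worth confirming for plugin-sourced output.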