falcosecurity · poiana · Dec 15, 2022 · Oct 10, 2022 · Oct 12, 2022 · Oct 12, 2022
diff --git a/cmake/cpack/CMakeCPackOptions.cmake b/cmake/cpack/CMakeCPackOptions.cmake
@@ -1,13 +1,10 @@
-if(CPACK_GENERATOR MATCHES "DEB")
+if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-endif()
-
-if(CPACK_GENERATOR MATCHES "RPM")
-	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp -r scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-plugin.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 
 if(CPACK_GENERATOR MATCHES "TGZ")

diff --git a/docker/tester/Dockerfile b/docker/tester/Dockerfile
@@ -15,7 +15,7 @@ RUN if [ "$TARGETARCH" = "amd64" ] ; then curl -L -o grpcurl.tar.gz \
     https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_arm64.tar.gz; \
     fi;
 
-RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
+RUN dnf install -y python-pip python docker findutils jq unzip sed curl && dnf clean all
 ENV PATH="/root/.local/bin/:${PATH}"
 RUN pip install --user avocado-framework==69.0
 RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0

diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
@@ -15,26 +15,28 @@
 # limitations under the License.
 #
 
+# Systemd
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
+		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
+		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-bpf.service"
+		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-modern-bpf.service"
+		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-plugin.service"
+		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+
+# Debian
 configure_file(debian/postinst.in debian/postinst)
 configure_file(debian/postrm.in debian/postrm)
 configure_file(debian/prerm.in debian/prerm)
 
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
-
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco_inject_kmod.service"
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
-
+# Rpm
 configure_file(rpm/postinstall.in rpm/postinstall)
 configure_file(rpm/postuninstall.in rpm/postuninstall)
 configure_file(rpm/preuninstall.in rpm/preuninstall)
 
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
-
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco_inject_kmod.service"
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
-
 configure_file(falco-driver-loader falco-driver-loader @ONLY)
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")

diff --git a/scripts/debian/falco_inject_kmod.service b/scripts/debian/falco_inject_kmod.service
diff --git a/scripts/debian/postinst.in b/scripts/debian/postinst.in
@@ -15,60 +15,70 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-set -e
 
-DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
-DKMS_VERSION="@DRIVER_VERSION@"
-NAME="@PACKAGE_NAME@"
+chosen_driver=
 
-postinst_found=0
+if [ "$1" = "configure" ]; then
+        if [ -x /usr/bin/dialog ]; then
+          # If dialog is installed, create a dialog to let users choose the correct driver for them
+          CHOICE=$(dialog --clear --backtitle "Choose your preferred driver" --title "Falco drivers" --menu "Choose one of the following options:" 15 40 5 \
+                1 "Don't start" \
+                2 "Kmod" \
+                3 "eBPF" \
+                4 "Modern eBPF" \
+                5 "Plugin" \
+                2>&1 >/dev/tty)
+            if [ $? -eq 0 ]; then
+              case $CHOICE in
+                  2)
+                      chosen_driver="kmod"
+                      ;;
+                  3)
+                      chosen_driver="bpf"
+                      ;;
+                  4)
+                      chosen_driver="modern-bpf"
+                      ;;
+                  5)
+                      chosen_driver="plugin"
+                      ;;
+              esac
+            fi
+            clear
+        fi
+fi
 
-case "$1" in
-	configure)
-		for DKMS_POSTINST in /usr/lib/dkms/common.postinst /usr/share/$DKMS_PACKAGE_NAME/postinst; do
-			if [ -f $DKMS_POSTINST ]; then
-				$DKMS_POSTINST $DKMS_PACKAGE_NAME $DKMS_VERSION /usr/share/$DKMS_PACKAGE_NAME "" $2
-				postinst_found=1
-				break
-			fi
-		done
-		if [ "$postinst_found" -eq 0 ]; then
-			echo "ERROR: DKMS version is too old and $DKMS_PACKAGE_NAME was not"
-			echo "built with legacy DKMS support."
-			echo "You must either rebuild $DKMS_PACKAGE_NAME with legacy postinst"
-			echo "support or upgrade DKMS to a more current version."
-			exit 1
-		fi
-	;;
-esac
+set -e
 
-# Based off what debhelper dh_systemd_enable/13.3.4 would have added
-# ref: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#debhelper
+# If needed, try to load/compile the driver through falco-driver-loader
+case "$chosen_driver" in
+    "kmod")
+      echo "[POST-INSTALL] Call 'falco-driver-loader module':"
+      falco-driver-loader module
+      ;;
+    "bpf")
+      echo "[POST-INSTALL] Call 'falco-driver-loader bpf':"
+      falco-driver-loader bpf
+      ;;
+esac
 
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
-        # This will only remove masks created by d-s-h on package removal.
-        deb-systemd-helper unmask 'falco.service' >/dev/null || true
-
-        # was-enabled defaults to true, so new installations run enable.
-        if deb-systemd-helper --quiet was-enabled 'falco.service'; then
-                # Enables the unit on first installation, creates new
-                # symlinks on upgrades if the unit file has changed.
-                deb-systemd-helper enable 'falco.service' >/dev/null || true
-        else
-                # Update the statefile to add new symlinks (if any), which need to be
-                # cleaned up on purge. Also remove old symlinks.
-                deb-systemd-helper update-state 'falco.service' >/dev/null || true
+        if [ -n "$chosen_driver" ]; then
+            echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':"
+            systemctl --system enable "falco-$chosen_driver.service" || true
+            echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':"
+            systemctl --system start "falco-$chosen_driver.service" || true
         fi
 fi
 
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
-        if [ -d /run/systemd/system ]; then
-                systemctl --system daemon-reload >/dev/null || true
-                if [ -n "$2" ]; then
-                        _dh_action=restart
-                else
-                        _dh_action=start
-                fi
-                deb-systemd-invoke $_dh_action 'falco.service' >/dev/null || true
-        fi
+    if [ -d /run/systemd/system ]; then
+      echo "[POST-INSTALL] Trigger deamon-reload:"
+      systemctl --system daemon-reload || true
+      if [ -n "$chosen_driver" ]; then
+        echo "[POST-INSTALL] Trigger 'falco-$chosen_driver.service' condrestart:"
+        # restart falco on upgrade if service is already running
+        systemctl --system condrestart "falco-$chosen_driver.service" || true
+      fi
+    fi
 fi
diff --git a/scripts/debian/postrm.in b/scripts/debian/postrm.in
@@ -22,18 +22,12 @@
 set -e
 
 if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
-        systemctl --system daemon-reload >/dev/null || true
-fi
-
-if [ "$1" = "remove" ]; then
-        if [ -x "/usr/bin/deb-systemd-helper" ]; then
-                deb-systemd-helper mask 'falco.service' >/dev/null || true
-        fi
-fi
+        echo "[POST-REMOVE] Disable all Falco services:"
+        systemctl --system disable 'falco-kmod.service' || true
+        systemctl --system disable 'falco-bpf.service' || true
+        systemctl --system disable 'falco-modern-bpf.service' || true
+        systemctl --system disable 'falco-plugin.service' || true
 
-if [ "$1" = "purge" ]; then
-        if [ -x "/usr/bin/deb-systemd-helper" ]; then
-                deb-systemd-helper purge 'falco.service' >/dev/null || true
-                deb-systemd-helper unmask 'falco.service' >/dev/null || true
-        fi
+        echo "[POST-REMOVE] Trigger deamon-reload:"
+        systemctl --system daemon-reload || true
 fi
diff --git a/scripts/debian/prerm.in b/scripts/debian/prerm.in
@@ -21,12 +21,15 @@ set -e
 # ref: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#debhelper
 # Currently running falco service uses the driver, so stop it before driver cleanup
 
-if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
-        deb-systemd-invoke stop 'falco.service' >/dev/null || true
-fi
-
 case "$1" in
-	remove|upgrade|deconfigure)
-		/usr/bin/falco-driver-loader --clean
-	;;
+    remove|upgrade|deconfigure)
+      echo "[PRE-REMOVE] Stop all Falco services:"
+      systemctl --system stop 'falco-kmod.service' || true
+      systemctl --system stop 'falco-bpf.service' || true
+      systemctl --system stop 'falco-modern-bpf.service' || true
+      systemctl --system stop 'falco-plugin.service' || true
+
+      echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
+      falco-driver-loader --clean
+    ;;
 esac
diff --git a/scripts/falco-driver-loader b/scripts/falco-driver-loader
@@ -211,7 +211,13 @@ load_kernel_module_compile() {
 	fi
 
 	# Try to compile using all the available gcc versions
-	for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -n -r -k 2 -t -); do
+	for CURRENT_GCC in $(ls "$(dirname "$(which gcc)")"/gcc*); do
+		# Filter away gcc-{ar,nm,...}
+		# Only gcc compiler has `-print-search-dirs` option.
+		${CURRENT_GCC} -print-search-dirs 2>&1 | grep "install:"
+		if [ "$?" -ne "0" ]; then
+			continue
+		fi
 		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
 		echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make
 		echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
@@ -232,14 +238,19 @@ load_kernel_module_compile() {
 				return
 			fi
 			echo "* ${DRIVER_NAME} module found: ${KO_FILE}"
-			echo "* Trying insmod"
+			echo "* Trying to modprobe"
 			chcon -t modules_object_t "$KO_FILE" > /dev/null 2>&1 || true
+			if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
+				echo "* Success: ${DRIVER_NAME} module found in dkms and loaded"
+				exit 0
+			fi
+			echo "* Unable to load ${DRIVER_NAME} module"
+			echo "* Trying insmod"
 			if insmod "$KO_FILE" > /dev/null 2>&1; then
-				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
+				echo "* Success: ${DRIVER_NAME} module found in dkms and inserted"
 				exit 0
-			else
-				echo "* Unable to insmod ${DRIVER_NAME} module"
 			fi
+			echo "* Unable to insmod ${DRIVER_NAME} module"
 		else
 			DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
 			if [ -f "${DKMS_LOG}" ]; then
@@ -260,12 +271,19 @@ load_kernel_module_download() {
 	if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
 		echo "* Download succeeded"
 		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
+		mkdir -p /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/ || true
+		cp ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME} /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/falco.ko || true
+		depmod ${KERNEL_RELEASE} || true
+		if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
+			echo "* Success: ${DRIVER_NAME} module found and loaded"
+			exit 0
+		fi
+		>&2 echo "Unable to load the prebuilt ${DRIVER_NAME} module"
 		if insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}"; then
 			echo "* Success: ${DRIVER_NAME} module found and inserted"
 			exit 0
-		else
-			>&2 echo "Unable to insmod the prebuilt ${DRIVER_NAME} module"
-		fi	
+		fi
+		>&2 echo "Unable to insmod the prebuilt ${DRIVER_NAME} module"
 	else
 		>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} module"
 		return
@@ -379,6 +397,13 @@ load_kernel_module() {
 	if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
 		echo "* Found a prebuilt ${DRIVER_NAME} module at ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
 		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
+		mkdir -p /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/ || true
+		cp ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME} /lib/modules/${KERNEL_RELEASE}/kernel/drivers/falco/falco.ko || true
+		depmod ${KERNEL_RELEASE} || true
+		if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
+			echo "* Success: ${DRIVER_NAME} module found and loaded"
+			exit 0
+		fi
 		insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
 		exit $?
 	fi
@@ -397,7 +422,7 @@ load_kernel_module() {
 	# Last try (might load a previous driver version)
 	echo "* Trying to load a system ${DRIVER_NAME} module, if present"
 	if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
-		echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe"
+		echo "* Success: ${DRIVER_NAME} module found and loaded"
 		exit 0
 	fi
 

diff --git a/scripts/rpm/falco_inject_kmod.service b/scripts/rpm/falco_inject_kmod.service