diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5883441e78e..d3588eb4ca7 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -27,6 +27,14 @@ if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux
   endif()
 endif()
 
+# Modern BPF is not supported on not Linux systems and in MINIMAL_BUILD
+if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
+  option(BUILD_FALCO_MODERN_BPF "Build modern BPF support for Falco" OFF)
+  if(BUILD_FALCO_MODERN_BPF)
+    add_definitions(-DHAS_MODERN_BPF)
+  endif()
+endif()
+
 # We shouldn't need to set this, see https://gitlab.kitware.com/cmake/cmake/-/issues/16419
 option(EP_UPDATE_DISCONNECTED "ExternalProject update disconnected" OFF)
 if (${EP_UPDATE_DISCONNECTED})
diff --git a/cmake/modules/driver.cmake b/cmake/modules/driver.cmake
index 9d56ce26316..90fea39e119 100644
--- a/cmake/modules/driver.cmake
+++ b/cmake/modules/driver.cmake
@@ -26,8 +26,8 @@ else()
 # In case you want to test against another driver version (or branch, or commit) just pass the variable -
 # ie., `cmake -DDRIVER_VERSION=dev ..`
 if(NOT DRIVER_VERSION)
-  set(DRIVER_VERSION "fd46dd139a8e35692a7d40ab2f0ed2016df827cf")
-  set(DRIVER_CHECKSUM "SHA256=7c14a4b5f282c9e1e4496f5416d73c3132c72954d581e1a737f82ffa0e3a6bdd")
+  set(DRIVER_VERSION "0c280ca6847d7fbb616f152bb6cffd5b4d74452d")
+  set(DRIVER_CHECKSUM "SHA256=63577357e43cade45e76fb5f4522493195dcde1a6cfed3768ba5d51a67ab50ab")
 endif()
 
 # cd /path/to/build && cmake /path/to/source
diff --git a/cmake/modules/falcosecurity-libs.cmake b/cmake/modules/falcosecurity-libs.cmake
index 0e51c3ebb55..5112b39ff67 100644
--- a/cmake/modules/falcosecurity-libs.cmake
+++ b/cmake/modules/falcosecurity-libs.cmake
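Review bot: A user who configures with `-DBUILD_FALCO_MODERN_BPF=ON` on a non-Linux host or with MINIMAL_BUILD gets no feedback, because both the `option()` and the `HAS_MODERN_BPF` definition are created only inside the new `if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)` guard, so the request is silently dropped and the resulting binary has no `--modern-bpf` flag at all. Replacing the closing `endif()` with `elseif(BUILD_FALCO_MODERN_BPF)` / `message(FATAL_ERROR "BUILD_FALCO_MODERN_BPF requires a non-minimal Linux build")` / `endif()` makes the unsupported combination fail at configure time instead of disappearing. The comment would also read more naturally as `# Modern BPF is not supported on non-Linux systems or in MINIMAL_BUILD`.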
@@ -27,8 +27,8 @@ else()
 # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
 # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
 if(NOT FALCOSECURITY_LIBS_VERSION)
-  set(FALCOSECURITY_LIBS_VERSION "fd46dd139a8e35692a7d40ab2f0ed2016df827cf")
-  set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=7c14a4b5f282c9e1e4496f5416d73c3132c72954d581e1a737f82ffa0e3a6bdd")
+  set(FALCOSECURITY_LIBS_VERSION "0c280ca6847d7fbb616f152bb6cffd5b4d74452d")
+  set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=63577357e43cade45e76fb5f4522493195dcde1a6cfed3768ba5d51a67ab50ab")
 endif()
 
 # cd /path/to/build && cmake /path/to/source
@@ -60,6 +60,9 @@ set(LIBSINSP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
 # configure gVisor support
 set(BUILD_LIBSCAP_GVISOR ${BUILD_FALCO_GVISOR} CACHE BOOL "")
 
+# configure modern BPF support
+set(BUILD_LIBSCAP_MODERN_BPF ${BUILD_FALCO_MODERN_BPF} CACHE BOOL "")
+
 # explicitly disable the tests/examples of this dependency
 set(CREATE_TEST_TARGETS OFF CACHE BOOL "")
 set(BUILD_LIBSCAP_EXAMPLES OFF CACHE BOOL "")
diff --git a/userspace/falco/app_actions/open_inspector.cpp b/userspace/falco/app_actions/open_inspector.cpp
index 7ba5d5fc1a3..1042d176f8c 100644
--- a/userspace/falco/app_actions/open_inspector.cpp
+++ b/userspace/falco/app_actions/open_inspector.cpp
@@ -75,6 +75,11 @@ application::run_result application::open_live_inspector(
 		falco_logger::log(LOG_INFO, "Enabled event collection from gVisor. Configuration path: " + m_options.gvisor_config);
 		inspector->open_gvisor(m_options.gvisor_config, m_options.gvisor_root);
 	}
+	else if(m_options.modern_bpf) /* modern BPF engine. */
+	{
+		falco_logger::log(LOG_INFO, "Starting capture with modern BPF probe.");
+		inspector->open_modern_bpf(m_state->syscall_buffer_bytes_size, m_state->ppm_sc_of_interest, m_state->tp_of_interest);
+	}
 	else if(getenv(FALCO_BPF_ENV_VARIABLE) != NULL) /* BPF engine. */
 	{
 		const char *bpf_probe_path = std::getenv(FALCO_BPF_ENV_VARIABLE);
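Review bot: The new `else if(m_options.modern_bpf)` branch in open_inspector.cpp is tested before the `FALCO_BPF_ENV_VARIABLE` check, so when both `--modern-bpf` and the legacy probe env var are present the env var is silently ignored with nothing in the log to say which engine won; a line such as `if(getenv(FALCO_BPF_ENV_VARIABLE) != NULL) falco_logger::log(LOG_WARNING, std::string("Ignoring ") + FALCO_BPF_ENV_VARIABLE + " because --modern-bpf was requested.");` inside the branch would make the precedence visible to operators. The `--modern-bpf` option itself only exists under `#ifdef HAS_MODERN_BPF`, while this call to `inspector->open_modern_bpf(...)` is unconditional, so it presumably relies on libsinsp declaring `open_modern_bpf` even when `BUILD_LIBSCAP_MODERN_BPF` is OFF — worth confirming, or wrapping the branch in the same `#ifdef` for symmetry with the command-line code. open_live_inspector begins and ends outside this hunk.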
diff --git a/userspace/falco/app_cmdline_options.cpp b/userspace/falco/app_cmdline_options.cpp
index 99978f5d95f..3fc1c1fa91b 100644
--- a/userspace/falco/app_cmdline_options.cpp
+++ b/userspace/falco/app_cmdline_options.cpp
@@ -31,6 +31,7 @@ cmdline_options::cmdline_options()
 	: event_buffer_format(sinsp_evt::PF_NORMAL),
 	  gvisor_config(""),
 	  list_plugins(false),
+	  modern_bpf(false),
 	  m_cmdline_opts("falco", "Falco - Cloud Native Runtime Security")
 {
 	define();
@@ -168,6 +169,9 @@ void cmdline_options::define()
 		("g,gvisor-config", "Parse events from gVisor using the specified configuration file. A falco-compatible configuration file can be generated with --gvisor-generate-config and can be used for both runsc and Falco.", cxxopts::value(gvisor_config), "")
 		("gvisor-generate-config", "Generate a configuration file that can be used for gVisor.", cxxopts::value(gvisor_generate_config_with_socket)->implicit_value("/run/falco/gvisor.sock"), "")
 		("gvisor-root", "gVisor root directory for storage of container state. Equivalent to runsc --root flag.", cxxopts::value(gvisor_root), "")
+#endif
+#ifdef HAS_MODERN_BPF
+		("modern-bpf", "[EXPERIMENTAL] Use BPF modern probe to capture system events.", cxxopts::value(modern_bpf)->default_value("false"))
 #endif
 		("i", "Print all events that are ignored by default (i.e. without the -A flag) and exit.", cxxopts::value(print_ignored_events)->default_value("false"))
 #ifndef MINIMAL_BUILD
diff --git a/userspace/falco/app_cmdline_options.h b/userspace/falco/app_cmdline_options.h
index 0af763bc9c5..ac226c91a38 100644
--- a/userspace/falco/app_cmdline_options.h
+++ b/userspace/falco/app_cmdline_options.h
@@ -79,6 +79,7 @@ class cmdline_options {
 	bool verbose;
 	bool print_version_info;
 	bool print_page_size;
+	bool modern_bpf;
 
 	bool parse(int argc, char **argv, std::string &errstr);
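Review bot: The help text `"[EXPERIMENTAL] Use BPF modern probe to capture system events."` in the define() hunk names the feature differently from the `--modern-bpf` flag, the `HAS_MODERN_BPF` macro and the `"Starting capture with modern BPF probe."` log message in open_inspector.cpp; `"[EXPERIMENTAL] Use the modern BPF probe to capture system events."` keeps the wording consistent across the user-visible strings. Because the option is wrapped in its own `#ifdef HAS_MODERN_BPF` block rather than being always defined and rejected at runtime, a build without modern BPF support presumably answers `--modern-bpf` with a generic unknown-option error; that is acceptable, but the help text for the gVisor block just above takes the same approach, so the behaviour is at least consistent. define() continues outside this hunk.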