libsinsp, libscap, the kernel module driver, and the eBPF driver sources

Overview

falcosecurity/libs

As per the OSS Libraries Contribution Plan, this repository has been chosen to be the new home for libsinsp, libscap, the kernel module driver and the eBPF driver sources which Sysdig Inc. has contributed to the Falco project.

Those libraries and drivers were originally developed as part of the draios/sysdig repository.

Issues
  • chore(cmake/modules) Bump bundled GRPC version to 1.44.0

    What this PR does / why we need it:

    While running make sinsp using the bundled dependencies in a Fedora 35 container with GCC 11.2.1, compilation of the GRPC dependency was failing with the following message:

    error: no matching function for call to ‘max(long int, int)’
    [build] /workspaces/libs/build/grpc-prefix/src/grpc/third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc: In function ‘bool absl::lts_20210324::SetupAlternateStackOnce()’:
    [build] /workspaces/libs/build/grpc-prefix/src/grpc/third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc:139:32: error: no matching function for call to ‘max(long int, int)’
    [build]   139 |   size_t stack_size = (std::max(SIGSTKSZ, 65536) + page_mask) & ~page_mask;
    [build]       |                        ~~~~~~~~^~~~~~~~~~~~~~~~~
    [build] In file included from /usr/include/c++/11/algorithm:61,
    [build]                  from /workspaces/libs/build/grpc-prefix/src/grpc/third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc:36:
    [build] /usr/include/c++/11/bits/stl_algobase.h:254:5: note: candidate: ‘template<class _Tp> const _Tp& std::max(const _Tp&, const _Tp&)’
    [build]   254 |     max(const _Tp& __a, const _Tp& __b)
    [build]       |     ^~~
    [build] /usr/include/c++/11/bits/stl_algobase.h:254:5: note:   template argument deduction/substitution failed:
    [build] /workspaces/libs/build/grpc-prefix/src/grpc/third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc:139:32: note:   deduced conflicting types for parameter ‘const _Tp’ (‘long int’ and ‘int’)
    [build]   139 |   size_t stack_size = (std::max(SIGSTKSZ, 65536) + page_mask) & ~page_mask;
    [build]       |                        ~~~~~~~~^~~~~~~~~~~~~~~~~
    [build] In file included from /usr/include/c++/11/algorithm:61,
    [build]                  from /workspaces/libs/build/grpc-prefix/src/grpc/third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc:36:
    [build] /usr/include/c++/11/bits/stl_algobase.h:300:5: note: candidate: ‘template<class _Tp, class _Compare> const _Tp& std::max(const _Tp&, const _Tp&, _Compare)’
    [build]   300 |     max(const _Tp& __a, const _Tp& __b, _Compare __comp)
    [build]       |     ^~~
    [build] /usr/include/c++/11/bits/stl_algobase.h:300:5: note:   template argument deduction/substitution failed:
    [build] /workspaces/libs/build/grpc-prefix/src/grpc/third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc:139:32: note:   deduced conflicting types for parameter ‘const _Tp’ (‘long int’ and ‘int’)
    [build]   139 |   size_t stack_size = (std::max(SIGSTKSZ, 65536) + page_mask) & ~page_mask;
    [build]       |                        ~~~~~~~~^~~~~~~~~~~~~~~~~
    [build] In file included from /usr/include/c++/11/algorithm:62,
    [build]                  from /workspaces/libs/build/grpc-prefix/src/grpc/third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc:36:
    [build] /usr/include/c++/11/bits/stl_algo.h:3461:5: note: candidate: ‘template<class _Tp> _Tp std::max(std::initializer_list<_Tp>)’
    [build]  3461 |     max(initializer_list<_Tp> __l)
    [build]       |     ^~~
    [build] /usr/include/c++/11/bits/stl_algo.h:3461:5: note:   template argument deduction/substitution failed:
    [build] /workspaces/libs/build/grpc-prefix/src/grpc/third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc:139:32: note:   mismatched types ‘std::initializer_list<_Tp>’ and ‘long int’
    [build]   139 |   size_t stack_size = (std::max(SIGSTKSZ, 65536) + page_mask) & ~page_mask;
    [build]       |                        ~~~~~~~~^~~~~~~~~~~~~~~~~
    [build] In file included from /usr/include/c++/11/algorithm:62,
    [build]                  from /workspaces/libs/build/grpc-prefix/src/grpc/third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc:36:
    [build] /usr/include/c++/11/bits/stl_algo.h:3467:5: note: candidate: ‘template<class _Tp, class _Compare> _Tp std::max(std::initializer_list<_Tp>, _Compare)’
    [build]  3467 |     max(initializer_list<_Tp> __l, _Compare __comp)
    [build]       |     ^~~
    [build] /usr/include/c++/11/bits/stl_algo.h:3467:5: note:   template argument deduction/substitution failed:
    [build] /workspaces/libs/build/grpc-prefix/src/grpc/third_party/abseil-cpp/absl/debugging/failure_signal_handler.cc:139:32: note:   mismatched types ‘std::initializer_list<_Tp>’ and ‘long int’
    [build]   139 |   size_t stack_size = (std::max(SIGSTKSZ, 65536) + page_mask) & ~page_mask;
    [build]       |                        ~~~~~~~~^~~~~~~~~~~~~~~~~
    [build] gmake[6]: *** [third_party/abseil-cpp/absl/debugging/CMakeFiles/absl_failure_signal_handler.dir/build.make:76: third_party/abseil-cpp/absl/debugging/CMakeFiles/absl_failure_signal_handler.dir/failure_signal_handler.cc.o] Error 1
    [build] gmake[5]: *** [CMakeFiles/Makefile2:2001: third_party/abseil-cpp/absl/debugging/CMakeFiles/absl_failure_signal_handler.dir/all] Error 2
    [build] gmake[5]: *** Waiting for unfinished jobs....
    

    After doing some research, it looks like this has already been addressed by the abseil-cpp project and the change is present in GRPC's tag v1.44.0; bumping to that version in turn fixes the compilation error.

    Dockerfile I'm using as a devcontainer, just in case it is useful:
    FROM fedora:35
    
    RUN dnf install -y \
        gcc \
        gcc-c++ \
        git \
        make \
        cmake \
        autoconf \
        automake \
        pkg-config \
        patch \
        ncurses-devel \
        libtool \
        elfutils-libelf-devel \
        diffutils \
        which \
        perl-core \
        clang && \
        kernel_version=$(uname -r) && \
        ln -s "/host/lib/modules/$kernel_version" "/lib/modules/$kernel_version" && \
        ln -s "/host/usr/src/kernels/$kernel_version" "/usr/src/kernels/$kernel_version"
    

    Which issue(s) this PR fixes:

    Fixes #

    Special notes for your reviewer:

    /cc @leogr /cc @FedeDP

    Does this PR introduce a user-facing change?:

    NONE
    
    dco-signoff: yes release-note-none size/S lgtm approved kind/cleanup area/build ok-to-test 
    opened by Molter73 28
  • do not clear dns cache until last sinsp instance

    As sinsp is not a singleton, there are cases when multiple instances of sinsp with different lifetimes exist. Currently, each sinsp instance's destructor kills the DNS manager refresher thread and invalidates the DNS cache; this PR introduces an instance counter to prohibit unintended and premature DNS cache destruction.

    /kind bug

    Any specific area of the project related to this PR?

    /area libsinsp

    What this PR does / why we need it: Fix DNS cache unintended clearing

    Which issue(s) this PR fixes: Fix DNS cache unintended clearing

    fix: correct DNS cache unintended clearing
    
    kind/bug release-note dco-signoff: yes size/S lgtm approved area/libsinsp ok-to-test 
    opened by VadimZy 25
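The lifetime problem this PR describes, as an added example that is not libsinsp code (`dns_cache`, `inspector_before` and `inspector_after` are hypothetical names): with the "before" class, the destructor of a short-lived inspector wipes the shared cache out from under a long-lived one that is still running; with the "after" class, a static instance counter makes only the last live instance do the teardown. The refresher thread is left out and a plain map stands in for the cache.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdio>
#include <mutex>
#include <string>
#include <unordered_map>

// Process-wide cache shared by every inspector instance (hypothetical class).
// The refresher thread from the PR is omitted; the map alone shows the bug.
class dns_cache
{
public:
	static dns_cache& instance()
	{
		static dns_cache c;
		return c;
	}

	void add(const std::string& name, const std::string& ip)
	{
		std::lock_guard<std::mutex> lk(m_mtx);
		m_entries[name] = ip;
	}

	std::size_t size()
	{
		std::lock_guard<std::mutex> lk(m_mtx);
		return m_entries.size();
	}

	// Stands in for "kill the refresher thread and invalidate the cache".
	void clear()
	{
		std::lock_guard<std::mutex> lk(m_mtx);
		m_entries.clear();
	}

private:
	std::mutex m_mtx;
	std::unordered_map<std::string, std::string> m_entries;
};

// "Before": every destructor tears down the shared cache, even while other
// inspectors are still alive.
class inspector_before
{
public:
	~inspector_before() { dns_cache::instance().clear(); }
};

// "After": a static instance counter; only the last destructor tears down.
class inspector_after
{
public:
	inspector_after() { ++s_instances; }
	~inspector_after()
	{
		if(--s_instances == 0)
		{
			dns_cache::instance().clear();
		}
	}
	static int live_instances() { return s_instances.load(); }

private:
	static std::atomic<int> s_instances;
};
std::atomic<int> inspector_after::s_instances{0};

// Constructed scenario: a long-lived inspector fills the cache, a short-lived
// one comes and goes. Returns how many entries the long-lived inspector can
// still see afterwards.
template<class Inspector>
std::size_t entries_after_short_lived_instance()
{
	dns_cache::instance().clear();  // reset shared state between runs
	Inspector long_lived;
	dns_cache::instance().add("example.test", "192.0.2.10");  // constructed entry
	{
		Inspector short_lived;
	}  // short_lived destroyed here
	return dns_cache::instance().size();
}

std::size_t surviving_before() { return entries_after_short_lived_instance<inspector_before>(); }
std::size_t surviving_after() { return entries_after_short_lived_instance<inspector_after>(); }

int main()
{
	std::printf("before: %zu entries survive\n", surviving_before());  // 0
	std::printf("after:  %zu entries survive\n", surviving_after());   // 1
	return 0;
}
```

The counter is a `std::atomic<int>` rather than a plain `int` because instances with different lifetimes may be destroyed from different threads. Note that the decrement and the clear are still two separate steps: if another thread constructs a new instance and populates the cache in between, that clear wipes the newcomer's entries, so a real implementation should take the cache mutex around the count check as well.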
  • Lookup retry on asynchronous container engines

    What type of PR is this?

    /kind bug

    /kind feature

    Any specific area of the project related to this PR?

    /area libsinsp

    What this PR does / why we need it: In Docker and in CRI-O (when started with cri_timeout 0 or with async false), it happens that the lookup returns without any metadata for some containers (e.g. OWASP Juice Shop):

    Debug, cri (fa94c3cc2006): Performing lookup
    Debug, cri (fa94c3cc2006): Status from ContainerStatus: (could not find container "fa94c3cc2006": specified container fa94c3cc20063363a52ece696999e974d7472d4c76395ca5f19f55c883c8080a is not yet created)
    Debug, cri (fa94c3cc2006): id is neither a container nor a pod sandbox
    Debug, cri_async (fa94c3cc2006): Failed to get CRI metadata, returning successful=false
    Debug, cri_async (fa94c3cc2006): Source callback result=2
    Debug, notify_new_container (fa94c3cc2006): created CONTAINER_JSON event, queuing to inspector
    Debug, Parsing Container JSON={"container":{"Mounts":[],"User":"<NA>","cpu_period":100000,"cpu_quota":0,"cpu_shares":1024,"cpuset_cpu_count":0,"created_time":28467688,"env":[],"full_id":"","id":"fa94c3cc2006","image":"","imagedigest":"","imageid":"","imagerepo":"","imagetag":"","ip":"0.0.0.0","is_pod_sandbox":false,"labels":null,"lookup_state":2,"memory_limit":0,"metadata_deadline":0,"name":"","port_mappings":[],"privileged":false,"swap_limit":0,"type":8}}
    

    While it is advantageous to have the container in the container manager as soon as possible to track its activity, we would eventually need its metadata.

    Implement a lookup retry with delays of 125, 250, and 500 ms.

    Which issue(s) this PR fixes:

    Fixes #

    Special notes for your reviewer:

    Does this PR introduce a user-facing change?:

    fix(userspace/libsinsp): improve situation with CRI containers being discovered late
    update(userspace/libsinsp)!: deprecated sinsp::set_cri_delay
    update(userspace/libsinsp): add retry to failed Docker containers lookups
    
    kind/bug kind/feature release-note dco-signoff: yes size/XXL lgtm approved area/libsinsp ok-to-test 
    opened by deepskyblue86 24
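The retry schedule described above, as an added example that is not the project's own code (`lookup_with_retry`, `container_info` and `flaky_engine` are hypothetical names): the lookup is attempted once and then retried after 125, 250 and 500 ms until the engine returns metadata. The sleep function is injected so the schedule can be exercised without waiting; in real use it would be `std::this_thread::sleep_for`. The stub engine mimics the "is not yet created" answer from the log above and the container id is the one from that log.

```cpp
#include <chrono>
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

// What a container engine lookup hands back; `found` is false when the
// engine has no metadata yet (the "is not yet created" case from the log).
struct container_info
{
	std::string id;
	std::string image;  // empty until metadata is available
	bool found = false;
};

using lookup_fn = std::function<container_info(const std::string&)>;
using sleep_fn = std::function<void(std::chrono::milliseconds)>;

// Initial lookup plus one retry per delay; stops at the first result that
// carries metadata. `attempts` reports how many lookups were made.
container_info lookup_with_retry(const std::string& id,
				 const lookup_fn& lookup,
				 const sleep_fn& sleep_for,
				 int& attempts,
				 const std::vector<std::chrono::milliseconds>& delays = {
					 std::chrono::milliseconds(125),
					 std::chrono::milliseconds(250),
					 std::chrono::milliseconds(500)})
{
	attempts = 0;
	container_info info = lookup(id);
	++attempts;
	for(const auto& d : delays)
	{
		if(info.found)
		{
			break;
		}
		sleep_for(d);
		info = lookup(id);
		++attempts;
	}
	return info;
}

// Constructed engine stub: answers without metadata for the first
// `ready_after` calls, then starts returning it.
struct flaky_engine
{
	int calls = 0;
	int ready_after = 0;

	container_info operator()(const std::string& id)
	{
		++calls;
		container_info ci;
		ci.id = id;
		if(calls > ready_after)
		{
			ci.found = true;
			ci.image = "example/juice-shop";  // constructed value
		}
		return ci;
	}
};

// Drives the retry loop against the stub with sleeping replaced by a counter,
// so the schedule can be checked without waiting. Returns the attempt count.
int attempts_until_ready(int fail_count, bool& found, long& slept_ms)
{
	flaky_engine eng;
	eng.ready_after = fail_count;
	int attempts = 0;
	slept_ms = 0;
	container_info ci = lookup_with_retry(
		"fa94c3cc2006", std::ref(eng),
		[&slept_ms](std::chrono::milliseconds d) { slept_ms += d.count(); },
		attempts);
	found = ci.found;
	return attempts;
}

int main()
{
	bool found = false;
	long slept_ms = 0;
	int attempts = attempts_until_ready(2, found, slept_ms);
	std::printf("attempts=%d found=%d slept=%ld ms\n", attempts, found, slept_ms);  // 3 1 375
	attempts = attempts_until_ready(10, found, slept_ms);
	std::printf("attempts=%d found=%d slept=%ld ms\n", attempts, found, slept_ms);  // 4 0 875
	return 0;
}
```

The worst case adds 875 ms before the lookup is given up on. During that window the container is already known to the container manager, as the PR wants, but its metadata fields (image, name, labels) stay empty, so anything that keys on them sees the bare entry until one of the retries succeeds.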
  • BPF issue on amazon linux 2 since we upgraded from 0.29.1 to 0.30 (not working on all kernel 4.1X and 5.X and using clang 7 or clang 11)

    Describe the bug: We are encountering an issue with the BPF module since we upgraded from Falco 0.29.1 to 0.30. We are building the BPF probe using our own Docker image (as an init container); we have been using the default clang/LLVM version (11) for a long time and had to switch to clang 7 since 0.29, if my memory is correct. But now it does not seem to work with either clang version. We are getting a stack trace like this:

    math between map_value pointer and register with unbounded min value is not allowed
    2021-11-15T15:22:14+0000: Runtime error: bpf_load_program() err=22 event=filler/sys_read_x message=0: (bf) r6 = r1
    

    How to reproduce it: Using EKS v1.18 with Amazon Linux 2 and clang 7 or clang 11 (latest from the Amazon repo)

    Environment: OS: Amazon Linux 2 (kernel: 4.14.219-161.340.amzn2.x86_64, but we also use 5.X kernels and the issue is the same); EKS (AWS Kubernetes) 1.18; Clang + LLVM: 7 and 11 (from the Amazon package repo)

    • Falco version: 0.30

    Additional context: We also tried to use the latest version of this repository, especially following this issue

    kind/bug 
    opened by JoupainMD 24
  • Detect valijson on the system and use it when requested

    What type of PR is this?

    /kind feature

    Any specific area of the project related to this PR?

    /area build

    What this PR does / why we need it:

    When not building valijson ourselves, it automatically detects where valijson is installed on the system. Before that, it was necessary to specify the install prefix during configuration.

    Which issue(s) this PR fixes:

    Special notes for your reviewer:

    Does this PR introduce a user-facing change?:

    NONE
    
    kind/feature dco-signoff: yes release-note-none lgtm approved size/M area/build ok-to-test 
    opened by ovalenti 23
  • new(modern_bpf): add support for `open` family syscalls

    What type of PR is this?

    /kind feature

    Any specific area of the project related to this PR?

    /area driver-modern-bpf

    /area libpman

    /area tests

    Does this PR require a change in the driver versions?

    What this PR does / why we need it:

    This PR is part of a series https://github.com/falcosecurity/libs/issues/513, the final aim is to support the most important syscalls also in the new probe. This PR introduces:

    • open
    • openat
    • openat2
    • open_by_handle_at

    Which issue(s) this PR fixes:

    Special notes for your reviewer:

    Does this PR introduce a user-facing change?:

    new(modern_bpf): add support for `open` family syscalls
    
    kind/feature release-note dco-signoff: yes size/XXL lgtm approved area/tests area/driver-modern-bpf area/libpman 
    opened by Andreagit97 21
  • fix(ci): fixed checkout action fetch depth.

    What type of PR is this?

    /kind bug

    Any specific area of the project related to this PR?

    /area CI

    What this PR does / why we need it:

    This PR addresses the issue that CI jobs are not able to compute the libs version during the cmake configure step; see here for example (https://github.com/falcosecurity/libs/runs/7652420577?check_suite_focus=true):

    -- Libs version: 0.0.0
    -- Driver version: 0.0.0
    -- Driver API version 2.0.0
    -- Driver schema version 2.0.0

    Which issue(s) this PR fixes:

    Fixes #

    Special notes for your reviewer:

    Does this PR introduce a user-facing change?:

    NONE
    
    kind/bug dco-signoff: yes release-note-none size/S lgtm approved 
    opened by FedeDP 20
  • [part 1/n] Introduce vtable-based dispatch

    What this PR does / why we need it:

    This is the first in a series of PRs that aim to encapsulate all engine-specific behavior of libscap behind a series of vtables, instead of ifs and #ifdefs.

    The motivation is:

    • to clean up the code and make it more maintainable
    • to enable alternative instrumentation engines

    Special notes for your reviewer:

    This PR (temporarily) makes things much uglier and is just the first one in a series. With this PR, the most important scap functions are routed through a vtable, if present. This PR creates separate implementations for the nodriver, source_plugin and udig engines. eBPF, kmod and savefile are still TODO, as are additional vtables, which are used mostly at initialization time.

    Does this PR introduce a user-facing change?:

    NONE
    
    dco-signoff: yes size/XXL release-note-none lgtm approved kind/cleanup area/libscap kind/design 
    opened by gnosek 20
  • new(driver-bpf,driver-kmod,libscap,libscap-engine-bpf,libscap-engine-kmod): extend buffer event drop metrics

    Signed-off-by: incertum [email protected]

    What type of PR is this?

    /kind feature

    Any specific area of the project related to this PR?

    /area driver-bpf /area libscap /area libscap-engine-bpf

    What this PR does / why we need it:

    • Add n_drops_buffer_* stats for categories of system calls when the perf buffer between kernel and userspace is full (eBPF).
    • Proposed changes hold the potential to more accurately measure the impact of future optimizations that address kernel side event drops than is currently possible solely based on the total n_drops_buffer.
    • Breakdown of event drops per system call category can serve as a reflection of the servers' / clusters' workload footprint, e.g. expect higher drops for open system calls, because this is a higher-volume system call. However, the ratios between the categories vary significantly across workloads. For instance, for the open system call category we observed ratios of 2000:1 or 5:3 (open system call drops : next highest category drops).

    Kicking off a discussion around possible future optimizations to reduce kernel side event drops:

    • When using Falco on bare-metal production servers with 50-60% average load in simpleconsumer mode event drops likely won't be much of an issue. On the other hand bare-metal servers with higher average loads and/or unique workloads may experience event drops on a fraction of the fleet.
    • Several issues in the past around event drops have been raised. However, it appears more work needs to be done to address the issue of kernel side event drops in order to prevent them from happening even under the most extreme conditions.
    • More specifically, would like to re-start a conversation around buffer size (e.g. see https://github.com/falcosecurity/falco/issues/813), but tailored towards eBPF. eBPF driver currently uses a perf buffer
      • perf_map of type BPF_MAP_TYPE_PERF_EVENT_ARRAY, see https://github.com/falcosecurity/libs/blob/master/driver/bpf/maps.h#L23 (note that .max_entries is set to number of cpus in userspace)
      • per-CPU buffer size is specified in userspace, see https://github.com/falcosecurity/libs/blob/master/userspace/libscap/engine/bpf/scap_bpf.c#L149 and defined as:
      	static const int BUF_SIZE_PAGES = 2048;
      
      	int page_size = getpagesize();
      	int ring_size = page_size * BUF_SIZE_PAGES;
      	int header_size = page_size;
      	int total_size = ring_size * 2 + header_size;
      
      • Assuming page_size is 4096 bytes we get a total of ~16.78 MB hard-coded buffer size [(4096 bytes * 2048 * 2) + 4096 bytes]
      • What experiments led to the choice of the current default settings? What are the trade-offs of increasing / decreasing buffer size with respect to both
        • (1) throughput rate and
        • (2) CPU utilization?
      • Would there be appetite to make BUF_SIZE_PAGES (aka number of pages, needs to be power of 2) configurable over a cmdline flag like suggested in the earlier issue listed above? That way end-users could optimize deployments for both bare-metal and the world of hypervisors where Falco runs in each guest OS (VMs, micro-VMs etc). At the same time, recommendations and crowd-sourced experimental results for choosing the right buffer size in a particular environment would be awesome to guide decision making.
      • Alternative of BPF_MAP_TYPE_RINGBUF got introduced in kernel 5.8, therefore still a bit forward leaning, but could initial experimental results of the benefits be shared beyond @fntlnz post?
    • Finally, besides adjusting buffer size pushing targeted pre-filters into the kernel (eBPF option) beyond simpleconsumer mode may be another viable alternative in order to drop the uninteresting portion of events for the system calls of interest before mapping to userspace while not generating unnecessary overhead in the kernel program - looking into it.

    Special notes for your reviewer:

    • Finalized by https://github.com/falcosecurity/falco/pull/2079.
    • Possibly more categories could be added or different buckets of system calls can be implemented instead.

    Does this PR introduce a user-facing change?:

    NONE
    

    How was this tested?:

    Deployed to a production environment - working as expected, generates useful insights.

    Related / Tracking:

    • https://github.com/falcosecurity/falco/issues/1403
    kind/feature dco-signoff: yes release-note-none lgtm approved area/driver-kmod area/driver-bpf area/libscap ok-to-test size/XL area/libscap-engine-bpf area/libscap-engine-kmod 
    opened by incertum 19
  • fix(userspace/libscap): fix windows and macos linking of binaries.

    What type of PR is this?

    /kind bug

    Any specific area of the project related to this PR?

    /area build

    /area libscap

    What this PR does / why we need it:

    Which issue(s) this PR fixes:

    Fixes #

    Special notes for your reviewer:

    Does this PR introduce a user-facing change?:

    NONE
    
    kind/bug dco-signoff: yes release-note-none lgtm approved size/M area/build area/libscap 
    opened by FedeDP 18
  • Scaffolding modern BPF probe

    What type of PR is this?

    /kind design

    /kind feature

    Any specific area of the project related to this PR?

    /area build

    /area driver-modern-bpf

    /area libscap-engine-modern-bpf

    /area libscap

    /area libpman

    What this PR does / why we need it:

    This is the first PR regarding the modern BPF probe presented in the public proposal.

    Sorry for the huge number of lines, but apart from the autogenerated vmlinux.h (more than 280k lines of code), I think that the rest of the code should be put together since it is strictly related. Anyway, I tried to document everything as much as possible, if something is unclear, please feel free to leave a comment under this PR.

    The rationale here is to introduce all the necessary scaffolding for the modern BPF probe and also to support the first syscall: mkdir. In this PR, I used some workarounds to build the new probe over the v-table architecture, as the state of the v-table progresses we will refactor this code. Along with the code, you can find some README.md files that try to explain the implementation choices. Given the dimensions, I did not insert the test framework in this PR, so I will introduce it in one of the next steps. Right now, the only way to test the modern probe is using the scap-open example. Please, look at the updated project README to build and run it!

    Please note: Since this modern probe is obviously not ready to be used in production, it is completely compiled out unless you use the CMake option -DUSE_MODERN_BPF=ON.

    This is a brief summary of what this PR introduces:

    BPF-side

    • [x] autogenerated vmlinux.h for ARM64 and x86 architectures.
    • [x] missing kernel definitions. Since we use the vmlinux and no more kernel headers we need to report all macro definitions.
    • [x] necessary helpers in the /helpers folder.
    • [x] GPL license.
    • [x] shared definitions between bpf-side and userspace-side
    • [x] BPF maps definitions
    • [x] dimensions for fixed-size events.
    • [x] BPF programs directly attached into the kernel (syscall dispatchers)
    • [x] BPF programs tail-called by syscall dispatchers (right now only 2 events mkdir_e and mkdir_x)

    Userspace library "libpman" (lib-probe-management)

    • [x] libpman includes
    • [x] libpman source code:
      • [x] internal state
      • [x] bpf prog table
      • [x] capture logic
      • [x] configuration logic
      • [x] lifecycle logic
      • [x] maps logic
      • [x] programs logic
      • [x] ringbuffer logic

    Userspace engine (modern_bpf)

    • [x] add a new engine called modern_bpf
    • [x] introduce a new scap_mode -> SCAP_MODE_MODERN_BPF to use this engine. Please note this is only a tmp workaround until the v-table architecture will be completed.
    • [x] introduce a dedicated function scap_open_modern_bpf_int to open and initialize the engine.
    • [x] configure the scap-open example to use the modern bpf probe

    Build (CMAKE)

    • [x] build modern probe skeleton
    • [x] build libpman
    • [x] build modern_bpf engine
    • [x] adapt scap to build the engine only with cmake option -DUSE_MODERN_BPF=ON.

    Documentation

    • [x] Update project README with info on how to build the modern probe.
    • [x] Add Falco copyright
    • [x] Add libpman area to PULL_REQUEST template

    Which issue(s) this PR fixes:

    Special notes for your reviewer:

    Does this PR introduce a user-facing change?:

    NONE
    
    kind/feature dco-signoff: yes size/XXL release-note-none lgtm approved area/build area/libscap kind/design area/driver-modern-bpf area/libscap-engine-modern-bpf area/libpman 
    opened by Andreagit97 18
Releases (0.8.0)
  • 0.8.0 (Jul 20, 2022)

    What's Changed

    • fix(libscap): add EF_OLD_VERSION for older versions of events by @LucaGuerra in https://github.com/falcosecurity/libs/pull/474
    • new(userspace/libsinsp): extend filter/display fields by @incertum in https://github.com/falcosecurity/libs/pull/468
    • new(ci): port to github actions. Added a windows and macos CI too. by @FedeDP in https://github.com/falcosecurity/libs/pull/453
    • docs: add libpman label by @Andreagit97 in https://github.com/falcosecurity/libs/pull/475
    • fix(install): install the 10 libscap related libraries by @terylt in https://github.com/falcosecurity/libs/pull/467
    • fix(ci): fixed github actions from master branch by @FedeDP in https://github.com/falcosecurity/libs/pull/478
    • refactor!: move parts of libsinsp under the chisel directory by @jasondellaluce in https://github.com/falcosecurity/libs/pull/249
    • chore: fix gtest fatal error by @Andreagit97 in https://github.com/falcosecurity/libs/pull/457
    • fix(curl-https-fail): Removing 2 configuration flags for lib curl by @Lowaiz in https://github.com/falcosecurity/libs/pull/442
    • Refactor freeing of devices in scap by @Molter73 in https://github.com/falcosecurity/libs/pull/427
    • refactor(userspace): re-implement plugin loader in C and split it in its own package by @jasondellaluce in https://github.com/falcosecurity/libs/pull/392
    • fix(libscap): fix call to ioctl when getting proclist by @loresuso in https://github.com/falcosecurity/libs/pull/481
    • update(OWNERS): add Mauro Moltrasio (Molter73) to OWNERS by @Molter73 in https://github.com/falcosecurity/libs/pull/480
    • fix(userspace/libscap): solve compilation warnings and errors by @jasondellaluce in https://github.com/falcosecurity/libs/pull/483
    • docs: fix order of eBPF warning and gVisor paragraph by @loresuso in https://github.com/falcosecurity/libs/pull/476

    New Contributors

    • @Lowaiz made their first contribution in https://github.com/falcosecurity/libs/pull/442

    Full Changelog: https://github.com/falcosecurity/libs/compare/0.7.0...0.8.0

  • 0.7.0 (Jul 8, 2022)

    What's Changed

    • new(libsinsp): add is_gvisor() by @LucaGuerra in https://github.com/falcosecurity/libs/pull/417
    • new(gvisor): retrieve procfs state from gvisor by @loresuso in https://github.com/falcosecurity/libs/pull/412
    • update(build): upgrade OpenSSL to 1.1.1p by @LucaGuerra in https://github.com/falcosecurity/libs/pull/422
    • chore(userspace/libsinsp): make k8s bad node name error more informative by @jasondellaluce in https://github.com/falcosecurity/libs/pull/424
    • fix(gvisor): initialize missing variables by @Molter73 in https://github.com/falcosecurity/libs/pull/420
    • Add async key value unit tests by @mstemm in https://github.com/falcosecurity/libs/pull/419
    • build: reorganize driver cmake vars by @leogr in https://github.com/falcosecurity/libs/pull/423
    • update(gvisor): fill also tinfo uid and gid by @loresuso in https://github.com/falcosecurity/libs/pull/426
    • update(libsinsp): add a way to generate gVisor trace session config file by @loresuso in https://github.com/falcosecurity/libs/pull/425
    • fix(libsinsp): Don't overwrite good container metadata with bad by @gnosek in https://github.com/falcosecurity/libs/pull/428
    • update(gvisor): implement parsing for procfs regular files by @loresuso in https://github.com/falcosecurity/libs/pull/430
    • new(gvisor): get socket from configuration file, fix tests by @LucaGuerra in https://github.com/falcosecurity/libs/pull/429
    • cleanup(gvisor): use SYS_ macros instead of syscall numbers by @LucaGuerra in https://github.com/falcosecurity/libs/pull/431
    • update(build): upgrade libcurl to 7.84.0 by @LucaGuerra in https://github.com/falcosecurity/libs/pull/432
    • fix(gvisor): fix off-by-one in json parsing eating the last character by @LucaGuerra in https://github.com/falcosecurity/libs/pull/434
    • new(gvisor): missing syscalls by @loresuso in https://github.com/falcosecurity/libs/pull/433
    • feature(sinsp-example): print info about all threads by @Molter73 in https://github.com/falcosecurity/libs/pull/437
    • update(gvisor): introduce default root path by @loresuso in https://github.com/falcosecurity/libs/pull/444
    • new(gvisor): add new syscalls (update to gvisor 45b06bbb) by @LucaGuerra in https://github.com/falcosecurity/libs/pull/438
    • fix(libscap): bump minimum schema version to 2.0.0 by @Molter73 in https://github.com/falcosecurity/libs/pull/445
    • fix(libsinsp/k8s): set api url path to "apps/v1" by @alacuku in https://github.com/falcosecurity/libs/pull/447
    • fix(userspace/libscap,userspace/libsinsp): fix windows build by @geraldcombs in https://github.com/falcosecurity/libs/pull/451
    • fix(userspace/libscap): propagate scap open errors by @jasondellaluce in https://github.com/falcosecurity/libs/pull/456
    • fix(userspace/libsinsp): avoid crashing in TYPE_RESSTR when an EF_CREATES_FD event has no "fd" param by @FedeDP in https://github.com/falcosecurity/libs/pull/455
    • fix(gvisor): fix epoll use-after-free by @loresuso in https://github.com/falcosecurity/libs/pull/458
    • update(gvisor): implement get_stats for gVisor by @loresuso in https://github.com/falcosecurity/libs/pull/463
    • update(gvisor): do not count unsupported messages for stats by @LucaGuerra in https://github.com/falcosecurity/libs/pull/464
    • fix(build): set gtest tag instead of using main by @LucaGuerra in https://github.com/falcosecurity/libs/pull/466
    • fix(userspace/libsinsp): reduce mem allocs for filter comparisons by @jasondellaluce in https://github.com/falcosecurity/libs/pull/368
    • fix(userspace/libsinsp): avoid string copy in plugin extraction by @jasondellaluce in https://github.com/falcosecurity/libs/pull/370
    • new(userspace/libscap): [part 1/n] Introduce vtable-based dispatch by @gnosek in https://github.com/falcosecurity/libs/pull/213
    • fix(userspace/libsinsp): reduce mem allocs for field extraction in chisels and formatting by @jasondellaluce in https://github.com/falcosecurity/libs/pull/369
    • docs: update PULL_REQUEST_TEMPLATE.md by @Andreagit97 in https://github.com/falcosecurity/libs/pull/372
    • update(driver,libsinsp): inode numbers in file events by @yo348 in https://github.com/falcosecurity/libs/pull/302
    • refactor(userspace/libsinsp): remove unused check_id from events by @jasondellaluce in https://github.com/falcosecurity/libs/pull/376
    • fix(libscap): call vtable->free_handle at shutdown by @LucaGuerra in https://github.com/falcosecurity/libs/pull/380
    • fix(userspace/libsinsp): define HAVE_PWD_H and HAVE_GRP_H on every non-windows system by @jasondellaluce in https://github.com/falcosecurity/libs/pull/383
    • refactor(userspace/libsinsp)!: split plugin creation and initialization phases by @jasondellaluce in https://github.com/falcosecurity/libs/pull/378
    • new(userspace/libscap): [part 2/n] Move kmod and BPF engines to vtables by @gnosek in https://github.com/falcosecurity/libs/pull/374
    • fix(userspace/libsinsp): Fix helgrind errors for async_key_value_source by @mstemm in https://github.com/falcosecurity/libs/pull/384
    • update(build): Move CMAKE_THREAD_LIBS_INIT to after gtest when linking by @mstemm in https://github.com/falcosecurity/libs/pull/387
    • fix(build): make codebase more robust to __STDC_FORMAT_MACROS definitions by @jasondellaluce in https://github.com/falcosecurity/libs/pull/390
    • chore(userspace/libsinsp): improve messages of plugin version errors by @jasondellaluce in https://github.com/falcosecurity/libs/pull/389
    • new(libscap): add gVisor scap engine by @LucaGuerra @loresuso @Molter73 in https://github.com/falcosecurity/libs/pull/328
    • fix(libscap): bpf probe was not correctly loaded by @Andreagit97 in https://github.com/falcosecurity/libs/pull/396
    • fix(libscap): fix debug mode assert by @LucaGuerra in https://github.com/falcosecurity/libs/pull/397
    • update(userspace/libscap): support scaps stats in source plugin engine by @jasondellaluce in https://github.com/falcosecurity/libs/pull/400
    • update(libscap): improve scap-open example by @Andreagit97 in https://github.com/falcosecurity/libs/pull/371
    • update(libscap): Add a macOS platform directory by @geraldcombs in https://github.com/falcosecurity/libs/pull/398
    • new(userspace,driver): Better support for dup syscall family by @alacuku in https://github.com/falcosecurity/libs/pull/385
    • new(libscap): add /proc scan vtable functions, wire them to gvisor implementation by @LucaGuerra in https://github.com/falcosecurity/libs/pull/404
    • new(libscap): gVisor sandboxes trace session set up with runsc by @loresuso in https://github.com/falcosecurity/libs/pull/393
    • fix(gvisor): use strlcpy to copy unix path strings by @LucaGuerra in https://github.com/falcosecurity/libs/pull/406
    • fix(scap_open): avoid segmentation faults when the path is missing by @Andreagit97 in https://github.com/falcosecurity/libs/pull/409
    • update(gvisor): only build on x86_64 by @LucaGuerra in https://github.com/falcosecurity/libs/pull/408
    • fix(gvisor): handle empty root path or socket by @LucaGuerra in https://github.com/falcosecurity/libs/pull/407
    • new(build): sets FALCOSECURITY_LIBS_VERSION on the checked-out git ref by @andreabonanno in https://github.com/falcosecurity/libs/pull/196
    • docs: initial release.md by @leogr in https://github.com/falcosecurity/libs/pull/405
    • fix(gvisor): add DEPENDS to proto generation command by @LucaGuerra in https://github.com/falcosecurity/libs/pull/415
    • build: versioning system by @leogr in https://github.com/falcosecurity/libs/pull/413

    Full Changelog: https://github.com/falcosecurity/libs/compare/0.7.0-alpha...0.7.0

  • 0.7.0-rc4(Jul 6, 2022)

  • 2.0.0+driver(Jul 4, 2022)

    What's Changed

    • build: reorganize driver cmake vars by @leogr in https://github.com/falcosecurity/libs/pull/423
    • fix(driver): fixed kmod build on linux kernels >= 5.18. by @FedeDP in https://github.com/falcosecurity/libs/pull/411
    • fix(scap_engine_bpf): enable _64BIT_ARGS_SINGLE_REGISTER on ARM64 by @Andreagit97 in https://github.com/falcosecurity/libs/pull/418
    • chore(drivers): add a warning for not officially supported archs by @Andreagit97 in https://github.com/falcosecurity/libs/pull/421
    • update(driver): bump SCHEMA_VERSION to 2.0.0 by @leogr in https://github.com/falcosecurity/libs/pull/436
    • Support execve exit events and clone child exit events on ARM64 by @Andreagit97 in https://github.com/falcosecurity/libs/pull/416
    • fix(driver): fix pt_regs missing definition by @loresuso in https://github.com/falcosecurity/libs/pull/450
    • fix(bpf): fix compilation issue on 4.18.0-193.75.1.el8_2.x86_64 by @Andreagit97 in https://github.com/falcosecurity/libs/pull/448
    • Better support for dup syscall family by @alacuku in https://github.com/falcosecurity/libs/pull/385
    • fix(driver): io_uring_params features attribute by @deepskyblue86 in https://github.com/falcosecurity/libs/pull/379
    • fix(driver): drop EF_USES_FD and EF_MODIFIES_STATE flags for enter events generated by uring syscalls by @alacuku in https://github.com/falcosecurity/libs/pull/395
    • fix(driver): check rename family syscalls are defined by @Andreagit97 in https://github.com/falcosecurity/libs/pull/401
    • fix(driver): 'declaration changes meaning' error when compiling in C++ by @yo348 in https://github.com/falcosecurity/libs/pull/440

    Full Changelog: https://github.com/falcosecurity/libs/compare/1.0.0-alpha+driver...2.0.0+driver

  • 0.7.0-rc3(Jul 5, 2022)

  • 2.0.0-rc1+driver(Jun 30, 2022)

  • 0.7.0-rc2(Jul 1, 2022)

  • 0.7.0-rc1(Jun 30, 2022)

  • 1.0.0-alpha2+driver(Jun 23, 2022)

  • 0.7.0-alpha2(Jun 23, 2022)

  • 1.0.0-alpha+driver(Jun 21, 2022)

  • 0.7.0-alpha(Jun 21, 2022)

Owner
Falco
Falco is Container Native Runtime Security
Source-code based coverage for eBPF programs actually running in the Linux kernel

bpfcov Source-code based coverage for eBPF programs actually running in the Linux kernel This project provides 2 main components: libBPFCov.so - an ou

elastic 110 Aug 4, 2022
Linux Application Level Firewall based on eBPF and NFQUEUE.

eBPFSnitch eBPFSnitch is a Linux Application Level Firewall based on eBPF and NFQUEUE. It is inspired by OpenSnitch, and Douane, but utilizing modern

Harpo Roeder 650 Aug 3, 2022
eBPF bytecode assembler and compiler

An eBPF bytecode assembler and compiler that * Assembles the bytecode to object code. * Compiles the bytecode to C macro preprocessors. Symbolic

Emil Masoumi 6 Jan 23, 2022
A Rust crate that simplifies the integration of Rust and eBPF programs written in C.

This crate simplifies the compilation of eBPF programs written in C integrating clang with Rust and the cargo build system with functions that can be

Simone Margaritelli 19 Mar 16, 2022
ebpfkit-monitor is a tool that detects and protects against eBPF powered rootkits

ebpfkit-monitor ebpfkit-monitor is a utility that you can use to statically analyse eBPF bytecode or monitor suspicious eBPF activity at runtime. It

Guillaume Fournier 64 Aug 4, 2022
bpflock - eBPF driven security for locking and auditing Linux machines

bpflock - Lock Linux machines bpflock - eBPF driven security for locking and auditing Linux machines. This is a Work In Progress: bpflock is currently

The Linux lock machine projects 88 Aug 9, 2022
Parca-agent - eBPF based always-on profiler auto-discovering targets in Kubernetes and systemd, zero code changes or restarts needed!

Parca Agent Parca Agent is an always-on sampling profiler that uses eBPF to capture raw profiling data with very low overhead. It observes user-space

Parca 174 Aug 12, 2022
This is a kernel module for FreeBSD to support WireGuard

WireGuard for FreeBSD This is a kernel module for FreeBSD to support WireGuard. It is being developed here before its eventual submission to FreeBSD 1

WireGuard 30 Jul 28, 2022
Example how to run eBPF probes without a usermode process using fentry

Pinning eBPF Probes Simple example to demonstrate how to pin kernel function and syscall probes. Overview From my reading of the kernel code, KProbe a

pat_h/to/file 3 Jun 7, 2021
eBPF implementation that runs on top of Windows

eBPF for Windows eBPF is a well-known technology for providing programmability and agility, especially for extending an OS kernel, for use cases such

Microsoft 1.5k Aug 11, 2022
A very basic eBPF Load Balancer in a few lines of C

An eBPF Load Balancer from scratch As seen at eBPF Summit 2021. This is not production ready :-) This uses libbpf as a git submodule. If you clone thi

Liz Rice 140 Jul 16, 2022
skbtracer on ebpf

skbtracer skbtracer is a tool for tracing the path of skb network packets, built on eBPF; the implementation is based on BCC (requires Linux Kernel 4.15+). Usage example: skbtracer.py # trace

DavadDi 45 Jun 18, 2022
some experiments with ebpf

Learning eBPF and some kernel tracing, probe DNS + TCP connection with portable bpf prog. DevEnv Ubuntu 20.04 Install go Install make, clang, llvm Ins

null 11 Aug 4, 2022
Small utility that leverages eBPF to dump the traffic of a unix domain socket

UnixDump UnixDump is a small eBPF powered utility that can be used to dump unix socket traffic. System requirements This project was developed on a Ub

Guillaume Fournier 5 Dec 1, 2021
Tool for Preventing Data Exfiltration with eBPF

bouheki: Tool for Preventing Data Exfiltration with eBPF bouheki is a KSRI implementation using LSM Hook by eBPF. Flexibility to apply restricted netw

mrtc0 44 Aug 3, 2022
The Beginner's Guide to eBPF Programming for Networking

The Beginner's Guide to eBPF Programming for Networking As seen at Cloud Native eBPF Day 2021. Setup Create a container that we can issue curl request

Liz Rice 72 Aug 9, 2022
Detect syscall hooking using eBPF

BPF-HookDetect Detect Kernel Rootkits hooking syscalls Overview Details To Build To Run Example Test Resources Overview Kernel Rootkits such as Diamor

pat_h/to/file 82 Jul 31, 2022
A collection of eBPF programs demonstrating bad behavior

Bad BPF A collection of malicious eBPF programs that make use of eBPF's ability to read and write user data in between the usermode program and the ke

pat_h/to/file 234 Aug 10, 2022
A list of network measurement sketch algorithms implemented in eBPF

eBPF Sketches This repository contains a list of the most famous sketches implemented within the eBPF/XDP subsystem. In particular, we have: Count Ske

null 11 May 22, 2022