falcosecurity · poiana · Sep 20, 2022 · Sep 12, 2022 · Sep 12, 2022 · Sep 16, 2022
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -114,6 +114,11 @@ set(DRIVER_NAME "falco")
 set(DRIVER_DEVICE_NAME "falco")
 set(DRIVERS_REPO "https://download.falco.org/driver")
 
+# If no path is provided, try to search the BPF probe in: `home/.falco/falco-bpf.o`
+# This is the same fallback that we had in the libraries: `SCAP_PROBE_BPF_FILEPATH`.
+set(FALCO_PROBE_BPF_FILEPATH ".${DRIVER_NAME}/${DRIVER_NAME}-bpf.o")
+add_definitions(-DFALCO_PROBE_BPF_FILEPATH="${FALCO_PROBE_BPF_FILEPATH}")
+
 if(NOT DEFINED FALCO_COMPONENT_NAME)
     set(FALCO_COMPONENT_NAME "${CMAKE_PROJECT_NAME}")
 endif()

diff --git a/cmake/modules/driver.cmake b/cmake/modules/driver.cmake
@@ -26,8 +26,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "6599e2efebce30a95f27739d655d53f0d5f686e4")
-    set(DRIVER_CHECKSUM "SHA256=7cd84fe8a41c25bba9cd7d5d86a87d2483658e367b885ddbd3037aa45404df04")
+    set(DRIVER_VERSION "fd46dd139a8e35692a7d40ab2f0ed2016df827cf")
+    set(DRIVER_CHECKSUM "SHA256=7c14a4b5f282c9e1e4496f5416d73c3132c72954d581e1a737f82ffa0e3a6bdd")
   endif()
 
   # cd /path/to/build && cmake /path/to/source
@@ -45,4 +45,4 @@ set(DRIVER_NAME "falco")
 set(DRIVER_PACKAGE_NAME "falco")
 set(DRIVER_COMPONENT_NAME "falco-driver")
 
-add_subdirectory(${DRIVER_SOURCE_DIR} ${PROJECT_BINARY_DIR}/driver)
+add_subdirectory(${DRIVER_SOURCE_DIR} ${PROJECT_BINARY_DIR}/driver)
diff --git a/cmake/modules/falcosecurity-libs.cmake b/cmake/modules/falcosecurity-libs.cmake
@@ -27,8 +27,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "6599e2efebce30a95f27739d655d53f0d5f686e4")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=7cd84fe8a41c25bba9cd7d5d86a87d2483658e367b885ddbd3037aa45404df04")
+    set(FALCOSECURITY_LIBS_VERSION "fd46dd139a8e35692a7d40ab2f0ed2016df827cf")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=7c14a4b5f282c9e1e4496f5416d73c3132c72954d581e1a737f82ffa0e3a6bdd")
   endif()
 
   # cd /path/to/build && cmake /path/to/source
@@ -49,7 +49,6 @@ if(MUSL_OPTIMIZED_BUILD)
   add_definitions(-DMUSL_OPTIMIZED)
 endif()
 
-set(SCAP_BPF_PROBE_ENV_VAR_NAME "FALCO_BPF_PROBE")
 set(SCAP_HOST_ROOT_ENV_VAR_NAME "HOST_ROOT")
 
 if(NOT LIBSCAP_DIR)
@@ -85,4 +84,4 @@ endif()
 
 include(driver)
 include(libscap)
-include(libsinsp)
+include(libsinsp)
diff --git a/cmake/modules/plugins.cmake b/cmake/modules/plugins.cmake
@@ -19,11 +19,11 @@ if(NOT DEFINED PLUGINS_COMPONENT_NAME)
     set(PLUGINS_COMPONENT_NAME "${CMAKE_PROJECT_NAME}-plugins")
 endif()
 
-set(PLUGIN_K8S_AUDIT_VERSION "0.3.0")
+set(PLUGIN_K8S_AUDIT_VERSION "0.4.0-rc1")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_K8S_AUDIT_HASH "214915fc2a61d147d64aaf4cb29c3fc6a513eda621dad1dfe77f2fd7099b31e1")
+    set(PLUGIN_K8S_AUDIT_HASH "9b77560861ae2b1539a32a542e0b282b4ae83e0a8c26aad7ecefd3e721e9eb99")
 else() # aarch64
-    set(PLUGIN_K8S_AUDIT_HASH "d9b4610714df581043db76ecb4caf3a41aae5494cf61ab8740a3749bfac8457e")
+    set(PLUGIN_K8S_AUDIT_HASH "9c7de9a1213dc2e125f1ad2302818e5d34a7c95bfc67532b9d37395c60785d02")
 endif()
 
 ExternalProject_Add(
@@ -39,18 +39,18 @@ install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/
 ExternalProject_Add(
   k8saudit-rules
   URL "https://download.falco.org/plugins/stable/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz"
-  URL_HASH "SHA256=3913a8c6095794c7de6a97a2a64953a0fa4f87caab014d11b2c8f9221eb77591"
+  URL_HASH "SHA256=f65982fd1c6bc12ae8db833c36127a70252464bd5983fd75c39b91d630eb7f40"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
 
 install(FILES "${PROJECT_BINARY_DIR}/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
 
-set(PLUGIN_CLOUDTRAIL_VERSION "0.5.0")
+set(PLUGIN_CLOUDTRAIL_VERSION "0.6.0-rc1")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_CLOUDTRAIL_HASH "ca6c0d087b37090145ef0c92f10d1dd32bb2a08c7bae83cc6fb7a1ba712f3182")
+    set(PLUGIN_CLOUDTRAIL_HASH "a6c6acf16f7b4acd2b836e2be514346ee15a1e5adce936bd97ab6338d16ad6f9")
 else() # aarch64
-    set(PLUGIN_CLOUDTRAIL_HASH "f6e12d3bd16ae0f504ed2bb56d13531d15b7d55beb1b63932cbe603cff941372")
+    set(PLUGIN_CLOUDTRAIL_HASH "a6105cb3864a613b3488c60c723163630484bc36b2aa219fb1c730c7735fb5fa")
 endif()
 
 ExternalProject_Add(
@@ -66,18 +66,18 @@ install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plu
 ExternalProject_Add(
   cloudtrail-rules
   URL "https://download.falco.org/plugins/stable/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz"
-  URL_HASH "SHA256=7f88fb6b530f8ee739b65d38a36c69cdc70398576299b90118bd7324dbdb5f46"
+  URL_HASH "SHA256=4df7a0d56300d6077807bc205a8ab7ab3b45c495adcc209c5cca1e8da6fc93c6"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
 
   install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-rules-prefix/src/cloudtrail-rules/aws_cloudtrail_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
 
-set(PLUGIN_JSON_VERSION "0.5.0")
+set(PLUGIN_JSON_VERSION "0.6.0-rc1")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_JSON_HASH "b422c4f08bb54ccd384a87c5922e120d5731028c87742ef657cacf936447c202")
+    set(PLUGIN_JSON_HASH "7969e4731e529c5a9d9895ee52ec1845d4d1889cfa3562170288bb7a593bf6b9")
 else() # aarch64
-    set(PLUGIN_JSON_HASH "8358f04325d8a9e9675f38fae8d13a250fb132dcf6741fd0f9830e8c39f48aed")
+    set(PLUGIN_JSON_HASH "c19fd1b64228ff95b1dc88d441143017807aa59ba57ae868a5f7db85b93bff99")
 endif()
 
 ExternalProject_Add(

diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml
@@ -1098,7 +1098,7 @@ trace_files: !mux
       - rules/catchall_order.yaml
     detect_counts:
       - open_dev_null: 1
-        dev_null: 0
+        dev_null: 6
     trace_file: trace_files/cat_write.scap
 
   validate_skip_unknown_noevt:

diff --git a/test/falco_traces.yaml.in b/test/falco_traces.yaml.in
@@ -123,8 +123,10 @@ traces: !mux
   # falco-event-generator.scap so the rule is still being tested.
   run-shell-untrusted:
     trace_file: traces-positive/run-shell-untrusted.scap
-    detect: False
+    detect: True
     detect_level: DEBUG
+    detect_counts:
+      - "Run shell untrusted": 1
 
   system-binaries-network-activity:
     trace_file: traces-positive/system-binaries-network-activity.scap

diff --git a/test/plugins/test_extract.cpp b/test/plugins/test_extract.cpp
@@ -19,7 +19,7 @@ limitations under the License.
 #include <string.h>
 #include <plugin_info.h>
 
-static const char *pl_required_api_version = "1.0.0";
+static const char *pl_required_api_version = PLUGIN_API_VERSION_STR;
 static const char *pl_name_base            = "test_extract";
 static char pl_name[1024];
 static const char *pl_desc                 = "Test Plugin For Regression Tests";

diff --git a/test/plugins/test_source.cpp b/test/plugins/test_source.cpp
@@ -20,7 +20,7 @@ limitations under the License.
 
 #include <plugin_info.h>
 
-static const char *pl_required_api_version = "1.0.0";
+static const char *pl_required_api_version = PLUGIN_API_VERSION_STR;
 static uint32_t    pl_id                   = 999;
 static const char *pl_name                 = "test_source";
 static const char *pl_desc                 = "Test Plugin For Regression Tests";

diff --git a/userspace/engine/rule_loader.cpp b/userspace/engine/rule_loader.cpp
@@ -81,7 +81,7 @@ rule_loader::context::context(const YAML::Node &item,
 	init(parent.name(), position(item.Mark()), item_type, item_name, parent);
 }
 
-rule_loader::context::context(const libsinsp::filter::parser::pos_info& pos,
+rule_loader::context::context(const libsinsp::filter::ast::pos_info& pos,
 			      const std::string& condition,
 			      const context& parent)
 	: alt_content(condition)

diff --git a/userspace/engine/rule_loader.h b/userspace/engine/rule_loader.h
@@ -112,7 +112,7 @@ class rule_loader
 		//     from the YAML node containing the condition expression.
 		//   - When compiling, the condition expression has expanded
 		//     macro and list references with their values.
-		context(const libsinsp::filter::parser::pos_info& pos,
+		context(const libsinsp::filter::ast::pos_info& pos,
 			const std::string& condition,
 			const context& parent);
 

diff --git a/userspace/falco/CMakeLists.txt b/userspace/falco/CMakeLists.txt
@@ -42,6 +42,7 @@ set(
   app_actions/start_webserver.cpp
   app_actions/validate_rules_files.cpp
   app_actions/create_requested_paths.cpp
+  app_actions/configure_interesting_sets.cpp
   configuration.cpp
   logger.cpp
   falco_outputs.cpp

diff --git a/userspace/falco/app_actions/configure_interesting_sets.cpp b/userspace/falco/app_actions/configure_interesting_sets.cpp
@@ -0,0 +1,43 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "application.h"
+
+using namespace falco::app;
+
+void application::configure_interesting_sets()
+{
+	/// TODO: in the next future we need to change the interface of `enforce_simple_ppm_sc_set`
+	/// and `enforce_sinsp_state_tp` APIs, they shouldn't require an inspector to be called!
+	std::unique_ptr<sinsp> inspector(new sinsp());
+
+	/* Please note: here we fill these 2 sets because we are interested in only some features, if we leave
+	 * them empty `libsinsp` will fill them with all the available syscalls and all the available tracepoints!
+	 */
+
+	/* Here the `libsinsp` state set is not enough, we need other syscalls used in the rules,
+	 * so we use the `simple_set`, this `simple_set` contains all the syscalls of the `libsinsp` state
+	 * plus syscalls for Falco default rules.
+	 */
+	m_state->ppm_sc_of_interest = inspector->enforce_simple_ppm_sc_set();
+
+	/* In this case we get the tracepoints for the `libsinsp` state and we remove
+	 * the `sched_switch` tracepoint since it is highly noisy and not so useful
+	 * for our state/events enrichment.
+	 */
+	m_state->tp_of_interest = inspector->enforce_sinsp_state_tp();
+	m_state->tp_of_interest.erase(SCHED_SWITCH);
+}
diff --git a/userspace/falco/app_actions/init_inspectors.cpp b/userspace/falco/app_actions/init_inspectors.cpp
@@ -20,7 +20,7 @@ limitations under the License.
 
 using namespace falco::app;
 
-static void init_syscall_inspector(
+void application::init_syscall_inspector(
 		std::shared_ptr<sinsp> inspector,
 		const falco::app::cmdline_options& opts)
 {
@@ -48,12 +48,7 @@ static void init_syscall_inspector(
 
 	if(!opts.all_events)
 	{
-		// Drop EF_DROP_SIMPLE_CONS kernel side
-		inspector->set_simple_consumer();
-		// Eventually, drop any EF_DROP_SIMPLE_CONS event
-		// that reached userspace (there are some events that are not syscall-based
-		// like signaldeliver, that have the EF_DROP_SIMPLE_CONS flag)
-		inspector->set_drop_event_flags(EF_DROP_SIMPLE_CONS);
+		configure_interesting_sets();
 	}
 
 	inspector->set_hostname_and_port_resolution_mode(false);

diff --git a/userspace/falco/app_actions/load_rules_files.cpp b/userspace/falco/app_actions/load_rules_files.cpp
@@ -21,52 +21,58 @@ using namespace falco::app;
 
 void application::check_for_ignored_events()
 {
-	std::set<uint16_t> evttypes;
-	std::unique_ptr<sinsp> inspector(new sinsp());
-	sinsp_evttables* einfo = inspector->get_event_info_tables();
-	const struct ppm_event_info* etable = einfo->m_event_info;
-
+	/* Get the events from the rules. */
+	std::set<uint16_t> rule_events;
 	std::string source = falco_common::syscall_source;
-	m_state->engine->evttypes_for_ruleset(source, evttypes);
+	m_state->engine->evttypes_for_ruleset(source, rule_events);
 
-	// Save event names so we don't warn for both the enter and exit event.
-	std::set<std::string> warn_event_names;
+	/* Get the events we consider interesting from the application state `ppm_sc` codes. */
+	std::unique_ptr<sinsp> inspector(new sinsp());
+	auto interesting_events = inspector->get_event_set_from_ppm_sc_set(m_state->ppm_sc_of_interest);
+	std::unordered_set<uint32_t> ignored_events;
 
-	for(auto evtnum : evttypes)
+	for(const auto& it : rule_events)
 	{
-		if(evtnum == PPME_GENERIC_E || evtnum == PPME_GENERIC_X)
+		/* If we have the old version of the event we will have also the recent one
+		 * so we can avoid analyzing the presence of old events.
+		 */
+		if(sinsp::is_old_version_event(it))
 		{
 			continue;
 		}
 
-		if(!sinsp::simple_consumer_consider_evtnum(evtnum))
+		/* Here we are interested only in syscall events the internal events are not
+		 * altered without the `-A` flag.
+		 *
+		 * TODO: We could consider also the tracepoint events here but right now we don't have
+		 * the support from the libraries.
+		 */
+		if(!sinsp::is_syscall_event(it))
 		{
-			std::string name = etable[evtnum].name;
-			if(warn_event_names.find(name) == warn_event_names.end())
-			{
-				warn_event_names.insert(name);
-			}
+			continue;
 		}
-	}
 
-	// Print a single warning with the list of ignored events
-	if (!warn_event_names.empty())
-	{
-		std::string skipped_events;
-		bool first = true;
-		for (const auto& evtname : warn_event_names)
+		/* If the event is not in this set it is not considered by Falco. */
+		if(interesting_events.find(it) == interesting_events.end())
 		{
-			if (first)
-			{
-				skipped_events += evtname;
-				first = false;
-			} else
-			{
-				skipped_events += "," + evtname;
-			}
+			ignored_events.insert(it);
 		}
-		fprintf(stderr,"Rules match ignored syscall: warning (ignored-evttype):\n         loaded rules match the following events: %s;\n         but these events are not returned unless running falco with -A\n", skipped_events.c_str());
 	}
+
+	if(ignored_events.empty())
+	{
+		return;
+	}
+
+	/* Get the names of the ignored events and print them. */
+	auto event_names = inspector->get_events_names(ignored_events);
+	std::cerr << std::endl << "Rules match ignored syscall: warning (ignored-evttype):" << std::endl;
+	std::cerr << "Loaded rules match the following events:" << std::endl;
+	for(const auto& it : event_names)
+	{
+		std::cerr << "\t- " << it.c_str() << std::endl;
+	}
+	std::cerr << "But these events are not returned unless running falco with -A" << std::endl << std::endl;
 }
 
 application::run_result application::load_rules_files()
@@ -171,11 +177,13 @@ application::run_result application::load_rules_files()
 		m_state->engine->enable_rule_by_tag(m_options.enabled_rule_tags, true);
 	}
 
-	if(!m_options.all_events)
+	/* Reading a scap file we have no concepts of ignored events we read all we need. */
+	if(!m_options.all_events && !is_capture_mode())
 	{
-		// For syscalls, see if any event types used by the
-		// loaded rules are ones with the EF_DROP_SIMPLE_CONS
-		// label.
+		/* Here we have already initialized the application state with the interesting syscalls,
+		 * so we have to check if any event types used by the loaded rules are not considered by 
+		 * Falco interesting set.
+		 */
 		check_for_ignored_events();
 	}