From 00cd1dbb7333e40dc22e20d1a8eb0cd8367b7879 Mon Sep 17 00:00:00 2001 From: JenTing Hsiao Date: Fri, 16 Oct 2020 13:31:14 +0800 Subject: [PATCH 1/5] Migrate from init to systemd in rpm package Signed-off-by: JenTing Hsiao --- cmake/cpack/CMakeCPackOptions.cmake | 4 +- cmake/modules/CPackConfig.cmake | 7 +- scripts/CMakeLists.txt | 2 +- scripts/rpm/falco | 127 ---------------------------- scripts/rpm/falco.service | 30 +++++++ scripts/rpm/postinstall.in | 2 - scripts/rpm/postuninstall.in | 6 +- scripts/rpm/preuninstall.in | 7 +- 8 files changed, 38 insertions(+), 147 deletions(-) delete mode 100755 scripts/rpm/falco create mode 100644 scripts/rpm/falco.service diff --git a/cmake/cpack/CMakeCPackOptions.cmake b/cmake/cpack/CMakeCPackOptions.cmake index 5d50761d73e..0a9201e16a8 100644 --- a/cmake/cpack/CMakeCPackOptions.cmake +++ b/cmake/cpack/CMakeCPackOptions.cmake @@ -4,8 +4,8 @@ if(CPACK_GENERATOR MATCHES "DEB") endif() if(CPACK_GENERATOR MATCHES "RPM") - list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d/") - list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d") + list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") + list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") endif() if(CPACK_GENERATOR MATCHES "TGZ") diff --git a/cmake/modules/CPackConfig.cmake b/cmake/modules/CPackConfig.cmake index 9cacedeb4f8..32ad1ca00c2 100644 --- a/cmake/modules/CPackConfig.cmake +++ b/cmake/modules/CPackConfig.cmake @@ -46,8 +46,9 @@ set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA ) set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0") +set(CPACK_RPM_PACKAGE_ARCHITECTURE, "amd64") set(CPACK_RPM_PACKAGE_URL "https://www.falco.org") -set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses") +set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses, systemd") set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall") set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall") set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall") @@ -59,9 +60,7 @@ set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION /etc /usr /usr/bin - /usr/share - /etc/rc.d - /etc/rc.d/init.d) + /usr/share) set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF") include(CPack) diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt index 1b5ff731e37..7367282a8ae 100644 --- a/scripts/CMakeLists.txt +++ b/scripts/CMakeLists.txt @@ -26,7 +26,7 @@ configure_file(rpm/postinstall.in rpm/postinstall) configure_file(rpm/postuninstall.in rpm/postuninstall) configure_file(rpm/preuninstall.in rpm/preuninstall) -file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco" +file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service" DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm") configure_file(falco-driver-loader falco-driver-loader @ONLY) diff --git a/scripts/rpm/falco b/scripts/rpm/falco deleted file mode 100755 index 05bbc5fe04a..00000000000 --- a/scripts/rpm/falco +++ /dev/null @@ -1,127 +0,0 @@ -#!/bin/sh - -# -# Copyright (C) 2019 The Falco Authors. -# -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -# -# falco syscall monitoring agent -# -# chkconfig: 2345 55 45 -# description: Falco syscall monitoring agent -# - -### BEGIN INIT INFO -# Provides: -# Required-Start: -# Required-Stop: -# Should-Start: -# Should-Stop: -# Default-Start: -# Default-Stop: -# Short-Description: -# Description: -### END INIT INFO - -# Source function library. -. /etc/rc.d/init.d/functions - -exec="/usr/bin/falco" -prog="falco" -# config="" - -[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog - -lockfile=/var/lock/subsys/$prog -pidfile="/var/run/falco.pid" - -start() { - [ -x $exec ] || exit 5 - # [ -f $config ] || exit 6 - echo -n $"Starting $prog: " - daemon $exec --daemon --pidfile=$pidfile - if [ ! -d /sys/module/falco ]; then - /sbin/modprobe falco || return $? - fi - retval=$? - echo - [ $retval -eq 0 ] && touch $lockfile - return $retval -} - -stop() { - echo -n $"Stopping $prog: " - killproc -p $pidfile - retval=$? - echo - /sbin/rmmod falco - [ $retval -eq 0 ] && rm -f $lockfile - return $retval -} - -restart() { - stop - start -} - -reload() { - restart -} - -force_reload() { - restart -} - -rh_status() { - status -p $pidfile $prog -} - -rh_status_q() { - rh_status >/dev/null 2>&1 -} - - -case "$1" in - start) - rh_status_q && exit 0 - $1 - ;; - stop) - rh_status_q || exit 0 - $1 - ;; - restart) - $1 - ;; - reload) - rh_status_q || exit 7 - $1 - ;; - force-reload) - force_reload - ;; - status) - rh_status - ;; - condrestart|try-restart) - rh_status_q || exit 0 - restart - ;; - *) - echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" - exit 2 -esac -exit $? diff --git a/scripts/rpm/falco.service b/scripts/rpm/falco.service new file mode 100644 index 00000000000..973d31f97ed --- /dev/null +++ b/scripts/rpm/falco.service @@ -0,0 +1,30 @@ +[Unit] +Description=Falco: Container Native Runtime Security + +[Service] +Type=simple +User=root +ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid +UMask=0077 +TimeoutSec=30 +RestartSec=15s +#Restart=always +Restart=on-failure +PrivateTmp=true +NoNewPrivileges=yes +PrivateTmp=true +ProtectHome=read-only +ProtectSystem=full +ProtectKernelTunables=true +RestrictRealtime=true +#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +RestrictAddressFamilies=~AF_PACKET +SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @privileged +# FIXME! +# PANIC: unprotected error in call to Lua API (runtime code generation failed, restricted kernel?) +# https://www.freelists.org/post/luajit/luajit-crashes-with-grsec-kernel,1 +# MemoryDenyWriteExecute=true +# PrivateMounts=true + +[Install] +WantedBy=multi-user.target diff --git a/scripts/rpm/postinstall.in b/scripts/rpm/postinstall.in index 699c27d54c6..eeaa46ec59d 100755 --- a/scripts/rpm/postinstall.in +++ b/scripts/rpm/postinstall.in @@ -29,5 +29,3 @@ else echo -e "Module build for the currently running kernel was skipped since the" echo -e "kernel source for this kernel does not seem to be installed." fi - -/sbin/chkconfig --add falco diff --git a/scripts/rpm/postuninstall.in b/scripts/rpm/postuninstall.in index 1d0f68092ae..0792e13c2df 100755 --- a/scripts/rpm/postuninstall.in +++ b/scripts/rpm/postuninstall.in @@ -1,5 +1,5 @@ # -# Copyright (C) 2019 The Falco Authors. +# Copyright (C) 2020 The Falco Authors. # # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -14,7 +14,3 @@ # See the License for the specific language governing permissions and # limitations under the License. # - -if [ "$1" -ge "1" ]; then - /sbin/service falco condrestart > /dev/null 2>&1 -fi diff --git a/scripts/rpm/preuninstall.in b/scripts/rpm/preuninstall.in index 3e3362ae192..3dc58232afe 100755 --- a/scripts/rpm/preuninstall.in +++ b/scripts/rpm/preuninstall.in @@ -1,5 +1,5 @@ # -# Copyright (C) 2019 The Falco Authors. +# Copyright (C) 2020 The Falco Authors. # # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -15,10 +15,5 @@ # limitations under the License. # -if [ $1 = 0 ]; then - /sbin/service falco stop > /dev/null 2>&1 - /sbin/chkconfig --del falco -fi - mod_version="@PROBE_VERSION@" dkms remove -m falco -v $mod_version --all --rpm_safe_upgrade From 29c3e56485c70c3a99c1b1a09992795c44e4c1a4 Mon Sep 17 00:00:00 2001 From: JenTing Hsiao Date: Mon, 19 Oct 2020 09:22:44 +0800 Subject: [PATCH 2/5] Migrate from init to systemd in debian package Signed-off-by: JenTing Hsiao --- cmake/cpack/CMakeCPackOptions.cmake | 4 +- scripts/CMakeLists.txt | 2 +- scripts/debian/falco | 176 ---------------------------- scripts/debian/falco.service | 29 +++++ scripts/debian/postinst.in | 7 +- scripts/debian/postrm.in | 9 +- scripts/debian/prerm.in | 12 +- scripts/rpm/falco.service | 1 - 8 files changed, 35 insertions(+), 205 deletions(-) delete mode 100755 scripts/debian/falco create mode 100644 scripts/debian/falco.service diff --git a/cmake/cpack/CMakeCPackOptions.cmake b/cmake/cpack/CMakeCPackOptions.cmake index 0a9201e16a8..bbb37a77780 100644 --- a/cmake/cpack/CMakeCPackOptions.cmake +++ b/cmake/cpack/CMakeCPackOptions.cmake @@ -1,6 +1,6 @@ if(CPACK_GENERATOR MATCHES "DEB") - list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d/") - list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d") + list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") + list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") endif() if(CPACK_GENERATOR MATCHES "RPM") diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt index 7367282a8ae..890ccb5003d 100644 --- a/scripts/CMakeLists.txt +++ b/scripts/CMakeLists.txt @@ -19,7 +19,7 @@ configure_file(debian/postinst.in debian/postinst) configure_file(debian/postrm.in debian/postrm) configure_file(debian/prerm.in debian/prerm) -file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco" +file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service" DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian") configure_file(rpm/postinstall.in rpm/postinstall) diff --git a/scripts/debian/falco b/scripts/debian/falco deleted file mode 100755 index f173166e608..00000000000 --- a/scripts/debian/falco +++ /dev/null @@ -1,176 +0,0 @@ -#! /bin/sh -# -# Copyright (C) 2020 The Falco Authors. -# -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -### BEGIN INIT INFO -# Provides: falco -# Required-Start: $remote_fs $syslog -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Falco syscall activity monitoring agent -# Description: Falco is a system activity monitoring agent -# driven by system calls with support for containers. -### END INIT INFO - -# Author: The Falco Authors - -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/bin:/usr/bin -DESC="Falco" -NAME=falco -DAEMON=/usr/bin/$NAME -PIDFILE=/var/run/$NAME.pid -DAEMON_ARGS="--daemon --pidfile=$PIDFILE" -SCRIPTNAME=/etc/init.d/$NAME - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - if [ ! -d /sys/module/falco ]; then - /sbin/modprobe falco || exit 1 - fi - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - /sbin/rmmod falco - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/scripts/debian/falco.service b/scripts/debian/falco.service new file mode 100644 index 00000000000..1a179f3ebc1 --- /dev/null +++ b/scripts/debian/falco.service @@ -0,0 +1,29 @@ +[Unit] +Description=Falco: Container Native Runtime Security + +[Service] +Type=simple +User=root +ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid +UMask=0077 +TimeoutSec=30 +RestartSec=15s +#Restart=always +Restart=on-failure +NoNewPrivileges=yes +PrivateTmp=true +ProtectHome=read-only +ProtectSystem=full +ProtectKernelTunables=true +RestrictRealtime=true +#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +RestrictAddressFamilies=~AF_PACKET +SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @privileged +# FIXME! +# PANIC: unprotected error in call to Lua API (runtime code generation failed, restricted kernel?) +# https://www.freelists.org/post/luajit/luajit-crashes-with-grsec-kernel,1 +# MemoryDenyWriteExecute=true +# PrivateMounts=true + +[Install] +WantedBy=multi-user.target diff --git a/scripts/debian/postinst.in b/scripts/debian/postinst.in index c73611e177b..26314162bb0 100755 --- a/scripts/debian/postinst.in +++ b/scripts/debian/postinst.in @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (C) 2019 The Falco Authors. +# Copyright (C) 2020 The Falco Authors. # # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -41,8 +41,3 @@ case "$1" in fi ;; esac - -if [ -x "/etc/init.d/$NAME" ]; then - update-rc.d $NAME defaults >/dev/null -fi - diff --git a/scripts/debian/postrm.in b/scripts/debian/postrm.in index 1dd2783d05c..0d0dea3ae1f 100755 --- a/scripts/debian/postrm.in +++ b/scripts/debian/postrm.in @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (C) 2019 The Falco Authors. +# Copyright (C) 2020 The Falco Authors. # # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -15,10 +15,3 @@ # See the License for the specific language governing permissions and # limitations under the License. # -set -e - -NAME=falco - -if [ "$1" = "purge" ] ; then - update-rc.d $NAME remove >/dev/null -fi diff --git a/scripts/debian/prerm.in b/scripts/debian/prerm.in index 62625c5e5e9..81d8c8b862c 100755 --- a/scripts/debian/prerm.in +++ b/scripts/debian/prerm.in @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (C) 2019 The Falco Authors. +# Copyright (C) 2020 The Falco Authors. # # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -17,16 +17,6 @@ # set -e -NAME="@PACKAGE_NAME@" - -if [ -x "/etc/init.d/$NAME" ]; then - if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then - invoke-rc.d $NAME stop || exit $? - else - /etc/init.d/$NAME stop || exit $? - fi -fi - DKMS_PACKAGE_NAME="@PACKAGE_NAME@" DKMS_VERSION="@PROBE_VERSION@" diff --git a/scripts/rpm/falco.service b/scripts/rpm/falco.service index 973d31f97ed..1a179f3ebc1 100644 --- a/scripts/rpm/falco.service +++ b/scripts/rpm/falco.service @@ -10,7 +10,6 @@ TimeoutSec=30 RestartSec=15s #Restart=always Restart=on-failure -PrivateTmp=true NoNewPrivileges=yes PrivateTmp=true ProtectHome=read-only From a0043aa1d985ee1b686b0340e77f30731304a971 Mon Sep 17 00:00:00 2001 From: JenTing Hsiao Date: Sun, 13 Dec 2020 08:14:49 +0800 Subject: [PATCH 3/5] Removes the comments in systemd service files Signed-off-by: JenTing Hsiao --- scripts/debian/falco.service | 9 +-------- scripts/rpm/falco.service | 9 +-------- 2 files changed, 2 insertions(+), 16 deletions(-) diff --git a/scripts/debian/falco.service b/scripts/debian/falco.service index 1a179f3ebc1..0163e02b09e 100644 --- a/scripts/debian/falco.service +++ b/scripts/debian/falco.service @@ -8,22 +8,15 @@ ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid UMask=0077 TimeoutSec=30 RestartSec=15s -#Restart=always Restart=on-failure -NoNewPrivileges=yes PrivateTmp=true +NoNewPrivileges=yes ProtectHome=read-only ProtectSystem=full ProtectKernelTunables=true RestrictRealtime=true -#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX RestrictAddressFamilies=~AF_PACKET SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @privileged -# FIXME! -# PANIC: unprotected error in call to Lua API (runtime code generation failed, restricted kernel?) -# https://www.freelists.org/post/luajit/luajit-crashes-with-grsec-kernel,1 -# MemoryDenyWriteExecute=true -# PrivateMounts=true [Install] WantedBy=multi-user.target diff --git a/scripts/rpm/falco.service b/scripts/rpm/falco.service index 1a179f3ebc1..0163e02b09e 100644 --- a/scripts/rpm/falco.service +++ b/scripts/rpm/falco.service @@ -8,22 +8,15 @@ ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid UMask=0077 TimeoutSec=30 RestartSec=15s -#Restart=always Restart=on-failure -NoNewPrivileges=yes PrivateTmp=true +NoNewPrivileges=yes ProtectHome=read-only ProtectSystem=full ProtectKernelTunables=true RestrictRealtime=true -#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX RestrictAddressFamilies=~AF_PACKET SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @privileged -# FIXME! -# PANIC: unprotected error in call to Lua API (runtime code generation failed, restricted kernel?) -# https://www.freelists.org/post/luajit/luajit-crashes-with-grsec-kernel,1 -# MemoryDenyWriteExecute=true -# PrivateMounts=true [Install] WantedBy=multi-user.target From 05e594dda9d7a321b5f01754951b21ff06ec9d61 Mon Sep 17 00:00:00 2001 From: JenTing Hsiao Date: Thu, 4 Feb 2021 14:26:14 +0800 Subject: [PATCH 4/5] Modprobe/rmmod at systemd service start/stop Signed-off-by: JenTing Hsiao --- scripts/debian/falco.service | 3 ++- scripts/rpm/falco.service | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/debian/falco.service b/scripts/debian/falco.service index 0163e02b09e..871a8deeb1f 100644 --- a/scripts/debian/falco.service +++ b/scripts/debian/falco.service @@ -4,7 +4,9 @@ Description=Falco: Container Native Runtime Security [Service] Type=simple User=root +ExecStartPre=/sbin/modprobe falco ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid +ExecStopPost=/sbin/rmmod falco UMask=0077 TimeoutSec=30 RestartSec=15s @@ -16,7 +18,6 @@ ProtectSystem=full ProtectKernelTunables=true RestrictRealtime=true RestrictAddressFamilies=~AF_PACKET -SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @privileged [Install] WantedBy=multi-user.target diff --git a/scripts/rpm/falco.service b/scripts/rpm/falco.service index 0163e02b09e..871a8deeb1f 100644 --- a/scripts/rpm/falco.service +++ b/scripts/rpm/falco.service @@ -4,7 +4,9 @@ Description=Falco: Container Native Runtime Security [Service] Type=simple User=root +ExecStartPre=/sbin/modprobe falco ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid +ExecStopPost=/sbin/rmmod falco UMask=0077 TimeoutSec=30 RestartSec=15s @@ -16,7 +18,6 @@ ProtectSystem=full ProtectKernelTunables=true RestrictRealtime=true RestrictAddressFamilies=~AF_PACKET -SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @privileged [Install] WantedBy=multi-user.target From 389060a2aa5ffde0a62d3d39ca818e02bfca8cde Mon Sep 17 00:00:00 2001 From: JenTing Hsiao Date: Thu, 4 Feb 2021 14:38:51 +0800 Subject: [PATCH 5/5] Bump year to 2021 Signed-off-by: JenTing Hsiao --- cmake/modules/CPackConfig.cmake | 2 +- scripts/CMakeLists.txt | 2 +- scripts/debian/falco.service | 1 + scripts/debian/postinst.in | 2 +- scripts/debian/postrm.in | 2 +- scripts/debian/prerm.in | 2 +- scripts/rpm/falco.service | 1 + scripts/rpm/postinstall.in | 2 +- scripts/rpm/postuninstall.in | 2 +- scripts/rpm/preuninstall.in | 2 +- 10 files changed, 10 insertions(+), 8 deletions(-) diff --git a/cmake/modules/CPackConfig.cmake b/cmake/modules/CPackConfig.cmake index 32ad1ca00c2..98987d7be74 100644 --- a/cmake/modules/CPackConfig.cmake +++ b/cmake/modules/CPackConfig.cmake @@ -1,5 +1,5 @@ # -# Copyright (C) 2020 The Falco Authors. +# Copyright (C) 2021 The Falco Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt index 890ccb5003d..099a8ef4f31 100644 --- a/scripts/CMakeLists.txt +++ b/scripts/CMakeLists.txt @@ -1,5 +1,5 @@ # -# Copyright (C) 2020 The Falco Authors. +# Copyright (C) 2021 The Falco Authors. # # # Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/scripts/debian/falco.service b/scripts/debian/falco.service index 871a8deeb1f..35ae6ba8fe9 100644 --- a/scripts/debian/falco.service +++ b/scripts/debian/falco.service @@ -1,5 +1,6 @@ [Unit] Description=Falco: Container Native Runtime Security +Documentation=https://falco.org/docs/ [Service] Type=simple diff --git a/scripts/debian/postinst.in b/scripts/debian/postinst.in index 26314162bb0..e77ca742fc4 100755 --- a/scripts/debian/postinst.in +++ b/scripts/debian/postinst.in @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (C) 2020 The Falco Authors. +# Copyright (C) 2021 The Falco Authors. # # # Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/scripts/debian/postrm.in b/scripts/debian/postrm.in index 0d0dea3ae1f..d56605b0ef9 100755 --- a/scripts/debian/postrm.in +++ b/scripts/debian/postrm.in @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (C) 2020 The Falco Authors. +# Copyright (C) 2021 The Falco Authors. # # # Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/scripts/debian/prerm.in b/scripts/debian/prerm.in index 81d8c8b862c..1559c860449 100755 --- a/scripts/debian/prerm.in +++ b/scripts/debian/prerm.in @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (C) 2020 The Falco Authors. +# Copyright (C) 2021 The Falco Authors. # # # Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/scripts/rpm/falco.service b/scripts/rpm/falco.service index 871a8deeb1f..35ae6ba8fe9 100644 --- a/scripts/rpm/falco.service +++ b/scripts/rpm/falco.service @@ -1,5 +1,6 @@ [Unit] Description=Falco: Container Native Runtime Security +Documentation=https://falco.org/docs/ [Service] Type=simple diff --git a/scripts/rpm/postinstall.in b/scripts/rpm/postinstall.in index eeaa46ec59d..16fefa48623 100755 --- a/scripts/rpm/postinstall.in +++ b/scripts/rpm/postinstall.in @@ -1,5 +1,5 @@ # -# Copyright (C) 2020 The Falco Authors. +# Copyright (C) 2021 The Falco Authors. # # # Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/scripts/rpm/postuninstall.in b/scripts/rpm/postuninstall.in index 0792e13c2df..447c50d0c60 100755 --- a/scripts/rpm/postuninstall.in +++ b/scripts/rpm/postuninstall.in @@ -1,5 +1,5 @@ # -# Copyright (C) 2020 The Falco Authors. +# Copyright (C) 2021 The Falco Authors. # # # Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/scripts/rpm/preuninstall.in b/scripts/rpm/preuninstall.in index 3dc58232afe..fa8c610696e 100755 --- a/scripts/rpm/preuninstall.in +++ b/scripts/rpm/preuninstall.in @@ -1,5 +1,5 @@ # -# Copyright (C) 2020 The Falco Authors. +# Copyright (C) 2021 The Falco Authors. # # # Licensed under the Apache License, Version 2.0 (the "License");