From 42c91b63ed63e6906309b18f5b5f0fcd6b62bd5c Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Mon, 10 Oct 2022 09:20:12 +0000
Subject: [PATCH 1/2] fix(falco_service): falco service needs to write under `/sys/module/falco`

Signed-off-by: Andrea Terzolo
---
 scripts/debian/falco.service | 1 +
 scripts/rpm/falco.service | 1 +
 2 files changed, 2 insertions(+)

diff --git a/scripts/debian/falco.service b/scripts/debian/falco.service
index 35ae6ba8fe9..d86401b07bd 100644
--- a/scripts/debian/falco.service
+++ b/scripts/debian/falco.service
@@ -17,6 +17,7 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
+ReadWritePaths=/sys/module
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
diff --git a/scripts/rpm/falco.service b/scripts/rpm/falco.service
index ede6c2e356d..29894e419e3 100644
--- a/scripts/rpm/falco.service
+++ b/scripts/rpm/falco.service
@@ -17,6 +17,7 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
+ReadWritePaths=/sys/module
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null

From e2821d150628263a0c42d842645495d1a4682b9d Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Mon, 10 Oct 2022 12:51:03 +0000
Subject: [PATCH 2/2] feature(falco_service): add a service unit to inject the kmod

Signed-off-by: Andrea Terzolo
---
 cmake/cpack/CMakeCPackOptions.cmake | 2 ++
 scripts/CMakeLists.txt | 6 ++++++
 scripts/debian/falco.service | 5 +++--
 scripts/debian/falco_inject_kmod.service | 16 ++++++++++++++++
 scripts/rpm/falco.service | 5 +++--
 scripts/rpm/falco_inject_kmod.service | 16 ++++++++++++++++
 6 files changed, 46 insertions(+), 4 deletions(-)
 create mode 100644 scripts/debian/falco_inject_kmod.service
 create mode 100644 scripts/rpm/falco_inject_kmod.service

diff --git a/cmake/cpack/CMakeCPackOptions.cmake b/cmake/cpack/CMakeCPackOptions.cmake
index e28dfa10ede..18bc5a6ba19 100644
--- a/cmake/cpack/CMakeCPackOptions.cmake
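Review bot: `ReadWritePaths=/sys/module` re-exposes the parameter directories of every loaded module for writing, not just falco's, which gives back a large slice of what `ProtectKernelTunables=true` had made read-only under /sys; the rpm unit in the next hunk gets the identical line. The second patch in this series narrows it to `/sys/module/falco`, so the wide grant only lives in this intermediate commit, but neither version says why the service needs write access there at all, and the commit message only restates that it does. A one-line comment above the directive, e.g. `# falco needs write access below /sys/module/falco (see 42c91b6); keep this as narrow as that directory`, would stop a later edit from re-widening it.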
+++ b/cmake/cpack/CMakeCPackOptions.cmake
@@ -1,11 +1,13 @@
 if(CPACK_GENERATOR MATCHES "DEB")
 list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 if(CPACK_GENERATOR MATCHES "RPM")
 list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 if(CPACK_GENERATOR MATCHES "TGZ")
diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
index 676044ac126..61172f6fff0 100644
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -22,6 +22,9 @@ configure_file(debian/prerm.in debian/prerm)
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
 DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco_inject_kmod.service"
+ DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
+
 configure_file(rpm/postinstall.in rpm/postinstall)
 configure_file(rpm/postuninstall.in rpm/postuninstall)
 configure_file(rpm/preuninstall.in rpm/preuninstall)
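Review bot: The two added `cp` commands spell out the `_CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system` destination for the third and fourth time, so every future unit file means another copy-paste of a path that must match the `mkdir -p` exactly. Hoist it once before the `if(CPACK_GENERATOR MATCHES "DEB")` block, e.g. `set(falco_pkg_systemd_dir "_CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")`, and have the `mkdir -p` and each `cp` use `${falco_pkg_systemd_dir}`. Worth keeping in mind when reviewing these lines: falco.service now carries `Requires=falco_inject_kmod.service`, so a package where this copy is missing or mistyped ships a falco.service that can never start, and nothing at packaging time would catch it.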
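Review bot: `file(COPY ...)` runs once at configure time and does not register `scripts/debian/falco_inject_kmod.service` as a configure dependency, so later edits to the unit are not picked up until someone re-runs cmake; the rpm copy in the next hunk behaves the same way. This matches the existing `falco.service` lines, so it is at least consistent, but for the new file `configure_file("${PROJECT_SOURCE_DIR}/scripts/debian/falco_inject_kmod.service" "${PROJECT_BINARY_DIR}/scripts/debian/falco_inject_kmod.service" COPYONLY)` would give the same result and re-run the configure step whenever the input changes, which is the behaviour the surrounding `configure_file()` calls already have.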
@@ -29,6 +32,9 @@ configure_file(rpm/preuninstall.in rpm/preuninstall)
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
 DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco_inject_kmod.service"
+ DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
+
 configure_file(falco-driver-loader falco-driver-loader @ONLY)
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
diff --git a/scripts/debian/falco.service b/scripts/debian/falco.service
index d86401b07bd..0e3e16ce176 100644
--- a/scripts/debian/falco.service
+++ b/scripts/debian/falco.service
@@ -1,11 +1,12 @@
 [Unit]
 Description=Falco: Container Native Runtime Security
 Documentation=https://falco.org/docs/
+After=falco_inject_kmod.service
+Requires=falco_inject_kmod.service
 [Service]
 Type=simple
 User=root
-ExecStartPre=/sbin/modprobe falco
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
 ExecStopPost=/sbin/rmmod falco
 UMask=0077
@@ -17,7 +18,7 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
-ReadWritePaths=/sys/module
+ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
diff --git a/scripts/debian/falco_inject_kmod.service b/scripts/debian/falco_inject_kmod.service
new file mode 100644
index 00000000000..204e695f923
--- /dev/null
+++ b/scripts/debian/falco_inject_kmod.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Falco: Container Native Runtime Security
+Documentation=https://falco.org/docs/
+Before=falco.service
+Wants=falco.service
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/sbin/modprobe falco
+Restart=on-failure
+TimeoutSec=30s
+RestartSec=15s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts/rpm/falco.service b/scripts/rpm/falco.service
index 29894e419e3..1d66d440712 100644
--- a/scripts/rpm/falco.service
+++ b/scripts/rpm/falco.service
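Review bot: Removing `ExecStartPre=/sbin/modprobe falco` while leaving `ExecStopPost=/sbin/rmmod falco` in place splits module management across two files, and as far as this hunk shows falco.service keeps CAP_SYS_MODULE solely for that teardown. If the unload moved to the loader unit as well, for instance `RemainAfterExit=yes`, `ExecStop=/sbin/rmmod falco` and `PartOf=falco.service` in falco_inject_kmod.service so stop and restart of falco propagate to it, falco.service could add `ProtectKernelModules=yes` and drop module privileges from the long-running process entirely; confirm first that the falco binary itself never loads or unloads a module. The new `Requires=` also means an explicit stop of falco_inject_kmod.service stops falco, which is probably intended but deserves a comment above the two added lines. The rpm unit in the later hunk mirrors this change.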
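Review bot: `ReadWritePaths=/sys/module/falco` names a directory that exists only while the module is loaded, and a ReadWritePaths= entry that is missing when the namespace is built fails the unit's start unless the path carries a leading `-`; the line therefore works only because `After=`/`Requires=falco_inject_kmod.service` in the previous hunk load the module first, which is presumably also why the modprobe could no longer stay in ExecStartPre= (the namespace is set up before ExecStartPre= runs). That coupling is invisible in the file, so document it next to the directive: `# only exists once falco_inject_kmod.service has loaded the module; After=/Requires= above guarantee the ordering`. The rpm unit receives the identical change in the later hunk.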
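Review bot: `ExecStart=/sbin/modprobe falco` runs as unrestricted root with none of the sandboxing falco.service carries, although loading a module needs only CAP_SYS_MODULE plus read access to the module tree; the `[Service]` section can be tightened as below (add `CAP_DAC_READ_SEARCH` to the bounding set if the installed .ko is not world-readable, and check where falco-driver-loader places the module before adding `ProtectHome=`). `Description=` is copied verbatim from falco.service, so `systemctl status` shows two different units under the same name; `Description=Falco: load the falco kernel module` tells them apart. `Restart=on-failure` on a `Type=oneshot` unit is, as far as I recall, refused by older systemd releases that allowed only `Restart=no` for oneshot units, and with `RestartSec=15s` spacing attempts beyond the default start-rate window a missing module is retried indefinitely; confirm the oldest targeted distro accepts it and consider a `StartLimitBurst=` cap. The identical file is added for rpm in the last hunk of the series.
```ini
# … unchanged: [Unit] section …
[Service]
# … unchanged: Type=, User=, ExecStart= …
# loading a module needs CAP_SYS_MODULE and read access to /lib/modules; nothing else
CapabilityBoundingSet=CAP_SYS_MODULE
NoNewPrivileges=yes
ProtectSystem=strict
PrivateNetwork=yes
PrivateTmp=yes
# … unchanged: Restart=, TimeoutSec=, RestartSec=, [Install] section …
```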
@@ -1,11 +1,12 @@
 [Unit]
 Description=Falco: Container Native Runtime Security
 Documentation=https://falco.org/docs/
+After=falco_inject_kmod.service
+Requires=falco_inject_kmod.service
 [Service]
 Type=simple
 User=root
-ExecStartPre=/sbin/modprobe falco
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
 ExecStopPost=/sbin/rmmod falco
 UMask=0077
@@ -17,7 +18,7 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
-ReadWritePaths=/sys/module
+ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null
diff --git a/scripts/rpm/falco_inject_kmod.service b/scripts/rpm/falco_inject_kmod.service
new file mode 100644
index 00000000000..204e695f923
--- /dev/null
+++ b/scripts/rpm/falco_inject_kmod.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Falco: Container Native Runtime Security
+Documentation=https://falco.org/docs/
+Before=falco.service
+Wants=falco.service
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/sbin/modprobe falco
+Restart=on-failure
+TimeoutSec=30s
+RestartSec=15s
+
+[Install]
+WantedBy=multi-user.target