update!: bump libs to latest and deprecation of k8s metadata options and configs

CMakeLists.txt

@@ -123,9 +123,6 @@ include(njson)
 include(yaml-cpp)
 
 if(NOT WIN32 AND NOT APPLE AND NOT MINIMAL_BUILD AND NOT EMSCRIPTEN)
-  # jq
-  include(jq)
-
   # OpenSSL
   include(openssl)
 
@@ -144,8 +141,8 @@ if (NOT EMSCRIPTEN)
   include(tbb)
 endif()
 
+include(zlib)
 if (NOT MINIMAL_BUILD)
-  include(zlib)
   if (NOT WIN32 AND NOT APPLE AND NOT EMSCRIPTEN)
     include(cares)
     include(protobuf)

cmake/modules/driver.cmake

@@ -34,8 +34,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "6.0.1+driver")
-    set(DRIVER_CHECKSUM "SHA256=2b4412b5053c8ed5bd1a9de745faa16ec0210dc65dc858af65951d4c8d22207c")
+    set(DRIVER_VERSION "7cbc03a535ead9d530f7b77ffd68766d5e22da74")
+    set(DRIVER_CHECKSUM "SHA256=94d110ad1738cce2635fd15d41701bea5e061fd9a5a4be3f2ee8ec7a28fe50cc")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/falcosecurity-libs.cmake

@@ -35,8 +35,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` 
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "00fa5c5196edf5858daf229ec8a96756d22fa854")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=d7fd77830f97406828e7dd41bcd3178d54075c91638a8e40492d4e864457548a")
+    set(FALCOSECURITY_LIBS_VERSION "7cbc03a535ead9d530f7b77ffd68766d5e22da74")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=94d110ad1738cce2635fd15d41701bea5e061fd9a5a4be3f2ee8ec7a28fe50cc")
   endif()
 
   # cd /path/to/build && cmake /path/to/source
@@ -88,6 +88,8 @@ set(USE_BUNDLED_B64 ON CACHE BOOL "")
 set(USE_BUNDLED_JSONCPP ON CACHE BOOL "")
 set(USE_BUNDLED_VALIJSON ON CACHE BOOL "")
 set(USE_BUNDLED_RE2 ON CACHE BOOL "")
+set(USE_BUNDLED_UTHASH ON CACHE BOOL "")
+set(USE_BUNDLED_TINYDIR ON CACHE BOOL "")
 
 list(APPEND CMAKE_MODULE_PATH "${FALCOSECURITY_LIBS_SOURCE_DIR}/cmake/modules")
 

falco.yaml

@@ -67,9 +67,6 @@
 #     syscall_drop_failed_exit
 #     base_syscalls
 #     modern_bpf.cpus_for_each_syscall_buffer
-# Falco cloud orchestration systems integration
-#     metadata_download
-#     (Guidance for Kubernetes container engine command-line args settings)
 
 
 ################################
@@ -170,11 +167,10 @@ rules_file:
 #
 # Please note that if your intention is to enrich Falco syscall logs with fields
 # such as `k8s.ns.name`, `k8s.pod.name`, and `k8s.pod.*`, you do not need to use
-# the `k8saudit` plugin nor the `-k`/`-K` Kubernetes metadata enrichment. This
-# information is automatically extracted from the container runtime socket. The
-# `k8saudit` plugin is specifically designed to integrate with Kubernetes audit
-# logs and is not required for basic enrichment of syscall logs with
-# Kubernetes-related fields.
+# the `k8saudit` plugin. This information is automatically extracted from
+# the container runtime socket. The `k8saudit` plugin is specifically designed
+# to integrate with Kubernetes audit logs and is not required for basic enrichment
+# of syscall logs with Kubernetes-related fields.
 #
 # --- [Usage]
 #
@@ -1035,35 +1031,6 @@ base_syscalls:
 modern_bpf:
   cpus_for_each_syscall_buffer: 2
 
-
-#################################################
-# Falco cloud orchestration systems integration #
-#################################################
-
-# [Stable] `metadata_download`
-#
-# When connected to an orchestrator like Kubernetes, Falco has the capability to
-# collect metadata and enrich system call events with contextual data. The
-# parameters mentioned here control the downloading process of this metadata.
-#
-# Please note that support for Mesos is deprecated, so these parameters
-# currently apply only to Kubernetes. When using Falco with Kubernetes, you can
-# enable this functionality by using the `-k` or `-K` command-line flag.
-#
-# However, it's worth mentioning that for important Kubernetes metadata fields
-# such as namespace or pod name, these fields are automatically extracted from
-# the container runtime, providing the necessary enrichment for common use cases
-# of syscall-based threat detection.
-#
-# In summary, the `-k` flag is typically not required for most scenarios involving
-# Kubernetes workload owner enrichment. The `-k` flag is primarily used when
-# additional metadata is required beyond the standard fields, catering to more
-# specific use cases, see https://falco.org/docs/reference/rules/supported-fields/#field-class-k8s.
-metadata_download:
-  max_mb: 100
-  chunk_wait_us: 1000
-  watch_freq_sec: 1
-
 # [Stable] Guidance for Kubernetes container engine command-line args settings
 #
 # Modern cloud environments, particularly Kubernetes, heavily rely on

unit_tests/engine/test_rulesets.cpp

@@ -23,9 +23,9 @@ limitations under the License.
 #define RULESET_2 2
 
 /* Helpers methods */
-static std::shared_ptr<gen_event_filter_factory> create_factory()
+static std::shared_ptr<gen_event_filter_factory> create_factory(filter_check_list& list)
 {
-	std::shared_ptr<gen_event_filter_factory> ret(new sinsp_filter_factory(NULL));
+	std::shared_ptr<gen_event_filter_factory> ret(new sinsp_filter_factory(NULL, list));
 	return ret;
 }
 
@@ -53,7 +53,8 @@ static std::shared_ptr<gen_event_filter> create_filter(
 
 TEST(Ruleset, enable_disable_rules_using_names)
 {
-	auto f = create_factory();
+	sinsp_filter_check_list filterlist;
+	auto f = create_factory(filterlist);
 	auto r = create_ruleset(f);
 	auto ast = create_ast(f);
 	auto filter = create_filter(f, ast);
@@ -119,7 +120,8 @@ TEST(Ruleset, enable_disable_rules_using_names)
 
 TEST(Ruleset, enable_disable_rules_using_tags)
 {
-	auto f = create_factory();
+	sinsp_filter_check_list filterlist;
+	auto f = create_factory(filterlist);
 	auto r = create_ruleset(f);
 	auto ast = create_ast(f);
 	auto filter = create_filter(f, ast);

unit_tests/falco/app/actions/test_configure_interesting_sets.cpp

@@ -77,11 +77,12 @@ static std::shared_ptr<falco_engine> mock_engine_from_filters(const strset_t& fi
 	}
 
 	// create a falco engine and load the ruleset
+	sinsp_filter_check_list filterlist;
 	std::shared_ptr<falco_engine> res(new falco_engine());
 	auto filter_factory = std::shared_ptr<gen_event_filter_factory>(
-			new sinsp_filter_factory(nullptr));
+			new sinsp_filter_factory(nullptr, filterlist));
 	auto formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
-			new sinsp_evt_formatter_factory(nullptr));
+			new sinsp_evt_formatter_factory(nullptr, filterlist));
 	res->add_source(s_sample_source, filter_factory, formatter_factory);
 	res->load_rules(dummy_rules, "dummy_rules.yaml");
 	res->enable_rule("", true, s_sample_ruleset);

userspace/engine/CMakeLists.txt

@@ -35,8 +35,7 @@ endif()
 
 add_dependencies(falco_engine yamlcpp njson)
 
-if(MINIMAL_BUILD)
-  target_include_directories(
+target_include_directories(
     falco_engine
     PUBLIC
       "${NJSON_INCLUDE}"
@@ -45,16 +44,5 @@ if(MINIMAL_BUILD)
       "${LIBSINSP_INCLUDE_DIRS}"
       "${YAMLCPP_INCLUDE_DIR}"
       "${PROJECT_BINARY_DIR}/userspace/engine")
-else()
-  target_include_directories(
-    falco_engine
-    PUBLIC
-      "${NJSON_INCLUDE}"
-      "${TBB_INCLUDE_DIR}"
-      "${LIBSCAP_INCLUDE_DIRS}"
-      "${LIBSINSP_INCLUDE_DIRS}"
-      "${YAMLCPP_INCLUDE_DIR}"
-      "${PROJECT_BINARY_DIR}/userspace/engine")
-endif()
 
 target_link_libraries(falco_engine "${FALCO_SINSP_LIBRARY}" "${YAMLCPP_LIB}")

userspace/engine/falco_engine_version.h

@@ -20,7 +20,7 @@ limitations under the License.
 
 // The version of this Falco engine
 #define FALCO_ENGINE_VERSION_MAJOR 0
-#define FALCO_ENGINE_VERSION_MINOR 26
+#define FALCO_ENGINE_VERSION_MINOR 27
 #define FALCO_ENGINE_VERSION_PATCH 0
 
 #define FALCO_ENGINE_VERSION \
@@ -34,4 +34,4 @@ limitations under the License.
 // It represents the fields supported by this version of Falco,
 // the event types, and the underlying driverevent schema. It's used to
 // detetect changes in engine version in our CI jobs.
-#define FALCO_ENGINE_CHECKSUM "df5b0b40d3e1dafc0de13459a4b889f8680ec154690f445952e74799920ae380"
+#define FALCO_ENGINE_CHECKSUM "dbc34e88ab420320994d85f155dee6baff2dd018aacc00e249f897edc8b1e0f4"

userspace/falco/CMakeLists.txt

@@ -26,7 +26,6 @@ set(
   app/actions/pidfile.cpp
   app/actions/init_falco_engine.cpp
   app/actions/init_inspectors.cpp
-  app/actions/init_clients.cpp
   app/actions/init_outputs.cpp
   app/actions/list_fields.cpp
   app/actions/list_plugins.cpp

userspace/falco/app/actions/actions.h

@@ -30,7 +30,6 @@ falco::app::run_result configure_syscall_buffer_num(falco::app::state& s);
 falco::app::run_result create_requested_paths(falco::app::state& s);
 falco::app::run_result create_signal_handlers(falco::app::state& s);
 falco::app::run_result pidfile(falco::app::state& s);
-falco::app::run_result init_clients(falco::app::state& s);
 falco::app::run_result init_falco_engine(falco::app::state& s);
 falco::app::run_result init_inspectors(falco::app::state& s);
 falco::app::run_result init_outputs(falco::app::state& s);

userspace/falco/app/app.cpp

@@ -82,7 +82,6 @@ bool falco::app::run(falco::app::state& s, bool& restart, std::string& errstr)
 		falco::app::actions::create_signal_handlers,
 		falco::app::actions::create_requested_paths,
 		falco::app::actions::pidfile,
-		falco::app::actions::init_clients,
 		falco::app::actions::configure_interesting_sets,
 		falco::app::actions::configure_syscall_buffer_size,
 		falco::app::actions::configure_syscall_buffer_num,

userspace/falco/app/options.cpp

@@ -194,11 +194,6 @@ void options::define(cxxopts::Options& opts)
 		("modern-bpf",				  "Use the BPF modern probe driver to instrument the kernel and observe 'syscall' events.", cxxopts::value(modern_bpf)->default_value("false"))
 #endif
 		("i",                             "Print those events that are ignored by default for performance reasons and exit. See -A for more details.", cxxopts::value(print_ignored_events)->default_value("false"))
-#if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
-		("k,k8s-api",                     "Enable Kubernetes metadata support by connecting to the given API server <URL>\n(e.g. \"http://admin:password@127.0.0.1:8080\". The API server can also be specified via the environment variable FALCO_K8S_API.", cxxopts::value(k8s_api), "<URL>")
-		("K,k8s-api-cert",                "Use the provided file names to authenticate the user and (optionally) verify the K8S API server identity. Each entry must specify the full (absolute or relative to the current directory) path to the respective file. Passing a private key password is optional (unless the key is password-protected). CA certificate is optional. For all files, only the PEM file format is supported. Specifying the CA certificate only is obsoleted - when a single entry is provided for this option, it will be interpreted as the name of a file containing the bearer token. Note that the format of this command-line option prohibits the use of files whose names contain ':' or '#' characters in the file name. This option has effect only when used in conjunction with -k.", cxxopts::value(k8s_api_cert), "(<bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>])")
-		("k8s-node",                      "Filter Kubernetes metadata for a specified <node_name>. The node name will be used as a filter when requesting metadata of pods to the API server. Usually, this should be set to the current node on which Falco is running. No filter is set if empty, which may have a performance penalty on large clusters. This option has effect only when used in conjunction with -k.", cxxopts::value(k8s_node_name), "<node_name>")
-#endif
 		("L",                             "Show the name and description of all rules and exit. If json_output is set to true, it prints details about all rules, macros, and lists in JSON format.", cxxopts::value(describe_all_rules)->default_value("false"))
 		("l",                             "Show the name and description of the rule specified <rule> and exit. If json_output is set to true, it prints details about the rule in JSON format.", cxxopts::value(describe_rule), "<rule>")
 		("list",                          "List all defined fields and exit. If <source> is provided, only list those fields for the source <source>. Current values for <source> are \"syscall\" or any source from a configured plugin with event sourcing capability.", cxxopts::value(list_source_fields)->implicit_value(""), "<source>")

userspace/falco/app/options.h

@@ -51,9 +51,6 @@ class options {
 	std::string gvisor_config;
 	std::string gvisor_generate_config_with_socket;
 	std::string gvisor_root;
-	std::string k8s_api;
-	std::string k8s_api_cert;
-	std::string k8s_node_name;
 	bool describe_all_rules;
 	std::string describe_rule;
 	bool print_ignored_events;

userspace/falco/configuration.cpp

@@ -63,9 +63,6 @@ falco_configuration::falco_configuration():
 	m_syscall_evt_drop_max_burst(1),
 	m_syscall_evt_simulate_drops(false),
 	m_syscall_evt_timeout_max_consecutives(1000),
-	m_metadata_download_max_mb(100),
-	m_metadata_download_chunk_wait_us(1000),
-	m_metadata_download_watch_freq_sec(1),
 	m_syscall_buf_size_preset(4),
 	m_cpus_for_each_syscall_buffer(2),
 	m_syscall_drop_failed_exit(false),
@@ -365,18 +362,6 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
 		throw std::logic_error("Error reading config file(" + config_name + "): the maximum consecutive timeouts without an event must be an unsigned integer > 0");
 	}
 
-	m_metadata_download_max_mb = config.get_scalar<uint32_t>("metadata_download.max_mb", 100);
-	if(m_metadata_download_max_mb > 1024)
-	{
-		throw std::logic_error("Error reading config file(" + config_name + "): metadata download maximum size should be < 1024 Mb");
-	}
-	m_metadata_download_chunk_wait_us = config.get_scalar<uint32_t>("metadata_download.chunk_wait_us", 1000);
-	m_metadata_download_watch_freq_sec = config.get_scalar<uint32_t>("metadata_download.watch_freq_sec", 1);
-	if(m_metadata_download_watch_freq_sec == 0)
-	{
-		throw std::logic_error("Error reading config file(" + config_name + "): metadata download watch frequency seconds must be an unsigned integer > 0");
-	}
-
 	/* We put this value in the configuration file because in this way we can change the dimension at every reload.
 	 * The default value is `4` -> 8 MB.
 	 */

userspace/falco/configuration.h

@@ -103,10 +103,6 @@ class falco_configuration
 
 	uint32_t m_syscall_evt_timeout_max_consecutives;
 
-	uint32_t m_metadata_download_max_mb;
-	uint32_t m_metadata_download_chunk_wait_us;
-	uint32_t m_metadata_download_watch_freq_sec;
-
 	// Index corresponding to the syscall buffer dimension.
 	uint16_t m_syscall_buf_size_preset;
 

userspace/falco/stats_writer.cpp

@@ -356,7 +356,6 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 		double stats_snapshot_time_delta_sec, const std::string& src)
 {
 	const scap_agent_info* agent_info = inspector->get_agent_info();
-	const scap_machine_info* machine_info = inspector->get_machine_info();
 
 #if !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
 	/* Resource utilization, CPU and memory usage etc. */
@@ -431,7 +430,7 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 	{
 		flags |= PPM_SCAP_STATS_KERNEL_COUNTERS;
 	}
-	if (m_writer->m_config->m_metrics_libbpf_stats_enabled && (inspector->check_current_engine(BPF_ENGINE) || inspector->check_current_engine(MODERN_BPF_ENGINE)) && (machine_info->flags & PPM_BPF_STATS_ENABLED))
+	if (m_writer->m_config->m_metrics_libbpf_stats_enabled && (inspector->check_current_engine(BPF_ENGINE) || inspector->check_current_engine(MODERN_BPF_ENGINE)))
 	{
 		flags |= PPM_SCAP_STATS_LIBBPF_STATS;
 	}