update(cmake,scripts): bumped falcoctl to v0.8.0-rc1 and set modern eBPF as default driver + enable automatic driver selection logic

cmake/modules/falcoctl.cmake

@@ -16,14 +16,14 @@ include(ExternalProject)
 
 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-set(FALCOCTL_VERSION "0.7.2")
+set(FALCOCTL_VERSION "0.8.0-rc1")
 
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
     set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-    set(FALCOCTL_HASH "abbbef2beefceb3d518a638fbad220ca6002840d33a20a7f1de9b358c4dbef45")
+    set(FALCOCTL_HASH "120a45be26be26ed9795926e3d382440ce010b8ec31fda8a0118ec3d42fc7bc7")
 else() # aarch64
     set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-    set(FALCOCTL_HASH "8dafef99948355febfa311bb940f8c714af631a249f4ae05ffd7d4c5f181e2c4")
+    set(FALCOCTL_HASH "f2c15e7a4c210ee9e3a521f4b6f6ed3096db6bf52426d369a9fe2a1cd3a4a4c2")
 endif()
 
 ExternalProject_Add(

docker/driver-loader-legacy/docker-entrypoint.sh

@@ -24,8 +24,10 @@ print_usage() {
 	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader-legacy:latest [driver] [options]"
 	echo ""
 	echo "Available drivers:"
-	echo "  kmod           kernel module (default)"
+	echo "  auto	       leverage automatic driver selection logic (default)"
+	echo "	modern_ebpf    modern eBPF CORE probe"
 	echo "  ebpf           eBPF probe"
+	echo "  kmod           kernel module"
 	echo ""
 	echo "Options:"
 	echo "  --help           show this help message"
@@ -63,7 +65,9 @@ while test $# -gt 0; do
 				print_usage
 				exit 1
 			else
-				/usr/bin/falcoctl driver config --type $1
+				if [ "$1" != "auto" ]; then
+					/usr/bin/falcoctl driver config --type $1
+				fi
 				has_driver="true"
 			fi
 			;;

docker/driver-loader/docker-entrypoint.sh

@@ -24,8 +24,10 @@ print_usage() {
 	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest [driver] [options]"
 	echo ""
 	echo "Available drivers:"
-	echo "  kmod           kernel module (default)"
+	echo "  auto	       leverage automatic driver selection logic (default)"
+	echo "	modern_ebpf    modern eBPF CORE probe"
 	echo "  ebpf           eBPF probe"
+	echo "  kmod           kernel module"
 	echo ""
 	echo "Options:"
 	echo "  --help                   show this help message"
@@ -61,13 +63,15 @@ extra_args=
 
 while test $# -gt 0; do
 	case "$1" in
-		kmod|ebpf)
+		auto|kmod|ebpf|modern_ebpf)
 			if [ -n "$has_driver" ]; then
 				>&2 echo "Only one driver per invocation"
 				print_usage
 				exit 1
 			else
-				/usr/bin/falcoctl driver config --type $1
+				if [ "$1" != "auto" ]; then
+					/usr/bin/falcoctl driver config --type $1
+				fi
 				has_driver="true"
 			fi
 			;;

docker/falco/docker-entrypoint.sh

@@ -23,9 +23,11 @@ print_usage() {
 	echo "Usage:"
 	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro -e 'FALCO_DRIVER_LOADER_OPTIONS=[driver] [options]' falcosecurity/falco:latest"
 	echo ""
-	echo "Available FALCO_DRIVER_LOADER_OPTIONS drivers:"
-	echo "  kmod           kernel module (default)"
+	echo "Available drivers:"
+	echo "  auto	       leverage automatic driver selection logic (default)"
+	echo "	modern_ebpf    modern eBPF CORE probe"
 	echo "  ebpf           eBPF probe"
+	echo "  kmod           kernel module"
 	echo ""
 	echo "FALCO_DRIVER_LOADER_OPTIONS options:"
 	echo "  --help           show this help message"
@@ -71,7 +73,9 @@ if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
                     print_usage
                     exit 1
                 else
-                    /usr/bin/falcoctl driver config --type $opt
+                    if [ "$opt" != "auto" ]; then
+			/usr/bin/falcoctl driver config --type $opt
+		    fi
                     has_driver="true"
                 fi
                 ;;

falco.yaml

@@ -322,7 +322,7 @@ rules_file:
 # buffers (higher `cpus_for_each_buffer`) can lower the memory footprint.
 #
 engine:
-  kind: kmod
+  kind: modern_ebpf
   kmod:
     buf_size_preset: 4
     drop_failed_exit: false

scripts/CMakeLists.txt

@@ -47,7 +47,18 @@ endif()
 if (NOT WIN32 AND NOT APPLE AND NOT EMSCRIPTEN AND NOT MUSL_OPTIMIZED_BUILD)
 	if(NOT DEFINED FALCOCTL_ETC_DIR)
 		set(FALCOCTL_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falcoctl")
+    endif()
+    set(FALCOCTL_DRIVER_TYPES_LIST "")
+	if (BUILD_FALCO_MODERN_BPF)
+		list(APPEND FALCOCTL_DRIVER_TYPES_LIST "modern_ebpf")
 	endif()
+	if (BUILD_BPF)
+		list(APPEND FALCOCTL_DRIVER_TYPES_LIST "ebpf")
+	endif()
+	if (BUILD_DRIVER)
+		list(APPEND FALCOCTL_DRIVER_TYPES_LIST "kmod")
+	endif()
+	string(REPLACE ";" ", " FALCOCTL_DRIVER_TYPES "${FALCOCTL_DRIVER_TYPES_LIST}")
 	configure_file(${CMAKE_CURRENT_SOURCE_DIR}/falcoctl/falcoctl.yaml.in ${PROJECT_BINARY_DIR}/scripts/falcoctl/falcoctl.yaml)
 	install(FILES ${PROJECT_BINARY_DIR}/scripts/falcoctl/falcoctl.yaml DESTINATION "${FALCOCTL_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
 endif()

scripts/debian/postinst.in

@@ -17,7 +17,8 @@
 # limitations under the License.
 #
 
-chosen_driver=
+# By default, we use the automatic selection for drivers
+chosen_driver="auto"
 chosen_unit=
 CHOICE=
 
@@ -38,43 +39,56 @@ systemctl --system disable 'falcoctl-artifact-follow.service' || true
 systemctl --system unmask falcoctl-artifact-follow.service || true
 
 if [ "$1" = "configure" ]; then
+	# "auto" case is not managed here since it is already the default, so no CHOICE=2
         case $FALCO_DRIVER_CHOICE in
+              none)
+                  CHOICE=1
+                  ;;
               kmod)
-                  CHOICE=2
+                  CHOICE=3
                   ;;
               ebpf)
-                  CHOICE=3
+                  CHOICE=4
                   ;;
               modern_ebpf)
-                  CHOICE=4
+                  CHOICE=5
                   ;;
         esac     
         if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then          
             # If dialog is installed, create a dialog to let users choose the correct driver for them
             CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 55 4 \
                     1 "Manual configuration (no unit is started)" \
-                    2 "Kmod" \
-                    3 "eBPF" \
-                    4 "Modern eBPF" \
+                    2 "Automatic selection" \
+                    3 "Kmod" \
+                    4 "eBPF" \
+                    5 "Modern eBPF" \
                     2>&1 >/dev/tty)
-        fi         
+        fi
+        # "auto" case is not managed here since it is already the default, so no CHOICE=2
         case $CHOICE in
-            2)
-                chosen_driver="kmod"
-                chosen_unit="kmod"
+            1)
+                chosen_driver=""
                 ;;
             3)
-                chosen_driver="ebpf"
-                chosen_unit="bpf"
+                chosen_driver="kmod"
                 ;;
             4)
+                chosen_driver="ebpf"
+                ;;
+            5)
                 chosen_driver="modern_ebpf"
-                chosen_unit="modern-bpf"
                 ;;
         esac
-        if [ -n "$CHOICE" ]; then
+        if [ -n "$chosen_driver" ]; then
             echo "[POST-INSTALL] Configure falcoctl driver type:"
-            falcoctl driver config --type $chosen_driver
+            if [ "$chosen_driver" = "auto" ];  then
+                # Configure falcoctl to enable all drivers
+                falcoctl driver config --type "modern_ebpf" --type "ebpf" --type "kmod"
+                # Load the actually automatic chosen driver
+                chosen_driver=$(falcoctl driver printenv | grep DRIVER= | cut -d'"' -f2)
+            else
+                falcoctl driver config --type "$chosen_driver"
+            fi
             CHOICE=
             case $FALCOCTL_ENABLED in
                 no)
@@ -108,10 +122,15 @@ case "$chosen_driver" in
       # Only compile for kmod, in this way we use dkms
       echo "[POST-INSTALL] Call 'falcoctl driver install for kmod:"
       falcoctl driver install --download=false
+      chosen_unit="kmod"
       ;;
     "ebpf")
       echo "[POST-INSTALL] Call 'falcoctl driver install for ebpf':"
       falcoctl driver install
+      chosen_unit="bpf"
+      ;;
+    "modern_ebpf")
+      chosen_unit="modern-bpf"
       ;;
 esac
 

scripts/falcoctl/falcoctl.yaml.in

@@ -1,5 +1,5 @@
 driver:
-    type: "kmod"
+    type: [@FALCOCTL_DRIVER_TYPES@]
     name: "@DRIVER_NAME@"
     repos:
         - "@DRIVERS_REPO@"

scripts/rpm/postinstall.in

@@ -16,7 +16,8 @@
 # limitations under the License.
 #
 
-chosen_driver=
+# By default, we use the automatic selection for drivers
+chosen_driver="auto"
 chosen_unit=
 CHOICE=
 
@@ -37,43 +38,55 @@ systemctl --system disable 'falcoctl-artifact-follow.service' || true
 systemctl --system unmask falcoctl-artifact-follow.service || true
 
 if [ $1 -ge 1 ]; then
+	# "auto" case is not managed here since it is already the default, so no CHOICE=2
         case $FALCO_DRIVER_CHOICE in
+              none)
+                  CHOICE=1
+                  ;;
               kmod)
-                  CHOICE=2
+                  CHOICE=3
                   ;;
               ebpf)
-                  CHOICE=3
+                  CHOICE=4
                   ;;
               modern_ebpf)
-                  CHOICE=4
+                  CHOICE=5
                   ;;
         esac     
         if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then          
             # If dialog is installed, create a dialog to let users choose the correct driver for them
             CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 55 4 \
                     1 "Manual configuration (no unit is started)" \
-                    2 "Kmod" \
-                    3 "eBPF" \
-                    4 "Modern eBPF" \
+                    2 "Automatic selection" \
+                    3 "Kmod" \
+                    4 "eBPF" \
+                    5 "Modern eBPF" \
                     2>&1 >/dev/tty)
-        fi         
+        fi
+        # "auto" case is not managed here since it is already the default, so no CHOICE=2
         case $CHOICE in
-            2)
-                chosen_driver="kmod"
-                chosen_unit="kmod"
+            1)
+                chosen_driver=""
                 ;;
             3)
-                chosen_driver="ebpf"
-                chosen_unit="bpf"
+                chosen_driver="kmod"
                 ;;
             4)
+                chosen_driver="ebpf"
+                ;;
+            5)
                 chosen_driver="modern_ebpf"
-                chosen_unit="modern-bpf"
                 ;;
         esac
-        if [ -n "$CHOICE" ]; then
-            echo "[POST-INSTALL] Configure falcoctl driver type:"
-            falcoctl driver config --type $chosen_driver
+        if [ -n "$chosen_driver" ]; then
+            if [ "$chosen_driver" = "auto" ];  then
+                # Configure falcoctl to enable all drivers
+                falcoctl driver config --type "modern_ebpf" --type "ebpf" --type "kmod"
+                # Load the actually automatic chosen driver
+                chosen_driver=$(falcoctl driver printenv | grep DRIVER= | cut -d'"' -f2)
+            else
+                falcoctl driver config --type "$chosen_driver"
+            fi
             CHOICE=
             case $FALCOCTL_ENABLED in
                 no)
@@ -105,12 +118,17 @@ systemctl --system daemon-reload || true
 case "$chosen_driver" in
     "kmod")
       # Only compile for kmod, in this way we use dkms
-       echo "[POST-INSTALL] Call 'falcoctl driver install for kmod:"
-       falcoctl driver install --download=false
+      echo "[POST-INSTALL] Call 'falcoctl driver install for kmod:"
+      falcoctl driver install --download=false
+      chosen_unit="kmod"
       ;;
     "ebpf")
       echo "[POST-INSTALL] Call 'falcoctl driver install for ebpf':"
       falcoctl driver install
+      chosen_unit="bpf"
+      ;;
+    "modern_ebpf")
+      chosen_unit="modern-bpf"
       ;;
 esac