From c6f3ad925977407a57e2c65ca4d74c1e34438093 Mon Sep 17 00:00:00 2001 From: Federico Aponte Date: Tue, 23 Jan 2024 23:02:27 +0100 Subject: [PATCH 1/6] fix: nlohmann_json lib include path Signed-off-by: Federico Aponte --- cmake/modules/njson.cmake | 3 ++- userspace/engine/CMakeLists.txt | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/cmake/modules/njson.cmake b/cmake/modules/njson.cmake index 4225e1d6420..dd5a332bdf4 100644 --- a/cmake/modules/njson.cmake +++ b/cmake/modules/njson.cmake @@ -19,8 +19,9 @@ if(USE_BUNDLED_NLOHMANN_JSON) CMAKE_ARGS -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=${PROJECT_BINARY_DIR}/njson-prefix -DJSON_BuildTests=OFF -DBUILD_TESTING=OFF ) - set(nlohmann_json_DIR ${PROJECT_BINARY_DIR}/njson-prefix/include) + set(nlohmann_json_INCLUDE_DIRS ${PROJECT_BINARY_DIR}/njson-prefix/include) else() find_package(nlohmann_json CONFIG REQUIRED) + get_target_property(nlohmann_json_INCLUDE_DIRS nlohmann_json::nlohmann_json INTERFACE_INCLUDE_DIRECTORIES) add_custom_target(njson) endif() diff --git a/userspace/engine/CMakeLists.txt b/userspace/engine/CMakeLists.txt index e7f21ec6948..78f681cef38 100644 --- a/userspace/engine/CMakeLists.txt +++ b/userspace/engine/CMakeLists.txt @@ -39,7 +39,7 @@ PUBLIC ${LIBSCAP_INCLUDE_DIRS} ${LIBSINSP_INCLUDE_DIRS} ${PROJECT_BINARY_DIR}/userspace/engine - ${nlohmann_json_DIR} + ${nlohmann_json_INCLUDE_DIRS} ${TBB_INCLUDE_DIR} ${YAMLCPP_INCLUDE_DIR} ) From 2078e2d210bfc8a0689b27230e9b88834a79f7c7 Mon Sep 17 00:00:00 2001 From: Melissa Kilby Date: Wed, 24 Jan 2024 00:28:18 +0000 Subject: [PATCH 2/6] fix(userspace/metric): minor fixes in new libsinsp state metrics handling Signed-off-by: Melissa Kilby --- userspace/falco/stats_writer.cpp | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/userspace/falco/stats_writer.cpp b/userspace/falco/stats_writer.cpp index 1d6de5d7aa2..cf6bf6821a7 100644 --- a/userspace/falco/stats_writer.cpp 
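Review bot: In the `else()` branch of njson.cmake, `get_target_property(nlohmann_json_INCLUDE_DIRS nlohmann_json::nlohmann_json INTERFACE_INCLUDE_DIRECTORIES)` leaves the variable set to `nlohmann_json_INCLUDE_DIRS-NOTFOUND` when the imported target does not define that property. That value would then be passed straight into the engine's include list by the second hunk. A guard right after the call avoids it: `if(NOT nlohmann_json_INCLUDE_DIRS) set(nlohmann_json_INCLUDE_DIRS "") endif()`. A one-line comment saying the variable is only consumed as an include path in userspace/engine/CMakeLists.txt would also help.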
+++ b/userspace/falco/stats_writer.cpp @@ -366,9 +366,16 @@ void stats_writer::collector::get_metrics_output_fields_additional( sinsp_thread_manager* thread_manager = inspector->m_thread_manager; const scap_stats_v2* sinsp_stats_v2_snapshot = libsinsp::stats::get_sinsp_stats_v2(flags, agent_info, thread_manager, sinsp_stats_v2, buffer, &nstats, &rc); + uint32_t base_stat = 0; + // todo @incertum this needs to become better with the next proper stats refactor in libs 0.15.0 + if ((flags & PPM_SCAP_STATS_STATE_COUNTERS) && !(flags & PPM_SCAP_STATS_RESOURCE_UTILIZATION)) + { + base_stat = SINSP_STATS_V2_N_THREADS; + } + if (sinsp_stats_v2_snapshot && rc == 0 && nstats > 0) { - for(uint32_t stat = 0; stat < nstats; stat++) + for(uint32_t stat = base_stat; stat < nstats; stat++) { if (sinsp_stats_v2_snapshot[stat].name[0] == '\0') { @@ -376,6 +383,12 @@ void stats_writer::collector::get_metrics_output_fields_additional( } char metric_name[STATS_NAME_MAX] = "falco."; strlcat(metric_name, sinsp_stats_v2_snapshot[stat].name, sizeof(metric_name)); + // todo @incertum temporary fix for n_fds and n_threads, type assignment was missed in libs, will be fixed in libs 0.15.0 + if (strncmp(sinsp_stats_v2_snapshot[stat].name, "n_fds", 6) == 0 || strncmp(sinsp_stats_v2_snapshot[stat].name, "n_threads", 10) == 0) + { + output_fields[metric_name] = sinsp_stats_v2_snapshot[stat].value.u64; + } + switch(sinsp_stats_v2_snapshot[stat].type) { case STATS_VALUE_TYPE_U64: From 960336a20e795fca26c793ca8d73589b5d259f17 Mon Sep 17 00:00:00 2001 From: Melissa Kilby Date: Tue, 16 Jan 2024 16:14:22 +0000 Subject: [PATCH 3/6] update!(config): add deprecation notice for syscall_event_drops Signed-off-by: Melissa Kilby --- falco.yaml | 4 ++-- userspace/falco/app/actions/load_config.cpp | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/falco.yaml b/falco.yaml index a94aae35799..7ff645be557 100644 --- a/falco.yaml +++ b/falco.yaml 
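Review bot: Nothing at `base_stat = SINSP_STATS_V2_N_THREADS;` says why the loop may skip the leading entries. The loop still stops at `nstats`, so the code relies on `nstats` being an end index into the full stats buffer rather than a count of filled entries; that contract lives in libsinsp and is not visible here. If it is a count, the last state counters would silently disappear from the metrics output. I would add a comment such as `// state counters start at SINSP_STATS_V2_N_THREADS when resource utilization is off; nstats is an end index (confirm against libs)`. The loop body continues outside the hunk.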
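Review bot: After the `n_fds`/`n_threads` special case stores `value.u64`, control still falls into `switch(sinsp_stats_v2_snapshot[stat].type)`, and `type` is the field the todo comment says libs left unassigned. If that unset value matches one of the other cases, the switch would overwrite `output_fields[metric_name]` with a different union member; the cases are outside the hunk, so this cannot be confirmed from here. Ending the special case with `continue;` keeps the workaround self-contained: `output_fields[metric_name] = sinsp_stats_v2_snapshot[stat].value.u64; continue;`.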
@@ -61,7 +61,7 @@ # Falco logging / alerting / metrics related to software functioning (advanced) # output_timeout # syscall_event_timeouts -# syscall_event_drops +# syscall_event_drops [DEPRECATED] -> Use `metrics` instead, `syscall_event_drops` will be removed in Falco 0.38! # metrics # Falco performance tuning (advanced) # syscall_buf_size_preset [DEPRECATED] -> Replaced by `engine..buf_size_preset` starting Falco 0.38! @@ -793,7 +793,7 @@ output_timeout: 2000 syscall_event_timeouts: max_consecutives: 1000 -# [Stable] `syscall_event_drops` +# [Stable] `syscall_event_drops` -> Use `metrics` instead, `syscall_event_drops` will be removed in Falco 0.38! # # Generates "Falco internal: syscall event drop" rule output when `priority=debug` at minimum # diff --git a/userspace/falco/app/actions/load_config.cpp b/userspace/falco/app/actions/load_config.cpp index 8dac82f5bd2..b34cb0e2c30 100644 --- a/userspace/falco/app/actions/load_config.cpp +++ b/userspace/falco/app/actions/load_config.cpp @@ -41,6 +41,12 @@ static falco::app::run_result apply_deprecated_options(falco::app::state& s) return run_result::fatal("You can not specify more than one of -e, -g (--gvisor-config), --modern-bpf, --nodriver, and the FALCO_BPF_PROBE env var"); } + if(s.config->m_min_priority == falco_common::PRIORITY_DEBUG) + { + falco_logger::log(falco_logger::level::WARNING, + "DEPRECATION NOTICE: 'syscall_event_drops' config is deprecated and will be removed in Falco 0.38! Use 'metrics' config instead. Note that the 'syscall_event_drops' config is enabled by default when the 'priority' is set to 'debug'. You can turn it off by setting the 'priority' to any higher level\n"); + } + // Please note: is not possible to mix command line options and configs to obtain a configuration // we need to use only one method. For example, is not possible to set the gvisor-config through // the command line and the gvisor-root through the config file. For this reason, if we detect 
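Review bot: The warning in load_config.cpp ends with `You can turn it off by setting the 'priority' to any higher level`, which steers operators toward raising the minimum priority just to silence a deprecation message. If `priority` is the rule-output threshold it appears to be, that also suppresses debug-level rule output. The condition `s.config->m_min_priority == falco_common::PRIORITY_DEBUG` also fires for every debug-priority deployment, whether or not `syscall_event_drops` is actually configured. I would key the check on the drops configuration if it is reachable from `s.config`, or at least add a sentence naming the side effect, e.g. `Raising 'priority' also suppresses debug-level rule output`. The wording change in PATCH 4/6 keeps the same closing sentence; apply_deprecated_options continues outside the hunk.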
From 3a0a62d74d887a4c569be009292c86002b35cacd Mon Sep 17 00:00:00 2001 From: Melissa Kilby Date: Tue, 23 Jan 2024 17:45:31 +0000 Subject: [PATCH 4/6] cleanup(configs): adjust old stats deprecation notice Co-authored-by: Andrea Terzolo Signed-off-by: Melissa Kilby --- userspace/falco/app/actions/load_config.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/userspace/falco/app/actions/load_config.cpp b/userspace/falco/app/actions/load_config.cpp index b34cb0e2c30..903b1763750 100644 --- a/userspace/falco/app/actions/load_config.cpp +++ b/userspace/falco/app/actions/load_config.cpp @@ -44,7 +44,7 @@ static falco::app::run_result apply_deprecated_options(falco::app::state& s) if(s.config->m_min_priority == falco_common::PRIORITY_DEBUG) { falco_logger::log(falco_logger::level::WARNING, - "DEPRECATION NOTICE: 'syscall_event_drops' config is deprecated and will be removed in Falco 0.38! Use 'metrics' config instead. Note that the 'syscall_event_drops' config is enabled by default when the 'priority' is set to 'debug'. You can turn it off by setting the 'priority' to any higher level\n"); + "DEPRECATION NOTICE: 'syscall_event_drops' config is deprecated and will be removed in Falco 0.38! If you rely on this config, use 'metrics.output_rule' along with 'metrics.kernel_event_counters_enabled' to monitor the number of drops. Note that the 'syscall_event_drops' config is enabled by default when the 'priority' is set to 'debug'. You can turn it off by setting the 'priority' to any higher level\n"); } // Please note: is not possible to mix command line options and configs to obtain a configuration From fe3ceceb821c03b0bcc2906980d810715ac8b331 Mon Sep 17 00:00:00 2001 From: Melissa Kilby Date: Wed, 24 Jan 2024 16:19:26 +0000 Subject: [PATCH 5/6] update(config): soft deprecation of old stats add CHANGE NOTICE wrt syscall_event_drops Co-authored-by: Leonardo Grasso 
Signed-off-by: Melissa Kilby --- falco.yaml | 4 ++-- userspace/falco/app/actions/load_config.cpp | 6 ------ 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/falco.yaml b/falco.yaml index 7ff645be557..61ee59f2399 100644 --- a/falco.yaml +++ b/falco.yaml @@ -61,7 +61,7 @@ # Falco logging / alerting / metrics related to software functioning (advanced) # output_timeout # syscall_event_timeouts -# syscall_event_drops [DEPRECATED] -> Use `metrics` instead, `syscall_event_drops` will be removed in Falco 0.38! +# syscall_event_drops -> [CHANGE NOTICE] Automatic notifications will be simplified in Falco 0.38! If you depend on the detailed drop counters payload, use 'metrics.output_rule' along with 'metrics.kernel_event_counters_enabled' instead # metrics # Falco performance tuning (advanced) # syscall_buf_size_preset [DEPRECATED] -> Replaced by `engine..buf_size_preset` starting Falco 0.38! @@ -793,7 +793,7 @@ output_timeout: 2000 syscall_event_timeouts: max_consecutives: 1000 -# [Stable] `syscall_event_drops` -> Use `metrics` instead, `syscall_event_drops` will be removed in Falco 0.38! +# [Stable] `syscall_event_drops` -> [CHANGE NOTICE] Automatic notifications will be simplified in Falco 0.38! If you depend on the detailed drop counters payload, use 'metrics.output_rule' along with 'metrics.kernel_event_counters_enabled' instead # # Generates "Falco internal: syscall event drop" rule output when `priority=debug` at minimum # diff --git a/userspace/falco/app/actions/load_config.cpp b/userspace/falco/app/actions/load_config.cpp index 903b1763750..8dac82f5bd2 100644 --- a/userspace/falco/app/actions/load_config.cpp +++ b/userspace/falco/app/actions/load_config.cpp 
@@ -41,12 +41,6 @@ static falco::app::run_result apply_deprecated_options(falco::app::state& s) return run_result::fatal("You can not specify more than one of -e, -g (--gvisor-config), --modern-bpf, --nodriver, and the FALCO_BPF_PROBE env var"); } - if(s.config->m_min_priority == falco_common::PRIORITY_DEBUG) - { - falco_logger::log(falco_logger::level::WARNING, - "DEPRECATION NOTICE: 'syscall_event_drops' config is deprecated and will be removed in Falco 0.38! If you rely on this config, use 'metrics.output_rule' along with 'metrics.kernel_event_counters_enabled' to monitor the number of drops. Note that the 'syscall_event_drops' config is enabled by default when the 'priority' is set to 'debug'. You can turn it off by setting the 'priority' to any higher level\n"); - } - // Please note: is not possible to mix command line options and configs to obtain a configuration // we need to use only one method. For example, is not possible to set the gvisor-config through // the command line and the gvisor-root through the config file. For this reason, if we detect From eac50732ce84c5f1dc1cf4252ddeda2980a6a592 Mon Sep 17 00:00:00 2001 From: Leonardo Grasso Date: Thu, 25 Jan 2024 12:22:08 +0100 Subject: [PATCH 6/6] update(cmake/modules): bump Falco rules to 3.0 Signed-off-by: Leonardo Grasso --- cmake/modules/rules.cmake | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cmake/modules/rules.cmake b/cmake/modules/rules.cmake index 9ed29b4f5ed..1d057f77d43 100644 --- a/cmake/modules/rules.cmake +++ b/cmake/modules/rules.cmake @@ -1,6 +1,6 @@ # SPDX-License-Identifier: Apache-2.0 # -# Copyright (C) 2023 The Falco Authors. +# Copyright (C) 2024 The Falco Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at 
@@ -16,7 +16,7 @@ include(GNUInstallDirs) include(ExternalProject) # falco_rules.yaml -set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-3.0.0-rc1") +set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-3.0.0") set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=2e91799fee49c2daf58fb482e47410a21433eb116e02cde18206f7af87449ddb") set(FALCOSECURITY_RULES_FALCO_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml") ExternalProject_Add(
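Review bot: `FALCOSECURITY_RULES_FALCO_VERSION` moves from `falco-rules-3.0.0-rc1` to `falco-rules-3.0.0`, but `FALCOSECURITY_RULES_FALCO_CHECKSUM` on the next line is an unchanged context line. The pinned SHA256 is therefore still the one recorded for the release candidate. Either the two artifacts are byte-identical, which the commit message should state, or the download will fail verification at build time. Please recompute the digest from the published 3.0.0 artifact and record how it was obtained, for example with a comment like `# SHA256 of the falco-rules-3.0.0 release archive, verified against the release page`. The `ExternalProject_Add(` call that consumes these variables starts on the last line of the hunk and continues outside it.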