Compare commits


No commits in common. "master" and "0.15.0-rc1" have entirely different histories.

1373 changed files with 99917 additions and 138311 deletions


@ -1,36 +1,16 @@
---
Language: Cpp
BasedOnStyle: Google
AccessModifierOffset: -4
BreakBeforeBraces: Attach
AllowAllArgumentsOnNextLine: false
AllowAllConstructorInitializersOnNextLine: false
AllowAllParametersOfDeclarationOnNextLine: false
AllowShortFunctionsOnASingleLine: Inline
AllowShortIfStatementsOnASingleLine: Never
AllowShortLoopsOnASingleLine: false
BinPackArguments: false
BinPackParameters: false
ColumnLimit: 100
DerivePointerBinding: false
IndentCaseLabels: false
IndentWidth: 4
SpaceAfterTemplateKeyword: false
TabWidth: 4
UseTab: ForIndentation
BasedOnStyle: LLVM
AccessModifierOffset: -8
BreakBeforeBraces: Allman
BreakConstructorInitializers: AfterColon
ColumnLimit: 120
ConstructorInitializerIndentWidth: 8
ContinuationIndentWidth: 8
DerivePointerAlignment: true
SortIncludes: Never
IndentWidth: 8
SortIncludes: false
SpaceAfterTemplateKeyword: false
SpaceBeforeCtorInitializerColon: false
SpaceBeforeParens: Never
InsertNewlineAtEOF: true
---
Language: Proto
DisableFormat: true
---
Language: JavaScript
DisableFormat: true
---
Language: Java
DisableFormat: true
UseTab: Always


@ -1,16 +0,0 @@
# All vmlinux autogenerated headers are not formatted
driver/modern_bpf/definitions/aarch64/vmlinux.h
driver/modern_bpf/definitions/ppc64le/vmlinux.h
driver/modern_bpf/definitions/s390x/vmlinux.h
driver/modern_bpf/definitions/x86_64/vmlinux.h
# Autogenerated events dimensions file for modern probe is not formatted
driver/modern_bpf/definitions/events_dimensions.h
# All syscall_compat autogenerated headers are not formatted
driver/syscall_compat_aarch64.h
driver/syscall_compat_loongarch64.h
driver/syscall_compat_ppc64le.h
driver/syscall_compat_riscv64.h
driver/syscall_compat_s390x.h
driver/syscall_compat_x86_64.h
driver/syscall_ia32_64_map.c
driver/syscall_table.c


@ -1,16 +0,0 @@
Checks:
- clang-diagnostic-*
- clang-analyzer-*
- clang-analyzer-core.*
- clang-analyzer-cplusplus.*
- clang-analyzer-nullability.*
- clang-analyzer-unix.*
- performance-*
- bugprone-use-after-move
- bugprone-move-forwarding-reference
- cppcoreguidelines-rvalue-reference-param-not-moved
- misc-unused-parameters
WarningsAsErrors: 'bugprone-use-after-move'
# UseColor true causes sarif conversion and reviewdog fail
UseColor: false
ExtraArgsBefore: ['-Wno-unknown-warning-option']


@ -1,254 +0,0 @@
{
"_help_format": "Options affecting formatting.",
"format": {
"_help_disable": [
"Disable formatting entirely, making cmake-format a no-op"
],
"disable": false,
"_help_line_width": [
"How wide to allow formatted cmake files"
],
"line_width": 100,
"_help_tab_size": [
"How many spaces to tab for indent"
],
"tab_size": 4,
"_help_use_tabchars": [
"If true, lines are indented using tab characters (utf-8",
"0x09) instead of <tab_size> space characters (utf-8 0x20).",
"In cases where the layout would require a fractional tab",
"character, the behavior of the fractional indentation is",
"governed by <fractional_tab_policy>"
],
"use_tabchars": true,
"_help_fractional_tab_policy": [
"If <use_tabchars> is True, then the value of this variable",
"indicates how fractional indentions are handled during",
"whitespace replacement. If set to 'use-space', fractional",
"indentation is left as spaces (utf-8 0x20). If set to",
"`round-up` fractional indentation is replaced with a single",
"tab character (utf-8 0x09) effectively shifting the column",
"to the next tabstop"
],
"fractional_tab_policy": "use-space",
"_help_max_subgroups_hwrap": [
"If an argument group contains more than this many sub-groups",
"(parg or kwarg groups) then force it to a vertical layout."
],
"max_subgroups_hwrap": 2,
"_help_max_pargs_hwrap": [
"If a positional argument group contains more than this many",
"arguments, then force it to a vertical layout."
],
"max_pargs_hwrap": 6,
"_help_max_rows_cmdline": [
"If a cmdline positional group consumes more than this many",
"lines without nesting, then invalidate the layout (and nest)"
],
"max_rows_cmdline": 2,
"_help_separate_ctrl_name_with_space": [
"If true, separate flow control names from their parentheses",
"with a space"
],
"separate_ctrl_name_with_space": false,
"_help_separate_fn_name_with_space": [
"If true, separate function names from parentheses with a",
"space"
],
"separate_fn_name_with_space": false,
"_help_dangle_parens": [
"If a statement is wrapped to more than one line, than dangle",
"the closing parenthesis on its own line."
],
"dangle_parens": true,
"_help_dangle_align": [
"If the trailing parenthesis must be 'dangled' on its on",
"line, then align it to this reference: `prefix`: the start",
"of the statement, `prefix-indent`: the start of the",
"statement, plus one indentation level, `child`: align to",
"the column of the arguments"
],
"dangle_align": "prefix",
"_help_min_prefix_chars": [
"If the statement spelling length (including space and",
"parenthesis) is smaller than this amount, then force reject",
"nested layouts."
],
"min_prefix_chars": 4,
"_help_max_prefix_chars": [
"If the statement spelling length (including space and",
"parenthesis) is larger than the tab width by more than this",
"amount, then force reject un-nested layouts."
],
"max_prefix_chars": 10,
"_help_max_lines_hwrap": [
"If a candidate layout is wrapped horizontally but it exceeds",
"this many lines, then reject the layout."
],
"max_lines_hwrap": 2,
"_help_line_ending": [
"What style line endings to use in the output."
],
"line_ending": "unix",
"_help_command_case": [
"Format command names consistently as 'lower' or 'upper' case"
],
"command_case": "canonical",
"_help_keyword_case": [
"Format keywords consistently as 'lower' or 'upper' case"
],
"keyword_case": "unchanged",
"_help_always_wrap": [
"A list of command names which should always be wrapped"
],
"always_wrap": [],
"_help_enable_sort": [
"If true, the argument lists which are known to be sortable",
"will be sorted lexicographicall"
],
"enable_sort": true,
"_help_autosort": [
"If true, the parsers may infer whether or not an argument",
"list is sortable (without annotation)."
],
"autosort": false,
"_help_require_valid_layout": [
"By default, if cmake-format cannot successfully fit",
"everything into the desired linewidth it will apply the",
"last, most agressive attempt that it made. If this flag is",
"True, however, cmake-format will print error, exit with non-",
"zero status code, and write-out nothing"
],
"require_valid_layout": false,
"_help_layout_passes": [
"A dictionary mapping layout nodes to a list of wrap",
"decisions. See the documentation for more information."
],
"layout_passes": {}
},
"_help_markup": "Options affecting comment reflow and formatting.",
"markup": {
"_help_bullet_char": [
"What character to use for bulleted lists"
],
"bullet_char": "*",
"_help_enum_char": [
"What character to use as punctuation after numerals in an",
"enumerated list"
],
"enum_char": ".",
"_help_first_comment_is_literal": [
"If comment markup is enabled, don't reflow the first comment",
"block in each listfile. Use this to preserve formatting of",
"your copyright/license statements."
],
"first_comment_is_literal": false,
"_help_literal_comment_pattern": [
"If comment markup is enabled, don't reflow any comment block",
"which matches this (regex) pattern. Default is `None`",
"(disabled)."
],
"literal_comment_pattern": null,
"_help_fence_pattern": [
"Regular expression to match preformat fences in comments",
"default= ``r'^\\s*([`~]{3}[`~]*)(.*)$'``"
],
"fence_pattern": "^\\s*([`~]{3}[`~]*)(.*)$",
"_help_ruler_pattern": [
"Regular expression to match rulers in comments default=",
"``r'^\\s*[^\\w\\s]{3}.*[^\\w\\s]{3}$'``"
],
"ruler_pattern": "^\\s*[^\\w\\s]{3}.*[^\\w\\s]{3}$",
"_help_explicit_trailing_pattern": [
"If a comment line matches starts with this pattern then it",
"is explicitly a trailing comment for the preceeding",
"argument. Default is '#<'"
],
"explicit_trailing_pattern": "#<",
"_help_hashruler_min_length": [
"If a comment line starts with at least this many consecutive",
"hash characters, then don't lstrip() them off. This allows",
"for lazy hash rulers where the first hash char is not",
"separated by space"
],
"hashruler_min_length": 10,
"_help_canonicalize_hashrulers": [
"If true, then insert a space between the first hash char and",
"remaining hash chars in a hash ruler, and normalize its",
"length to fill the column"
],
"canonicalize_hashrulers": true,
"_help_enable_markup": [
"enable comment markup parsing and reflow"
],
"enable_markup": true
},
"_help_lint": "Options affecting the linter",
"lint": {
"_help_disabled_codes": [
"a list of lint codes to disable"
],
"disabled_codes": [],
"_help_function_pattern": [
"regular expression pattern describing valid function names"
],
"function_pattern": "[0-9a-z_]+",
"_help_macro_pattern": [
"regular expression pattern describing valid macro names"
],
"macro_pattern": "[0-9A-Z_]+",
"_help_global_var_pattern": [
"regular expression pattern describing valid names for",
"variables with global (cache) scope"
],
"global_var_pattern": "[A-Z][0-9A-Z_]+",
"_help_internal_var_pattern": [
"regular expression pattern describing valid names for",
"variables with global scope (but internal semantic)"
],
"internal_var_pattern": "_[A-Z][0-9A-Z_]+",
"_help_local_var_pattern": [
"regular expression pattern describing valid names for",
"variables with local scope"
],
"local_var_pattern": "[a-z][a-z0-9_]+",
"_help_private_var_pattern": [
"regular expression pattern describing valid names for",
"privatedirectory variables"
],
"private_var_pattern": "_[0-9a-z_]+",
"_help_public_var_pattern": [
"regular expression pattern describing valid names for public",
"directory variables"
],
"public_var_pattern": "[A-Z][0-9A-Z_]+",
"_help_argument_var_pattern": [
"regular expression pattern describing valid names for",
"function/macro arguments and loop variables."
],
"argument_var_pattern": "[a-z][a-z0-9_]+",
"_help_keyword_pattern": [
"regular expression pattern describing valid names for",
"keywords used in functions or macros"
],
"keyword_pattern": "[A-Z][0-9A-Z_]+",
"_help_max_conditionals_custom_parser": [
"In the heuristic for C0201, how many conditionals to match",
"within a loop in before considering the loop a parser."
],
"max_conditionals_custom_parser": 2,
"_help_min_statement_spacing": [
"Require at least this many newlines between statements"
],
"min_statement_spacing": 1,
"_help_max_statement_spacing": [
"Require no more than this many newlines between statements"
],
"max_statement_spacing": 2,
"max_returns": 6,
"max_branches": 12,
"max_arguments": 5,
"max_localvars": 15,
"max_statements": 50
}
}


@ -1,16 +0,0 @@
# These commits altered the blame only to change types
89ec22f38ce06145a10d52fd9be2cb1b872bfd11
4dd9c8a2517dcda5aab0fc7a26197e74bf557fd6
9326b1dd23efd095908a723a1d94acbe91032cab
c8b971ecbff766003c736f01c0455e73dbd0efb3
a5730f7a18e2e81b270105c2f81cf6c6a0201feb
56b6e591cf8bf6849c27adfccc1557835daa1529
93240ff1106f54add1e620e861bdfe890cf99108
5c9b3cd3eb485ff8e4a3c364383f246d79146194
0736581e22da38f260e01b64a9c73a4d66c7c02a
2bea7ba762ed916eaf283066b20ad989b77276a6
# This commit formatted the libs code for the first time.
215db2d9de0cb15061873a2e3bea33f731a54cab
# This commit has completely rewritten the history of file `userspace/libscap/engine/savefile/scap_savefile.c`.
# https://github.com/falcosecurity/libs/commit/a6df8fc90e3be0209c5a5f9bb0443077cd5d0967
a6df8fc90e3be0209c5a5f9bb0443077cd5d0967


@ -20,8 +20,6 @@
> /kind failing-test
> /kind test
> /kind feature
<!--


@ -1,92 +0,0 @@
name: 'libs-perf'
description: 'Run multiple perf tests on libs.'
outputs:
perf_tests:
description: "Unit tests perf.data"
value: ${{ steps.store-outputs.outputs.perf_tests }}
perf_scap:
description: "Scap file perf.data"
value: ${{ steps.store-outputs.outputs.perf_scap }}
heaptrack_tests:
description: "Unit tests heaptrack data"
value: ${{ steps.store-outputs.outputs.heaptrack_tests }}
heaptrack_scap:
description: "Scap file heaptrack data"
value: ${{ steps.store-outputs.outputs.heaptrack_scap }}
gbench_json:
description: "Google benchmarks json data"
value: ${{ steps.store-outputs.outputs.gbench_json }}
runs:
using: "composite"
steps:
- name: Install deps ⛓️
shell: bash
run: |
sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-tools-common linux-tools-generic linux-tools-`uname -r` heaptrack coreutils util-linux
sudo .github/install-deps.sh
- name: Build
shell: bash
run: |
mkdir -p build
cd build && cmake -DUSE_BUNDLED_DEPS=False -DCMAKE_BUILD_TYPE=Debug -DENABLE_BENCHMARKS=True ../
make unit-test-libsinsp -j4
make bench -j4
make sinsp-example -j4
- name: Download scap file
shell: bash
run: |
cd build
wget https://download.falco.org/fixtures/trace-files/traces-positive.zip
unzip traces-positive.zip
- name: Run - perf unit tests
shell: bash
run: |
cd build
sudo perf record --call-graph dwarf -o perf_tests.data -q libsinsp/test/unit-test-libsinsp
# First empty run to stabilize disk IO (scap file read) perf
- name: Run - load scap file
shell: bash
run: |
cd build
sudo ./libsinsp/examples/sinsp-example -s traces-positive/falco-event-generator.scap &> /dev/null
- name: Run - perf scap file
shell: bash
run: |
cd build
sudo perf record --call-graph dwarf -o perf_scap.data -q ./libsinsp/examples/sinsp-example -s traces-positive/falco-event-generator.scap
- name: Run - heaptrack unit tests
shell: bash
run: |
cd build
sudo heaptrack -o heaptrack_tests.data libsinsp/test/unit-test-libsinsp
- name: Run - heaptrack scap file
shell: bash
run: |
cd build
sudo heaptrack -o heaptrack_scap.data ./libsinsp/examples/sinsp-example -s traces-positive/falco-event-generator.scap
- name: Run - gbench
shell: bash
run: |
cd build
./benchmark/bench --benchmark_repetitions=20 --benchmark_report_aggregates_only --benchmark_out=gbench_data.json --benchmark_out_format=json
- name: Set Outputs
id: store-outputs
shell: bash
run: |
cd build
echo "perf_tests=$(realpath perf_tests.data)" >> $GITHUB_OUTPUT
echo "perf_scap=$(realpath perf_scap.data)" >> $GITHUB_OUTPUT
echo "heaptrack_tests=$(realpath heaptrack_tests.data.zst)" >> $GITHUB_OUTPUT
echo "heaptrack_scap=$(realpath heaptrack_scap.data.zst)" >> $GITHUB_OUTPUT
echo "gbench_json=$(realpath gbench_data.json)" >> $GITHUB_OUTPUT


@ -1,43 +0,0 @@
name: 'install-zig'
description: 'Install zig compiler and make it available in PATH.'
runs:
using: "composite"
steps:
- name: Store zig version as local output
shell: bash
id: store
env:
ZIG_VERSION: '0.14.1'
run: |
echo "zig_version=${ZIG_VERSION}" >> "$GITHUB_OUTPUT"
- name: Download zig
shell: bash
run: |
curl -L -o zig.tar.xz https://ziglang.org/download/${{ steps.store.outputs.zig_version }}/zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}.tar.xz
tar -xvf zig.tar.xz
cat > zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-cc <<EOF
#!/bin/bash
exec zig cc -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
EOF
chmod +x zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-cc
cat > zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-c++ <<EOF
#!/bin/bash
exec zig c++ -target $(uname -m)-linux-gnu.2.17 -mcpu=baseline "\$@"
EOF
chmod +x zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/zig-c++
mv zig-$(uname -m)-linux-${{ steps.store.outputs.zig_version }}/ zig
- name: Setup zig
shell: bash
id: zig
run: |
echo "$(pwd)/zig" >> $GITHUB_PATH
echo "CC=zig-cc" >> $GITHUB_ENV
echo "CXX=zig-c++" >> $GITHUB_ENV
echo "AR=zig ar" >> $GITHUB_ENV
echo "RANLIB=zig ranlib" >> $GITHUB_ENV


@ -1,12 +0,0 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
groups:
actions:
update-types:
- "minor"
- "patch"


@ -66,8 +66,3 @@ popd
echo "=== Downloading uthash.h (1.9.8) ==="
wget -P "/usr/include" "https://raw.githubusercontent.com/troydhanson/uthash/v1.9.8/src/uthash.h"
# === BS_thread_pool ===
echo "=== Downloading BS_thread_pool.h (4.1.0) ==="
wget -P "/usr/include" "https://github.com/bshoshany/thread-pool/raw/v4.1.0/include/BS_thread_pool.hpp"
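Review bot: The uthash.h step that this hunk keeps installs a file fetched from raw.githubusercontent.com straight into /usr/include with no integrity check, so whatever the `v1.9.8` ref resolves to at build time is compiled into every target that includes the header. Download to a temporary path, verify it with `echo "<EXPECTED_SHA256>  uthash.h" | sha256sum -c -`, and only then copy it into /usr/include; `<EXPECTED_SHA256>` is a placeholder for the digest of the reviewed file. This hunk appears to belong to the `.github/install-deps.sh` script that the workflows on this page run with `sudo`, which raises the cost of a tampered download. The rest of the script lies outside the hunk, so earlier downloads may need the same check.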


@ -16,40 +16,32 @@ concurrency:
jobs:
build-libs-linux:
name: build-libs-linux-${{ matrix.arch }} 😁 (${{ matrix.name }})
runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
runs-on: ${{ (matrix.arch == 'arm64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
strategy:
fail-fast: false
matrix:
arch: [amd64, arm64]
name: [system_deps, bundled_deps, sanitizers, zig]
name: [system_deps, bundled_deps, system_deps_w_chisels, system_deps_minimal, sanitizers]
include:
- name: system_deps
cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=False
- name: bundled_deps
cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=True
- name: system_deps_w_chisels
cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=False -DWITH_CHISEL=True
- name: system_deps_minimal
cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True
- name: sanitizers
cmake_opts: -DUSE_ASAN=On -DUSE_UBSAN=On -DUSE_BUNDLED_DEPS=False
- name: zig
cmake_opts: -DUSE_BUNDLED_DEPS=True
container:
image: debian:buster
steps:
- name: Install deps ⛓️
run: |
# Use 20250630T203427Z debian apt snapshot as it still contains support for buster.
printf "deb http://snapshot.debian.org/archive/debian/20250630T203427Z buster main\ndeb http://snapshot.debian.org/archive/debian-security/20250630T203427Z buster/updates main\ndeb http://snapshot.debian.org/archive/debian/20250630T203427Z buster-updates main" > /etc/apt/sources.list
apt update && apt install -y --no-install-recommends curl ca-certificates build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-${{ matrix.arch }}
- name: Install a recent version of CMake ⛓️
run: |
curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz
gzip -d /tmp/cmake.tar.gz
tar -xpf /tmp/cmake.tar --directory=/tmp
cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr
rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)/
apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev liblua5.2-dev linux-headers-${{ matrix.arch }}
- name: Checkout Libs ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
@ -61,39 +53,15 @@ jobs:
run: |
git config --global --add safe.directory $GITHUB_WORKSPACE
- name: Install zig
if: matrix.name == 'zig'
uses: ./.github/actions/install-zig
- name: Build and test 🏗️🧪
env:
UBSAN_OPTIONS: print_stacktrace=1
run: |
mkdir -p build
cd build && cmake ${{ matrix.cmake_opts }} -DENABLE_THREAD_POOL=ON ../
cd build && cmake ${{ matrix.cmake_opts }} ../
KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
make run-unit-tests
- name: Test sinsp-example and .scap files
run: |
cd build && make sinsp-example
libsinsp/examples/sinsp-example -s ../test/libsinsp_e2e/resources/captures/curl_google.scap | grep --extended-regexp --invert-match '^(Time spent|Events/ms): ' > /tmp/curl_google.txt
libsinsp/examples/sinsp-example -s ../test/libsinsp_e2e/resources/captures/curl_google_comments.scap | grep --extended-regexp --invert-match '^(Time spent|Events/ms): ' > /tmp/curl_google_comments.txt
diff -u /tmp/curl_google.txt /tmp/curl_google_comments.txt
# On zig, build also sinsp-example and check the glibc linked versions
# to make sure we are actually using the correct glibc version.
- name: Test zig build glibc version
if: matrix.name == 'zig'
run: |
cd build
objdump -T libsinsp/test/unit-test-libsinsp | grep -Eo 'GLIBC_\S+' | sort -u -t "." -k1,1n -k2,2n -k3,3n
linked_glibc=$(objdump -T libsinsp/test/unit-test-libsinsp | grep -Eo 'GLIBC_\S+' | sort -u -t "." -k1,1n -k2,2n -k3,3n | tail -n1 | tr -d ')')
if [ "$linked_glibc" != "GLIBC_2.17" ]; then
echo "Expected glibc 2.17; found $linked_glibc"
exit 1
fi
build-libs-linux-amd64-static:
name: build-libs-linux-amd64-static 🎃
runs-on: ubuntu-latest
@ -102,14 +70,10 @@ jobs:
steps:
- name: Install deps ⛓️
run: |
apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils clang llvm
git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
cd bpftool
git submodule update --init
cd src && make install
apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
- name: Checkout Libs ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@v3
with:
fetch-depth: 0
@ -120,28 +84,32 @@ jobs:
- name: Build and test 🏗️🧪
run: |
mkdir -p build
cd build && cmake -DBUILD_BPF=On -DBUILD_DRIVER=Off -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DUSE_SHARED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DENABLE_THREAD_POOL=ON ../
cd build && cmake -DBUILD_BPF=On -DBUILD_DRIVER=Off -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DUSE_SHARED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On ../
make run-unit-tests -j4
build-shared-libs-linux-amd64:
name: build-shared-libs-linux-amd64 🧐
runs-on: ubuntu-22.04
runs-on: ubuntu-latest
steps:
- name: Checkout Libs ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Git safe directory
run: |
git config --global --add safe.directory $GITHUB_WORKSPACE
- name: Install deps ⛓️
run: |
sudo apt update
sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libre2-dev libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-$(uname -r)
sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libre2-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev liblua5.2-dev linux-headers-$(uname -r)
sudo .github/install-deps.sh
- name: Build and test 🏗️🧪
run: |
mkdir -p build
cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DCMAKE_INSTALL_PREFIX=/tmp/libs-test -DENABLE_THREAD_POOL=ON ../
cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ../
make -j4
make run-unit-tests
@ -154,7 +122,7 @@ jobs:
run: |
cd userspace/libsinsp/examples
export PKG_CONFIG_PATH=/tmp/libs-test/lib/pkgconfig
g++ -o sinsp-example *.cpp $(pkg-config --cflags --libs libsinsp)
g++ -o sinsp-example test.cpp util.cpp $(pkg-config --cflags --libs libsinsp)
- name: Test sinsp-example runtime linker
run: |
@ -174,22 +142,24 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Checkout Libs ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Build and test 🏗️🧪
run: |
mkdir -p build
cd build && cmake -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=${{ matrix.crt }} -DCREATE_TEST_TARGETS=ON -DENABLE_THREAD_POOL=ON ..
cmake --build . --config Release --parallel 4 && make run-unit-tests || libsinsp\test\Release\unit-test-libsinsp.exe
cd build && cmake -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=${{ matrix.crt }} -DCREATE_TEST_TARGETS=ON -DMINIMAL_BUILD=ON -DWITH_CHISEL=ON ..
cmake --build . --config Release && make run-unit-tests || libsinsp\test\Release\unit-test-libsinsp.exe
build-shared-libs-macos-amd64:
name: build-shared-libs-macos-amd64 😨
strategy:
fail-fast: false
runs-on: macos-latest
steps:
- name: Checkout Libs ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
@ -200,8 +170,8 @@ jobs:
- name: Build 🏗️
run: |
mkdir -p build
cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DUSE_BUNDLED_VALIJSON=ON -DUSE_BUNDLED_BS_THREADPOOL=ON -DENABLE_THREAD_POOL=ON -DCMAKE_BUILD_TYPE=Release -DCREATE_TEST_TARGETS=OFF -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ..
cmake --build . --config Release --parallel $(getconf _NPROCESSORS_ONLN)
cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DUSE_BUNDLED_VALIJSON=ON -DCMAKE_BUILD_TYPE=Release -DCREATE_TEST_TARGETS=OFF -DMINIMAL_BUILD=ON -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ..
cmake --build . --config Release
- name: Install
run: |
@ -226,7 +196,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout Libs ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
@ -258,15 +228,93 @@ jobs:
diff -u expected_ldd_out.txt ldd_out.txt
run-e2e-tests-amd64:
uses: ./.github/workflows/reusable_e2e_tests.yaml
with:
libsversion: ${{ github.sha }}
secrets: inherit
name: run-e2e-tests-amd64
strategy:
fail-fast: false
matrix:
name: [system_deps, bundled_deps, system_deps_w_chisels, asan]
include:
- name: system_deps
cmake_opts: -DUSE_BUNDLED_DEPS=False
- name: bundled_deps
cmake_opts: -DUSE_BUNDLED_DEPS=True
- name: system_deps_w_chisels
cmake_opts: -DUSE_BUNDLED_DEPS=False -DWITH_CHISEL=True
- name: asan
cmake_opts: -DUSE_BUNDLED_DEPS=True -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address
runs-on: ubuntu-22.04
steps:
- name: Install deps ⛓️
run: |
sudo apt-get update && sudo apt-get install -y --no-install-recommends \
ca-certificates \
cmake \
build-essential \
clang-14 llvm-14 \
git \
clang \
llvm \
pkg-config \
autoconf \
automake \
libtool \
libelf-dev \
wget \
libc-ares-dev \
libbpf-dev \
libcap-dev \
libcurl4-openssl-dev \
libssl-dev \
libtbb-dev \
libjq-dev \
libjsoncpp-dev \
libgrpc++-dev \
protobuf-compiler-grpc \
libgtest-dev \
libprotobuf-dev \
liblua5.2-dev \
"linux-headers-$(uname -r)"
sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
- name: Checkout Libs ⤵️
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Install deps ⛓️
run: |
sudo .github/install-deps.sh
- name: Git safe directory
run: |
git config --global --add safe.directory $GITHUB_WORKSPACE
- name: Build and test 🏗️🧪
run: |
mkdir -p build && cd build
cmake -DBUILD_BPF=ON \
-DBUILD_LIBSCAP_MODERN_BPF=ON \
-DBUILD_LIBSCAP_GVISOR=OFF \
${{ matrix.cmake_opts }} \
-DUSE_BUNDLED_LIBBPF=ON \
..
make -j$(nproc) sinsp-example driver bpf
sudo make e2e-install-deps
sudo ../test/e2e/scripts/run_tests.sh
- name: Archive test reports
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
if: failure()
with:
name: ${{ matrix.name }}_report
path: |
${{ github.workspace }}/build/report/
build-libs-emscripten:
name: build-libs-emscripten 🧐
runs-on: ubuntu-22.04
runs-on: ubuntu-latest
steps:
- name: Install deps ⛓️
run: |
@ -274,10 +322,14 @@ jobs:
sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev linux-headers-$(uname -r) emscripten
- name: Checkout Libs ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Git safe directory
run: |
git config --global --add safe.directory $GITHUB_WORKSPACE
- name: Build and test 🏗️🧪
run: |
mkdir -p build
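Review bot: In the build-libs-linux-amd64-static job the checkout step ends up as `uses: actions/checkout@v3`, a mutable tag, while the other checkout steps on the new side of this file are pinned to a commit SHA (`actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`). The +/- markers are lost in this rendering, so the side is inferred from the old-then-new order of the other checkout pairs. Pin this step to the same SHA so that a retagged release cannot change what runs in the job and the file stays consistent. The same section also moves several jobs from `ubuntu-22.04` to `ubuntu-latest`, which lets the toolchain drift with the runner image; if that is intended, a short comment such as `# ubuntu-latest on purpose: track the current runner image` would record it.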


@ -1,87 +0,0 @@
# NOTE: This has read-write repo token and access to secrets, so this must
# not run any untrusted code.
# see: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
name: Comment with Kernel testing results on pull requests
on:
workflow_run:
workflows: ["Drivers CI Build"]
types:
- completed
jobs:
upload:
runs-on: ubuntu-latest
if: github.event.workflow_run.event == 'pull_request'
steps:
- name: 'Download artifact'
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: ${{github.event.workflow_run.id }},
});
var matchArtifacts = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "pr-kernel-testing"
});
if (!Array.isArray(matchArtifacts) || !matchArtifacts.length) {
var process = require('process');
process.exit();
}
var matchArtifact = matchArtifacts[0];
var download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
var fs = require('fs');
fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
- name: 'Unpack artifact'
run: |
if [ -f pr.zip ]; then
unzip pr.zip
fi
- name: 'Comment on PR'
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
# Taken from https://github.com/actions/github-script/blob/main/.github/workflows/pull-request-test.yml
script: |
var fs = require('fs');
if (!fs.existsSync('./NR')) {
var process = require('process');
process.exit();
}
var issue_number = Number(fs.readFileSync('./NR'));
var comment_body = fs.readFileSync('./COMMENT');
// Get the existing comments.
const {data: comments} = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: issue_number,
});
// Find any comment already made by the bot.
const botComment = comments.find(comment => comment.user.id === 41898282 && comment.body.includes('# X64 kernel testing matrix'));
if (botComment) {
await github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: comment_body.toString('utf8')
});
} else {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: issue_number,
body: comment_body.toString('utf8')
});
}


@ -1,87 +0,0 @@
# NOTE: This has read-write repo token and access to secrets, so this must
# not run any untrusted code.
# see: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
name: Comment with Perf diff on pull requests
on:
workflow_run:
workflows: ["Perf CI"]
types:
- completed
jobs:
upload:
runs-on: ubuntu-latest
if: github.event.workflow_run.event == 'pull_request'
steps:
- name: 'Download artifact'
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: ${{github.event.workflow_run.id }},
});
var matchArtifacts = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "pr-perf"
});
if (!Array.isArray(matchArtifacts) || !matchArtifacts.length) {
var process = require('process');
process.exit();
}
var matchArtifact = matchArtifacts[0];
var download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
var fs = require('fs');
fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
- name: 'Unpack artifact'
run: |
if [ -f pr.zip ]; then
unzip pr.zip
fi
- name: 'Comment on PR'
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
# Taken from https://github.com/actions/github-script/blob/main/.github/workflows/pull-request-test.yml
script: |
var fs = require('fs');
if (!fs.existsSync('./NR')) {
var process = require('process');
process.exit();
}
var issue_number = Number(fs.readFileSync('./NR'));
var comment_body = fs.readFileSync('./COMMENT');
// Get the existing comments.
const {data: comments} = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: issue_number,
});
// Find any comment already made by the bot.
const botComment = comments.find(comment => comment.user.id === 41898282 && comment.body.includes('# Perf diff from master'));
if (botComment) {
await github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: comment_body.toString('utf8')
});
} else {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: issue_number,
body: comment_body.toString('utf8')
});
}


@ -6,12 +6,8 @@ name: Driver API_VERSION checks
on:
pull_request_target:
paths:
- 'userspace/libscap/engine/bpf/**'
- 'userspace/libscap/engine/modern_bpf/**'
- 'userspace/libscap/engine/kmod/**'
- 'driver/ppm_events_public.h'
- 'driver/bpf/maps.h'
- 'driver/modern_bpf/maps/maps.h'
- 'driver/ppm_fillers.c'
- 'driver/bpf/fillers.h'
jobs:
paths-filter:
@ -19,8 +15,8 @@ jobs:
outputs:
driver_api_changed: ${{ steps.filter.outputs.driver_api }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter
with:
filters: |
@ -35,7 +31,7 @@ jobs:
if: needs.paths-filter.outputs.driver_api_changed == 'false'
steps:
- name: Check driver API_VERSION
uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
uses: mshick/add-pr-comment@7c0890544fb33b0bdd2e59467fbacb62e028a096 # v2.8.1
with:
message: |
Please double check **driver/API_VERSION** file. See [versioning](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md#api-version-number).


@ -6,8 +6,6 @@ name: Driver SCHEMA_VERSION checks
on:
pull_request_target:
paths:
- 'driver/ppm_fillers.c'
- 'driver/bpf/fillers.h'
- 'driver/event_table.c'
- 'driver/ppm_events_public.h'
- 'driver/event_stats.h'
@ -19,8 +17,8 @@ jobs:
outputs:
driver_schema_changed: ${{ steps.filter.outputs.driver_schema }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter
with:
filters: |
@ -34,14 +32,14 @@ jobs:
needs: paths-filter
if: needs.paths-filter.outputs.driver_schema_changed == 'false'
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Check driver SCHEMA_VERSION
uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
uses: mshick/add-pr-comment@7c0890544fb33b0bdd2e59467fbacb62e028a096 # v2.8.1
with:
message: |
Please double check **driver/SCHEMA_VERSION** file. See [versioning](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md#schema-version-number).
/hold
- name: Trigger failure


@ -37,7 +37,7 @@ jobs:
- name: Test drivers build on ${{ matrix.name }}
run: |
driverkit docker --kernelrelease ${{ matrix.kernelrelease }} --target ${{ matrix.target }} --output-module /tmp/libs.ko --output-probe /tmp/libs.o --driverversion $GITHUB_SHA --loglevel debug --kernelurls ${{ matrix.kernelurls }}
build-drivers-arm64:
strategy:
matrix:
@ -55,7 +55,7 @@ jobs:
kernelrelease: 6.4.1-1.el9.elrepo.aarch64
target: centos
kernelurls: https://download.falco.org/fixtures/libs/kernel-ml-devel-6.4.1-1.el9.elrepo.aarch64.rpm
runs-on: ubuntu-24.04-arm
runs-on: ubuntu-latest
container:
image: falcosecurity/driverkit:latest
steps:


@ -20,12 +20,10 @@ jobs:
paths-filter:
runs-on: ubuntu-latest
outputs:
driver: ${{ steps.filter.outputs.driver }}
libscap: ${{ steps.filter.outputs.libscap }}
libpman: ${{ steps.filter.outputs.libpman }}
driver_needs_rebuild: ${{ steps.filter.outputs.driver == 'true' }} || ${{ steps.filter.outputs.libscap == 'true' }} || ${{ steps.filter.outputs.libpman == 'true' }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter
with:
filters: |
@ -39,7 +37,7 @@ jobs:
# This job run all engine tests and scap-open
test-scap:
name: test-scap-${{ matrix.arch }} 😆 (bundled_deps)
runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-24.04-arm') || 'ubuntu-24.04' }}
runs-on: ${{ (matrix.arch == 'arm64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
needs: paths-filter
strategy:
matrix:
@ -48,48 +46,60 @@ jobs:
- arch: amd64
enable_gvisor: True
- arch: amd64
enable_gvisor: False
fail-fast: false
enable_gvisor: False
fail-fast: false
steps:
- name: Checkout Libs ⤵️
# We need to skip each step because of https://github.com/orgs/community/discussions/9141.
# This avoids having a skipped job whose name is not the resolved matrix name, like "test-scap-${{ matrix.arch }} 😆 (bundled_deps)"
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
if: needs.paths-filter.outputs.driver_needs_rebuild
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Install deps ⛓️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
if: needs.paths-filter.outputs.driver_needs_rebuild
run: |
sudo apt update
sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev libcap-dev linux-headers-$(uname -r)
sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev
sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
cd bpftool
git submodule update --init
cd src && sudo make install
- name: Install kernel headers (actuated)
uses: self-actuated/get-kernel-sources@master
if: (needs.paths-filter.outputs.driver_needs_rebuild) && matrix.arch == 'arm64'
- name: Install kernel headers
if: (needs.paths-filter.outputs.driver_needs_rebuild) && matrix.arch == 'amd64'
run: |
sudo apt install -y --no-install-recommends linux-headers-$(uname -r)
- name: Build scap-open and drivers 🏗️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
if: needs.paths-filter.outputs.driver_needs_rebuild
run: |
mkdir -p build
cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=${{ matrix.enable_gvisor }} -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On -DUSE_ASAN=On -DUSE_UBSAN=On ../
cd build && cmake -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=${{ matrix.enable_gvisor }} -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On ../
make scap-open driver bpf libscap_test -j6
- name: Run scap-open with modern bpf 🏎️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
if: needs.paths-filter.outputs.driver_needs_rebuild
run: |
cd build
sudo ./libscap/examples/01-open/scap-open --modern_bpf --num_events 10
- name: Run scap-open with bpf 🏎️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
if: needs.paths-filter.outputs.driver_needs_rebuild
run: |
cd build
sudo ./libscap/examples/01-open/scap-open --bpf ./driver/bpf/probe.o --num_events 10
- name: Run scap-open with kmod 🏎️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
if: needs.paths-filter.outputs.driver_needs_rebuild
run: |
cd build
sudo insmod ./driver/scap.ko
@ -97,21 +107,14 @@ jobs:
sudo rmmod scap
- name: Run libscap_test 🏎️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
if: needs.paths-filter.outputs.driver_needs_rebuild
run: |
cd build
sudo ./test/libscap/libscap_test
- name: Validate scap-open with modern bpf
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
uses: Andreagit97/bpfvalidator@v0.3.0
with:
args: |
--config=$GITHUB_WORKSPACE/driver/modern_bpf/bpfvalidator_config.yaml --cmd="$GITHUB_WORKSPACE/build/libscap/examples/01-open/scap-open --modern_bpf --num_events 10"
test-drivers:
name: test-drivers-${{ matrix.arch }} 😇 (bundled_deps)
runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
runs-on: ${{ (matrix.arch == 'arm64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
needs: paths-filter
strategy:
matrix:
@ -119,133 +122,107 @@ jobs:
fail-fast: false
steps:
- name: Checkout Libs ⤵️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
if: needs.paths-filter.outputs.driver_needs_rebuild
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Install deps ⛓️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
if: needs.paths-filter.outputs.driver_needs_rebuild
run: |
sudo apt update
sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git pkg-config autoconf automake libelf-dev libcap-dev clang llvm libtool linux-headers-$(uname -r)
sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git pkg-config autoconf automake libelf-dev libcap-dev clang-14 llvm-14 libtool
sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
cd bpftool
git submodule update --init
cd src && sudo make install
- name: Install multilib compilers for ia32 tests
if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'amd64'
- name: Install kernel headers (actuated)
uses: self-actuated/get-kernel-sources@master
if: (needs.paths-filter.outputs.driver_needs_rebuild) && matrix.arch == 'arm64'
- name: Install kernel headers and gcc
if: (needs.paths-filter.outputs.driver_needs_rebuild) && matrix.arch == 'amd64'
run: |
sudo apt install -y --no-install-recommends gcc-multilib g++-multilib
sudo apt install -y --no-install-recommends linux-headers-$(uname -r) gcc-multilib g++-multilib
- name: Build drivers tests 🏗️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
if: needs.paths-filter.outputs.driver_needs_rebuild
run: |
mkdir -p build
cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF ../
cd build && cmake -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF ../
make drivers_test driver bpf -j6
- name: Run drivers_test with modern bpf 🏎️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
if: needs.paths-filter.outputs.driver_needs_rebuild
run: |
cd build
sudo ./test/drivers/drivers_test -m
- name: Run drivers_test with bpf 🏎️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
if: needs.paths-filter.outputs.driver_needs_rebuild
run: |
cd build
sudo ./test/drivers/drivers_test -b
- name: Run drivers_test with kmod 🏎️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
if: needs.paths-filter.outputs.driver_needs_rebuild
run: |
cd build
sudo ./test/drivers/drivers_test -k
test-drivers-ppc64le:
name: test-drivers-ppc64le 😁 (system_deps,custom node)
runs-on: ubuntu-22.04
# Avoid running on forks since this job uses a private secret
# not available on forks, leading to failures.
if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'falcosecurity/libs'
needs: paths-filter
steps:
- name: Extract branch name
run: echo "GIT_BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_ENV
- name: Build and test drivers on ppc64le node via ssh
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
uses: appleboy/ssh-action@2ead5e36573f08b82fbfce1504f1a4b05a647c6f # v1.2.2
with:
host: ${{ secrets.PPC64LE_HOST }}
username: ${{ secrets.PPC64LE_USERNAME }}
key: ${{ secrets.PPC64LE_KEY }}
port: ${{ secrets.PPC64LE_PORT }}
envs: GIT_BRANCH,GITHUB_REPOSITORY,GITHUB_SERVER_URL
command_timeout: 60m
script: |
sudo dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
# Remove, if present, any libs clone created by a previous job run.
rm -rf libs
git clone -b $GIT_BRANCH $GITHUB_SERVER_URL/$GITHUB_REPOSITORY.git libs
cd libs
mkdir -p build
cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF -DUSE_BUNDLED_LIBELF=OFF ../
make drivers_test driver bpf -j6
sudo ./test/drivers/drivers_test -m
rc_modern=$?
sudo ./test/drivers/drivers_test -b
rc_bpf=$?
sudo ./test/drivers/drivers_test -k
rc_kmod=$?
exit $(($rc_modern + $rc_bpf +$rc_kmod))
build-drivers-s390x:
name: build-drivers-s390x 😁 (system_deps)
build-drivers-s390x-ppc64le:
name: build-drivers-${{ matrix.arch }} 😁 (system_deps)
runs-on: ubuntu-22.04
needs: paths-filter
strategy:
matrix:
arch: [s390x, ppc64le]
fail-fast: false
env:
PLATFORM: ${{ matrix.arch == 'ppc64le' && 'powerpc64le' || 's390x' }}
steps:
- name: Checkout Libs ⤵️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
if: needs.paths-filter.outputs.driver_needs_rebuild
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1
name: Run s390x build 🏗️
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
- uses: uraimo/run-on-arch-action@4ed76f16f09d12e83abd8a49e1ac1e5bf08784d4 # v2.5.1
name: Run ${{ matrix.arch }} build 🏗️
if: needs.paths-filter.outputs.driver_needs_rebuild
with:
arch: s390x
arch: ${{ matrix.arch }}
distro: ubuntu22.04
githubToken: ${{ github.token }}
install: |
apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libtbb-dev libjq-dev libjsoncpp-dev libcap-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-generic
apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libcap-dev libgtest-dev libprotobuf-dev linux-headers-generic
git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
cd bpftool
git submodule update --init
cd src && make install
cd ../../
git clone https://github.com/libbpf/libbpf.git --branch v1.3.0 --single-branch
cd libbpf/src && BUILD_STATIC_ONLY=y DESTDIR=/ make install install_uapi_headers
ln -s /usr/lib64/libbpf.a /usr/lib/s390x-linux-gnu/
ln -s /usr/include/bpf /usr/include/s390x-linux-gnu/
cd libbpf/src && BUILD_STATIC_ONLY=y DESTDIR=/ make install
ln -s /usr/lib64/libbpf.a /usr/lib/${{env.PLATFORM}}-linux-gnu/
# Please note: we cannot inject the BPF probe inside QEMU, so right now, we only build it
run: |
git config --global --add safe.directory $GITHUB_WORKSPACE
.github/install-deps.sh
mkdir -p build
cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=OFF -DMODERN_PROBE_INCLUDE="-I/usr/include/s390x-linux-gnu" -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DENABLE_DRIVERS_TESTS=On -DCREATE_TEST_TARGETS=On -DBUILD_LIBSCAP_GVISOR=OFF ../
cd build && cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=OFF -DMODERN_PROBE_INCLUDE="-I/usr/include/${{env.PLATFORM}}-linux-gnu" -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DENABLE_DRIVERS_TESTS=On -DCREATE_TEST_TARGETS=On -DBUILD_LIBSCAP_GVISOR=OFF ../
KERNELDIR=/lib/modules/$(ls /lib/modules)/build make driver bpf drivers_test -j6
build-modern-bpf-skeleton:
needs: paths-filter
# See https://github.com/actions/runner/issues/409#issuecomment-1158849936
runs-on: 'ubuntu-latest'
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
container: fedora:41
runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
if: needs.paths-filter.outputs.driver_needs_rebuild
container: fedora:latest
steps:
# Always install deps before invoking checkout action, to properly perform a full clone.
- name: Install build dependencies
@ -253,7 +230,7 @@ jobs:
dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: Build modern BPF skeleton
run: |
@ -262,39 +239,49 @@ jobs:
make ProbeSkeleton -j6
- name: Upload skeleton
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: bpf_probe_x86_64.skel.h
name: bpf_probe_${{ inputs.arch }}.skel.h
path: skeleton-build/skel_dir/bpf_probe.skel.h
retention-days: 1
build-scap-open-w-extern-bpf-skeleton:
env:
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
needs: [paths-filter,build-modern-bpf-skeleton]
runs-on: 'ubuntu-latest'
if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
needs: [paths-filter,build-modern-bpf-skeleton]
# See https://github.com/actions/runner/issues/409#issuecomment-1158849936
runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
if: needs.paths-filter.outputs.driver_needs_rebuild
container: centos:7
steps:
# Always install deps before invoking checkout action, to properly perform a full clone.
- name: Install build dependencies
run: |
sudo apt update
sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev
sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
yum -y install centos-release-scl
yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
source /opt/rh/devtoolset-9/enable
yum install -y wget git make m4 rpm-build perl-IPC-Cmd
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Download skeleton
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: bpf_probe_x86_64.skel.h
name: bpf_probe_${{ inputs.arch }}.skel.h
path: /tmp
- name: Install updated cmake
run: |
curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz
gzip -d /tmp/cmake.tar.gz
tar -xpf /tmp/cmake.tar --directory=/tmp
cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr
rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)
- name: Prepare project
run: |
mkdir build && cd build
source /opt/rh/devtoolset-9/enable
cmake \
-DCMAKE_BUILD_TYPE=Release \
-DUSE_BUNDLED_DEPS=On \
@ -307,57 +294,5 @@ jobs:
- name: Build project
run: |
cd build
make scap-open -j6
# Only runs on pull request since on master branch it is already triggered by pages CI.
kernel-tests-dev:
needs: paths-filter
# Avoid running on forks since this job uses a private secret
# not available on forks, leading to failures.
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'falcosecurity/libs' && (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true')
uses: ./.github/workflows/reusable_kernel_tests.yaml
with:
# Use real branch's HEAD sha, not the merge commit
libsversion: ${{ github.event.pull_request.head.sha }}
secrets: inherit
kernel-tests-pr-info-upload:
needs: kernel-tests-dev
# Avoid running on forks since this job uses a private secret
# not available on forks, leading to failures.
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'falcosecurity/libs' && (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true')
runs-on: ubuntu-latest
steps:
- name: Download X64 matrix
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: matrix_X64
path: matrix_X64
- name: Download ARM64 matrix
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: matrix_ARM64
path: matrix_ARM64
- name: Save PR info
run: |
mkdir -p ./pr
echo ${{ github.event.number }} > ./pr/NR
touch ./pr/COMMENT
echo "# X64 kernel testing matrix" >> ./pr/COMMENT
echo "$(head -n $(grep -n -v -m1 '^|' matrix_X64/matrix.md | awk -F':' '{ print $1 }') matrix_X64/matrix.md)" >> ./pr/COMMENT
echo "" >> ./pr/COMMENT
echo "# ARM64 kernel testing matrix" >> ./pr/COMMENT
echo "$(head -n $(grep -n -v -m1 '^|' matrix_ARM64/matrix.md | awk -F':' '{ print $1 }') matrix_ARM64/matrix.md)" >> ./pr/COMMENT
echo Uploading PR info...
cat ./pr/COMMENT
echo ""
- name: Upload PR info as artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: pr-kernel-testing
path: pr/
retention-days: 1
if-no-files-found: warn
source /opt/rh/devtoolset-9/enable
make scap-open -j6
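Review bot: The `driver_needs_rebuild` output of the `paths-filter` job is built from three separate `${{ }}` expressions joined by a literal ` || `, so its value is text such as `false || false || false` rather than a boolean. Every `if: needs.paths-filter.outputs.driver_needs_rebuild` in this file (and the `(…driver_needs_rebuild) && matrix.arch == …` variants) therefore tests a non-empty string, which is always truthy, and the path filter never skips the build and test steps. Evaluate the disjunction inside a single expression, `driver_needs_rebuild: ${{ steps.filter.outputs.driver == 'true' || steps.filter.outputs.libscap == 'true' || steps.filter.outputs.libpman == 'true' }}`. The conditions should then compare explicitly, `if: needs.paths-filter.outputs.driver_needs_rebuild == 'true'`, because job outputs are strings and the string `false` is truthy as well.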


@ -1,10 +1,11 @@
name: libsinsp e2e CI
name: e2e CI
on:
pull_request:
push:
branches:
- master
- 'release/**'
- 'maintainers/**'
workflow_dispatch:
# Checks if any concurrent jobs under the same pull request or branch are being executed
@ -13,16 +14,17 @@ concurrency:
cancel-in-progress: true
jobs:
build-test-e2e:
name: build-test-e2e-${{ matrix.arch }} 😇 (bundled_deps)
runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
test-e2e:
name: test-e2e-${{ matrix.arch }} 😇 (bundled_deps)
runs-on: ${{ (matrix.arch == 'arm64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
strategy:
matrix:
arch: [amd64, arm64]
driver: [ {name: kmod, option: -k}, {name: bpf, option: -b}, {name: modern-bpf, option: -m} ]
fail-fast: false
steps:
- name: Checkout Libs ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
@ -32,10 +34,9 @@ jobs:
ca-certificates \
cmake \
build-essential \
clang \
llvm \
clang-14 llvm-14 \
git \
ccache \
clang \
llvm \
pkg-config \
autoconf \
@ -43,38 +44,42 @@ jobs:
libtool \
libelf-dev \
wget \
libc-ares-dev \
libbpf-dev \
libcap-dev \
libcurl4-openssl-dev \
libssl-dev \
libtbb-dev \
libjq-dev \
libjsoncpp-dev \
libgrpc++-dev \
protobuf-compiler-grpc \
libgtest-dev \
libprotobuf-dev \
protobuf-compiler \
linux-headers-$(uname -r)
liblua5.2-dev
sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
sudo .github/install-deps.sh
git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
cd bpftool
git submodule update --init
cd src && sudo make install
- name: Install multilib compilers for ia32 tests
- name: Install kernel headers (actuated)
uses: self-actuated/get-kernel-sources@master
if: matrix.arch == 'arm64'
- name: Install kernel headers and gcc
if: matrix.arch == 'amd64'
run: |
sudo apt install -y --no-install-recommends gcc-multilib g++-multilib
- name: Run sccache-cache
uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
sudo apt install -y --no-install-recommends linux-headers-$(uname -r) gcc-multilib g++-multilib
- name: Build e2e tests 🏗️
env:
SCCACHE_GHA_ENABLED: "true"
run: |
mkdir -p build
cd build && \
cmake \
-DCMAKE_C_COMPILER_LAUNCHER=sccache \
-DCMAKE_CXX_COMPILER_LAUNCHER=sccache \
-DBUILD_BPF=ON \
-DUSE_BUNDLED_DEPS=ON \
-DUSE_ASAN=ON \
@ -85,70 +90,7 @@ jobs:
-DUSE_BUNDLED_LIBBPF=ON \
-DUSE_BUNDLED_GTEST=ON \
..
make -j6 libsinsp_e2e_tests
sudo rm -vfr test/libsinsp_e2e/resources/_proc
cd ..
- name: Cache build
uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
if: always()
id: cache
with:
path: build
key: build-e2e-${{ matrix.arch }}-${{ github.run_id }}
test-e2e:
name: test-e2e-${{ matrix.arch }}-${{ matrix.driver.name }} 😇 (bundled_deps)
needs: [build-test-e2e]
runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
strategy:
matrix:
arch: [amd64, arm64]
driver: [ {name: kmod, option: -k}, {name: bpf, option: -b}, {name: modern-bpf, option: -m} ]
fail-fast: false
steps:
- name: Checkout Libs ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Restore build
id: cache
uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
with:
path: build
key: build-e2e-${{ matrix.arch }}-${{ github.run_id }}
restore-keys: build-e2e-
- name: Fix kernel mmap rnd bits
# Asan in llvm 14 provided in ubuntu 22.04 is incompatible with
# high-entropy ASLR in much newer kernels that GitHub runners are
# using leading to random crashes: https://reviews.llvm.org/D148280
run: sudo sysctl vm.mmap_rnd_bits=28
- name: Update apt index
run: |
sudo apt update
- name: Install multilib compilers for ia32 tests
if: matrix.arch == 'amd64'
run: |
sudo apt install -y --no-install-recommends gcc-multilib g++-multilib
- name: Install deps
run: |
sudo apt install -y --no-install-recommends clang gcc llvm build-essential cmake python3 quota linux-headers-$(uname -r)
# We have no guarantees that the kernel version is the same for the
# different workers, so we rebuild the drivers.
- name: Rebuild drivers
run: |
pushd build
make -B driver bpf
pushd test/libsinsp_e2e/resources/
sudo tar xzf fake-proc.tar.gz
popd
popd
make -j6
- name: Run e2e tests with ${{ matrix.driver.name }} 🏎️
if: matrix.arch == 'amd64'
@ -158,7 +100,7 @@ jobs:
cd build/test/libsinsp_e2e/
sudo -E ./libsinsp_e2e_tests ${{ matrix.driver.option }}
# the arm64 workers don't have the CONFIG_QFMT_V2 flag
# the actuated arm64 workers doesn't have the CONFIG_QFMT_V2 flag
# which is needed for the quotactl_ok test (cmd=QQUOTA_ON + id=QFMT_VFS_V0).
- name: Run e2e tests with ${{ matrix.driver.name }} 🏎️
if: matrix.arch == 'arm64'
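Review bot: The step `uses: self-actuated/get-kernel-sources@master` references a third-party action by a mutable branch, while the other actions visible in this workflow are pinned to a full commit SHA with a version comment. Whatever sits at the tip of that branch at run time executes on the runner with the job's token, so an upstream change reaches this job without review. Pin it the same way as the others, `uses: self-actuated/get-kernel-sources@<full-commit-sha> # <version>`. The same unpinned reference appears twice in the drivers workflow earlier on this page, in the `test-scap` and `test-drivers` jobs, and should get the same fix.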


@ -1,38 +0,0 @@
name: Format code
on:
pull_request:
push:
branches:
- master
- "release/**"
jobs:
format:
name: format code 🐲
runs-on: ubuntu-22.04
steps:
- name: Checkout repository 🎉
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Install deps ⛓️
run: |
sudo apt update -y
sudo apt install -y --no-install-recommends ca-certificates pip git
pip install pre-commit
- name: Run pre-commit ©️
run: |
pre-commit run --show-diff-on-failure --color=always --all-files
- name: Generate the git-diff 🚒
if: failure()
run: git diff > format_diff.patch
- name: Upload the git diff artifact 📦
if: failure()
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: format_diff.patch
path: ./format_diff.patch


@ -11,23 +11,26 @@ on:
- cron: '0 8 * * *' # every day at 8am
jobs:
compute-latest-version:
outputs:
latest_vers: ${{ steps.latest-version.outputs.latest_vers }}
runs-on: 'ubuntu-latest'
build-latest-kernel:
name: build-latest-kernel
runs-on: ubuntu-latest
container:
image: falcosecurity/driverkit:latest
steps:
- name: Checkout Archlinux mainline package ⤵️
run: |
apk update && apk add git
git clone https://aur.archlinux.org/linux-mainline.git linux/
- name: Generate driverkit config
id: latest-version
# Note: in case we are building latest mainline,
# we grep the linux-mainline aur PKGBUILD "_tag" line, that is made like: "_tag=v6.4-rc1"
# We then need to extract the part after the "=" and finally remove the starting "v".
run: |
run: |
cd linux/
echo "kernelversion: 1" > dk.yaml
echo "architecture: amd64" >> dk.yaml
echo "driverversion: ${{ github.sha }}" >> dk.yaml
echo "output:" >> dk.yaml
echo " module: mod.ko" >> dk.yaml
@ -42,80 +45,26 @@ jobs:
echo "target: arch" >> dk.yaml
fi
echo "latest_vers=$(grep kernelrelease dk.yaml | awk -F": " '{print $2}')" >> $GITHUB_OUTPUT
- name: Upload driverkit config
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: driverkit_config.yaml
path: linux/dk.yaml
build-latest-kernel-amd64:
needs: 'compute-latest-version'
outputs:
build: ${{ steps.build.outcome }}
runs-on: 'ubuntu-latest'
steps:
- name: Download driverkit config
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: driverkit_config.yaml
- name: Download latest driverkit artifact
uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
with:
fileName: driverkit_*_linux_amd64.tar.gz
latest: true
repository: falcosecurity/driverkit
tarBall: false
zipBall: false
extract: true
- name: Test drivers build
id: build
run: |
echo "Testing build of drivers against: ${{ needs.compute-latest-version.outputs.latest_vers }}"
chmod +x driverkit
./driverkit docker -c dk.yaml -l debug --timeout 300
build-latest-kernel-arm64:
needs: 'compute-latest-version'
outputs:
build: ${{ steps.build.outcome }}
runs-on: 'ubuntu-22.04-arm'
steps:
- name: Download driverkit config
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: driverkit_config.yaml
- name: Download latest driverkit artifact
uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
with:
fileName: driverkit_*_linux_arm64.tar.gz
latest: true
repository: falcosecurity/driverkit
tarBall: false
zipBall: false
extract: true
- name: Test drivers build
id: build
run: |
echo "Testing build of drivers against: ${{ needs.compute-latest-version.outputs.latest_vers }}"
chmod +x driverkit
./driverkit docker -c dk.yaml -l debug --timeout 300
badge-latest-kernel:
if: always() && github.event_name == 'schedule'
runs-on: 'ubuntu-latest'
needs: [compute-latest-version,build-latest-kernel-amd64,build-latest-kernel-arm64]
steps:
echo "Testing build of drivers against: ${{ steps.latest-version.outputs.latest_vers }}"
driverkit docker -c linux/dk.yaml -l debug
- name: Update README badge
uses: schneegans/dynamic-badges-action@e9a478b16159b4d31420099ba146cdc50f134483 # v1.7.0
if: always() && github.event_name == 'schedule'
with:
auth: ${{ secrets.FEDEDP_GIST_SECRET }}
gistID: 1cbc5d42edf8e3a02fb75e76625f1072
filename: kernel.json
label: Drivers build
message: ${{ needs.compute-latest-version.outputs.latest_vers }}
color: ${{ (needs.build-latest-kernel-amd64.outputs.build != 'success' || needs.build-latest-kernel-arm64.outputs.build != 'success') && 'red' || 'brightgreen' }}
message: ${{ steps.latest-version.outputs.latest_vers }}
color: ${{ steps.build.outcome != 'success' && 'red' || 'brightgreen' }}
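Review bot: The single `build-latest-kernel` job runs inside `image: falcosecurity/driverkit:latest`, a mutable tag, while every `uses:` in this file is pinned to a commit SHA. The `Update README badge` step reads `steps.build.outcome`, so it appears to live in that same job, which means `secrets.FEDEDP_GIST_SECRET` is handled inside a container whose contents can change without a reviewable diff. Pin the image by digest, `image: falcosecurity/driverkit:<tag>@sha256:<digest>` (placeholder values), or move the badge update into its own job on the bare runner so the secret never enters the container. The hunks do not show which lines are on which side, so confirm the job layout against the file.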


@ -2,7 +2,7 @@ name: Deploy Github Pages
on:
push:
branches: [master]
permissions:
contents: read
pages: write
@ -17,128 +17,47 @@ jobs:
uses: ./.github/workflows/reusable_kernel_tests.yaml
secrets: inherit
perf-libs-master:
runs-on: [ "self-hosted", "linux", "X64" ]
steps:
- name: Checkout Libs ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Run perf
id: perf
uses: ./.github/actions/composite-perf
- name: Archive master perf report
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: perf_report
retention-days: 30 # 30 days because this is the artifact on master; we need to retain it to be able to properly diff it
path: |
${{ steps.perf.outputs.perf_tests }}
${{ steps.perf.outputs.perf_scap }}
${{ steps.perf.outputs.heaptrack_tests }}
${{ steps.perf.outputs.heaptrack_scap }}
${{ steps.perf.outputs.gbench_json }}
if-no-files-found: error
- name: Checkout Flamegraph ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: 'brendangregg/FlameGraph'
path: flamegraph
ref: master
- name: Generate svg file - perf unit tests
run: |
sudo perf script --dsos unit-test-libsinsp -i ${{ steps.perf.outputs.perf_tests }} > perf_tests.perf
./flamegraph/stackcollapse-perf.pl perf_tests.perf > perf_tests.folded
./flamegraph/flamegraph.pl perf_tests.folded > perf_tests.svg
- name: Generate svg file - perf scap file
run: |
sudo perf script --dsos sinsp-example -i ${{ steps.perf.outputs.perf_scap }} > perf_scap.perf
./flamegraph/stackcollapse-perf.pl perf_scap.perf > perf_scap.folded
./flamegraph/flamegraph.pl perf_scap.folded > perf_scap.svg
- name: Generate svg file - heaptrack unit tests
run: |
heaptrack_print ${{ steps.perf.outputs.heaptrack_tests }} -F stacks.txt
./flamegraph/flamegraph.pl stacks.txt > heaptrack_tests.svg
rm -rf stacks.txt
- name: Generate svg file - heaptrack scap file
run: |
heaptrack_print ${{ steps.perf.outputs.heaptrack_scap }} -F stacks.txt
./flamegraph/flamegraph.pl stacks.txt > heaptrack_scap.svg
rm -rf stacks.txt
- name: Upload svg files
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: perf_svg
path: '*.svg'
if-no-files-found: error
deploy-pages:
needs: [kernel-tests-master,perf-libs-master]
needs: [kernel-tests-master]
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Download matrix X64
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: matrix_X64
- name: Move X64 matrix under docs
run: mv matrix.md docs/matrix_X64.md
- name: Download matrix ARM64
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: matrix_ARM64
- name: Move ARM64 matrix under docs
run: mv matrix.md docs/matrix_ARM64.md
run: mv matrix.md docs/matrix_ARM64.md
- name: Disable Table Of Content for matrixes pages
run: |
sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/matrix_X64.md
sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/matrix_ARM64.md
- name: Download perf svg files
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: perf_svg
- name: Generate perf pages
run: |
mv perf_tests.svg docs/
echo '<object data="../perf_tests.svg" type="image/svg+xml" id="perf_unit_tests"></object>' > docs/perf_unit_tests.md
sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/perf_unit_tests.md
mv perf_scap.svg docs/
echo '<object data="../perf_scap.svg" type="image/svg+xml" id="perf_scap_file"></object>' > docs/perf_scap_file.md
sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/perf_scap_file.md
mv heaptrack_tests.svg docs/
echo '<object data="../heaptrack_tests.svg" type="image/svg+xml" id="heaptrack_unit_tests"></object>' > docs/heaptrack_unit_tests.md
sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/heaptrack_unit_tests.md
mv heaptrack_scap.svg docs/
echo '<object data="../heaptrack_scap.svg" type="image/svg+xml" id="heaptrack_scap_file"></object>' > docs/heaptrack_scap_file.md
sed -i '1s/^/---\nhide:\n- toc\n---\n\n/' docs/heaptrack_scap_file.md
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
with:
python-version: 3.x
- run: pip install mkdocs mkdocs-material
- run: mkdocs build
- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
- uses: actions/upload-pages-artifact@a753861a5debcf57bf8b404356158c8e1e33150c # v2.0.0
with:
path: 'site'
- id: deployment
uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
uses: actions/deploy-pages@9dbe3824824f8a1377b8e298bafde1a50ede43e5 # v2.0.4
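Review bot: `- run: pip install mkdocs mkdocs-material` in `deploy-pages` installs whatever versions PyPI serves at deploy time, while every action in the job is pinned to a commit SHA and the workflow grants `pages: write`. The site generator and its theme execute during `mkdocs build`, so they sit inside the same trust boundary as the pinned actions. Pin them with a hash-locked requirements file, `- run: pip install --require-hashes -r <requirements file>` (placeholder path), or at minimum with exact `==` versions.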


@ -1,168 +0,0 @@
name: Perf CI
on:
pull_request:
workflow_dispatch:
# Checks if any concurrent jobs under the same pull request or branch are being executed
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}-perf
cancel-in-progress: true
jobs:
perf-libs-linux-amd64:
runs-on: [ "self-hosted", "linux", "X64" ]
steps:
- name: Checkout Libs ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Checkout Google benchmark ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: 'google/benchmark'
ref: 'v1.9.0'
path: google-benchmark/
- name: Run perf
id: perf
uses: ./.github/actions/composite-perf
- name: Download latest master report
uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
with:
branch: master
event: push
name: perf_report
workflow: pages.yml
- name: Diff from master - perf unit tests
run: |
sudo perf diff perf_tests.data ${{ steps.perf.outputs.perf_tests }} -d unit-test-libsinsp -b -o 1 --percentage relative -q &> perf_tests_diff.txt
- name: Diff from master - perf scap file
run: |
sudo perf diff perf_scap.data ${{ steps.perf.outputs.perf_scap }} -d sinsp-example -b -o 1 --percentage relative -q &> perf_scap_diff.txt
- name: Diff from master - heaptrack unit tests
run: |
sudo heaptrack_print heaptrack_tests.data.zst -d ${{ steps.perf.outputs.heaptrack_tests }} &> heaptrack_tests_diff.txt
- name: Diff from master - heaptrack scap file
run: |
sudo heaptrack_print heaptrack_scap.data.zst -d ${{ steps.perf.outputs.heaptrack_scap }} &> heaptrack_scap_diff.txt
- name: Diff from master - gbench
run: |
pip3 install -r google-benchmark/tools/requirements.txt
python3 google-benchmark/tools/compare.py --no-color benchmarks gbench_data.json ${{ steps.perf.outputs.gbench_json }} &> gbench_diff.txt
- name: Archive perf diff
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: perf_diff
path: '*_diff.txt'
if-no-files-found: error
- name: Save PR info
run: |
mkdir -p ./pr
echo ${{ github.event.number }} > ./pr/NR
touch ./pr/COMMENT
echo "# Perf diff from master - unit tests" >> ./pr/COMMENT
echo "\`\`\`" >> ./pr/COMMENT
head -n10 "perf_tests_diff.txt" >> ./pr/COMMENT
echo "\`\`\`" >> ./pr/COMMENT
echo "" >> ./pr/COMMENT
# Drop unstable perf results!
# echo "# Perf diff from master - scap file" >> ./pr/COMMENT
# echo "\`\`\`" >> ./pr/COMMENT
# head -n10 "perf_scap_diff.txt" >> ./pr/COMMENT
# echo "\`\`\`" >> ./pr/COMMENT
# echo "" >> ./pr/COMMENT
echo "# Heap diff from master - unit tests" >> ./pr/COMMENT
echo "\`\`\`" >> ./pr/COMMENT
tail -n3 "heaptrack_tests_diff.txt" >> ./pr/COMMENT
echo "\`\`\`" >> ./pr/COMMENT
echo "" >> ./pr/COMMENT
echo "# Heap diff from master - scap file" >> ./pr/COMMENT
echo "\`\`\`" >> ./pr/COMMENT
tail -n3 "heaptrack_scap_diff.txt" >> ./pr/COMMENT
echo "\`\`\`" >> ./pr/COMMENT
echo "# Benchmarks diff from master" >> ./pr/COMMENT
echo "\`\`\`" >> ./pr/COMMENT
cat "gbench_diff.txt" >> ./pr/COMMENT
echo "\`\`\`" >> ./pr/COMMENT
echo Uploading PR info...
cat ./pr/COMMENT
echo ""
- name: Upload PR info as artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: pr-perf
path: pr/
retention-days: 1
if-no-files-found: warn
# Check will fail if sum of all differences is >= 1%.
# But we will always comment with the perf diff from master
- name: Check >= 5% threshold - perf unit tests
if: always()
run: |
sum=$(awk '{sum+=sprintf("%f",$2)}END{printf "%.6f\n",sum}' perf_tests_diff.txt | tr ',' '.')
if (( $(echo "$sum >= 5.0" | bc -l) )); then
exit 1
fi
# Check will fail if sum of all differences is >= 1%.
# But we will always comment with the perf diff from master
# CHECK DISABLED: UNSTABLE PERF TEST.
# - name: Check >= 1% threshold - perf scap file
# if: always() # Even if other threshold checks failed
# run: |
# sum=$(awk '{sum+=sprintf("%f",$2)}END{printf "%.6f\n",sum}' perf_scap_diff.txt | tr ',' '.')
# if (( $(echo "$sum >= 1.0" | bc -l) )); then
# exit 1
# fi
# Check will fail if there is any heap memory usage difference >= 1M,
# or if there is new memory leaked.
- name: Check >= 1M threshold or new leaked mem - heaptrack unit tests
if: always() # Even if other threshold checks failed
run: |
tail -n 3 heaptrack_tests_diff.txt | grep "peak heap memory consumption" | awk -F': ' '{print $2 }' | tr '.' ',' | numfmt --from=iec | awk '{if (substr($1,RSTART+RLENGTH)+0 >= 1048576) print }' &> heaptrack_tests_diff_above_thresh.txt
if [ -s heaptrack_tests_diff_above_thresh.txt ]; then
exit 1
fi
tail -n 3 heaptrack_scap_diff.txt | grep "total memory leaked" | awk -F': ' '{print $2 }' | tr '.' ',' | numfmt --from=iec | awk '{if (substr($1,RSTART+RLENGTH)+0 > 0) print }' &> heaptrack_scap_diff_above_thresh.txt
if [ -s heaptrack_scap_diff_above_thresh.txt ]; then
exit 2
fi
# Check will fail if there is any heap memory usage difference >= 1M,
# or if there is new memory leaked.
- name: Check >= 1M threshold or new leaked mem - heaptrack scap file
if: always() # Even if other threshold checks failed
run: |
tail -n 3 heaptrack_scap_diff.txt | grep "peak heap memory consumption" | awk -F': ' '{print $2 }' | tr '.' ',' | numfmt --from=iec | awk '{if (substr($1,RSTART+RLENGTH)+0 >= 1048576) print }' &> heaptrack_scap_diff_above_thresh.txt
if [ -s heaptrack_scap_diff_above_thresh.txt ]; then
exit 1
fi
tail -n 3 heaptrack_scap_diff.txt | grep "total memory leaked" | awk -F': ' '{print $2 }' | tr '.' ',' | numfmt --from=iec | awk '{if (substr($1,RSTART+RLENGTH)+0 > 0) print }' &> heaptrack_scap_diff_above_thresh.txt
if [ -s heaptrack_scap_diff_above_thresh.txt ]; then
exit 2
fi
# Check will fail if there any google benchmark is slowed more than 5%
- name: Check >= 5% slowdown on google benchmarks
if: always() # Even if other threshold checks failed
run: |
# Remove first 3 lines and last line that are no tests results
tail -n+4 gbench_diff.txt | head -n -1 | while read p; do
test_name=$(echo "$p" | awk '{print $1}')
if [[ "$test_name" =~ _mean$ ]]; then
diff_pct=$(echo "$p" | awk '{print $3}' | tr -d '+')
if (( $(echo "$diff_pct >= 5.0" | bc -l) )); then
exit 1
fi
fi
done


@ -0,0 +1,125 @@
name: Generate release body for driver
on:
release:
types: [published]
# Checks if any concurrent jobs is running for driver release CI and eventually cancel it.
concurrency:
group: driver-release
cancel-in-progress: true
jobs:
release-settings:
runs-on: ubuntu-latest
outputs:
is_latest: ${{ steps.get_settings.outputs.is_latest }}
steps:
- name: Get latest release
uses: rez0n/actions-github-release@27a57820ee808f8fd940c8a9d1f7188f854aa2b5 # v2.0
id: latest_release
env:
token: ${{ secrets.GITHUB_TOKEN }}
repository: ${{ github.repository }}
type: "stable"
- name: Get settings for this release
id: get_settings
shell: python
run: |
import os
import re
import sys
semver_no_meta = '''^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)\+driver(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?$'''
tag_name = '${{ github.event.release.tag_name }}'
is_valid_version = re.match(semver_no_meta, tag_name) is not None
if not is_valid_version:
print(f'Release version {tag_name} is not a valid full or pre-release. See RELEASE.md for more information.')
sys.exit(1)
is_prerelease = '-' in tag_name
# Safeguard: you need to both set "latest" in GH and not have suffixes to overwrite latest
is_latest = '${{ steps.latest_release.outputs.release }}' == tag_name and not is_prerelease
with open(os.environ['GITHUB_OUTPUT'], 'a') as ofp:
print(f'is_latest={is_latest}'.lower(), file=ofp)
kernel-tests-release:
needs: [release-settings]
if: ${{ needs.release-settings.outputs.is_latest == 'true' }} # only for latest releases
uses: ./.github/workflows/reusable_kernel_tests.yaml
with:
libsversion: ${{ github.event.release.tag_name }}
secrets: inherit
release-body-driver:
needs: [release-settings, kernel-tests-release]
if: ${{ needs.release-settings.outputs.is_latest == 'true' }} # only for latest releases
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- name: Clone libs repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Create release body file
run: |
touch release-body.md
- name: Extract API and SCHEMA versions
run: |
touch release-body.md
API_VERS=$(cat driver/API_VERSION)
SCHEMA_VERS=$(cat driver/SCHEMA_VERSION)
echo '!'"[API](https://img.shields.io/badge/API-${API_VERS}-yellow)" >> release-body.md
echo '!'"[SCHEMA](https://img.shields.io/badge/SCHEMA-${SCHEMA_VERS}-yellow)" >> release-body.md
echo "" >> release-body.md
- name: Download matrix X64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: matrix_X64
- name: Download matrix ARM64
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: matrix_ARM64
# Steps:
# Remove everything after the table (ie: since the first line that starts with "# ",
# ie: a markdown section start.
# Remove links to the markdown sections in the table too.
# Then, add a small title to each matrix
# Finally, merge them together
- name: Append matrixes to create release body
run: |
sed -i -n '/# /q;p' matrix_X64.md
sed -i -n '/# /q;p' matrix_ARM64.md
sed -i 's/\[\(.\)\]([^)]*)/\1/g' matrix_X64.md
sed -i 's/\[\(.\)\]([^)]*)/\1/g' matrix_ARM64.md
sed -i '1s/^/# Driver Testing Matrix amd64\n\n/' matrix_X64.md
sed -i '1s/^/# Driver Testing Matrix arm64\n\n/' matrix_ARM64.md
cat matrix_X64.md matrix_ARM64.md >> release-body.md
- name: Generate release notes
uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
with:
milestone: ${{ github.event.release.tag_name }}
output: ./notes.md
- name: Merge release notes to pre existent body
run: cat notes.md >> release-body.md
- name: Attach release creator to release body
run: |
echo "" >> release-body.md
echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
- name: Release
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with:
body_path: ./release-body.md
tag_name: ${{ github.event.release.tag_name }}
name: ${{ github.event.release.name }}
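Review bot: In `Get settings for this release`, `tag_name = '${{ github.event.release.tag_name }}'` and the comparison against `'${{ steps.latest_release.outputs.release }}'` splice expression values into the Python source before it runs. The semver regex therefore validates a string that has already been parsed as code, and a tag containing a quote changes the script instead of failing validation. Pass the values through the environment: add `env:` with `TAG_NAME: ${{ github.event.release.tag_name }}` to the step and read `tag_name = os.environ['TAG_NAME']`, and do the same for the latest-release output. The added `.github/workflows/release-body-libs.yml` further down contains the identical step, and both files also expand `${{ github.event.release.author.login }}` inside a shell `echo`.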

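--- a/.github/workflows/release-body-libs.yml
+++ b/.github/workflows/release-body-libs.yml
@@ -0,0 +1,101 @@
+name: Generate release body for libs
+on:
+release:
+types: [published]
+# Checks if any concurrent jobs is running for libs release CI and eventually cancel it.
+concurrency:
+group: libs-release
+cancel-in-progress: true
+jobs:
+release-settings:
+runs-on: ubuntu-latest
+outputs:
+is_latest: ${{ steps.get_settings.outputs.is_latest }}
+steps:
+- name: Get latest release
+uses: rez0n/actions-github-release@27a57820ee808f8fd940c8a9d1f7188f854aa2b5 # v2.0
+id: latest_release
+env:
+token: ${{ secrets.GITHUB_TOKEN }}
+repository: ${{ github.repository }}
+type: "stable"
+- name: Get settings for this release
+id: get_settings
+shell: python
+run: |
+import os
+import re
+import sys
+semver_no_meta = '''^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?$'''
+tag_name = '${{ github.event.release.tag_name }}'
+is_valid_version = re.match(semver_no_meta, tag_name) is not None
+if not is_valid_version:
+print(f'Release version {tag_name} is not a valid full or pre-release. See RELEASE.md for more information.')
+sys.exit(1)
+is_prerelease = '-' in tag_name
+# Safeguard: you need to both set "latest" in GH and not have suffixes to overwrite latest
+is_latest = '${{ steps.latest_release.outputs.release }}' == tag_name and not is_prerelease
+with open(os.environ['GITHUB_OUTPUT'], 'a') as ofp:
+print(f'is_latest={is_latest}'.lower(), file=ofp)
+release-body-libs:
+needs: [release-settings]
+if: ${{ needs.release-settings.outputs.is_latest == 'true' }} # only for latest releases
+permissions:
+contents: write
+runs-on: ubuntu-latest
+steps:
+- name: Clone repo
+uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+- name: Create release body file
+run: |
+touch release-body.md
+- name: Extract MIN_API version
+run: |
+MIN_API_VER=$(grep SCAP_MINIMUM_DRIVER_API_VERSION userspace/libscap/scap.h)
+prefix="#define SCAP_MINIMUM_DRIVER_API_VERSION PPM_API_VERSION"
+MIN_API_VER=${MIN_API_VER/#$prefix}
+MIN_API_VER=$(echo $MIN_API_VER | tr -d "(" | tr -d ")")
+MIN_API_VER=$(echo $MIN_API_VER | sed -r 's/, /./g')
+echo '!'"[MIN_DRIVER_API](https://img.shields.io/badge/MIN_DRIVER_API-${MIN_API_VER}-yellow)" >> release-body.md
+- name: Extract MIN_SCHEMA version
+run: |
+MIN_SCHEMA_VER=$(grep SCAP_MINIMUM_DRIVER_SCHEMA_VERSION userspace/libscap/scap.h)
+prefix="#define SCAP_MINIMUM_DRIVER_SCHEMA_VERSION PPM_API_VERSION"
+MIN_SCHEMA_VER=${MIN_SCHEMA_VER/#$prefix}
+MIN_SCHEMA_VER=$(echo $MIN_SCHEMA_VER | tr -d "(" | tr -d ")")
+MIN_SCHEMA_VER=$(echo $MIN_SCHEMA_VER | sed -r 's/, /./g')
+echo '!'"[MIN_DRIVER_SCHEMA](https://img.shields.io/badge/MIN_DRIVER_SCHEMA-${MIN_SCHEMA_VER}-yellow)" >> release-body.md
+echo "" >> release-body.md
+- name: Generate release notes
+uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
+with:
+milestone: ${{ github.event.release.tag_name }}
+output: ./notes.md
+- name: Merge release notes to pre existent body
+run: cat notes.md >> release-body.md
+- name: Attach release creator to release body
+run: |
+echo "" >> release-body.md
+echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
+- name: Release
+uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+with:
+body_path: ./release-body.md
+tag_name: ${{ github.event.release.tag_name }}
+name: ${{ github.event.release.name }}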
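Review bot: `release-settings` has no `permissions:` block and no workflow-level one is visible in this file, so the job runs with the repository's default token scope while handing `secrets.GITHUB_TOKEN` to the third-party `rez0n/actions-github-release` action. That job only reads release metadata, so add `permissions:` with `contents: read` to it and keep `contents: write` on `release-body-libs`, where the release is edited. The driver release workflow added earlier in this diff has the same `release-settings` job. Separately, `leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73` lacks the `# <version>` trailer that the other pinned actions carry, which makes the pin harder to audit.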


@ -1,210 +0,0 @@
name: Generate release body for published releases
on:
release:
types: [published]
# Checks if any concurrent jobs is running for driver release CI and eventually wait for it.
concurrency:
group: release
cancel-in-progress: false
jobs:
release-settings:
runs-on: ubuntu-latest
outputs:
is_latest: ${{ steps.get_settings.outputs.is_latest }}
is_driver: ${{ steps.get_settings.outputs.is_driver }}
steps:
- name: Get latest release
uses: rez0n/actions-github-release@27a57820ee808f8fd940c8a9d1f7188f854aa2b5 # v2.0
id: latest_release
env:
token: ${{ secrets.GITHUB_TOKEN }}
repository: ${{ github.repository }}
type: "stable"
- name: Get settings for this release
id: get_settings
shell: python
run: |
import os
import re
import sys
semver_no_meta = '''^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?P<buildmetadata>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$'''
tag_name = '${{ github.event.release.tag_name }}'
is_valid_version = re.match(semver_no_meta, tag_name) is not None
if not is_valid_version:
print(f'Release version {tag_name} is not a valid full or pre-release. See RELEASE.md for more information.')
sys.exit(1)
is_prerelease = '-' in tag_name
# Safeguard: you need to both set "latest" in GH and not have suffixes to overwrite latest
is_latest = '${{ steps.latest_release.outputs.release }}' == tag_name and not is_prerelease
is_driver = "+driver" in tag_name
with open(os.environ['GITHUB_OUTPUT'], 'a') as ofp:
print(f'is_latest={is_latest}'.lower(), file=ofp)
print(f'is_driver={is_driver}'.lower(), file=ofp)
release-body-libs:
needs: [release-settings]
if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'false' }} # only for latest releases and not driver ones
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- name: Clone repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Create release body file
run: |
touch release-body.md
- name: Extract MIN_API version
run: |
MIN_API_VER=$(grep SCAP_MINIMUM_DRIVER_API_VERSION userspace/libscap/scap.h)
prefix="#define SCAP_MINIMUM_DRIVER_API_VERSION PPM_API_VERSION"
MIN_API_VER=${MIN_API_VER/#$prefix}
MIN_API_VER=$(echo $MIN_API_VER | tr -d "(" | tr -d ")")
MIN_API_VER=$(echo $MIN_API_VER | sed -r 's/, /./g')
echo '!'"[MIN_DRIVER_API](https://img.shields.io/badge/MIN_DRIVER_API-${MIN_API_VER}-yellow)" >> release-body.md
- name: Extract MIN_SCHEMA version
run: |
MIN_SCHEMA_VER=$(grep SCAP_MINIMUM_DRIVER_SCHEMA_VERSION userspace/libscap/scap.h)
prefix="#define SCAP_MINIMUM_DRIVER_SCHEMA_VERSION PPM_API_VERSION"
MIN_SCHEMA_VER=${MIN_SCHEMA_VER/#$prefix}
MIN_SCHEMA_VER=$(echo $MIN_SCHEMA_VER | tr -d "(" | tr -d ")")
MIN_SCHEMA_VER=$(echo $MIN_SCHEMA_VER | sed -r 's/, /./g')
echo '!'"[MIN_DRIVER_SCHEMA](https://img.shields.io/badge/MIN_DRIVER_SCHEMA-${MIN_SCHEMA_VER}-yellow)" >> release-body.md
echo "" >> release-body.md
- name: Generate release notes
uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
with:
milestone: ${{ github.event.release.tag_name }}
output: ./notes.md
- name: Merge release notes to pre existent body
run: cat notes.md >> release-body.md
- name: Attach release creator to release body
run: |
echo "" >> release-body.md
echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
- name: Release
uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
with:
body_path: ./release-body.md
tag_name: ${{ github.event.release.tag_name }}
name: ${{ github.event.release.name }}
kernel-tests-release:
needs: [release-settings]
if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'true' }} # only for latest driver releases
uses: ./.github/workflows/reusable_kernel_tests.yaml
with:
libsversion: ${{ github.event.release.tag_name }}
secrets: inherit
release-body-driver:
needs: [release-settings, kernel-tests-release]
if: ${{ needs.release-settings.outputs.is_latest == 'true' && needs.release-settings.outputs.is_driver == 'true' }} # only for latest driver releases
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- name: Clone libs repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Create release body file
run: |
touch release-body.md
- name: Extract API and SCHEMA versions
run: |
touch release-body.md
API_VERS=$(cat driver/API_VERSION)
SCHEMA_VERS=$(cat driver/SCHEMA_VERSION)
echo '!'"[API](https://img.shields.io/badge/API-${API_VERS}-yellow)" >> release-body.md
echo '!'"[SCHEMA](https://img.shields.io/badge/SCHEMA-${SCHEMA_VERS}-yellow)" >> release-body.md
echo "" >> release-body.md
- name: Push badge to latest kernel release
run: |
wget https://gist.githubusercontent.com/FedeDP/1cbc5d42edf8e3a02fb75e76625f1072/raw/kernel.json
# 6.15-rc2 -> 6.15
# 6.10.6 -> 6.10
# 6.10 -> 6.10
KVER=$(cat kernel.json | jq '.message' | tr -d '"' | grep -oE -- '[0-9]+.[0-9]+')
SUCCESS=$(cat kernel.json | jq '.color' | tr -d '"')
# If latest run was not successful,
# revert back to previous kernel release.
# Of course, the fallback logic is bugged in case minor is 0,
# as we cannot know which was the previous version.
# It should not matter until kernel 7.0 :P
if [[ "$SUCCESS" = "red" ]]; then
n=${KVER//[!0-9]/ }
a=(${n//\./ })
KVER=$(echo "${a[0]}.$((a[1] - 1))")
fi
echo '!'"[Latest Compatible Kernel](https://img.shields.io/badge/KERNEL-${KVER}-brightgreen)" >> release-body.md
echo "" >> release-body.md
- name: Download matrix X64
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: matrix_X64
- name: Rename X64 matrix
run: mv matrix.md matrix_X64.md
- name: Download matrix ARM64
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: matrix_ARM64
- name: Rename ARM64 matrix
run: mv matrix.md matrix_ARM64.md
# Steps:
# Remove everything after the table (ie: since the first line that starts with "# ",
# ie: a markdown section start.
# Remove links to the markdown sections in the table too.
# Then, add a small title to each matrix
# Finally, merge them together
- name: Append matrixes to create release body
run: |
sed -i -n '/# /q;p' matrix_X64.md
sed -i -n '/# /q;p' matrix_ARM64.md
sed -i 's/\[\(.\)\]([^)]*)/\1/g' matrix_X64.md
sed -i 's/\[\(.\)\]([^)]*)/\1/g' matrix_ARM64.md
sed -i '1s/^/# Driver Testing Matrix amd64\n\n/' matrix_X64.md
sed -i '1s/^/# Driver Testing Matrix arm64\n\n/' matrix_ARM64.md
cat matrix_X64.md matrix_ARM64.md >> release-body.md
- name: Generate release notes
uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73 # main
with:
milestone: ${{ github.event.release.tag_name }}
output: ./notes.md
- name: Merge release notes to pre existent body
run: cat notes.md >> release-body.md
- name: Attach release creator to release body
run: |
echo "" >> release-body.md
echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
- name: Release
uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
with:
body_path: ./release-body.md
tag_name: ${{ github.event.release.tag_name }}
name: ${{ github.event.release.name }}


@ -1,137 +0,0 @@
name: Run libs e2e tests python framework
on:
workflow_call:
inputs:
container_plugin_artifact_name:
description: 'use a previously built custom container plugin; artifact name to be downloaded, or empty'
type: string
required: false
default: ''
test-docker:
description: "Whether to run tests with docker socket"
type: boolean
required: false
default: true
test-podman:
description: "Whether to run tests with podman socket"
type: boolean
required: false
default: true
libsversion:
description: 'libs version to be tested, eg: master'
type: string
required: false
default: 'master'
libsrepo:
description: 'libs repo to be tested, eg: falcosecurity/libs'
type: string
required: false
default: 'falcosecurity/libs'
jobs:
test-e2e:
if: inputs.test-docker || inputs.test-podman
strategy:
fail-fast: false
matrix:
name: [ system_deps, bundled_deps, asan ]
include:
- name: system_deps
cmake_opts: -DUSE_BUNDLED_DEPS=False
- name: bundled_deps
cmake_opts: -DUSE_BUNDLED_DEPS=True
- name: asan
cmake_opts: -DUSE_BUNDLED_DEPS=True -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address
runs-on: ubuntu-24.04
steps:
- name: Install deps ⛓️
run: |
sudo apt-get update && sudo apt-get install -y --no-install-recommends \
ca-certificates \
cmake \
build-essential \
git \
clang \
llvm \
pkg-config \
autoconf \
automake \
libtool \
libelf-dev \
wget \
libbpf-dev \
libcap-dev \
libtbb-dev \
libjq-dev \
libjsoncpp-dev \
libgtest-dev \
libprotobuf-dev \
protobuf-compiler \
"linux-headers-$(uname -r)"
- name: Checkout Libs ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
repository: ${{ inputs.libsrepo }}
ref: ${{ inputs.libsversion }}
- name: Install deps ⛓️
run: |
sudo .github/install-deps.sh
- name: Build tests 🏗️
run: |
mkdir -p build && cd build
cmake -DBUILD_BPF=ON \
-DBUILD_LIBSCAP_MODERN_BPF=ON \
-DBUILD_LIBSCAP_GVISOR=OFF \
-DENABLE_E2E_TESTS=ON \
${{ matrix.cmake_opts }} \
-DUSE_BUNDLED_LIBBPF=ON \
..
make -j$(nproc) sinsp-example driver bpf container_plugin
sudo -E make e2e-install-deps
- name: Download overriding custom container plugin
if: inputs.container_plugin_artifact_name != ''
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: ${{ inputs.container_plugin_artifact_name }}
path: build/test/e2e/container_plugin-prefix/src/container_plugin/
- name: Run tests - docker 🧪
if: inputs.test-docker
working-directory: build
run: |
sudo -E ../test/e2e/scripts/run_tests.sh
- name: Archive test reports - docker
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
if: inputs.test-docker && failure()
with:
name: ${{ matrix.name }}_docker_report
path: |
/tmp/report/
- name: Run tests - podman 🧪
if: inputs.test-podman && always()
working-directory: build
env:
# Set DOCKER_HOST pointing to podman socket
DOCKER_HOST: unix://run/podman/podman.sock
run: |
# Cleanup docker tests generated report folder
sudo rm -rf /tmp/report
# Podman tests require podman socket
sudo systemctl start podman
sudo -E ../test/e2e/scripts/run_tests.sh
- name: Archive test reports - podman
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
if: inputs.test-podman && failure()
with:
name: ${{ matrix.name }}_podman_report
path: |
/tmp/report/


@ -13,7 +13,7 @@ on:
type: string
required: false
default: 'falcosecurity/libs'
workflow_call:
workflow_call:
inputs:
libsversion:
description: 'libs version to be tested, eg: master'
@ -29,17 +29,15 @@ on:
concurrency:
group: kernel-tests
cancel-in-progress: false
jobs:
test-kernels:
strategy:
fail-fast: false
matrix:
architecture: [X64, ARM64]
runs-on: [ "self-hosted", "linux", "${{matrix.architecture}}" ]
runs-on: [ "self-hosted", "linux", "${{matrix.architecture}}" ]
steps:
# We need to use v0.3.2 instead of the hash because the tagname is
# used by the action to download release tagged images.
- uses: falcosecurity/kernel-testing@v0.3.2
id: kernel_tests
with:
@ -47,12 +45,12 @@ jobs:
libsrepo: ${{ inputs.libsrepo }}
build_matrix: 'true'
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: ansible_output_${{matrix.architecture}}
path: ${{ steps.kernel_tests.outputs.ansible_output }}
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: matrix_${{matrix.architecture}}
path: ${{ steps.kernel_tests.outputs.matrix_output }}
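Review bot: `falcosecurity/kernel-testing@v0.3.2` is the only action in this job referenced by a movable tag rather than a commit hash, and the job runs on self-hosted runners, so a retargeted tag would execute on persistent infrastructure. Going by the counts of the second hunk (17 old lines, 15 new), the new side drops the two comment lines that explain this exception. I would keep them above the step: `# We need to use v0.3.2 instead of the hash because the tagname is` and `# used by the action to download release tagged images.` The two `actions/upload-artifact` steps in the last hunk also land on the `# v3.1.3` pin, a major version GitHub has deprecated on github.com, so it is worth confirming they still run where this workflow is hosted.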


@ -11,10 +11,10 @@ jobs:
name: check-insecure-api
runs-on: ubuntu-latest
container:
image: docker.io/semgrep/semgrep:1.85.0@sha256:b4c2272e0a2e59ca551ff96d3bbae657bd2b7356e339af557b27a96d9e751544
image: returntocorp/semgrep:1.41.0
steps:
- name: Checkout Libs ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Scan PR for insecure API usage 🕵️
@ -29,10 +29,10 @@ jobs:
name: check-absolute-include-paths
runs-on: ubuntu-latest
container:
image: docker.io/semgrep/semgrep:1.85.0@sha256:b4c2272e0a2e59ca551ff96d3bbae657bd2b7356e339af557b27a96d9e751544
image: returntocorp/semgrep:1.41.0
steps:
- name: Checkout Libs ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Scan PR for libs relateive include paths 🕵️
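Review bot: Both `container:` blocks reference the scanner image by tag only on what appears to be the new side, `image: returntocorp/semgrep:1.41.0`, so the registry can serve different content under the same tag without the workflow file changing. The other line of each pair carries an `@sha256:` digest, so the pin is being lost in this direction. I would keep a digest on the new side as well, e.g. `image: returntocorp/semgrep:1.41.0@sha256:<digest-of-1.41.0>` (placeholder, to be resolved from the registry). This applies to `check-insecure-api` in the first hunk and `check-absolute-include-paths` in the second. Both jobs begin above their hunks, so the workflow trigger and token permissions are not visible here.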


@ -1,46 +0,0 @@
name: Test Coverage CI
on:
pull_request:
push:
branches:
- master
# Checks if any concurrent jobs under the same pull request or branch are being executed
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs:
unit-test-libsinsp-coverage:
name: unit-test-libsinsp-coverage 🧐
runs-on: 'ubuntu-22.04'
steps:
- name: Checkout Libs ⤵️
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Install deps ⛓️
run: |
sudo apt-get update && sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libre2-dev libtbb-dev libjq-dev libjsoncpp-dev protobuf-compiler libgtest-dev libprotobuf-dev linux-headers-$(uname -r) gpg gpg-agent gcovr
sudo .github/install-deps.sh
- name: Build and test 🏗️🧪
run: |
mkdir -p build
cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=True -DENABLE_COVERAGE=True -DUSE_BUNDLED_DEPS=False ../
KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
make run-unit-tests
- name: Generate libsinsp coverage report
run: |
gcovr --xml -o ./libsinsp.coverage.xml
- name: Upload to codecov
uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
with:
fail_ci_if_error: true
files: ./libsinsp.coverage.xml
token: ${{ secrets.CODECOV_TOKEN }}
verbose: true
flags: libsinsp


@ -13,18 +13,18 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: master
path: libs
- name: Bump syscalls
uses: falcosecurity/syscalls-bumper@main # should be pointing to main
uses: falcosecurity/syscalls-bumper@main
with:
repo-root: ${{ github.workspace }}/libs
- name: Create Pull Request
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
with:
path: libs
signoff: true
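Review bot: `uses: falcosecurity/syscalls-bumper@main` follows a branch while the other two actions in this job are pinned to commit hashes, and the next step opens a pull request from whatever that action wrote under `libs`. If tracking `main` is deliberate, keep the trailing comment that says so, `uses: falcosecurity/syscalls-bumper@main # should be pointing to main`, so the unpinned reference is not mistaken for an oversight. Otherwise pin it like its neighbours, `uses: falcosecurity/syscalls-bumper@<commit-sha> # <tag>` (placeholders). The job's trigger and permissions sit above the hunk and are not visible here.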

1
.gitignore vendored

@ -28,4 +28,3 @@ cscope.out
tags
third_party
*.vagrant*
.DS_Store


@ -1,23 +0,0 @@
# See https://pre-commit.com for more information
# See https://pre-commit.com/hooks.html for more hooks
fail_fast: false
minimum_pre_commit_version: '0'
repos:
- repo: https://github.com/cheshirekow/cmake-format-precommit
rev: v0.6.13
hooks:
- id: cmake-format
stages: [pre-commit]
- repo: https://github.com/pre-commit/mirrors-clang-format
rev: v18.1.8
hooks:
- id: clang-format
types_or: [c++, c]
stages: [pre-commit]
- repo: local
hooks:
- id: dco-hook-local
name: DCO hook local
entry: ./tools/local_hooks/dco-pre-commit-msg.sh
language: script
stages: [prepare-commit-msg]


@ -2,32 +2,33 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Prior to doing anything, we make sure that we aren't trying to run cmake in-tree.
# Prior to doing anything, we make sure that we aren't trying to
# run cmake in-tree.
if(EXISTS ${CMAKE_CURRENT_BINARY_DIR}/CMakeLists.txt)
message(
FATAL_ERROR
"Looks like you are trying to run CMake from the base source directory.\n"
"** RUNNING CMAKE FROM THE BASE DIRECTORY WILL NOT WORK **\n"
"To Fix:\n"
" 1. Remove the CMakeCache.txt file in this directory. ex: rm CMakeCache.txt\n"
" 2. Create a build directory from here. ex: mkdir build\n"
" 3. cd into that directory. ex: cd build\n"
" 4. Run cmake from the build directory. ex: cmake ..\n"
" 5. Run make from the build directory. ex: make\n"
"Full paste-able example:\n"
"( rm -f CMakeCache.txt; mkdir build; cd build; cmake ..; make )"
)
message(FATAL_ERROR
"Looks like you are trying to run CMake from the base source directory.\n"
"** RUNNING CMAKE FROM THE BASE DIRECTORY WILL NOT WORK **\n"
"To Fix:\n"
" 1. Remove the CMakeCache.txt file in this directory. ex: rm CMakeCache.txt\n"
" 2. Create a build directory from here. ex: mkdir build\n"
" 3. cd into that directory. ex: cd build\n"
" 4. Run cmake from the build directory. ex: cmake ..\n"
" 5. Run make from the build directory. ex: make\n"
"Full paste-able example:\n"
"( rm -f CMakeCache.txt; mkdir build; cd build; cmake ..; make )")
endif()
cmake_minimum_required(VERSION 3.12)
@ -37,8 +38,8 @@ if(POLICY CMP0042)
cmake_policy(SET CMP0042 NEW)
endif()
# Enable CMAKE_MSVC_RUNTIME_LIBRARY on Windows + CMake >= 3.15 and link with the static
# (MultiThreaded) CRT unless instructed otherwise.
# Enable CMAKE_MSVC_RUNTIME_LIBRARY on Windows + CMake >= 3.15 and link
# with the static (MultiThreaded) CRT unless instructed otherwise.
if(NOT (CMAKE_MSVC_RUNTIME_LIBRARY OR BUILD_SHARED_LIBS))
set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")
endif()
@ -53,19 +54,16 @@ endif()
project(falcosecurity-libs)
option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
option(MINIMAL_BUILD "Produce a minimal build with only the essential features (no container metadata)" OFF)
option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
option(USE_BUNDLED_DRIVER
"Use the driver/ subdirectory in the build process (only available in Linux)" ON
)
option(ENABLE_E2E_TESTS "Enable e2e tests" OFF)
option(USE_BUNDLED_DRIVER "Use the driver/ subdirectory in the build process (only available in Linux)" ON)
option(ENABLE_DRIVERS_TESTS "Enable driver tests (bpf, kernel module, modern bpf)" OFF)
option(ENABLE_LIBSCAP_TESTS "Enable libscap unit tests" OFF)
option(ENABLE_LIBSINSP_E2E_TESTS "Enable libsinsp e2e tests" OFF)
option(BUILD_SHARED_LIBS "Build libscap and libsinsp as shared libraries" OFF)
option(ENABLE_VM_TESTS "Enable driver sanity tests" OFF)
option(USE_ASAN "Build with AddressSanitizer" OFF)
option(USE_UBSAN "Build with UndefinedBehaviorSanitizer" OFF)
option(USE_TSAN "Build with ThreadSanitizer" OFF)
option(ENABLE_COVERAGE "Build with code coverage" OFF)
option(UBSAN_HALT_ON_ERROR "Halt on error when building with UBSan" ON)
if(${CMAKE_VERSION} VERSION_LESS "3.1.0" AND BUILD_SHARED_LIBS)
@ -76,7 +74,8 @@ endif()
include(GNUInstallDirs)
# Add path for custom CMake modules.
list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")
list(APPEND CMAKE_MODULE_PATH
"${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")
include(versions)
@ -106,13 +105,15 @@ set(LIBS_PACKAGE_NAME "falcosecurity")
include(CompilerFlags)
option(WITH_CHISEL "Include chisel implementation" OFF)
option(CREATE_TEST_TARGETS "Enable make-targets for unit testing" ON)
if(CREATE_TEST_TARGETS)
include(gtest)
endif()
if(BUILD_SHARED_LIBS)
if (BUILD_SHARED_LIBS)
get_shared_libs_versions(FALCOSECURITY_SHARED_LIBS_VERSION FALCOSECURITY_SHARED_LIBS_SOVERSION)
message(STATUS "Shared library version: ${FALCOSECURITY_SHARED_LIBS_VERSION}")
message(STATUS "Shared library soversion: ${FALCOSECURITY_SHARED_LIBS_SOVERSION}")
@ -122,13 +123,14 @@ include(libscap)
include(libsinsp)
if(CREATE_TEST_TARGETS)
# Add command to run all unit tests at once via the make system. This is preferred vs using
# ctest's add_test because it will build the code and output to stdout.
add_custom_target(run-unit-tests COMMAND ${CMAKE_MAKE_PROGRAM} run-unit-test-libsinsp)
# Add command to run all unit tests at once via the make system.
# This is preferred vs using ctest's add_test because it will build
# the code and output to stdout.
add_custom_target(run-unit-tests
COMMAND ${CMAKE_MAKE_PROGRAM} run-unit-test-libsinsp
)
if(ENABLE_E2E_TESTS)
add_subdirectory(test/e2e)
endif()
add_subdirectory(test/e2e)
if(ENABLE_DRIVERS_TESTS)
add_subdirectory(test/drivers)
@ -144,9 +146,8 @@ if(CREATE_TEST_TARGETS)
add_subdirectory(test/libsinsp_e2e/resources)
endif()
endif()
if(ENABLE_VM_TESTS)
add_subdirectory(test/vm)
endif()
option(ENABLE_BENCHMARKS "Enable Benchmarks" OFF)
if(ENABLE_BENCHMARKS)
add_subdirectory(benchmark)
endif()
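Review bot: `add_subdirectory(test/e2e)` is unconditional on the new side of hunk `-122,13 +123,14`, inside `if(CREATE_TEST_TARGETS)`, which defaults to ON, so every default configure pulls in the e2e tree while the driver tests next to it stay behind `ENABLE_DRIVERS_TESTS`. The hunk counts only add up if the three-line guarded form is the old side. I would keep the guard, `if(ENABLE_E2E_TESTS)` / `add_subdirectory(test/e2e)` / `endif()`, together with `option(ENABLE_E2E_TESTS "Enable e2e tests" OFF)` in the options hunk, so that the e2e targets are opt-in like the other test suites. The `if(CREATE_TEST_TARGETS)` block continues past this hunk.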


@ -2,15 +2,17 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
cmake_minimum_required(VERSION 3.12)
@ -18,15 +20,14 @@ cmake_minimum_required(VERSION 3.12)
project(googletest-download NONE)
include(ExternalProject)
ExternalProject_Add(
googletest
GIT_REPOSITORY https://github.com/google/googletest.git
GIT_TAG "release-1.12.1"
SOURCE_DIR "${PROJECT_BINARY_DIR}/googletest-src"
BINARY_DIR "${PROJECT_BINARY_DIR}/googletest-build"
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
INSTALL_COMMAND ""
UPDATE_COMMAND ""
TEST_COMMAND ""
ExternalProject_Add(googletest
GIT_REPOSITORY https://github.com/google/googletest.git
GIT_TAG "release-1.12.1"
SOURCE_DIR "${PROJECT_BINARY_DIR}/googletest-src"
BINARY_DIR "${PROJECT_BINARY_DIR}/googletest-build"
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
INSTALL_COMMAND ""
UPDATE_COMMAND ""
TEST_COMMAND ""
)


@ -1,47 +0,0 @@
{
"version": 3,
"configurePresets": [
{
"name": "base",
"hidden": true,
"generator": "Unix Makefiles",
"cacheVariables": {
"CMAKE_BUILD_TYPE": "Release",
"CMAKE_EXPORT_COMPILE_COMMANDS": "ON",
"BUILD_DRIVER": "ON",
"BUILD_BPF": "ON",
"BUILD_WARNINGS_AS_ERRORS": "ON"
}
},
{
"name": "scap-drivers",
"inherits": "base",
"displayName": "Build scap drivers and their tests",
"description": "Build all scap drivers (modern eBPF, legacy eBPF, kmod) and their tests",
"binaryDir": "${sourceDir}/build-scap-drivers",
"cacheVariables": {
"USE_BUNDLED_DEPS": "ON",
"ENABLE_DRIVERS_TESTS": "ON",
"MODERN_BPF_DEBUG_MODE": "ON",
"BUILD_LIBSCAP_MODERN_BPF": "ON",
"BUILD_LIBSCAP_GVISOR": "OFF",
"CREATE_TEST_TARGETS": "ON",
"ENABLE_LIBSCAP_TESTS": "ON",
"SCAP_FILES_SUITE_ENABLE": "OFF"
}
},
{
"name": "sinsp-minimal",
"inherits": "base",
"displayName": "Build minimal sinsp",
"description": "Build sinsp without gvisor and protobuf deps",
"binaryDir": "${sourceDir}/build-sinsp-minimal",
"cacheVariables": {
"USE_BUNDLED_DEPS": "ON",
"BUILD_LIBSCAP_GVISOR": "OFF",
"CREATE_TEST_TARGETS": "ON",
"SCAP_FILES_SUITE_ENABLE": "OFF"
}
}
]
}


@ -1,207 +0,0 @@
# How to contribute
## Enforce coding style 💻
### Introduction
This document introduces the coding style that will be applied in this repository.
This coding style involves all the following files: `.c`, `.h`, `.cpp`, `.cmake`, `CMakeLists.txt`. To enforce it we rely on two main tools:
1. `clang-format` version `18.1.8`.
2. `cmake-format` version `0.6.13`.
> __Please note__: tools versions are important! Different versions will enforce slightly different changes on the code. For example `clang-format-18` will produce a slightly different output respect to `clang-format-17` always respecting the imposed style.
The coding style is expressed through the 2 configuration file that you find in this repo: `.clang-format`, `.cmake-format.json`.
### Enforce the style locally
There are many ways to enforce the style locally, here we will describe two of them:
1. Use `pre-commit` framework.
2. Use the repo `Makefile`.
#### 1.Pre-commit framework (suggested if you don't have the 2 tools already installed on your machine)
The `pre-commit` framework allows you to automatically install different `git-hooks` that will run at every new commit. More precisely, if you use the `.pre-commit-config.yaml` in this repo you will install 3 different hooks:
1. The `clang-format` hook: this is a `pre-commit` git hook that runs `clang-format` on your staged changes.
2. The `cmake-format` hook: this is a `pre-commit` git hook that runs `cmake-format` on your staged changes.
3. The `DCO signed-off` hook: this is a `pre-commit-msg` git hook that adds the `DCO` on your commit if not present. This hook is not strictly related to the coding style so we will talk about it in a separate section: [Add DCO signed-off to your commits](#add-dco-signed-off-to-your-commits).
Now let's see what we need to use `pre-commit` framework.
##### Step 1
Install `pre-commit` framework following the [official documentation](https://pre-commit.com/#installation).
> __Please note__: you have to follow only the "Installation" section.
##### Step 2
Once you have installed `pre-commit`, you don't need to install anything else! This is the good point of using a framework like `pre-commit`, all the tools necessary to format your code will be directly managed by the framework. But in order to be ready, you need to install the git hooks in your local repo.
This simple command allows you to install the two `pre-commit` git hooks, `clang-format` and `cmake-format`.
```bash
pre-commit install --install-hooks --hook-type pre-commit --overwrite
```
If you want to install also the `pre-commit-msg` git hook for the DCO you have to type the following command, but be sure to have configured all you need as said in the [dedicated section]((#add-dco-signed-off-to-your-commits))
```bash
pre-commit install --install-hooks --hook-type prepare-commit-msg --overwrite
```
You have done, at every new commit, this hook will check that your patch respects the coding style of this repo!
If you want to detach the git hooks, you can simply type:
```bash
pre-commit uninstall --hook-type prepare-commit-msg
pre-commit uninstall --hook-type pre-commit
```
#### 2.Makefile
##### Step 1
In order to use the repo `Makefile`, you need to install on your local machine the two aforementioned tools:
__clang-format v18.1.8__
One of the easiest ways to install `clang-format` could be directly downloading its static binary from [here](https://github.com/muttleyxd/clang-tools-static-binaries).
There are other ways for example you can download the package for your distro or you can also build it from sources.
__cmake-format v0.6.13__
To install `cmake-format` you can follow the official documentation [here](https://cmake-format.readthedocs.io/en/latest/installation.html).
> __NOTE__: Please check the versions of the two tool with `clang-format --version` and `cmake-format --version`.
##### Step 2
Once you have installed the __right__ versions of the 2 tools, you can simply type `make format-all` from the root directory of the project (`/libs`) to format all your code according to the coding style.
Remember to do that before submitting a new patch upstream! 😁
#### Other solutions
Obviously, you can also install the 2 tools locally and enable some extension of your favorite IDE (like `VScode`) to format your code every time you save your files!
## Add DCO signed-off to your commits 🔏
### Introduction
Another requirement for contributing to the `libs` repository, is applying the [DCO](https://cert-manager.io/docs/contributing/sign-off/) to every commit you want to push upstream.
Before doing this you have to configure your git user `name` and `email` if you haven't already done it. To check your actual `name` and `email` type:
```bash
git config --get user.name
git config --get user.email
```
If they are correct you have done, otherwise, you have to set them:
```bash
git config user.name <full-name>
git config user.email <mail-used_with-GitHub-profile>
```
>__Please note__: If you have problems in doing this you can read the full documentation [here](https://docs.github.com/en/get-started/getting-started-with-git/setting-your-username-in-git).
### Enforce the DCO locally
Now you are ready to sign your commits! You have two main ways to do this:
1. Manually with `git` tool.
2. Use the `pre-commit-msg` hook quoted before.
### Manually
To do this you just need to remember the `-s` while performing your commits:
```bash
git commit -s
```
or with the inline message:
```bash
git commit -s -m "my first commit"
```
### Use `pre-commit` hook
Here if you have already added the hook in the [previous section](#step-2), you have to do nothing otherwise you have to simply install the DCO hook with:
```bash
pre-commit install --install-hooks --hook-type prepare-commit-msg --overwrite
```
And you have done! Now you don't have to remember the `-s` option every time you commit something, the DCO hook will automatically add the DCO if you forget it! 😄
## Some best practices 📏
### Class variables
To know whether a variable belongs to a `class` or a `function`, we start member variables with `m_`.
Example:
```c
public int32_t m_counter;
```
### Global variables
To know whether the variable is global or not, we start globals with `g_`.
Example:
```c
int g_nplugins;
```
### Capitalization
The naming convention is camel-cased "Unix" style, i.e. always lower case. Words are separated by underscores.
Example:
```c
int32_t g_global_bean_counter;
int32_t count_beans();
```
and not,
```c
int32_t GlobalBeanCounter;
int32_t CountBeans();
```
### Packed Structures
Packed structures should use the GCC and MSVC-style supported `pragma`:
Example:
```c
#pragma pack(push,1)
struct frame_control
{
struct fields....
};
#pragma pack(pop)
```
### 64-bit constants
Put an `LL` at the end of your `64-bit` constants. Without the `LL`, some platform compilers try to interpret the constant on the right-hand side as a `long integer` instead of a `long long` and this could lead to an error at building time.
Example:
```c
x=0X00FF00000000000LL
```


@ -1,81 +0,0 @@
#
# Copyright (C) 2024 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# mofidy the following variables to match your paths
CLANG_FORMAT_EXE ?= clang-format
CLANG_FORMAT_VERSION = "$(shell ${CLANG_FORMAT_EXE} --version | grep -o '[0-9]*\.[0-9]*\.[0-9]*')"
CLANG_FORMAT_DESIRED_VERSION ="18.1.8"
CMAKE_FORMAT_EXE ?= cmake-format
CMAKE_FORMAT_VERSION = "$(shell ${CMAKE_FORMAT_EXE} --version | grep -o '[0-9]*\.[0-9]*\.[0-9]*')"
CMAKE_FORMAT_DESIRED_VERSION = "0.6.13"
PROJECT_ROOT_DIR = $(shell git rev-parse --show-toplevel)
######################
# Clang-format #
######################
.PHONY: clang-format-install
clang-format-install:
ifeq (, $(shell ${CLANG_FORMAT_EXE} --version))
@echo "${CLANG_FORMAT_EXE} is not installed. Please read the 'coding style' doc to get more info."
@exit 1
endif
ifneq ($(CLANG_FORMAT_VERSION), $(CLANG_FORMAT_DESIRED_VERSION))
@echo "${CLANG_FORMAT_EXE} version is not '${CLANG_FORMAT_DESIRED_VERSION}'. Actual version is '${CLANG_FORMAT_VERSION}'"
@exit 1
endif
.PHONY: format-clang
format-clang: clang-format-install
git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cpp|h|c)$$' | xargs ${CLANG_FORMAT_EXE} -Werror --style=file:${PROJECT_ROOT_DIR}/.clang-format -i
.PHONY: check-clang
check-clang: clang-format-install
git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cpp|h|c)$$' | xargs ${CLANG_FORMAT_EXE} -Werror --style=file:${PROJECT_ROOT_DIR}/.clang-format -n
######################
# Cmake-format #
######################
.PHONY: cmake-format-install
cmake-format-install:
ifeq (, $(shell ${CMAKE_FORMAT_EXE} --version))
@echo "${CMAKE_FORMAT_EXE} is not installed. Please read the 'coding style' doc to get more info."
@exit 1
endif
ifneq ($(CMAKE_FORMAT_VERSION), $(CMAKE_FORMAT_DESIRED_VERSION))
@echo "${CMAKE_FORMAT_EXE} version is not '${CMAKE_FORMAT_DESIRED_VERSION}'. Actual version is '${CMAKE_FORMAT_VERSION}'"
@exit 1
endif
.PHONY: format-cmake
format-cmake: cmake-format-install
git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cmake)$$|CMakeLists.txt$$' | xargs ${CMAKE_FORMAT_EXE} --config-files ${PROJECT_ROOT_DIR}/.cmake-format.json -i
.PHONY: check-cmake
check-cmake: cmake-format-install
git ls-files --directory ${PROJECT_ROOT_DIR} | grep -E '\.(cmake)$$|CMakeLists.txt$$' | xargs ${CMAKE_FORMAT_EXE} --config-files ${PROJECT_ROOT_DIR}/.cmake-format.json --check
# Add new formatters here...
.PHONY: format-all
format-all: format-clang format-cmake
.PHONY: check-all
check-all: check-clang check-cmake

3
OWNERS

@ -7,11 +7,10 @@ approvers:
- molter73
- lucaguerra
- jasondellaluce
- ekoops
- incertum
reviewers:
- hbrueckner
emeritus_approvers:
- fntlnz
- leodido
- ldegio
- incertum


@ -11,7 +11,7 @@ This repository contains **libsinsp**, **libscap**, the **kernel module** and th
These components are at the foundation of [Falco](https://github.com/falcosecurity/falco) and other projects that work with the same kind of data.
This component stack mainly operates on syscall events. We monitor syscalls using either a kernel module or an eBPF probe, which we call *drivers*. On top of the drivers, `libscap` manages the data capture process, while `libsinsp` enriches the data, and provides a rich set of API to consume the data. Furthermore, these two libraries also implement a [plugin](https://github.com/falcosecurity/plugins) framework that extends this stack to potentially any other data sources. For further details, please refer to Falco's [official documentation](https://falco.org/docs/).
This component stack mainly operates on syscall events. We monitor syscalls using either a kernel module or an eBPF probe, which we call *drivers*. On top of the drivers, `libscap` manages the data capture process, while `libsinsp` enriches the data, and provides a rich set of API to consume the data. Furthermore, these two libraries also implement a [plugin](https://github.com/falcosecurity/plugins) framework that extends this stack to potentially any other data sources. For further details, please refer to the [official documentation](https://falco.org/docs/).
An image is worth a thousand words, they say:
@ -22,7 +22,8 @@ An image is worth a thousand words, they say:
* [_driver/_](./driver) contains kernel module and eBPF probe source code,
so-called **drivers**.
* [_userspace/_](./userspace) contains libscap and libsinsp libraries code.
* [_userspace/_](./userspace) contains libscap and libsinsp libraries code,
plus chisels related code and common utilities.
* **libscap** (aka lib for *System CAPture*) is the userspace library
that directly communicates with the drivers, reading syscall events from
the ring buffer (where drivers place them), and forwarding them
@ -32,6 +33,9 @@ so-called **drivers**.
libscap and enriches them with machine state: moreover, it performs
events filtering with rule evaluation through its internal rule engine.
Finally, it manages outputs.
* **chisels** are just little Lua scripts to analyze an event stream
and perform useful actions. In this subfolder, the backend code for
chisels support can be found.
* [_proposals/_](./proposals) unexpectedly contains the list of proposals.
* [_cmake/modules/_](./cmake/modules) contains modules to build
external dependencies, plus the libscap and libsinsp ones; consumers
@ -41,13 +45,13 @@ external dependencies, plus the libscap and libsinsp ones; consumers
Our drivers officially support the following architectures:
| | Kernel module | eBPF probe | Modern eBPF probe | Status |
| ----------- |----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------| ----------------- | ------ |
| **x86_64** | >= 2.6 | >= 4.14 | >= 5.8 | _STABLE_ |
| **aarch64** | >= [3.16](https://github.com/torvalds/linux/commit/055b1212d141f1f398fca548f8147787c0b6253f) | >= 4.17 | >= 5.8 | _STABLE_ |
| **s390x** | >= 2.6 | >= [5.5](https://github.com/torvalds/linux/commit/6ae08ae3dea) | >= 5.8 | _EXPERIMENTAL_ |
| **riscv64** | >= [5.0](https://github.com/torvalds/linux/commit/5aeb1b36cedd3a1dfdbfe368629fed52dee34103) | N/A | N/A | _EXPERIMENTAL_ |
| **ppc64le** | >= 2.6 | >= [5.1](https://github.com/torvalds/linux/commit/ed1cd6deb013a11959d17a94e35ce159197632da) | >= 5.8 | _STABLE_ |
| | Kernel module | eBPF probe | Modern eBPF probe | Status |
| ----------- |----------------------------------------------------------------------------------------------| ---------- | ----------------- | ------ |
| **x86_64** | >= 2.6 | >= 4.14 | >= 5.8 | _STABLE_ |
| **aarch64** | >= [3.16](https://github.com/torvalds/linux/commit/055b1212d141f1f398fca548f8147787c0b6253f) | >= 4.17 | >= 5.8 | _STABLE_ |
| **s390x** | >= 2.6 | >= [5.5](https://github.com/torvalds/linux/commit/6ae08ae3dea) | >= 5.8 | _EXPERIMENTAL_ |
| **riscv64** | >= [5.0](https://github.com/torvalds/linux/commit/5aeb1b36cedd3a1dfdbfe368629fed52dee34103) | N/A | N/A | _EXPERIMENTAL_ |
| **ppc64le** | >=2.6 | >=4.18 | >= 5.8 | _EXPERIMENTAL_ |
To access up-to-date status reports on Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/). It provides a list of supported syscalls as well as the [report](https://falcosecurity.github.io/libs/report/).
@ -104,13 +108,13 @@ If you are building this project outside of a Git working directory, or if you w
<details>
<summary>Expand Build Instructions</summary>
For your convenience, we have included the instructions for building the `libs` modules here, in addition to the information available in Falco's [official documentation](https://falco.org/docs/install-operate/source/). These instructions are designed for building and testing `libs` on your own Linux development machine. However, if you intend to adopt CI or build within containers, there are additional considerations to take into account. The official [website]((https://falco.org/docs/install-operate/source/)) continually extends its guidance in this respect.
For your convenience, we have included the instructions for building the `libs` modules here, in addition to the information available in the [official documentation](https://falco.org/docs/install-operate/source/). These instructions are designed for building and testing `libs` on your own Linux development machine. However, if you intend to adopt CI or build within containers, there are additional considerations to take into account. The official [website]((https://falco.org/docs/install-operate/source/)) continually extends its guidance in this respect.
The project utilizes the `cmake` build system, and the key `make` targets are as follows:
* `driver` -> build the kmod
* `bpf` -> build the legacy `ebpf` probe
* `scap` -> build libscap (`modern_ebpf` driver will be bundled into `scap` if enabled)
* `bpf` -> build the eBPF probe
* `scap` -> build libscap (`modern_bpf` driver will be bundled into `scap` if enabled)
* `sinsp` -> build libsinsp (depends upon `scap` target)
* `scap-open` -> build a small example binary for `libscap` to test the drivers (dependent on `scap`)
* `sinsp-example` -> build a small example binary for `libsinsp` to test the drivers and/or `libsinsp` functionality (dependent on `scap` and `sinsp`)
@ -135,7 +139,7 @@ make sinsp
### Build userspace using system deps
To build using the system deps instead, first, make sure to have all the needed packages installed. Refer to Falco's [official documentation](https://falco.org/docs/install-operate/source/).
To build using the system deps instead, first, make sure to have all the needed packages installed. Refer to the [official documentation](https://falco.org/docs/install-operate/source/).
```bash
cmake -DUSE_BUNDLED_DEPS=OFF ../;
@ -146,27 +150,29 @@ make sinsp
### Build driver - kmod
To build the kmod driver, you need your kernel headers installed. Check out Falco's [official documentation](https://falco.org/docs/install-operate/source/).
To build the kmod driver, you need your kernel headers installed. Check out the [official documentation](https://falco.org/docs/install-operate/source/).
```bash
make driver
# Verify the kmod binary object file was created, uses `.ko` extension.
# Verify the kmod object code was created, uses `.ko` extension.
ls -l driver/src/scap.ko;
```
### Build driver - eBPF probe
To build the eBPF probe, you need `clang` and `llvm` packages and you also need your kernel headers installed. Check out Falco's [official documentation](https://falco.org/docs/install-operate/source/).
To build the eBPF probe, you need `clang` and `llvm` packages and you also need your kernel headers installed. Check out the [official documentation](https://falco.org/docs/install-operate/source/).
```bash
cmake -DBUILD_BPF=ON ../;
make bpf
# Verify the eBPF bytecode file was created, uses `.o` extension.
# Verify the eBPF object code was created, uses `.o` extension.
ls -l driver/bpf/probe.o;
```
>__WARNING__: **clang-7** is the oldest supported version to build our BPF probe.
Initial guidance for CI and building within containers: To build either the kmod or eBPF probe in a container, you will need to make the extracted kernel headers available. The [test/vm](test/vm/) directory contains example [scripts](test/vm/scripts/compile_drivers.sh) demonstrating how to pass them to the `make` command using the argument `KERNELDIR=${EXTRACTED_KERNEL_HEADERS_DIR}`. You can also use the [falcosecurity/driverkit](https://github.com/falcosecurity/driverkit) or explore the scripts within the driverkit repository. The mentioned resources also provide candidate builder containers.
### Build driver - modern eBPF probe
To build the modern eBPF probe, further prerequisites are necessary:
@ -191,13 +197,13 @@ To build the modern eBPF probe, further prerequisites are necessary:
> __NOTE:__ These are not the requirements to use the modern BPF probe, but rather for building it from source.
Regarding the previously discussed legacy eBPF driver, it generates kernel-specific bytecode (`driver/bpf/probe.o`) tailored to your machine's kernel release (`uname -r`). The location of the bytecode file can then be passed as an argument for testing with the `scap-open` and `sinsp-example` binaries.
Regarding the previously discussed bpf drivers, they create a kernel-specific object code (`driver/bpf/probe.o`) for your machine's kernel release (`uname -r`). This object code is then used as an argument for testing with `scap-open` and `sinsp-example` binaries.
However, the modern eBPF driver build process doesn't require kernel headers, and it isn't tied to your kernel release. This is enabled by the CO-RE (Compile Once - Run Everywhere) feature of the modern eBPF driver.
However, the modern BPF driver operates differently. It doesn't require kernel headers, and its build isn't tied to your kernel release. This is enabled by the CO-RE (Compile Once - Run Everywhere) feature of the modern BPF driver. CO-RE allows the driver to work on kernels with backported BTF (BPF Type Format) support or kernel versions >= 5.8.
CO-RE allows the driver to work on kernels with backported BTF (BPF Type Format) support or kernel versions >= 5.8. The way the driver interprets kernel data structures without direct knowledge of the running kernel is not magic — it leverages predefined type information and BTF-based relocations. We maintain a [vmlinux.h](driver/modern_bpf/definitions/vmlinux.h) file containing essential kernel data structure definitions, allowing the eBPF program to reference fields dynamically. Additionally, for cases where macros or functions from system headers are required, we redefine them in [struct_flavors.h](driver/modern_bpf/definitions/struct_flavors.h). Combined with CO-RE (Compile Once, Run Everywhere), this enables the driver to remain portable across different kernel versions.
To comprehend how the driver understands kernel data structures without knowledge of the kernel it runs on, there's no black magic involved. We maintain a [vmlinux.h](driver/modern_bpf/definitions/vmlinux.h) file in our project containing all necessary kernel data structure definitions. Additionally, we sometimes rely on macros or functions typically found in system header files, which we redefine in [struct_flavors.h](driver/modern_bpf/definitions/struct_flavors.h).
The modern eBPF driver build process produces an eBPF header skeleton file using `bpftool`. The skeleton file is a C header file that embeds the compiled eBPF program as bytecode.
That being said, the modern BPF driver still produces an object file, which you can create using the target below. Nevertheless, we ultimately include it in `scap` regardless. Hence, when modern BPF is enabled, building `scap` will already cover this step for you.
```bash
cmake \
@ -205,15 +211,13 @@ cmake \
-DBUILD_LIBSCAP_MODERN_BPF=ON ../;
make ProbeSkeleton
# Verify the modern eBPF bytecode / final composed header file including all `.o` modern_ebpf files was created, uses `.h` extension.
# Verify the modern eBPF object code / final composed header file including all `.o` modern_bpf files was created, uses `.h` extension.
ls -l skel_dir/bpf_probe.skel.h;
# Now includes skel_dir/bpf_probe.skel.h in `scap` during the linking process.
make scap
```
Since modern eBPF is included in `scap`, running `make scap` automatically covers the `make ProbeSkeleton` build step.
You can also split the build process and specify the directory containing the `bpf_probe.skel.h` file.
Initial guidance for CI and building within containers: The Falco Project, for instance, compiles the final Falco userspace binary within older centos7 [falco-builder](https://falco.org/docs/install-operate/source/#build-using-falco-builder-container) containers with bundled dependencies. This ensures compatibility across supported systems, mainly due to GLIBC versions and other intricacies. However, you won't be able to compile the modern BPF driver on such old systems or builder containers. One solution is to build `skel_dir/bpf_probe.skel.h` in a more recent builder container. For example, you can refer to this [container](test/vm/containers/ubuntu2310.Dockerfile) as a guide. Subsequently, you can provide the modern BPF header file as an artifact to `scap` during building in an older builder container. As an illustrative example, we use `/tmp/skel-dir` containing the `bpf_probe.skel.h` file.
```bash
cmake \
@ -243,7 +247,7 @@ This repository includes convenient test example binaries for both `scap` and `s
When developing new features, you would run either one depending on what you're working on, in order to test and validate your changes.
> __NOTE:__ When you're working on driver development, it can be quite useful to make use of the kernel's built-in `printk` functionality. However, for the traditional bpf driver, you'll need to uncomment a line in the [bpf Makefile](driver/bpf/Makefile) first and use a dedicated build flag `BPF_DEBUG`. For modern eBPF, use the build flag `MODERN_BPF_DEBUG_MODE`. Any logs generated by `bpf_printk()` will be written to `/sys/kernel/debug/tracing/trace_pipe`. Just make sure you have the right permissions set up for this.
> __NOTE:__ When you're working on driver development, it can be quite useful to make use of the kernel's built-in `printk` functionality. However, for the traditional bpf driver, you'll need to uncomment a line in the [bpf Makefile](driver/bpf/Makefile) first and use a dedicated build flag `BPF_DEBUG`. For modern BPF, use the build flag `MODERN_BPF_DEBUG_MODE`. Any logs generated by `bpf_printk()` will be written to `/sys/kernel/debug/tracing/trace_pipe`. Just make sure you have the right permissions set up for this.
Here's an example of a `cmake` command that will enable everything you need for all tests and components. By default, the following flags are disabled, with the exception of `USE_BUNDLED_DEPS` and `CREATE_TEST_TARGETS` (they are enabled by default).
@ -259,7 +263,8 @@ cmake \
-DCREATE_TEST_TARGETS=ON \
-DENABLE_LIBSCAP_TESTS=ON \
-DENABLE_DRIVERS_TESTS=ON \
-DENABLE_LIBSINSP_E2E_TESTS=ON ../;
-DENABLE_LIBSINSP_E2E_TESTS=ON \
-DENABLE_VM_TESTS=ON ../;
```
> __NOTE:__ The `ENABLE_LIBSINSP_E2E_TESTS` flag enables the new e2e tests for libsinsp. Please keep in mind these tests are currently in heavy development and need some extra steps (see in the section below) to run correctly.
@ -301,10 +306,9 @@ sudo ./test/drivers/drivers_test -m;
The tests mentioned below expand beyond the scope of "unit tests". In this context as well, we are dedicated to making sure they run smoothly on your `localhost` for pre-PR testing, to the best of our ability:
- [test/e2e](test/e2e) - enforced by our CI
- [test/vm](test/vm) - our CI includes comparable tests, but it employs a distinct framework. For current status reports on Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/).
For current status reports on the CI powered Falco drivers kernel testing, please visit this [page](https://falcosecurity.github.io/libs/).
In general, The Falco Project's `libs` repository includes numerous CI-powered checks. For the most current information, please refer to the CI definitions under the [workflows](.github/workflows/) directory.
As mentioned earlier, The Falco Project's `libs` repository includes numerous CI-powered checks. For the most current information, please refer to the CI definitions under the [workflows](.github/workflows/) directory.
### [EXPERIMENTAL] Run libsinsp e2e tests


@ -1,33 +0,0 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2024 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
#
message(STATUS "Benchmarks enabled")
include(googleBenchmark)
set(BENCHMARK_SOURCES ./main.cpp)
set(BENCHMARK_DEPENDENCIES sinsp)
set(BENCHMARK_LIBRARIES benchmark::benchmark sinsp)
set(BENCHMARK_INCLUDE PRIVATE "${LIBSINSP_INCLUDE_DIRS}")
file(GLOB_RECURSE SINSP_SUITE "${CMAKE_CURRENT_SOURCE_DIR}/libsinsp/*.cpp")
list(APPEND BENCHMARK_SOURCES ${SINSP_SUITE})
add_compile_options(${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS})
add_link_options(${FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS})
add_executable(bench ${BENCHMARK_SOURCES})
target_link_libraries(bench ${BENCHMARK_LIBRARIES})
target_include_directories(bench ${BENCHMARK_INCLUDE})
add_dependencies(bench ${BENCHMARK_DEPENDENCIES})


@ -1,14 +0,0 @@
# Benchmarks
## Build
```bash
cmake -DENABLE_BENCHMARKS=ON ..
make bench
```
## Run
```bash
sudo ./benchmark/bench
```


@ -1,55 +0,0 @@
// SPDX-License-Identifier: Apache-2.0
/*
Copyright (C) 2024 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#include <libsinsp/utils.h>
#include <benchmark/benchmark.h>
static void BM_sinsp_split(benchmark::State& state) {
for(auto _ : state) {
std::string str = "hello,world,";
benchmark::DoNotOptimize(sinsp_split(str, ','));
}
}
BENCHMARK(BM_sinsp_split);
static void BM_sinsp_concatenate_paths_relative_path(benchmark::State& state) {
for(auto _ : state) {
std::string path1 = "/tmp/";
std::string path2 = "foo/bar";
benchmark::DoNotOptimize(sinsp_utils::concatenate_paths(path1, path2));
}
}
BENCHMARK(BM_sinsp_concatenate_paths_relative_path);
static void BM_sinsp_concatenate_paths_empty_path(benchmark::State& state) {
for(auto _ : state) {
std::string path1 = "/tmp/";
std::string path2 = "";
benchmark::DoNotOptimize(sinsp_utils::concatenate_paths(path1, path2));
}
}
BENCHMARK(BM_sinsp_concatenate_paths_empty_path);
static void BM_sinsp_concatenate_paths_absolute_path(benchmark::State& state) {
for(auto _ : state) {
std::string path1 = "/tmp/";
std::string path2 = "/foo/bar";
benchmark::DoNotOptimize(sinsp_utils::concatenate_paths(path1, path2));
}
}
BENCHMARK(BM_sinsp_concatenate_paths_absolute_path);


@ -1,138 +0,0 @@
# Get all dependencies for ${lib} and add them to ${LIBDIRS_VAR} and ${LIBS_VAR}. Ignore any
# dependencies in the list ${ignored} to: - avoid infinite recursion - avoid libscap dependencies in
# libsinsp.pc (which requires libscap.pc and pulls them in that way)
function(add_pkgconfig_library LIBDIRS_VAR LIBS_VAR lib ignored)
message(DEBUG "[add_pkgconfig_library] processing lib \"${lib}\"")
# if it's not a target, it doesn't have dependencies we know or care about
if(NOT TARGET ${lib})
return()
endif()
# get the libraries that ${lib} links to
get_target_property(PKGCONFIG_LIBRARIES ${lib} LINK_LIBRARIES)
if("${PKGCONFIG_LIBRARIES}" STREQUAL "PKGCONFIG_LIBRARIES-NOTFOUND")
return()
endif()
message(DEBUG "[add_pkgconfig_library] LINK_LIBRARIES property: \"${PKGCONFIG_LIBRARIES}\"")
get_property(
target_type
TARGET ${lib}
PROPERTY TYPE
)
message(DEBUG "[add_pkgconfig_library] ignored list: \"${ignored}\"")
foreach(dep ${PKGCONFIG_LIBRARIES})
# XXX: We use a (very) loose match as we are potentially comparing absolute library file
# names (dep) to pkg-config library names to be ignored. The only alternative I can think
# of would be to maintain a map associating pkg-config names to their library file name.
get_filename_component(dep_base ${dep} NAME_WE)
string(REGEX REPLACE "^lib" "" dep_name ${dep_base})
# For CMake imported targets, keep only the suffix, e.g. gRPC::grpc -> grpc.
string(REGEX REPLACE "[^:]*::" "" dep_name ${dep_base})
message(DEBUG "[add_pkgconfig_library] processing dep ${dep}")
string(FIND "${ignored}" "${dep_name}" find_result)
if(NOT ${find_result} EQUAL -1)
message(DEBUG "[add_pkgconfig_library] \"${dep}\" ignored")
continue()
endif()
if(${target_type} STREQUAL "SHARED_LIBRARY")
# for shared libraries, do not add static libraries as dependencies
if(TARGET ${dep})
# skip static libraries which are CMake targets
get_property(
dep_target_type
TARGET ${dep}
PROPERTY TYPE
)
if(NOT ${dep_target_type} STREQUAL "SHARED_LIBRARY")
continue()
endif()
else()
# skip static libraries which are just file paths
get_filename_component(ext ${dep} LAST_EXT)
if("${ext}" STREQUAL "${CMAKE_STATIC_LIBRARY_SUFFIX}")
continue()
endif()
endif()
elseif(${target_type} STREQUAL "STATIC_LIBRARY")
# for static libraries which are not CMake targets, redirect them to
# ${libdir}/${LIBS_PACKAGE_NAME} note that ${libdir} is not a CMake variable, but a
# pkgconfig variable, so we quote it and end up with a literal ${libdir} in the
# pkgconfig file
if(NOT TARGET ${dep})
get_filename_component(filename ${dep} NAME)
set(dep "\${libdir}/${LIBS_PACKAGE_NAME}/${filename}")
else()
get_property(
dep_target_type
TARGET ${dep}
PROPERTY TYPE
)
if(${dep_target_type} STREQUAL "OBJECT_LIBRARY")
# skip object libraries
continue()
endif()
# if the library is imported, use the IMPORTED_LOCATION instead
get_property(
dep_imported_location
TARGET ${dep}
PROPERTY IMPORTED_LOCATION
)
if(NOT ${dep_imported_location} STREQUAL "")
get_filename_component(filename ${dep_imported_location} NAME)
set(dep "\${libdir}/${LIBS_PACKAGE_NAME}/${filename}")
endif()
endif()
endif()
add_pkgconfig_dependency(${LIBDIRS_VAR} ${LIBS_VAR} ${dep} "${ignored}")
endforeach()
# Remove duplicate search paths. We cannot remove duplicates from ${LIBS_VAR} because the order
# of libraries is important.
list(REMOVE_DUPLICATES ${LIBDIRS_VAR})
set(${LIBS_VAR}
${${LIBS_VAR}}
PARENT_SCOPE
)
set(${LIBDIRS_VAR}
${${LIBDIRS_VAR}}
PARENT_SCOPE
)
endfunction()
function(add_pkgconfig_dependency LIBDIRS_VAR LIBS_VAR lib ignored)
if(${lib} IN_LIST ignored)
# already processed, avoid infinite recursion
elseif(${lib} MATCHES "^-")
# We have a flag. Pass it through unchanged.
list(APPEND ${LIBS_VAR} ${lib})
elseif(${lib} MATCHES "/")
# We have a path. Convert it to -L<dir> + -l<lib>.
get_filename_component(lib_dir ${lib} DIRECTORY)
list(APPEND ${LIBDIRS_VAR} -L${lib_dir})
get_filename_component(lib_base ${lib} NAME_WE)
string(REGEX REPLACE "^lib" "" lib_base ${lib_base})
list(APPEND ${LIBS_VAR} -l${lib_base})
else()
# Assume we have a plain library name. Prefix it with "-l". Then recurse into its
# dependencies but ignore the library itself, so we don't end up in an infinite loop with
# cyclic dependencies
list(APPEND ${LIBS_VAR} -l${lib})
list(APPEND ignored ${lib})
add_pkgconfig_library(${LIBDIRS_VAR} ${LIBS_VAR} ${lib} "${ignored}")
endif()
set(${LIBS_VAR}
${${LIBS_VAR}}
PARENT_SCOPE
)
set(${LIBDIRS_VAR}
${${LIBDIRS_VAR}}
PARENT_SCOPE
)
endfunction()


@ -2,15 +2,14 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags")
@ -33,78 +32,45 @@ if(NOT MSVC)
set(FALCOSECURITY_LIBS_COMMON_FLAGS "-Wall -ggdb")
set(FALCOSECURITY_LIBS_DEBUG_FLAGS "-Og -D_DEBUG")
set(FALCOSECURITY_LIBS_RELEASE_FLAGS "-O3 -fno-strict-aliasing -DNDEBUG")
set(FALCOSECURITY_LIBS_COVERAGE_FLAGS "-O0 -fprofile-arcs -ftest-coverage")
if(MINIMAL_BUILD)
set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -DMINIMAL_BUILD")
endif()
if(MUSL_OPTIMIZED_BUILD)
set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -static -Os")
endif()
if(BUILD_WARNINGS_AS_ERRORS)
set(CMAKE_COMPILE_WARNING_AS_ERROR ON)
set(CMAKE_SUPPRESSED_WARNINGS
"-Wno-unused-parameter -Wno-sign-compare -Wno-implicit-fallthrough -Wno-format-truncation -Wno-deprecated-declarations"
)
if(CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
# Clang needs these for suppressing these warnings: - C++20 array designators used with
# C++17 - C99 array designators used in C++ - avoid complaining about the option above
# `-Wno-format-truncation`
set(CMAKE_SUPPRESSED_WARNINGS
"${CMAKE_SUPPRESSED_WARNINGS} -Wno-c++20-designator -Wno-c99-designator -Wno-unknown-warning-option"
)
set(CMAKE_SUPPRESSED_WARNINGS "-Wno-unused-parameter -Wno-sign-compare -Wno-implicit-fallthrough -Wno-format-truncation")
if (CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
# Clang needs these for suppressing these warnings:
# - C++20 array designators used with C++17
# - C99 array designators used in C++
# - avoid complaining about the option above `-Wno-format-truncation`
set(CMAKE_SUPPRESSED_WARNINGS "${CMAKE_SUPPRESSED_WARNINGS} -Wno-c++20-designator -Wno-c99-designator -Wno-unknown-warning-option")
endif()
set(FALCOSECURITY_LIBS_COMMON_FLAGS
"${FALCOSECURITY_LIBS_COMMON_FLAGS} -Werror -Wextra ${CMAKE_SUPPRESSED_WARNINGS}"
)
set(FALCOSECURITY_LIBS_COMMON_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS} -Werror -Wextra ${CMAKE_SUPPRESSED_WARNINGS}")
endif()
if(USE_ASAN)
set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS
"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fsanitize=address"
)
set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS
"${FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS};-fsanitize=address;-lpthread"
)
set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS "${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fsanitize=address")
set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS "${FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS};-fsanitize=address;-lpthread")
endif()
if(USE_UBSAN)
set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS
"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fsanitize=undefined"
)
set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS
"${FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS};-fsanitize=undefined"
)
set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS "${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fsanitize=undefined")
set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS "${FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS};-fsanitize=undefined")
if(UBSAN_HALT_ON_ERROR)
set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS
"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fno-sanitize-recover=undefined"
)
set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS "${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fno-sanitize-recover=undefined")
endif()
endif()
if(USE_TSAN)
set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS
"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};-fsanitize=thread"
)
set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS
"${FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS};-fsanitize=thread"
)
endif()
if(ENABLE_COVERAGE)
set(FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS
"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};--coverage"
)
set(FALCOSECURITY_LIBS_USERSPACE_LINK_FLAGS
"${FALCOSECURITY_LIBS_USERSPACE_COMPILE_FLAGS};--coverage"
)
endif()
if(ENABLE_THREAD_POOL)
set(FALCOSECURITY_LIBS_COMMON_FLAGS
"${FALCOSECURITY_LIBS_COMMON_FLAGS} -DENABLE_THREAD_POOL"
)
endif()
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${FALCOSECURITY_LIBS_COMMON_FLAGS}")
# we need also `-std=c++17` here beacuse `set(CMAKE_CXX_STANDARD 17)` is not enough to enforce
# c++17 with some Cmake versions: https://github.com/falcosecurity/libs/pull/950
# we need also `-std=c++17` here beacuse `set(CMAKE_CXX_STANDARD 17)` is not enough to enforce c++17
# with some Cmake versions: https://github.com/falcosecurity/libs/pull/950
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${FALCOSECURITY_LIBS_COMMON_FLAGS} -std=c++17")
set(CMAKE_C_FLAGS_DEBUG "${FALCOSECURITY_LIBS_DEBUG_FLAGS}")
@ -113,12 +79,15 @@ if(NOT MSVC)
set(CMAKE_C_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
set(CMAKE_CXX_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
set(CMAKE_C_FLAGS_COVERAGE "${FALCOSECURITY_LIBS_COVERAGE_FLAGS}")
set(CMAKE_CXX_FLAGS_COVERAGE "${FALCOSECURITY_LIBS_COVERAGE_FLAGS}")
add_definitions(-D__STDC_FORMAT_MACROS)
else() # MSVC
set(FALCOSECURITY_LIBS_COMMON_FLAGS
"-D_CRT_SECURE_NO_WARNINGS -DWIN32 /EHsc /W3 /Zi /std:c++17"
)
set(MINIMAL_BUILD ON)
set(FALCOSECURITY_LIBS_COMMON_FLAGS "-D_CRT_SECURE_NO_WARNINGS -DWIN32 -DMINIMAL_BUILD /EHsc /W3 /Zi /std:c++17")
if(CMAKE_VERSION VERSION_LESS 3.15.0)
set(FALCOSECURITY_LIBS_DEBUG_FLAGS "/MTd /Od")
set(FALCOSECURITY_LIBS_RELEASE_FLAGS "/MT")
@ -136,9 +105,8 @@ else() # MSVC
set(CMAKE_C_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
set(CMAKE_CXX_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
# "_DISABLE_CONSTEXPR_MUTEX_CONSTRUCTOR" enables a workaround for windows GH runner issue, see
# https://github.com/actions/runner-images/issues/10004 Also, define NOMINMAX globally.
add_compile_definitions(
_HAS_STD_BYTE=0 WIN32_LEAN_AND_MEAN _DISABLE_CONSTEXPR_MUTEX_CONSTRUCTOR NOMINMAX
_HAS_STD_BYTE=0
WIN32_LEAN_AND_MEAN
)
endif()
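Review bot: The one-line `set(CMAKE_SUPPRESSED_WARNINGS "-Wno-unused-parameter -Wno-sign-compare -Wno-implicit-fallthrough -Wno-format-truncation")` under `if(BUILD_WARNINGS_AS_ERRORS)` switches off `-Wsign-compare` and `-Wformat-truncation` for every target and carries no comment saying why. Those two diagnostics flag signed/unsigned length comparisons and truncated `snprintf` output, so the `-Werror -Wextra` build gives less assurance than the option name suggests; this presumably matters most for the code that parses buffers coming from the drivers. I would add a comment above the `set`, for example `# TODO: drop -Wno-sign-compare and -Wno-format-truncation once the remaining warnings are fixed`, and apply the suppressions per target rather than through `FALCOSECURITY_LIBS_COMMON_FLAGS`. The variable name also uses the `CMAKE_` prefix that CMake reserves for its own identifiers; a project-prefixed name such as `FALCOSECURITY_LIBS_SUPPRESSED_WARNINGS` avoids a later clash. The rendered page has lost its `+`/`-` markers, so the side of each line is inferred from the hunk headers, and the file continues outside the hunks shown.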


@ -2,33 +2,43 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This module is used to understand where the makedev function is defined in the glibc in use. see
# 'man 3 makedev' Usage: In your CMakeLists.txt include(FindMakedev)
# This module is used to understand where the makedev function
# is defined in the glibc in use.
# see 'man 3 makedev'
# Usage:
# In your CMakeLists.txt
# include(FindMakedev)
#
# In your source code:
# In your source code:
#
# #if HAVE_SYS_MKDEV_H #include <sys/mkdev.h> #endif #ifdef HAVE_SYS_SYSMACROS_H #include
# <sys/sysmacros.h> #endif
# #if HAVE_SYS_MKDEV_H
# #include <sys/mkdev.h>
# #endif
# #ifdef HAVE_SYS_SYSMACROS_H
# #include <sys/sysmacros.h>
# #endif
#
include(${CMAKE_ROOT}/Modules/CheckIncludeFile.cmake)
check_include_file("sys/mkdev.h" HAVE_SYS_MKDEV_H)
check_include_file("sys/sysmacros.h" HAVE_SYS_SYSMACROS_H)
if(HAVE_SYS_MKDEV_H)
add_definitions(-DHAVE_SYS_MKDEV_H)
if (HAVE_SYS_MKDEV_H)
add_definitions(-DHAVE_SYS_MKDEV_H)
endif()
if(HAVE_SYS_SYSMACROS_H)
add_definitions(-DHAVE_SYS_SYSMACROS_H)
if (HAVE_SYS_SYSMACROS_H)
add_definitions(-DHAVE_SYS_SYSMACROS_H)
endif()


@ -1,29 +0,0 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
#
find_path(BS_THREADPOOL_INCLUDE NAMES BS_thread_pool.hpp)
if(BS_THREADPOOL_INCLUDE)
if(NOT bs_threadpool_FIND_QUIETLY)
message(STATUS "Found bs_threadpool: include: ${BS_THREADPOOL_INCLUDE}.")
endif()
else()
if(bs_threadpool_FIND_REQUIRED)
message(FATAL_ERROR "Required component bs_threadpool missing.")
endif()
if(NOT bs_threadpool_FIND_QUIETLY)
message(WARNING "bs_threadpool not found.")
endif()
endif()


@ -2,32 +2,35 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This module is used to find where the valijson headers are installed on the system. This is
# required up to v0.6, since package config files are not provided. This is fixed in master though,
# and this file shall be automatically ignored for later versions.
# This module is used to find where the valijson headers are installed
# on the system. This is required up to v0.6, since package config
# files are not provided. This is fixed in master though, and this
# file shall be automatically ignored for later versions.
find_path(VALIJSON_INCLUDE NAMES valijson/validator.hpp validator.hpp)
if(VALIJSON_INCLUDE)
if(NOT valijson_FIND_QUIETLY)
message(STATUS "Found valijson: include: ${VALIJSON_INCLUDE}.")
endif()
if (VALIJSON_INCLUDE)
if (NOT valijson_FIND_QUIETLY)
message(STATUS "Found valijson: include: ${VALIJSON_INCLUDE}.")
endif()
else()
if(valijson_FIND_REQUIRED)
message(FATAL_ERROR "Required component valijson missing.")
endif()
if(NOT valijson_FIND_QUIETLY)
message(WARNING "Valijson not found.")
endif()
if (valijson_FIND_REQUIRED)
message(FATAL_ERROR "Required component valijson missing.")
endif()
if (NOT valijson_FIND_QUIETLY)
message(WARNING "Valijson not found.")
endif()
endif()


@ -2,225 +2,191 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
if(_falcosecurity_get_version_from_git)
return()
return()
endif()
set(_falcosecurity_get_version_from_git TRUE)
if(NOT FALCOSECURITY_RELEASE_BRANCH_REGEX)
set(FALCOSECURITY_RELEASE_BRANCH_REGEX "^release/")
set(FALCOSECURITY_RELEASE_BRANCH_REGEX "^release/")
endif()
function(_falcosecurity_execute_git _out)
if(NOT GIT_FOUND)
find_package(Git QUIET)
endif()
if(NOT GIT_FOUND)
find_package(Git QUIET)
endif()
execute_process(
COMMAND "${GIT_EXECUTABLE}" ${ARGN}
WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
RESULT_VARIABLE res
OUTPUT_VARIABLE out
ERROR_QUIET OUTPUT_STRIP_TRAILING_WHITESPACE
)
execute_process(COMMAND
"${GIT_EXECUTABLE}"
${ARGN}
WORKING_DIRECTORY
"${CMAKE_CURRENT_SOURCE_DIR}"
RESULT_VARIABLE
res
OUTPUT_VARIABLE
out
ERROR_QUIET
OUTPUT_STRIP_TRAILING_WHITESPACE)
if(NOT res EQUAL 0)
set(out "")
endif()
if(NOT res EQUAL 0)
set(out "")
endif()
set(${_out}
"${out}"
PARENT_SCOPE
)
set(${_out} "${out}" PARENT_SCOPE)
endfunction()
function(_falcosecurity_extract_version version_str x y z found)
string(REGEX MATCH "^([0-9]+)\\.([0-9]+)\\.([0-9]+)" match_result ${version_str})
string(REGEX MATCH "^([0-9]+)\\.([0-9]+)\\.([0-9]+)" match_result ${version_str})
if(match_result)
string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\1" x_val ${match_result})
string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\2" y_val ${match_result})
string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\3" z_val ${match_result})
set(${x}
${x_val}
PARENT_SCOPE
)
set(${y}
${y_val}
PARENT_SCOPE
)
set(${z}
${z_val}
PARENT_SCOPE
)
set(${found}
TRUE
PARENT_SCOPE
)
else()
set(${found}
FALSE
PARENT_SCOPE
)
endif()
if(match_result)
string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\1" x_val ${match_result})
string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\2" y_val ${match_result})
string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+).*" "\\3" z_val ${match_result})
set(${x} ${x_val} PARENT_SCOPE)
set(${y} ${y_val} PARENT_SCOPE)
set(${z} ${z_val} PARENT_SCOPE)
set(${found} TRUE PARENT_SCOPE)
else()
set(${found} FALSE PARENT_SCOPE)
endif()
endfunction()
# get_version_from_git() provides a basic implementation of the Falco versioning convention.
#
# The primary convention is that all version numbers should be a SemVer2.0-compatible string. The
# version number for the development build must follow a pre-release version pattern. To accomplish
# this, we use Git as the primary data source to construct the version number automatically. In this
# regard, the convention assumes that: any Git tag represents an officially released build, and each
# Git commit could potentially be a development build.
# The primary convention is that all version numbers should be a SemVer2.0-compatible string.
# The version number for the development build must follow a pre-release version pattern.
# To accomplish this, we use Git as the primary data source to construct the version number
# automatically. In this regard, the convention assumes that:
# any Git tag represents an officially released build,
# and each Git commit could potentially be a development build.
#
# With those assumptions, the build system will return a version number based on one of the
# following cases:
# With those assumptions, the build system will return a version number based on one of
# the following cases:
#
# * If the current Git checkout points to an exact Git tag, we assume it is an officially released
# version (either a release or a pre-release).
# - If the current Git checkout points to an exact Git tag,
# we assume it is an officially released version (either a release or a pre-release).
#
# * If we are in a release branch (with the suffix `release/`), we assume that each commit (i.e.,
# each development build) represents a potential new patch version.
# - If we are in a release branch (with the suffix `release/`),
# we assume that each commit (i.e., each development build) represents a potential new patch version.
#
# * If we are in any other branch, we assume that each commit (i.e., each development build)
# represents a potential new minor version.
# - If we are in any other branch,
# we assume that each commit (i.e., each development build) represents a potential new minor version.
#
# * In any other case (for example, if there's no git information available), version `0.0.0` will
# be returned as a fallback.
# - In any other case (for example, if there's no git information available),
# version `0.0.0` will be returned as a fallback.
#
# For the officially released versions, we assume the Git tag will carry on the correct information,
# so we return it as-is.
#
# For development versions, the string is built as follows: `<x>.<y>.<z>-<count>+<commit>[suffix]`
# Where: - `<x>.<y>.<z>` represents the next version number, reflecting either a patch for release
# branches or a minor version for development branches. - `<count>` is the number of commits ahead
# from either: - the latest tag on the branch, for release branches; or - the closest common
# ancestor with the branch holding the latest tagged version, for development branches. - `<commit>`
# refers to the first 7 digits of the commit hash. - `[suffix]` the value of `match_suffix`, if any.
# For development versions, the string is built as follows:
# `<x>.<y>.<z>-<count>+<commit>[suffix]`
# Where:
# - `<x>.<y>.<z>` represents the next version number, reflecting either a patch for release branches
# or a minor version for development branches.
# - `<count>` is the number of commits ahead from either:
# - the latest tag on the branch, for release branches; or
# - the closest common ancestor with the branch holding the latest tagged version,
# for development branches.
# - `<commit>` refers to the first 7 digits of the commit hash.
# - `[suffix]` the value of `match_suffix`, if any.
# Note: all non-alphanumerics will be converted to hyphens.
#
#
# This function sets the resulting version string to a variable in the parent scope.
#
# Arguments: - _var Variable to store the resulting version string. - match_suffix Only
# consider Git references with this suffix. - exclude_suffix Ignore Git references with this
# suffix.
# Arguments:
# - _var Variable to store the resulting version string.
# - match_suffix Only consider Git references with this suffix.
# - exclude_suffix Ignore Git references with this suffix.
function(get_version_from_git _var match_suffix exclude_suffix)
# Release version Try to obtain the exact git tag
if(exclude_suffix)
_falcosecurity_execute_git(
tag
describe
--tags
--exact-match
--match
"*${match_suffix}"
--exclude
"*${exclude_suffix}"
HEAD
)
else()
_falcosecurity_execute_git(
tag
describe
--tags
--exact-match
--match
"*${match_suffix}"
HEAD
)
endif()
# Release version
# Try to obtain the exact git tag
if(exclude_suffix)
_falcosecurity_execute_git(tag describe --tags --exact-match --match "*${match_suffix}" --exclude "*${exclude_suffix}" HEAD)
else()
_falcosecurity_execute_git(tag describe --tags --exact-match --match "*${match_suffix}" HEAD)
endif()
if(tag)
# A tag has been found: use it as the libs version
set(${_var}
"${tag}"
PARENT_SCOPE
)
return()
endif()
if(tag)
# A tag has been found: use it as the libs version
set(${_var}
"${tag}"
PARENT_SCOPE)
return()
endif()
# Otherwise, we are on a dev version
_falcosecurity_execute_git(current_hash rev-parse HEAD)
_falcosecurity_execute_git(current_hash_short rev-parse --short=7 HEAD)
_falcosecurity_execute_git(current_branch rev-parse --abbrev-ref HEAD)
# Otherwise, we are on a dev version
_falcosecurity_execute_git(current_hash rev-parse HEAD)
_falcosecurity_execute_git(current_hash_short rev-parse --short=7 HEAD)
_falcosecurity_execute_git(current_branch rev-parse --abbrev-ref HEAD)
set(dev_version "0.0.0")
set(dev_version "0.0.0")
# dev version / in a `release/M.m.x` branch
if(current_branch MATCHES "${FALCOSECURITY_RELEASE_BRANCH_REGEX}")
# get the latest tag on the release branch
set(_options --match "*.*.*${match_suffix}")
# dev version / in a `release/M.m.x` branch
if(current_branch MATCHES "${FALCOSECURITY_RELEASE_BRANCH_REGEX}")
# get the latest tag on the release branch
set(_options --match "*.*.*${match_suffix}")
if(exclude_suffix)
set(_options ${_options} --exclude "*${exclude_suffix}")
endif()
if(exclude_suffix)
set(_options ${_options} --exclude "*${exclude_suffix}")
endif()
_falcosecurity_execute_git(tag describe --tags ${_options} --abbrev=0 "${current_branch}")
_falcosecurity_execute_git(tag describe --tags ${_options} --abbrev=0 "${current_branch}")
if(tag)
_falcosecurity_extract_version("${tag}" x y z match_found)
if(tag)
_falcosecurity_extract_version("${tag}" x y z match_found)
if(match_found)
math(EXPR z_plus_one "${z} + 1")
set(dev_version "${x}.${y}.${z_plus_one}")
endif()
endif()
endif()
if(match_found)
math(EXPR z_plus_one "${z} + 1")
set(dev_version "${x}.${y}.${z_plus_one}")
endif()
endif()
endif()
# dev version / all other cases (and fallback)
if(dev_version MATCHES "0.0.0")
# get the latest tag that exactly matches a version number, sorted by version number in
# descending order
_falcosecurity_execute_git(
tag
for-each-ref
--count=1
--sort=-version:refname
--format
"%(refname:short)"
refs/tags/[0-9]*.[0-9]*.[0-9]${match_suffix}
)
# dev version / all other cases (and fallback)
if(dev_version MATCHES "0.0.0")
# get the latest tag that exactly matches a version number, sorted by version number in descending order
_falcosecurity_execute_git(tag for-each-ref --count=1 --sort=-version:refname --format "%(refname:short)" refs/tags/[0-9]*.[0-9]*.[0-9]${match_suffix})
if(tag)
_falcosecurity_extract_version("${tag}" x y z match_found)
if(tag)
_falcosecurity_extract_version("${tag}" x y z match_found)
if(match_found)
math(EXPR y_plus_one "${y} + 1")
set(dev_version "${x}.${y_plus_one}.0")
endif()
endif()
endif()
if(match_found)
math(EXPR y_plus_one "${y} + 1")
set(dev_version "${x}.${y_plus_one}.0")
endif()
endif()
endif()
# complete dev version with count and hash
if(NOT dev_version MATCHES "0.0.0")
_falcosecurity_execute_git(tag_commit rev-list -n 1 "${tag}")
_falcosecurity_execute_git(tag_common_ancestor merge-base "${current_hash}" "${tag_commit}")
_falcosecurity_execute_git(
commits_count rev-list --count "${tag_common_ancestor}..${current_hash}"
)
# complete dev version with count and hash
if(NOT dev_version MATCHES "0.0.0")
_falcosecurity_execute_git(tag_commit rev-list -n 1 "${tag}")
_falcosecurity_execute_git(tag_common_ancestor merge-base "${current_hash}" "${tag_commit}")
_falcosecurity_execute_git(commits_count rev-list --count "${tag_common_ancestor}..${current_hash}")
set(dev_version "${dev_version}-${commits_count}+${current_hash_short}")
set(dev_version "${dev_version}-${commits_count}+${current_hash_short}")
if(match_suffix)
string(REGEX REPLACE "[^0-9A-Za-z-]" "-" suffix "${match_suffix}")
set(dev_version "${dev_version}${suffix}")
endif()
endif()
if(match_suffix)
string(REGEX REPLACE "[^0-9A-Za-z-]" "-" suffix "${match_suffix}")
set(dev_version "${dev_version}${suffix}")
endif()
endif()
set(${_var}
"${dev_version}"
PARENT_SCOPE
)
set(${_var}
"${dev_version}"
PARENT_SCOPE)
endfunction()


@ -1,47 +0,0 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2024 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
#
#
# bshoshany/thread-pool (https://github.com/bshoshany/thread-pool)
#
option(USE_BUNDLED_BS_THREADPOOL "Enable building of the bundled bs_threadpool" ${USE_BUNDLED_DEPS})
if(BS_THREADPOOL_INCLUDE)
# we already have bs_threadpool
elseif(NOT USE_BUNDLED_BS_THREADPOOL)
find_package(bs_threadpool REQUIRED)
else()
set(BS_THREADPOOL_SRC "${PROJECT_BINARY_DIR}/bs_threadpool-prefix/src/bs_threadpool")
set(BS_THREADPOOL_INCLUDE "${BS_THREADPOOL_SRC}/include")
message(STATUS "Using bundled bs_threadpool in '${BS_THREADPOOL_SRC}'")
ExternalProject_Add(
bs_threadpool
PREFIX "${PROJECT_BINARY_DIR}/bs_threadpool-prefix"
URL "https://github.com/bshoshany/thread-pool/archive/refs/tags/v4.1.0.tar.gz"
URL_HASH "SHA256=be7abecbc420bb87919eeef729b13ff7c29d5ce547bdae284923296c695415bd"
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
INSTALL_COMMAND ""
)
endif()
if(NOT TARGET bs_threadpool)
add_custom_target(bs_threadpool)
endif()
include_directories("${BS_THREADPOOL_INCLUDE}")

65
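--- a/cmake/modules/cares.cmake
+++ b/cmake/modules/cares.cmake
@@ -0,0 +1,65 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+option(USE_BUNDLED_CARES "Enable building of the bundled c-ares" ${USE_BUNDLED_DEPS})
+if(CARES_INCLUDE)
+# we already have c-ares
+elseif(NOT USE_BUNDLED_CARES)
+find_path(CARES_INCLUDE NAMES cares/ares.h ares.h)
+find_library(CARES_LIB NAMES cares)
+if(CARES_INCLUDE AND CARES_LIB)
+message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
+else()
+message(FATAL_ERROR "Couldn't find system c-ares")
+endif()
+else()
+if(BUILD_SHARED_LIBS)
+set(CARES_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+set(CARES_CPPFLAGS )
+set(CARES_STATIC_OPTION )
+else()
+set(CARES_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+set(CARES_CPPFLAGS -DCARES_STATICLIB)
+set(CARES_STATIC_OPTION --disable-shared)
+endif()
+set(CARES_SRC "${PROJECT_BINARY_DIR}/c-ares-prefix/src/c-ares")
+set(CARES_INCLUDE "${CARES_SRC}/target/include/")
+set(CARES_LIB "${CARES_SRC}/target/lib/libcares${CARES_LIB_SUFFIX}")
+set(CARES_INSTALL_DIR "${CARES_SRC}/target")
+if(NOT TARGET c-ares)
+message(STATUS "Using bundled c-ares in '${CARES_SRC}'")
+ExternalProject_Add(c-ares
+PREFIX "${PROJECT_BINARY_DIR}/c-ares-prefix"
+URL "https://c-ares.haxx.se/download/c-ares-1.19.1.tar.gz"
+URL_HASH "SHA256=321700399b72ed0e037d0074c629e7741f6b2ec2dda92956abe3e9671d3e268e"
+CONFIGURE_COMMAND CPPFLAGS=${CARES_CPPFLAGS} ./configure ${CARES_STATIC_OPTION} --prefix=${CARES_INSTALL_DIR}
+BUILD_COMMAND make
+BUILD_IN_SOURCE 1
+BUILD_BYPRODUCTS ${CARES_INCLUDE} ${CARES_LIB}
+INSTALL_COMMAND make install)
+install(FILES "${CARES_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+COMPONENT "libs-deps")
+install(DIRECTORY "${CARES_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+COMPONENT "libs-deps")
+endif()
+endif()
+if(NOT TARGET c-ares)
+add_custom_target(c-ares)
+endif()
+include_directories("${CARES_INCLUDE}")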
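Review bot: The `./configure` call in `CONFIGURE_COMMAND` passes only `CPPFLAGS`, so the bundled c-ares is built with whatever compiler and flags autoconf picks rather than the parent project's `CMAKE_C_COMPILER` and `CMAKE_C_FLAGS`; any hardening or sanitizer flags set for the main build would presumably not reach this DNS library. Passing them through explicitly keeps the dependency consistent with the rest of the build, for example `CONFIGURE_COMMAND ${CMAKE_COMMAND} -E env "CC=${CMAKE_C_COMPILER}" "CFLAGS=${CMAKE_C_FLAGS}" "CPPFLAGS=${CARES_CPPFLAGS}" ./configure ${CARES_STATIC_OPTION} --prefix=${CARES_INSTALL_DIR}`. The `./configure` call in cmake/modules/curl.cmake has the same gap. Separately, `BUILD_COMMAND make` and `INSTALL_COMMAND make install` hard-code the tool name, whereas cmake/modules/grpc.cmake uses `${CMAKE_MAKE_PROGRAM}`.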


@ -2,50 +2,38 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
# Computes API/SCHEMA major, minor, patch and git commit
macro(compute_versions api_version_path schema_version_path)
# API VERSION
file(STRINGS ${api_version_path} DRIVER_API_VERSION LIMIT_COUNT 1)
string(REGEX MATCHALL "[0-9]+" DRIVER_API_COMPONENTS "${DRIVER_API_VERSION}")
list(GET DRIVER_API_COMPONENTS 0 PPM_API_CURRENT_VERSION_MAJOR)
list(GET DRIVER_API_COMPONENTS 1 PPM_API_CURRENT_VERSION_MINOR)
list(GET DRIVER_API_COMPONENTS 2 PPM_API_CURRENT_VERSION_PATCH)
message(STATUS "Driver API version ${PPM_API_CURRENT_VERSION_MAJOR}.${PPM_API_CURRENT_VERSION_MINOR}.${PPM_API_CURRENT_VERSION_PATCH}")
# API VERSION
file(STRINGS ${api_version_path} DRIVER_API_VERSION LIMIT_COUNT 1)
string(REGEX MATCHALL "[0-9]+" DRIVER_API_COMPONENTS "${DRIVER_API_VERSION}")
list(GET DRIVER_API_COMPONENTS 0 PPM_API_CURRENT_VERSION_MAJOR)
list(GET DRIVER_API_COMPONENTS 1 PPM_API_CURRENT_VERSION_MINOR)
list(GET DRIVER_API_COMPONENTS 2 PPM_API_CURRENT_VERSION_PATCH)
message(
STATUS
"Driver API version ${PPM_API_CURRENT_VERSION_MAJOR}.${PPM_API_CURRENT_VERSION_MINOR}.${PPM_API_CURRENT_VERSION_PATCH}"
)
# SCHEMA VERSION
file(STRINGS ${schema_version_path} DRIVER_SCHEMA_VERSION LIMIT_COUNT 1)
string(REGEX MATCHALL "[0-9]+" DRIVER_SCHEMA_COMPONENTS "${DRIVER_SCHEMA_VERSION}")
list(GET DRIVER_SCHEMA_COMPONENTS 0 PPM_SCHEMA_CURRENT_VERSION_MAJOR)
list(GET DRIVER_SCHEMA_COMPONENTS 1 PPM_SCHEMA_CURRENT_VERSION_MINOR)
list(GET DRIVER_SCHEMA_COMPONENTS 2 PPM_SCHEMA_CURRENT_VERSION_PATCH)
message(STATUS "Driver schema version ${PPM_SCHEMA_CURRENT_VERSION_MAJOR}.${PPM_SCHEMA_CURRENT_VERSION_MINOR}.${PPM_SCHEMA_CURRENT_VERSION_PATCH}")
# SCHEMA VERSION
file(STRINGS ${schema_version_path} DRIVER_SCHEMA_VERSION LIMIT_COUNT 1)
string(REGEX MATCHALL "[0-9]+" DRIVER_SCHEMA_COMPONENTS "${DRIVER_SCHEMA_VERSION}")
list(GET DRIVER_SCHEMA_COMPONENTS 0 PPM_SCHEMA_CURRENT_VERSION_MAJOR)
list(GET DRIVER_SCHEMA_COMPONENTS 1 PPM_SCHEMA_CURRENT_VERSION_MINOR)
list(GET DRIVER_SCHEMA_COMPONENTS 2 PPM_SCHEMA_CURRENT_VERSION_PATCH)
message(
STATUS
"Driver schema version ${PPM_SCHEMA_CURRENT_VERSION_MAJOR}.${PPM_SCHEMA_CURRENT_VERSION_MINOR}.${PPM_SCHEMA_CURRENT_VERSION_PATCH}"
)
# GIT COMMIT
if(NOT DEFINED GIT_COMMIT)
execute_process(
COMMAND git rev-parse HEAD
OUTPUT_VARIABLE GIT_COMMIT
ERROR_QUIET
WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
)
endif()
string(STRIP "${GIT_COMMIT}" GIT_COMMIT)
# GIT COMMIT
if(NOT DEFINED GIT_COMMIT)
execute_process(COMMAND git rev-parse HEAD OUTPUT_VARIABLE GIT_COMMIT ERROR_QUIET WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
endif()
string(STRIP "${GIT_COMMIT}" GIT_COMMIT)
endmacro()


@ -1,44 +0,0 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2025 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
#
include(ExternalProject)
string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} PLUGINS_SYSTEM_NAME)
set(CONTAINER_LIBRARY
"${CMAKE_CURRENT_BINARY_DIR}/container_plugin-prefix/src/container_plugin/libcontainer.so"
)
if(NOT CONTAINER_VERSION)
set(CONTAINER_VERSION "0.3.4")
endif()
if(NOT CONTAINER_HASH)
if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
set(CONTAINER_HASH "658f96c4b4a56d1bf945a788d60571076f808ae1bcc877c4ba3625b0fd752d8d")
else() # arm64
set(CONTAINER_HASH "34a153aca0164843a169193aba092a3063b24bca9ef80fd4f1d1f1919aba3bde")
endif()
endif()
if(NOT TARGET container_plugin)
message(STATUS "Fetching container plugin ${CONTAINER_VERSION} in '${CONTAINER_LIBRARY}'")
ExternalProject_Add(
container_plugin
URL "https://download.falco.org/plugins/stable/container-${CONTAINER_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
URL_HASH "SHA256=${CONTAINER_HASH}"
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
INSTALL_COMMAND ""
)
endif()

114
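--- a/cmake/modules/curl.cmake
+++ b/cmake/modules/curl.cmake
@@ -0,0 +1,114 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+option(USE_BUNDLED_CURL "Enable building of the bundled curl" ${USE_BUNDLED_DEPS})
+include(openssl)
+include(zlib)
+if(CURL_INCLUDE_DIRS)
+# we already have curl
+elseif(NOT USE_BUNDLED_CURL)
+find_package(CURL REQUIRED)
+message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIRS}, lib: ${CURL_LIBRARIES}")
+else()
+if(BUILD_SHARED_LIBS)
+set(CURL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+set(CURL_STATIC_OPTION )
+else()
+set(CURL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+set(CURL_STATIC_OPTION --disable-shared)
+endif()
+set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
+set(CURL_INCLUDE_DIRS "${CURL_BUNDLE_DIR}/include/")
+set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl${CURL_LIB_SUFFIX}")
+if(NOT USE_BUNDLED_OPENSSL)
+set(CURL_SSL_OPTION "--with-ssl")
+else()
+set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
+message(STATUS "Using SSL for curl in '${OPENSSL_INSTALL_DIR}'")
+endif()
+if(NOT USE_BUNDLED_ZLIB)
+set(CURL_ZLIB_OPTION "--with-zlib")
+else()
+set(CURL_ZLIB_OPTION "--with-zlib=${ZLIB_SRC}")
+message(STATUS "Using zlib for curl in '${ZLIB_SRC}'")
+endif()
+message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
+if(NOT TARGET curl)
+ExternalProject_Add(
+curl
+PREFIX "${PROJECT_BINARY_DIR}/curl-prefix"
+DEPENDS openssl zlib
+URL "https://github.com/curl/curl/releases/download/curl-8_4_0/curl-8.4.0.tar.bz2"
+URL_HASH "SHA256=e5250581a9c032b1b6ed3cf2f9c114c811fc41881069e9892d115cc73f9e88c6"
+CONFIGURE_COMMAND
+./configure
+${CURL_SSL_OPTION}
+${CURL_ZLIB_OPTION}
+${CURL_STATIC_OPTION}
+--enable-optimize
+--disable-curldebug
+--disable-rt
+--enable-http
+--disable-ftp
+--disable-file
+--disable-ldap
+--disable-ldaps
+--disable-rtsp
+--disable-telnet
+--disable-tftp
+--disable-pop3
+--disable-imap
+--disable-smb
+--disable-smtp
+--disable-gopher
+--disable-sspi
+--disable-ntlm-wb
+--disable-tls-srp
+--without-winssl
+--without-polarssl
+--without-cyassl
+--without-nss
+--without-axtls
+--without-librtmp
+--without-winidn
+--without-libidn2
+--without-libpsl
+--without-nghttp2
+--without-libssh2
+--with-ca-path=/etc/ssl/certs/
+--disable-threaded-resolver
+--without-brotli
+--without-zstd
+BUILD_COMMAND make
+BUILD_IN_SOURCE 1
+BUILD_BYPRODUCTS ${CURL_LIBRARIES}
+INSTALL_COMMAND "")
+install(FILES "${CURL_LIBRARIES}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+COMPONENT "libs-deps")
+install(DIRECTORY "${CURL_INCLUDE_DIRS}curl" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+COMPONENT "libs-deps"
+FILES_MATCHING PATTERN "*.h")
+endif()
+endif()
+if(NOT TARGET curl)
+add_custom_target(curl)
+endif()
+include_directories("${CURL_INCLUDE_DIRS}")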
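Review bot: `--with-ca-path=/etc/ssl/certs/` compiles one fixed trust-store directory into the bundled libcurl, and nothing in this file lets a packager override it. On a host whose CA certificates live elsewhere, or whose directory lacks the hashed links OpenSSL expects, every HTTPS verification would fail, and the usual field workaround is to switch verification off. A cache variable keeps the default but makes it adjustable: `set(CURL_CA_PATH "/etc/ssl/certs/" CACHE PATH "CA directory compiled into the bundled curl")` with `--with-ca-path=${CURL_CA_PATH}` in the configure list. Several of the `--without-*` switches (`winssl`, `polarssl`, `cyassl`, `axtls`) appear to name backends that curl 8.x no longer ships, so configure likely just warns about them; trimming them would make the list easier to audit.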


@ -23,9 +23,9 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
endif()
# gVisor is currently only supported on Linux x86_64
if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux")
if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
option(BUILD_LIBSCAP_GVISOR "Build gVisor support" ON)
if(BUILD_LIBSCAP_GVISOR)
if (BUILD_LIBSCAP_GVISOR)
set(HAS_ENGINE_GVISOR On)
endif()
endif()


@ -1,27 +0,0 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2024 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
#
# Disable the Google Benchmark requirement on Google Test
set(BENCHMARK_ENABLE_TESTING OFF)
include(FetchContent)
FetchContent_Declare(
googlebenchmark
GIT_REPOSITORY https://github.com/google/benchmark.git
GIT_TAG v1.9.0
)
FetchContent_MakeAvailable(googlebenchmark)

222
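--- a/cmake/modules/grpc.cmake
+++ b/cmake/modules/grpc.cmake
@@ -0,0 +1,222 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+option(USE_BUNDLED_GRPC "Enable building of the bundled grpc" ${USE_BUNDLED_DEPS})
+if(GRPC_INCLUDE)
+# we already have grpc
+elseif(NOT USE_BUNDLED_GRPC)
+# gRPC
+find_package(gRPC CONFIG)
+if(gRPC_FOUND)
+message(STATUS "Using gRPC ${gRPC_VERSION}")
+set(GPR_LIB gRPC::gpr)
+set(GRPC_LIB gRPC::grpc)
+set(GRPCPP_LIB gRPC::grpc++)
+# gRPC C++ plugin
+get_target_property(GRPC_CPP_PLUGIN gRPC::grpc_cpp_plugin LOCATION)
+if(NOT GRPC_CPP_PLUGIN)
+message(FATAL_ERROR "System grpc_cpp_plugin not found")
+endif()
+# gRPC include dir + properly handle grpc{++,pp}
+get_target_property(GRPC_INCLUDE gRPC::grpc++ INTERFACE_INCLUDE_DIRECTORIES)
+find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h PATHS ${GRPC_INCLUDE})
+if(NOT GRPCXX_INCLUDE)
+find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h PATHS ${GRPC_INCLUDE})
+add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
+endif()
+else()
+# Fallback to manually find libraries;
+# Some distro, namely Ubuntu focal, do not install gRPC config cmake module
+find_library(GPR_LIB NAMES gpr)
+if(GPR_LIB)
+message(STATUS "Found gpr lib: ${GPR_LIB}")
+else()
+message(FATAL_ERROR "Couldn't find system gpr")
+endif()
+find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
+if(GRPCXX_INCLUDE)
+set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
+else()
+find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
+set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
+add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
+endif()
+find_library(GRPC_LIB NAMES grpc)
+find_library(GRPCPP_LIB NAMES grpc++)
+if(GRPC_INCLUDE AND GRPC_LIB AND GRPCPP_LIB)
+message(STATUS "Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}")
+else()
+message(FATAL_ERROR "Couldn't find system grpc")
+endif()
+find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
+if(NOT GRPC_CPP_PLUGIN)
+message(FATAL_ERROR "System grpc_cpp_plugin not found")
+endif()
+endif()
+else()
+include(cares)
+include(protobuf)
+include(zlib)
+include(openssl)
+if(BUILD_SHARED_LIBS)
+set(GRPC_OPENSSL_STATIC_LIBS_OPTION FALSE)
+else()
+set(GRPC_OPENSSL_STATIC_LIBS_OPTION TRUE)
+endif()
+include(re2)
+set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
+set(GRPC_INSTALL_DIR "${GRPC_SRC}/target")
+set(GRPC_INCLUDE
+"${GRPC_INSTALL_DIR}/include"
+"${GRPC_SRC}/third_party/abseil-cpp")
+set(GPR_LIB "${GRPC_SRC}/libgpr.a")
+set(GRPC_LIB "${GRPC_SRC}/libgrpc.a")
+set(GRPCPP_LIB "${GRPC_SRC}/libgrpc++.a")
+set(GRPC_CPP_PLUGIN "${GRPC_SRC}/grpc_cpp_plugin")
+set(GRPC_MAIN_LIBS "")
+list(APPEND GRPC_MAIN_LIBS
+"${GPR_LIB}"
+"${GRPC_LIB}"
+"${GRPCPP_LIB}"
+"${GRPC_SRC}/libgrpc++_alts.a"
+"${GRPC_SRC}/libgrpc++_error_details.a"
+"${GRPC_SRC}/libgrpc++_reflection.a"
+"${GRPC_SRC}/libgrpc++_unsecure.a"
+"${GRPC_SRC}/libgrpc_plugin_support.a"
+"${GRPC_SRC}/libgrpc_unsecure.a"
+"${GRPC_SRC}/libgrpcpp_channelz.a"
+)
+get_filename_component(PROTOC_DIR ${PROTOC} PATH)
+if(NOT TARGET grpc)
+message(STATUS "Using bundled grpc in '${GRPC_SRC}'")
+# fixme(leogr): this workaround is required to inject the missing deps (built by gRCP cmakefiles)
+# into target_link_libraries later
+# note: the list below is manually generated starting from the output of pkg-config --libs grpc++
+set(GRPC_LIBRARIES "")
+list(APPEND GRPC_LIBRARIES
+"${GRPC_SRC}/libaddress_sorting.a"
+"${GRPC_SRC}/libupb.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_hash.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_city.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_low_level_hash.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_raw_hash_set.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_hashtablez_sampler.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_statusor.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_status.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_functions.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/profiling/libabsl_exponential_biased.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_optional_access.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_variant_access.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_str_format_internal.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_synchronization.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_graphcycles_internal.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_stacktrace.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_symbolize.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_debugging_internal.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_demangle_internal.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_malloc_internal.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_civil_time.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings_internal.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_base.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_spinlock_wait.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/numeric/libabsl_int128.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_throw_delegate.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_raw_logging_internal.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_log_severity.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time_zone.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord_internal.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_info.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_handle.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_pool_urbg.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes_impl.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_slow.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_seed_material.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_platform.a"
+"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_seed_gen_exception.a"
+)
+ExternalProject_Add(grpc
+PREFIX "${PROJECT_BINARY_DIR}/grpc-prefix"
+DEPENDS openssl protobuf c-ares zlib re2
+GIT_REPOSITORY https://github.com/grpc/grpc.git
+GIT_TAG v1.44.0
+GIT_SUBMODULES "third_party/abseil-cpp"
+CMAKE_CACHE_ARGS
+-DCMAKE_INSTALL_PREFIX:PATH=${GRPC_INSTALL_DIR}
+-DCMAKE_BUILD_TYPE:STRING=Release
+-DgRPC_INSTALL:BOOL=OFF
+# disable unused stuff
+-DgRPC_BUILD_TESTS:BOOL=OFF
+-DgRPC_BUILD_CSHARP_EXT:BOOL=OFF
+-DgRPC_BUILD_GRPC_CSHARP_PLUGIN:BOOL=OFF
+-DgRPC_BUILD_GRPC_NODE_PLUGIN:BOOL=OFF
+-DgRPC_BUILD_GRPC_OBJECTIVE_C_PLUGIN:BOOL=OFF
+-DgRPC_BUILD_GRPC_PHP_PLUGIN:BOOL=OFF
+-DgRPC_BUILD_GRPC_PYTHON_PLUGIN:BOOL=OFF
+-DgRPC_BUILD_GRPC_RUBY_PLUGIN:BOOL=OFF
+# deps provided by us
+# https://github.com/grpc/grpc/blob/v1.32.0/cmake/modules/Findc-ares.cmake
+-DgRPC_CARES_PROVIDER:STRING=package
+-Dc-ares_DIR:PATH=${CARES_SRC}
+-Dc-ares_INCLUDE_DIR:PATH=${CARES_INCLUDE}
+-Dc-ares_LIBRARY:PATH=${CARES_LIB}
+# https://cmake.org/cmake/help/v3.6/module/FindProtobuf.html
+-DgRPC_PROTOBUF_PROVIDER:STRING=package
+-DCMAKE_CXX_FLAGS:STRING=-I${PROTOBUF_INCLUDE}
+-DProtobuf_INCLUDE_DIR:PATH=${PROTOBUF_INCLUDE}
+-DProtobuf_LIBRARY:PATH=${PROTOBUF_LIB}
+-DProtobuf_PROTOC_LIBRARY:PATH=${PROTOC_LIB}
+-DProtobuf_PROTOC_EXECUTABLE:PATH=${PROTOC}
+# https://cmake.org/cmake/help/v3.6/module/FindOpenSSL.html
+-DgRPC_SSL_PROVIDER:STRING=package
+-DOPENSSL_ROOT_DIR:PATH=${OPENSSL_INSTALL_DIR}
+-DOPENSSL_USE_STATIC_LIBS:BOOL=${GRPC_OPENSSL_STATIC_LIBS_OPTION}
+# https://cmake.org/cmake/help/v3.6/module/FindZLIB.html
+-DgRPC_ZLIB_PROVIDER:STRING=package
+-DZLIB_ROOT:STRING=${ZLIB_SRC}
+# RE2
+-DgRPC_RE2_PROVIDER:STRING=package
+-Dre2_DIR:PATH=${RE2_DIR}
+BUILD_IN_SOURCE 1
+BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB} ${GPR_LIB} ${GRPC_LIBRARIES}
+# Keep installation files into the local ${GRPC_INSTALL_DIR}
+# since here is the case when we are embedding gRPC
+UPDATE_COMMAND ""
+INSTALL_COMMAND DESTDIR= ${CMAKE_MAKE_PROGRAM} install
+)
+install(FILES ${GRPC_MAIN_LIBS} DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+COMPONENT "libs-deps")
+install(FILES ${GRPC_LIBRARIES} DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+COMPONENT "libs-deps")
+install(DIRECTORY "${GRPC_SRC}/target/include/" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+COMPONENT "libs-deps")
+endif()
+endif()
+if(NOT TARGET grpc)
+add_custom_target(grpc)
+endif()
+include_directories("${GRPC_INCLUDE}")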
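Review bot: `GIT_TAG v1.44.0` in the `ExternalProject_Add(grpc ...)` call pins the bundled gRPC to a tag name, which the upstream repository can move, whereas the c-ares and curl modules pin their tarballs with `URL_HASH "SHA256=..."`. Nothing here verifies that the fetched tree is the one that was reviewed, and the `third_party/abseil-cpp` submodule revision follows from whatever commit the tag resolves to. Pinning the full commit id and keeping the tag as a comment closes that gap: `GIT_TAG <full-commit-sha-of-v1.44.0> # v1.44.0` (placeholder; take the value from the upstream release). The comment link above `-DgRPC_CARES_PROVIDER` points at the v1.32.0 copy of Findc-ares.cmake while the build fetches v1.44.0, so it should be updated or made version-neutral.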


@ -2,15 +2,14 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
option(USE_BUNDLED_GTEST "Enable building of the bundled gtest" ${USE_BUNDLED_DEPS})
@ -18,60 +17,41 @@ option(USE_BUNDLED_GTEST "Enable building of the bundled gtest" ${USE_BUNDLED_DE
if(GTEST_INCLUDE_DIR)
# we already have gtest
elseif(NOT USE_BUNDLED_GTEST)
find_path(
GTEST_INCLUDE_DIR
PATH_SUFFIXES gtest
NAMES gtest.h
)
find_path(GTEST_INCLUDE_DIR PATH_SUFFIXES gtest NAMES gtest.h)
find_library(GTEST_LIB NAMES gtest)
find_library(GTEST_MAIN_LIB NAMES gtest_main)
if(GTEST_INCLUDE_DIR
AND GTEST_LIB
AND GTEST_MAIN_LIB
)
message(
STATUS
"Found gtest: include: ${GTEST_INCLUDE_DIR}, lib: ${GTEST_LIB}, main lib: ${GTEST_MAIN_LIB}"
)
if(GTEST_INCLUDE_DIR AND GTEST_LIB AND GTEST_MAIN_LIB)
message(STATUS "Found gtest: include: ${GTEST_INCLUDE_DIR}, lib: ${GTEST_LIB}, main lib: ${GTEST_MAIN_LIB}")
else()
message(FATAL_ERROR "Couldn't find system gtest")
endif()
else()
# https://github.com/google/googletest/tree/main/googletest#incorporating-into-an-existing-cmake-project
# Download and unpack googletest at configure time
configure_file(
CMakeListsGtestInclude.cmake ${PROJECT_BINARY_DIR}/googletest-download/CMakeLists.txt
)
execute_process(
COMMAND ${CMAKE_COMMAND} -G "${CMAKE_GENERATOR}" .
configure_file(CMakeListsGtestInclude.cmake ${PROJECT_BINARY_DIR}/googletest-download/CMakeLists.txt)
execute_process(COMMAND ${CMAKE_COMMAND} -G "${CMAKE_GENERATOR}" .
RESULT_VARIABLE result
WORKING_DIRECTORY ${PROJECT_BINARY_DIR}/googletest-download
)
WORKING_DIRECTORY ${PROJECT_BINARY_DIR}/googletest-download )
if(result)
message(FATAL_ERROR "CMake step for googletest failed: ${result}")
endif()
execute_process(
COMMAND ${CMAKE_COMMAND} --build .
execute_process(COMMAND ${CMAKE_COMMAND} --build .
RESULT_VARIABLE result
WORKING_DIRECTORY ${PROJECT_BINARY_DIR}/googletest-download
)
WORKING_DIRECTORY ${PROJECT_BINARY_DIR}/googletest-download )
if(result)
message(FATAL_ERROR "Build step for googletest failed: ${result}")
endif()
# Add googletest directly to our build. This defines the gtest and gtest_main targets.
add_subdirectory(
${PROJECT_BINARY_DIR}/googletest-src ${PROJECT_BINARY_DIR}/googletest-build
EXCLUDE_FROM_ALL
)
# Add googletest directly to our build. This defines
# the gtest and gtest_main targets.
add_subdirectory(${PROJECT_BINARY_DIR}/googletest-src
${PROJECT_BINARY_DIR}/googletest-build
EXCLUDE_FROM_ALL)
set(GTEST_INCLUDE_DIR "${gtest_SOURCE_DIR}/include")
set(GTEST_MAIN_LIB "gtest_main")
install(
DIRECTORY "${GTEST_INCLUDE_DIR}"
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(DIRECTORY "${GTEST_INCLUDE_DIR}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps")
endif()
if(NOT TARGET gtest)


@ -2,15 +2,14 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
option(USE_BUNDLED_JSONCPP "Enable building of the bundled jsoncpp" ${USE_BUNDLED_DEPS})
@ -45,70 +44,66 @@ else()
message(STATUS "Using bundled jsoncpp in '${JSONCPP_SRC}'")
if(NOT WIN32)
ExternalProject_Add(
jsoncpp
PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
URL_HASH "SHA256=f409856e5920c18d0c2fb85276e24ee607d2a09b5e7d5f0a371368903c275da2"
CMAKE_ARGS -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
-DBUILD_OBJECT_LIBS=Off
${JSONCPP_STATIC_OPTION}
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DJSONCPP_WITH_TESTS=Off
-DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
-DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
-DCMAKE_INSTALL_LIBDIR=lib
BUILD_BYPRODUCTS ${JSONCPP_LIB}
jsoncpp
PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
URL_HASH
"SHA256=f409856e5920c18d0c2fb85276e24ee607d2a09b5e7d5f0a371368903c275da2"
CMAKE_ARGS
-DBUILD_OBJECT_LIBS=Off
${JSONCPP_STATIC_OPTION}
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DJSONCPP_WITH_TESTS=Off
-DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
-DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
-DCMAKE_INSTALL_LIBDIR=lib
BUILD_BYPRODUCTS ${JSONCPP_LIB}
)
else()
# see: https://cmake.org/cmake/help/latest/policy/CMP0091.html
if(CMAKE_VERSION VERSION_LESS 3.15.0)
ExternalProject_Add(
jsoncpp
PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
URL_HASH
jsoncpp
PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
URL_HASH
"SHA256=f409856e5920c18d0c2fb85276e24ee607d2a09b5e7d5f0a371368903c275da2"
CMAKE_ARGS -DCMAKE_CXX_FLAGS_DEBUG=${FALCOSECURITY_LIBS_DEBUG_FLAGS}
-DCMAKE_CXX_FLAGS_RELEASE=${FALCOSECURITY_LIBS_RELEASE_FLAGS}
-DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
-DBUILD_OBJECT_LIBS=Off
${JSONCPP_STATIC_OPTION}
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DJSONCPP_WITH_TESTS=Off
-DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
-DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
-DCMAKE_INSTALL_LIBDIR=lib
CMAKE_ARGS
-DCMAKE_CXX_FLAGS_DEBUG=${FALCOSECURITY_LIBS_DEBUG_FLAGS}
-DCMAKE_CXX_FLAGS_RELEASE=${FALCOSECURITY_LIBS_RELEASE_FLAGS}
-DBUILD_OBJECT_LIBS=Off
${JSONCPP_STATIC_OPTION}
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DJSONCPP_WITH_TESTS=Off
-DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
-DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
-DCMAKE_INSTALL_LIBDIR=lib
)
else()
ExternalProject_Add(
jsoncpp
PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
URL_HASH
jsoncpp
PREFIX "${PROJECT_BINARY_DIR}/jsoncpp-prefix"
URL "https://github.com/open-source-parsers/jsoncpp/archive/refs/tags/1.9.5.tar.gz"
URL_HASH
"SHA256=f409856e5920c18d0c2fb85276e24ee607d2a09b5e7d5f0a371368903c275da2"
CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
-DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
-DBUILD_OBJECT_LIBS=Off
${JSONCPP_STATIC_OPTION}
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DJSONCPP_WITH_TESTS=Off
-DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
-DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
-DCMAKE_INSTALL_LIBDIR=lib
CMAKE_ARGS
-DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
-DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
-DBUILD_OBJECT_LIBS=Off
${JSONCPP_STATIC_OPTION}
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DJSONCPP_WITH_TESTS=Off
-DJSONCPP_WITH_POST_BUILD_UNITTEST=Off
-DCMAKE_INSTALL_PREFIX=${JSONCPP_SRC}
-DCMAKE_INSTALL_LIBDIR=lib
)
endif()
endif()
install(
FILES "${JSONCPP_LIB}"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(
DIRECTORY "${JSONCPP_INCLUDE}"
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(FILES "${JSONCPP_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps")
install(DIRECTORY "${JSONCPP_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps")
endif()
endif()
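Review bot: The new-side `CMAKE_ARGS` of the non-Windows `ExternalProject_Add(jsoncpp ...)` and of the `CMAKE_VERSION VERSION_LESS 3.15.0` branch no longer pass `-DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}`, so the bundled jsoncpp is compiled with whatever default the toolchain picks. A static jsoncpp built without PIC will typically fail to link into a shared library or a PIE executable, or push the consumer towards a non-PIE build, which weakens ASLR. I would keep `-DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}` in both argument lists; `ENABLE_PIC` is defined outside this section, so confirm it exists on this branch. The download stays pinned by `URL_HASH` in all three branches, which should be preserved.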


@ -2,79 +2,57 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
option(USE_BUNDLED_LIBBPF "Enable building of the bundled libbpf" ${USE_BUNDLED_DEPS})
if(TARGET lbpf)
# we already have libbpf
if(LIBBPF_INCLUDE)
# we already have libbpf
elseif(NOT USE_BUNDLED_LIBBPF)
include(zlib)
include(libelf)
find_path(LIBBPF_INCLUDE bpf/libbpf.h)
find_library(LIBBPF_LIB NAMES bpf)
if(LIBBPF_INCLUDE AND LIBBPF_LIB)
add_library(lbpf STATIC IMPORTED GLOBAL)
set_target_properties(lbpf PROPERTIES IMPORTED_LOCATION ${LIBBPF_LIB})
target_include_directories(lbpf INTERFACE $<BUILD_INTERFACE:${LIBBPF_INCLUDE}>)
target_link_libraries(lbpf INTERFACE elf ${ZLIB_LIB})
message(STATUS "Found libbpf: include: ${LIBBPF_INCLUDE}, lib: ${LIBBPF_LIB}")
else()
message(FATAL_ERROR "Couldn't find system libbpf")
endif()
find_path(LIBBPF_INCLUDE bpf/libbpf.h)
find_library(LIBBPF_LIB NAMES bpf)
if(LIBBPF_INCLUDE AND LIBBPF_LIB)
message(STATUS "Found libbpf: include: ${LIBBPF_INCLUDE}, lib: ${LIBBPF_LIB}")
else()
message(FATAL_ERROR "Couldn't find system libbpf")
endif()
else()
include(zlib)
include(libelf)
set(LIBBPF_SRC "${PROJECT_BINARY_DIR}/libbpf-prefix/src")
set(LIBBPF_BUILD_DIR "${LIBBPF_SRC}/libbpf-build")
set(LIBBPF_INCLUDE "${LIBBPF_BUILD_DIR}/root/usr/include")
set(LIBBPF_LIB "${LIBBPF_BUILD_DIR}/root/usr/lib64/libbpf.a")
get_target_property(LIBELF_INCLUDE_DIR elf INCLUDE_DIRECTORIES)
foreach(dir ${LIBELF_INCLUDE_DIR})
string(APPEND LIBELF_COMPILER_STRING "-I${dir} ")
endforeach()
ExternalProject_Add(
libbpf
PREFIX "${PROJECT_BINARY_DIR}/libbpf-prefix"
DEPENDS zlib elf
URL "https://github.com/libbpf/libbpf/archive/refs/tags/v1.3.0.tar.gz"
URL_HASH "SHA256=11db86acd627e468bc48b7258c1130aba41a12c4d364f78e184fd2f5a913d861"
CONFIGURE_COMMAND mkdir -p build root
BUILD_COMMAND
make BUILD_STATIC_ONLY=y OBJDIR=${LIBBPF_BUILD_DIR}/build
DESTDIR=${LIBBPF_BUILD_DIR}/root NO_PKG_CONFIG=1
"EXTRA_CFLAGS=-fPIC ${LIBELF_COMPILER_STRING} -I${ZLIB_INCLUDE}" "LDFLAGS=-Wl,-Bstatic"
"EXTRA_LDFLAGS=-L${LIBELF_SRC}/libelf/libelf -L${ZLIB_SRC}" -C ${LIBBPF_SRC}/libbpf/src
install install_uapi_headers
INSTALL_COMMAND ""
UPDATE_COMMAND ""
BUILD_BYPRODUCTS ${LIBBPF_LIB}
)
add_library(lbpf STATIC IMPORTED GLOBAL)
set_target_properties(lbpf PROPERTIES IMPORTED_LOCATION ${LIBBPF_LIB})
file(MAKE_DIRECTORY ${LIBBPF_INCLUDE}) # necessary to make target_include_directories() work
target_include_directories(lbpf INTERFACE $<BUILD_INTERFACE:${LIBBPF_INCLUDE}>)
add_dependencies(lbpf libbpf)
target_link_libraries(lbpf INTERFACE elf ${ZLIB_LIB})
message(STATUS "Using bundled libbpf: include'${LIBBPF_INCLUDE}', lib: ${LIBBPF_LIB}")
install(
FILES "${LIBBPF_LIB}"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
include(zlib)
include(libelf)
set(LIBBPF_SRC "${PROJECT_BINARY_DIR}/libbpf-prefix/src")
set(LIBBPF_BUILD_DIR "${LIBBPF_SRC}/libbpf-build")
set(LIBBPF_INCLUDE "${LIBBPF_BUILD_DIR}/root/usr/include")
set(LIBBPF_LIB "${LIBBPF_BUILD_DIR}/root/usr/lib64/libbpf.a")
ExternalProject_Add(
libbpf
PREFIX "${PROJECT_BINARY_DIR}/libbpf-prefix"
DEPENDS zlib libelf
URL "https://github.com/libbpf/libbpf/archive/refs/tags/v1.3.0.tar.gz"
URL_HASH
"SHA256=11db86acd627e468bc48b7258c1130aba41a12c4d364f78e184fd2f5a913d861"
CONFIGURE_COMMAND mkdir -p build root
BUILD_COMMAND make BUILD_STATIC_ONLY=y OBJDIR=${LIBBPF_BUILD_DIR}/build DESTDIR=${LIBBPF_BUILD_DIR}/root NO_PKG_CONFIG=1 "EXTRA_CFLAGS=-fPIC -I${LIBELF_INCLUDE} -I${ZLIB_INCLUDE}" "LDFLAGS=-Wl,-Bstatic" "EXTRA_LDFLAGS=-L${LIBELF_SRC}/libelf/libelf -L${ZLIB_SRC}" -C ${LIBBPF_SRC}/libbpf/src install install_uapi_headers
INSTALL_COMMAND ""
UPDATE_COMMAND ""
BUILD_BYPRODUCTS ${LIBBPF_LIB}
)
message(STATUS "Using bundled libbpf: include'${LIBBPF_INCLUDE}', lib: ${LIBBPF_LIB}")
install(FILES "${LIBBPF_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps")
install(DIRECTORY "${LIBBPF_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps")
endif()
if(NOT TARGET libbpf)
add_custom_target(libbpf)
endif()
include_directories(${LIBBPF_INCLUDE})
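Review bot: The early-exit guard `if(LIBBPF_INCLUDE)` on the new side takes a set include path as proof that libbpf is fully configured, so a cached or command-line `LIBBPF_INCLUDE` skips both the system lookup and the bundled build, and `LIBBPF_LIB` is never checked. The build would then presumably use whatever `LIBBPF_LIB` happens to hold, rather than the system library that was verified or the bundled v1.3.0 tarball pinned by `URL_HASH`. I would test both variables, `if(LIBBPF_INCLUDE AND LIBBPF_LIB)`, and add a comment such as `# preset LIBBPF_INCLUDE and LIBBPF_LIB to supply an external libbpf`. The libelf module uses the same pattern with `if(LIBELF_INCLUDE)`.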


@ -2,74 +2,71 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
include_guard()
option(USE_BUNDLED_LIBELF "Enable building of the bundled libelf" ${USE_BUNDLED_DEPS})
option(USE_SHARED_LIBELF "When not using bundled libelf, link it dynamically" ON)
if(TARGET elf)
# we already have libelf
if(LIBELF_INCLUDE)
# we already have LIBELF
elseif(NOT USE_BUNDLED_LIBELF)
find_path(LIBELF_INCLUDE elf.h PATH_SUFFIXES elf)
if(BUILD_SHARED_LIBS OR USE_SHARED_LIBELF)
set(LIBELF_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
else()
set(LIBELF_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
endif()
# Zig workaround: since it won't look up in /usr/lib/..., add an HINT
if(CMAKE_C_COMPILER MATCHES "zig")
find_library(
LIBELF_LIB
NAMES libelf${LIBELF_LIB_SUFFIX}
HINTS /usr/lib/${CMAKE_SYSTEM_PROCESSOR}-linux-gnu/
)
else()
find_library(LIBELF_LIB NAMES libelf${LIBELF_LIB_SUFFIX})
endif()
if(LIBELF_LIB)
# Zig workaround: avoid include whole /usr/include because it would include also system
# glibc headers breaking the build since we are targeting the build against our boostrapped
# zig.
if(CMAKE_C_COMPILER MATCHES "zig")
message(STATUS "Enabling zig workaround for libelf")
configure_file(${LIBELF_INCLUDE}/libelf.h libelf/libelf.h COPYONLY)
configure_file(${LIBELF_INCLUDE}/elf.h libelf/elf.h COPYONLY)
configure_file(${LIBELF_INCLUDE}/gelf.h libelf/gelf.h COPYONLY)
set(LIBELF_INCLUDE ${CMAKE_CURRENT_BINARY_DIR}/libelf)
endif()
message(STATUS "Found LIBELF: include: ${LIBELF_INCLUDE}, lib: ${LIBELF_LIB}")
else()
message(FATAL_ERROR "Couldn't find system libelf")
endif()
if(BUILD_SHARED_LIBS OR USE_SHARED_LIBELF)
add_library(elf SHARED IMPORTED GLOBAL)
else()
add_library(elf STATIC IMPORTED GLOBAL)
endif()
set_target_properties(elf PROPERTIES IMPORTED_LOCATION ${LIBELF_LIB})
target_include_directories(elf INTERFACE ${LIBELF_INCLUDE})
find_path(LIBELF_INCLUDE elf.h PATH_SUFFIXES elf)
if(BUILD_SHARED_LIBS OR USE_SHARED_LIBELF)
set(LIBELF_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
else()
set(LIBELF_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
endif()
find_library(LIBELF_LIB NAMES libelf${LIBELF_LIB_SUFFIX})
if(LIBELF_LIB)
message(STATUS "Found LIBELF: include: ${LIBELF_INCLUDE}, lib: ${LIBELF_LIB}")
else()
message(FATAL_ERROR "Couldn't find system libelf")
endif()
# We add a custom target, in this way we can always depend on `libelf`
# without distinguishing between "bundled" and "not-bundled" case
add_custom_target(libelf)
else()
include(FetchContent)
FetchContent_Declare(
libelf_elftoolchain
URL https://github.com/falcosecurity/elftoolchain/releases/download/libelf-r4073-0/libelf-r4073-0.tar.gz
URL_HASH SHA256=adfeb3033c23ca579902f2bce7d9ffeec662f97d3846bb74e57fb65d70f6f056
)
FetchContent_MakeAvailable(libelf_elftoolchain)
get_target_property(LIBELF_INCLUDE elf INCLUDE_DIRECTORIES)
message(STATUS "Using bundled libelf: include'${LIBELF_INCLUDE}'")
if(BUILD_SHARED_LIBS)
set(LIBELF_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
else()
set(LIBELF_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
endif()
set(LIBELF_SRC "${PROJECT_BINARY_DIR}/libelf-prefix/src")
set(LIBELF_INCLUDE "${LIBELF_SRC}/libelf/libelf")
set(LIBELF_LIB "${LIBELF_SRC}/libelf/libelf/libelf${LIBELF_LIB_SUFFIX}")
ExternalProject_Add(
libelf
PREFIX "${PROJECT_BINARY_DIR}/libelf-prefix"
DEPENDS zlib
URL "https://sourceware.org/elfutils/ftp/0.189/elfutils-0.189.tar.bz2"
URL_HASH "SHA256=39bd8f1a338e2b7cd4abc3ff11a0eddc6e690f69578a57478d8179b4148708c8"
CONFIGURE_COMMAND ./configure LDFLAGS=-L${ZLIB_SRC} "CFLAGS=-I${ZLIB_INCLUDE}" --enable-deterministic-archives --disable-debuginfod --disable-libdebuginfod --without-zstd
BUILD_IN_SOURCE 1
BUILD_COMMAND make -C lib libeu.a
COMMAND make -C libelf libelf${LIBELF_LIB_SUFFIX}
INSTALL_COMMAND ""
UPDATE_COMMAND ""
BUILD_BYPRODUCTS ${LIBELF_LIB}
)
message(STATUS "Using bundled libelf: include'${LIBELF_INCLUDE}', lib: ${LIBELF_LIB}")
install(FILES "${LIBELF_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps")
install(DIRECTORY "${LIBELF_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps")
endif()
# We add a custom target, in this way we can always depend on `libelf`
# without distinguishing between "bundled" and "not-bundled" case
if(NOT TARGET libelf)
add_custom_target(libelf)
endif()
include_directories(${LIBELF_INCLUDE})
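Review bot: In the system-libelf branch the success check is `if(LIBELF_LIB)` only, so a failed `find_path(LIBELF_INCLUDE elf.h PATH_SUFFIXES elf)` still prints "Found LIBELF" and the `-NOTFOUND` value reaches `include_directories(${LIBELF_INCLUDE})` at the end of the file. Checking both, `if(LIBELF_INCLUDE AND LIBELF_LIB)`, gives the same clear `FATAL_ERROR` that the libbpf module gives. The probe also looks for `elf.h`, which is usually shipped by the C library rather than by libelf, so it may succeed on a host that lacks the libelf development headers. Probing `libelf.h` would be closer to what the build needs, if the supported distributions lay the header out that way.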


@ -2,140 +2,141 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
if(NOT HAVE_LIBSCAP)
set(HAVE_LIBSCAP On)
set(HAVE_LIBSCAP On)
if(NOT LIBS_DIR)
get_filename_component(LIBS_DIR ${CMAKE_CURRENT_LIST_DIR}/../.. ABSOLUTE)
if(NOT LIBS_DIR)
get_filename_component(LIBS_DIR ${CMAKE_CURRENT_LIST_DIR}/../.. ABSOLUTE)
endif()
option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
include(GNUInstallDirs)
include(ExternalProject)
include(uthash)
include(CheckSymbolExists)
check_symbol_exists(strlcpy "string.h" HAVE_STRLCPY)
check_symbol_exists(strlcat "string.h" HAVE_STRLCAT)
if(HAVE_STRLCPY)
message(STATUS "Existing strlcpy found, will *not* use local definition")
else()
message(STATUS "No strlcpy found, will use local definition")
endif()
if(HAVE_STRLCAT)
message(STATUS "Existing strlcat found, will *not* use local definition")
else()
message(STATUS "No strlcat found, will use local definition")
endif()
add_definitions(-DPLATFORM_NAME="${CMAKE_SYSTEM_NAME}")
if(CMAKE_SYSTEM_NAME MATCHES "Linux")
get_filename_component(DRIVER_CONFIG_DIR ${CMAKE_BINARY_DIR}/driver/src ABSOLUTE)
else()
# This doesn't install all of the driver headers but seems to be sufficient for
# non-Linux platforms.
get_filename_component(DRIVER_CONFIG_DIR ${PROJECT_SOURCE_DIR}/driver ABSOLUTE)
endif()
get_filename_component(LIBSCAP_INCLUDE_DIR ${LIBS_DIR}/userspace/libscap ABSOLUTE)
set(LIBSCAP_INCLUDE_DIRS ${LIBSCAP_INCLUDE_DIR} ${PROJECT_BINARY_DIR} ${DRIVER_CONFIG_DIR})
function(set_scap_target_properties target)
set_target_properties(${target} PROPERTIES
VERSION ${FALCOSECURITY_SHARED_LIBS_VERSION}
SOVERSION ${FALCOSECURITY_SHARED_LIBS_SOVERSION}
)
endfunction()
add_subdirectory(${LIBS_DIR}/userspace/libscap ${PROJECT_BINARY_DIR}/libscap)
set(LIBSCAP_INSTALL_LIBS)
# All of the targets in userspace/libscap
get_directory_property(libscap_subdirs DIRECTORY ${LIBS_DIR}/userspace/libscap SUBDIRECTORIES)
set(libscap_subdir_targets)
foreach(libscap_subdir ${LIBS_DIR}/userspace/libscap ${libscap_subdirs})
get_directory_property(subdir_targets DIRECTORY ${libscap_subdir} BUILDSYSTEM_TARGETS)
list(APPEND libscap_subdir_targets ${subdir_targets})
endforeach()
set(install_lib_type STATIC_LIBRARY)
if (BUILD_SHARED_LIBS)
set(install_lib_type SHARED_LIBRARY)
endif()
# Installation targets only
foreach(libscap_subdir_target ${libscap_subdir_targets})
get_target_property(cl_target_type ${libscap_subdir_target} TYPE)
if (${cl_target_type} STREQUAL ${install_lib_type})
list(APPEND LIBSCAP_INSTALL_LIBS ${libscap_subdir_target})
endif()
endforeach()
option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
include(GNUInstallDirs)
include(ExternalProject)
include(uthash)
include(CheckSymbolExists)
check_symbol_exists(strlcpy "string.h" HAVE_STRLCPY)
check_symbol_exists(strlcat "string.h" HAVE_STRLCAT)
include(BuildPkgConfigDependencies)
if(HAVE_STRLCPY)
message(STATUS "Existing strlcpy found, will *not* use local definition")
else()
message(STATUS "No strlcpy found, will use local definition")
endif()
if(HAVE_STRLCAT)
message(STATUS "Existing strlcat found, will *not* use local definition")
else()
message(STATUS "No strlcat found, will use local definition")
endif()
add_definitions(-DPLATFORM_NAME="${CMAKE_SYSTEM_NAME}")
if(CMAKE_SYSTEM_NAME MATCHES "Linux")
get_filename_component(DRIVER_CONFIG_DIR ${CMAKE_BINARY_DIR}/driver/src ABSOLUTE)
else()
# This doesn't install all of the driver headers but seems to be sufficient for non-Linux
# platforms.
get_filename_component(DRIVER_CONFIG_DIR ${PROJECT_SOURCE_DIR}/driver ABSOLUTE)
endif()
get_filename_component(LIBSCAP_INCLUDE_DIR ${LIBS_DIR}/userspace/libscap ABSOLUTE)
set(LIBSCAP_INCLUDE_DIRS ${LIBSCAP_INCLUDE_DIR} ${PROJECT_BINARY_DIR} ${DRIVER_CONFIG_DIR})
function(set_scap_target_properties target)
set_target_properties(
${target} PROPERTIES VERSION ${FALCOSECURITY_SHARED_LIBS_VERSION}
SOVERSION ${FALCOSECURITY_SHARED_LIBS_SOVERSION}
)
endfunction()
add_subdirectory(${LIBS_DIR}/userspace/libscap ${PROJECT_BINARY_DIR}/libscap)
set(LIBSCAP_INSTALL_LIBS)
# All of the targets in userspace/libscap
get_directory_property(libscap_subdirs DIRECTORY ${LIBS_DIR}/userspace/libscap SUBDIRECTORIES)
set(libscap_subdir_targets)
foreach(libscap_subdir ${LIBS_DIR}/userspace/libscap ${libscap_subdirs})
get_directory_property(subdir_targets DIRECTORY ${libscap_subdir} BUILDSYSTEM_TARGETS)
list(APPEND libscap_subdir_targets ${subdir_targets})
endforeach()
set(install_lib_type STATIC_LIBRARY)
if(BUILD_SHARED_LIBS)
set(install_lib_type SHARED_LIBRARY)
endif()
# Installation targets only
foreach(libscap_subdir_target ${libscap_subdir_targets})
get_target_property(cl_target_type ${libscap_subdir_target} TYPE)
if(${cl_target_type} STREQUAL ${install_lib_type})
list(APPEND LIBSCAP_INSTALL_LIBS ${libscap_subdir_target})
# Installation targets and their dependencies
set(libscap_link_libraries)
set(libscap_link_libdirs)
foreach(libscap_install_lib ${LIBSCAP_INSTALL_LIBS})
list(APPEND libscap_link_libraries ${libscap_install_lib})
get_target_property(install_lib_link_libraries ${libscap_install_lib} LINK_LIBRARIES)
foreach (install_lib_link_library ${install_lib_link_libraries})
if (NOT ${install_lib_link_library} IN_LIST libscap_subdir_targets)
if(${install_lib_link_library} MATCHES "/")
# We have a path. Convert it to -L<dir> + -l<lib>.
get_filename_component(scap_lib_dir ${install_lib_link_library} DIRECTORY)
list(APPEND libscap_link_libdirs -L${scap_lib_dir})
get_filename_component(scap_lib_base ${install_lib_link_library} NAME_WE)
string(REGEX REPLACE "^lib" "" scap_lib_base ${scap_lib_base})
list(APPEND libscap_link_libraries ${scap_lib_base})
else()
list(APPEND libscap_link_libraries ${install_lib_link_library})
endif()
endif()
endforeach()
endforeach()
list(REMOVE_DUPLICATES libscap_link_libraries)
install(
TARGETS ${LIBSCAP_INSTALL_LIBS}
ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}"
RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}"
COMPONENT "scap"
OPTIONAL
)
install(
DIRECTORY "${LIBSCAP_INCLUDE_DIR}"
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "scap"
FILES_MATCHING
PATTERN "*.h"
PATTERN "*examples*" EXCLUDE
PATTERN "*doxygen*" EXCLUDE
)
install(
DIRECTORY "${DRIVER_CONFIG_DIR}/"
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/driver"
COMPONENT "scap"
FILES_MATCHING
PATTERN "*.h"
)
install(
DIRECTORY "${LIBS_DIR}/userspace/plugin"
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "scap"
FILES_MATCHING
PATTERN "*.h"
)
set(libscap_link_flags)
foreach(libscap_link_library ${libscap_link_libraries})
list(APPEND libscap_link_flags "-l${libscap_link_library}")
endforeach()
if(USE_BUNDLED_UTHASH)
install(FILES ${UTHASH_INCLUDE}/uthash.h
DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap
)
endif()
string(REPLACE ";" " " LIBSCAP_LINK_LIBRARIES_FLAGS "${libscap_link_flags}")
string(REPLACE ";" " " LIBSCAP_LINK_LIBDIRS_FLAGS "${libscap_link_libdirs}")
configure_file(${LIBS_DIR}/userspace/libscap/libscap.pc.in ${PROJECT_BINARY_DIR}/libscap/libscap.pc @ONLY)
install(FILES ${PROJECT_BINARY_DIR}/libscap/scap_config.h
DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap
)
install(FILES ${PROJECT_BINARY_DIR}/libscap/scap_strl_config.h
DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap
)
install(FILES ${PROJECT_BINARY_DIR}/libscap/libscap.pc
DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig
)
install(TARGETS ${LIBSCAP_INSTALL_LIBS}
ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}"
RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}"
COMPONENT "scap" OPTIONAL)
install(DIRECTORY "${LIBSCAP_INCLUDE_DIR}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "scap"
FILES_MATCHING PATTERN "*.h"
PATTERN "*examples*" EXCLUDE
PATTERN "*doxygen*" EXCLUDE)
install(DIRECTORY "${DRIVER_CONFIG_DIR}/" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/driver"
COMPONENT "scap"
FILES_MATCHING PATTERN "*.h")
install(DIRECTORY "${LIBS_DIR}/userspace/plugin" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "scap"
FILES_MATCHING PATTERN "*.h")
install(FILES ${PROJECT_BINARY_DIR}/libscap/scap_config.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap)
install(FILES ${PROJECT_BINARY_DIR}/libscap/scap_strl_config.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/libscap)
install(FILES ${PROJECT_BINARY_DIR}/libscap/libscap.pc DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
endif()
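Review bot: The pkg-config loop iterates `${install_lib_link_libraries}` without checking the result of `get_target_property(... LINK_LIBRARIES)`. For a target with no link libraries CMake sets the variable to `install_lib_link_libraries-NOTFOUND`, which would be appended to `libscap_link_libraries` and written into `libscap.pc` as a `-l` flag. A guard of `if(NOT install_lib_link_libraries)` followed by `continue()` before the inner `foreach` avoids that. The operand in `if(${install_lib_link_library} MATCHES "/")` is also unquoted, so an entry that is a generator expression or contains spaces may not be evaluated as intended. Whether any installed scap target actually has an empty link list is not visible in this section.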


@ -2,89 +2,99 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
if(NOT HAVE_LIBSINSP)
set(HAVE_LIBSINSP On)
set(HAVE_LIBSINSP On)
if(NOT LIBS_DIR)
get_filename_component(LIBS_DIR ${CMAKE_CURRENT_LIST_DIR}/../.. ABSOLUTE)
endif()
if(NOT LIBS_DIR)
get_filename_component(LIBS_DIR ${CMAKE_CURRENT_LIST_DIR}/../.. ABSOLUTE)
endif()
option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
option(ENABLE_THREAD_POOL "Enable inspector thread pool" OFF)
option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
if(DEFINED LIBSINSP_USER_AGENT)
add_definitions(-DLIBSINSP_USER_AGENT="${LIBSINSP_USER_AGENT}")
endif()
option(WITH_CHISEL "Include chisel implementation" OFF)
include(ExternalProject)
include(libscap)
if(NOT EMSCRIPTEN)
include(tbb)
endif()
include(jsoncpp)
include(valijson)
include(re2)
if(DEFINED LIBSINSP_USER_AGENT)
add_definitions(-DLIBSINSP_USER_AGENT="${LIBSINSP_USER_AGENT}")
endif()
if(ENABLE_THREAD_POOL AND NOT EMSCRIPTEN)
include(bs_threadpool)
endif()
include(ExternalProject)
include(libscap)
if (NOT EMSCRIPTEN)
include(tbb)
endif()
if(NOT WIN32 AND NOT APPLE AND NOT MINIMAL_BUILD AND NOT EMSCRIPTEN)
include(cares)
include(curl)
endif()
include(jsoncpp)
include(valijson)
include(re2)
set(LIBSINSP_INCLUDE_DIRS)
set(LIBSINSP_INCLUDE_DIRS ${LIBS_DIR} ${LIBS_DIR}/userspace ${LIBSCAP_INCLUDE_DIRS} ${DRIVER_CONFIG_DIR})
if(NOT USE_BUNDLED_TBB AND NOT EMSCRIPTEN)
list(APPEND LIBSINSP_INCLUDE_DIRS ${TBB_INCLUDE_DIR})
endif()
if (NOT EMSCRIPTEN)
get_filename_component(TBB_ABSOLUTE_INCLUDE_DIR ${TBB_INCLUDE_DIR} ABSOLUTE)
list(APPEND LIBSINSP_INCLUDE_DIRS ${TBB_ABSOLUTE_INCLUDE_DIR})
endif()
if(NOT USE_BUNDLED_JSONCPP)
list(APPEND LIBSINSP_INCLUDE_DIRS ${JSONCPP_INCLUDE})
endif()
get_filename_component(JSONCPP_ABSOLUTE_INCLUDE_DIR ${JSONCPP_INCLUDE} ABSOLUTE)
list(APPEND LIBSINSP_INCLUDE_DIRS ${JSONCPP_ABSOLUTE_INCLUDE_DIR})
function(set_sinsp_target_properties target)
set_target_properties(
${target} PROPERTIES VERSION ${FALCOSECURITY_SHARED_LIBS_VERSION}
SOVERSION ${FALCOSECURITY_SHARED_LIBS_SOVERSION}
)
endfunction()
get_filename_component(VALIJSON_ABSOLUTE_INCLUDE_DIR ${VALIJSON_INCLUDE} ABSOLUTE)
list(APPEND LIBSINSP_INCLUDE_DIRS ${VALIJSON_ABSOLUTE_INCLUDE_DIR})
add_subdirectory(${LIBS_DIR}/userspace/libsinsp ${CMAKE_BINARY_DIR}/libsinsp)
install(
TARGETS sinsp
ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}"
RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" COMPONENT "sinsp"
)
install(
DIRECTORY "${LIBS_DIR}/userspace/libsinsp"
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "sinsp"
FILES_MATCHING
PATTERN "*.h"
PATTERN "*third_party*" EXCLUDE
PATTERN "*examples*" EXCLUDE
PATTERN "*doxygen*" EXCLUDE
PATTERN "*scripts*" EXCLUDE
PATTERN "*test*" EXCLUDE
)
install(
DIRECTORY "${LIBS_DIR}/userspace/async"
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "sinsp"
FILES_MATCHING
PATTERN "*.h"
)
install(FILES ${PROJECT_BINARY_DIR}/libsinsp/libsinsp.pc
DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig
get_filename_component(RE2_ABSOLUTE_INCLUDE_DIR ${RE2_INCLUDE} ABSOLUTE)
list(APPEND LIBSINSP_INCLUDE_DIRS ${RE2_ABSOLUTE_INCLUDE_DIR})
if(NOT MINIMAL_BUILD AND NOT EMSCRIPTEN AND NOT APPLE)
get_filename_component(CARES_ABSOLUTE_INCLUDE_DIR ${CARES_INCLUDE} ABSOLUTE)
list(APPEND LIBSINSP_INCLUDE_DIRS ${CARES_ABSOLUTE_INCLUDE_DIR})
endif()
if(NOT WIN32 AND NOT APPLE AND NOT MINIMAL_BUILD AND NOT EMSCRIPTEN)
get_filename_component(CURL_ABSOLUTE_INCLUDE_DIR ${CURL_INCLUDE_DIRS} ABSOLUTE)
list(APPEND LIBSINSP_INCLUDE_DIRS ${CURL_ABSOLUTE_INCLUDE_DIR})
endif()
function(set_sinsp_target_properties target)
set_target_properties(${target} PROPERTIES
VERSION ${FALCOSECURITY_SHARED_LIBS_VERSION}
SOVERSION ${FALCOSECURITY_SHARED_LIBS_SOVERSION}
)
endfunction()
add_subdirectory(${LIBS_DIR}/userspace/libsinsp ${CMAKE_BINARY_DIR}/libsinsp)
install(TARGETS sinsp
ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}"
RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}"
COMPONENT "sinsp")
install(DIRECTORY "${LIBS_DIR}/userspace/libsinsp" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "sinsp"
FILES_MATCHING PATTERN "*.h"
PATTERN "*third_party*" EXCLUDE
PATTERN "*examples*" EXCLUDE
PATTERN "*doxygen*" EXCLUDE
PATTERN "*scripts*" EXCLUDE
PATTERN "*test*" EXCLUDE)
install(DIRECTORY "${LIBS_DIR}/userspace/async" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "sinsp"
FILES_MATCHING PATTERN "*.h")
if(WITH_CHISEL)
install(DIRECTORY "${LIBS_DIR}/userspace/chisel" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "sinsp"
FILES_MATCHING PATTERN "*.h")
endif()
install(FILES ${PROJECT_BINARY_DIR}/libsinsp/libsinsp.pc DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
endif()
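Review bot: The guard around the c-ares include path, `if(NOT MINIMAL_BUILD AND NOT EMSCRIPTEN AND NOT APPLE)`, is wider than the one that loads the module, `if(NOT WIN32 AND NOT APPLE AND NOT MINIMAL_BUILD AND NOT EMSCRIPTEN)`. On a non-minimal Windows build, `get_filename_component(CARES_ABSOLUTE_INCLUDE_DIR ${CARES_INCLUDE} ABSOLUTE)` therefore runs although `include(cares)` did not. Unless `CARES_INCLUDE` is set somewhere outside this file, the unquoted expansion is empty there and the call receives too few arguments. Use the same condition as the curl block just below it: `if(NOT WIN32 AND NOT APPLE AND NOT MINIMAL_BUILD AND NOT EMSCRIPTEN)`. The page prints old and new lines without markers, so the side these lines belong to is inferred from their formatting.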

110
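--- a/cmake/modules/luajit.cmake
+++ b/cmake/modules/luajit.cmake
@@ -0,0 +1,110 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+option(USE_BUNDLED_LUAJIT "Enable building of the bundled LuaJIT" ${USE_BUNDLED_DEPS})
+if(LUAJIT_INCLUDE)
+# we already have luajit
+elseif(NOT USE_BUNDLED_LUAJIT)
+find_path(LUAJIT_INCLUDE luajit.h PATH_SUFFIXES luajit-2.0 luajit-2.1 luajit)
+find_library(LUAJIT_LIB NAMES luajit luajit-5.1)
+if(LUAJIT_INCLUDE AND LUAJIT_LIB)
+message(STATUS "Found LuaJIT: include: ${LUAJIT_INCLUDE}, lib: ${LUAJIT_LIB}")
+else()
+# alternatively try stock Lua
+find_package(Lua REQUIRED)
+set(LUAJIT_LIB ${LUA_LIBRARY})
+set(LUAJIT_INCLUDE ${LUA_INCLUDE_DIR})
+endif()
+else()
+set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
+set(LUAJIT_INCLUDE "${LUAJIT_SRC}/")
+if(NOT WIN32)
+set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
+else()
+set(LUAJIT_LIB "${LUAJIT_SRC}/lua51.lib")
+endif()
+if(NOT TARGET luajit)
+message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
+if(NOT WIN32)
+if("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "ppc64le")
+ExternalProject_Add(luajit
+PREFIX "${PROJECT_BINARY_DIR}/luajit-prefix"
+GIT_REPOSITORY "https://github.com/moonjit/moonjit"
+GIT_TAG "2.1.2"
+CONFIGURE_COMMAND ""
+BUILD_COMMAND make
+BUILD_IN_SOURCE 1
+BUILD_BYPRODUCTS ${LUAJIT_LIB}
+UPDATE_COMMAND ""
+INSTALL_COMMAND "")
+elseif("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "s390x")
+ExternalProject_Add(luajit
+PREFIX "${PROJECT_BINARY_DIR}/luajit-prefix"
+GIT_REPOSITORY "https://github.com/linux-on-ibm-z/LuaJIT.git"
+GIT_TAG "v2.1"
+CONFIGURE_COMMAND ""
+BUILD_COMMAND make
+BUILD_IN_SOURCE 1
+BUILD_BYPRODUCTS ${LUAJIT_LIB}
+UPDATE_COMMAND ""
+INSTALL_COMMAND "")
+elseif(APPLE)
+ExternalProject_Add(luajit
+PREFIX "${PROJECT_BINARY_DIR}/luajit-prefix"
+URL "https://github.com/LuaJIT/LuaJIT/archive/8635cbabf3094c4d8bd00578c7d812bea87bb2d3.tar.gz"
+URL_HASH "SHA256=835035b244c3dc3d3d19bdd5ac623af90b84207e6330fb78f9fa51d6e200d760"
+CONFIGURE_COMMAND ""
+BUILD_COMMAND make MACOSX_DEPLOYMENT_TARGET=10.14
+BUILD_IN_SOURCE 1
+BUILD_BYPRODUCTS ${LUAJIT_LIB}
+INSTALL_COMMAND "")
+else()
+ExternalProject_Add(luajit
+PREFIX "${PROJECT_BINARY_DIR}/luajit-prefix"
+GIT_REPOSITORY "https://github.com/LuaJIT/LuaJIT"
+GIT_TAG "f3c856915b4ce7ccd24341e8ac73e8a9fd934171"
+CONFIGURE_COMMAND ""
+BUILD_COMMAND make
+BUILD_IN_SOURCE 1
+BUILD_BYPRODUCTS ${LUAJIT_LIB}
+UPDATE_COMMAND ""
+INSTALL_COMMAND "")
+endif()
+install(FILES "${LUAJIT_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+COMPONENT "libs-deps")
+install(DIRECTORY "${LUAJIT_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+COMPONENT "libs-deps"
+FILES_MATCHING PATTERN "*.h")
+else()
+ExternalProject_Add(luajit
+PREFIX "${PROJECT_BINARY_DIR}/luajit-prefix"
+URL "https://github.com/LuaJIT/LuaJIT/archive/v2.1.0-beta3.tar.gz"
+URL_HASH "SHA256=409f7fe570d3c16558e594421c47bdd130238323c9d6fd6c83dedd2aaeb082a8"
+CONFIGURE_COMMAND ""
+BUILD_COMMAND msvcbuild.bat
+BUILD_BYPRODUCTS ${LUAJIT_LIB}
+BINARY_DIR "${LUAJIT_SRC}"
+INSTALL_COMMAND "")
+endif()
+endif()
+endif()
+if(NOT TARGET luajit)
+add_custom_target(luajit)
+endif()
+include_directories("${LUAJIT_INCLUDE}")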
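Review bot: Two of the bundled LuaJIT branches fetch a movable ref with no integrity check: the ppc64le branch uses `GIT_TAG "2.1.2"` on the moonjit repository and the s390x branch uses `GIT_TAG "v2.1"` on the linux-on-ibm-z fork. The default branch pins a full commit id, and the APPLE and Windows branches carry a `URL_HASH`. A tag or branch name can be re-pointed upstream, so the same configure step may later build different source without any change in this file. Pin both to a full commit id, `GIT_TAG "<full 40-character commit id>"`, or switch them to the `URL` plus `URL_HASH "SHA256=<archive digest>"` form used by the other branches.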


@ -0,0 +1,62 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
option(USE_BUNDLED_OPENSSL "Enable building of the bundled OpenSSL" ${USE_BUNDLED_DEPS})
if(OPENSSL_INCLUDE_DIR)
# we already have openssl
elseif(NOT USE_BUNDLED_OPENSSL)
find_package(OpenSSL REQUIRED)
message(STATUS "Found OpenSSL: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
else()
if(BUILD_SHARED_LIBS)
set(OPENSSL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
set(OPENSSL_SHARED_OPTION shared)
else()
set(OPENSSL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
set(OPENSSL_SHARED_OPTION no-shared)
endif()
set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include/")
set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl${OPENSSL_LIB_SUFFIX}")
set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto${OPENSSL_LIB_SUFFIX}")
set(OPENSSL_LIBRARIES ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO})
if(NOT TARGET openssl)
message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
ExternalProject_Add(openssl
PREFIX "${PROJECT_BINARY_DIR}/openssl-prefix"
URL "https://github.com/openssl/openssl/releases/download/openssl-3.1.4/openssl-3.1.4.tar.gz"
URL_HASH "SHA256=840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3"
CONFIGURE_COMMAND ./config ${OPENSSL_SHARED_OPTION} --prefix=${OPENSSL_INSTALL_DIR} --libdir=lib
BUILD_COMMAND make
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO}
INSTALL_COMMAND make install_sw)
install(FILES "${OPENSSL_LIBRARY_SSL}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps")
install(FILES "${OPENSSL_LIBRARY_CRYPTO}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps")
install(DIRECTORY "${OPENSSL_INCLUDE_DIR}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps")
endif()
endif()
if(NOT TARGET openssl)
add_custom_target(openssl)
endif()
include_directories("${OPENSSL_INCLUDE_DIR}")
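Review bot: The bundled build is fixed at OpenSSL 3.1.4 by the `URL`/`URL_HASH` pair, and when `BUILD_SHARED_LIBS` is off it is configured `no-shared` and linked statically. Upstream security fixes then reach consumers only when this file is edited and everything is rebuilt, and nothing in the file says so. A comment above `ExternalProject_Add(openssl` would make that maintenance duty visible, for example `# Bundled OpenSSL is pinned; bump URL and URL_HASH together whenever upstream ships a security release.` The first branch, `if(OPENSSL_INCLUDE_DIR)`, also accepts any preset include path without checking that matching libraries were supplied, which deserves a one-line comment of its own.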


@ -2,15 +2,14 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
option(USE_BUNDLED_PROTOBUF "Enable building of the bundled protobuf" ${USE_BUNDLED_DEPS})
@ -21,14 +20,8 @@ elseif(NOT USE_BUNDLED_PROTOBUF)
find_program(PROTOC NAMES protoc)
find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h)
find_library(PROTOBUF_LIB NAMES protobuf)
if(PROTOC
AND PROTOBUF_INCLUDE
AND PROTOBUF_LIB
)
message(
STATUS
"Found protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}"
)
if(PROTOC AND PROTOBUF_INCLUDE AND PROTOBUF_LIB)
message(STATUS "Found protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
else()
message(FATAL_ERROR "Couldn't find system protobuf")
endif()
@ -45,57 +38,29 @@ else()
set(PROTOBUF_SRC "${PROJECT_BINARY_DIR}/protobuf-prefix/src/protobuf")
set(PROTOC "${PROTOBUF_SRC}/target/bin/protoc")
set(PROTOBUF_INCLUDE "${PROTOBUF_SRC}/target/include/")
set(PROTOBUF_LIB
"${PROTOBUF_SRC}/target/lib/libprotobuf${PROTOBUF_LIB_SUFFIX}"
CACHE PATH "Path to libprotobuf"
)
set(PROTOBUF_LIB "${PROTOBUF_SRC}/target/lib/libprotobuf${PROTOBUF_LIB_SUFFIX}" CACHE PATH "Path to libprotobuf")
set(PROTOC_LIB "${PROTOBUF_SRC}/target/lib/libprotoc${PROTOBUF_LIB_SUFFIX}")
set(PROTOBUF_INSTALL_DIR "${PROTOBUF_SRC}/target")
if(NOT TARGET protobuf)
if(NOT ENABLE_PIC)
set(PROTOBUF_PIC_OPTION)
else()
set(PROTOBUF_PIC_OPTION "--with-pic=yes")
endif()
# Match both release and relwithdebinfo builds
if(CMAKE_BUILD_TYPE MATCHES "[R,r]el*")
set(PROTOBUF_CXXFLAGS "-O3 -std=c++11 -DNDEBUG")
else()
set(PROTOBUF_CXXFLAGS "-g -std=c++11")
endif()
message(STATUS "Using bundled protobuf in '${PROTOBUF_SRC}'")
ExternalProject_Add(
protobuf
ExternalProject_Add(protobuf
PREFIX "${PROJECT_BINARY_DIR}/protobuf-prefix"
DEPENDS zlib
URL "https://github.com/protocolbuffers/protobuf/releases/download/v3.20.3/protobuf-cpp-3.20.3.tar.gz"
URL_HASH "SHA256=e51cc8fc496f893e2a48beb417730ab6cbcb251142ad8b2cd1951faa5c76fe3d"
URL "https://github.com/protocolbuffers/protobuf/releases/download/v3.17.3/protobuf-cpp-3.17.3.tar.gz"
URL_HASH "SHA256=51cec99f108b83422b7af1170afd7aeb2dd77d2bcbb7b6bad1f92509e9ccf8cb"
# TODO what if using system zlib?
CONFIGURE_COMMAND
./configure CXXFLAGS=${PROTOBUF_CXXFLAGS} --with-zlib-include=${ZLIB_INCLUDE}
--with-zlib-lib=${ZLIB_SRC} --with-zlib ${PROTOBUF_CONFIGURE_FLAGS}
${PROTOBUF_PIC_OPTION} --prefix=${PROTOBUF_INSTALL_DIR}
CONFIGURE_COMMAND CPPFLAGS=-I${ZLIB_INCLUDE} LDFLAGS=-L${ZLIB_SRC} ./configure --with-zlib ${PROTOBUF_CONFIGURE_FLAGS} --prefix=${PROTOBUF_INSTALL_DIR}
BUILD_COMMAND make
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${PROTOC} ${PROTOBUF_INCLUDE} ${PROTOBUF_LIB}
INSTALL_COMMAND make install
)
install(
FILES "${PROTOBUF_LIB}"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(
FILES "${PROTOC_LIB}"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(
DIRECTORY "${PROTOBUF_INCLUDE}"
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
INSTALL_COMMAND make install)
install(FILES "${PROTOBUF_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps")
install(FILES "${PROTOC_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps")
install(DIRECTORY "${PROTOBUF_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps")
endif()
endif()
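Review bot: The configure line `CPPFLAGS=-I${ZLIB_INCLUDE} LDFLAGS=-L${ZLIB_SRC} ./configure --with-zlib ...` assumes the bundled zlib, as the `# TODO what if using system zlib?` above it concedes: `DEPENDS zlib` and `ZLIB_SRC` are used unconditionally. If `ZLIB_SRC` is empty when a system zlib is selected (its definition is outside these hunks), the command carries a bare `-L` and the link falls back to whatever zlib the default search path yields. Build the two assignments only when the variable is set, e.g. `if(ZLIB_SRC)` / `set(PROTOBUF_ZLIB_ENV CPPFLAGS=-I${ZLIB_INCLUDE} LDFLAGS=-L${ZLIB_SRC})` / `endif()`, and pass `${PROTOBUF_ZLIB_ENV}` in `CONFIGURE_COMMAND`. The surrounding `if`/`else()` chain starts and ends outside the hunks shown.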


@ -2,15 +2,14 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
option(USE_BUNDLED_RE2 "Enable building of the bundled RE2" ${USE_BUNDLED_DEPS})
@ -42,95 +41,57 @@ else()
if(NOT WIN32)
set(RE2_LIB "${RE2_SRC}/lib/libre2${RE2_LIB_SUFFIX}")
set(RE2_LIB_PATTERN "libre2*")
if(CMAKE_VERSION VERSION_LESS 3.29.1)
ExternalProject_Add(
re2
PREFIX "${PROJECT_BINARY_DIR}/re2-prefix"
URL "${RE2_URL}"
URL_HASH "${RE2_URL_HASH}"
BINARY_DIR "${PROJECT_BINARY_DIR}/re2-prefix/build"
BUILD_BYPRODUCTS ${RE2_LIB}
CMAKE_ARGS -DCMAKE_INSTALL_LIBDIR=lib
-DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
-DRE2_BUILD_TESTING=OFF
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_INSTALL_PREFIX=${RE2_SRC}
-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
)
else()
# CMake 3.29.1 removed the support for the `PACKAGE_PREFIX_DIR` variable. The patch
# command just applies the same patch applied by re2 to solve the issue:
# https://github.com/google/re2/commit/9ebe4a22cad8a025b68a9594bdff3c047a111333
ExternalProject_Add(
re2
PREFIX "${PROJECT_BINARY_DIR}/re2-prefix"
URL "${RE2_URL}"
URL_HASH "${RE2_URL_HASH}"
BINARY_DIR "${PROJECT_BINARY_DIR}/re2-prefix/build"
BUILD_BYPRODUCTS ${RE2_LIB}
PATCH_COMMAND
COMMAND sed -i".bak" "/set_and_check/d" re2Config.cmake.in
CMAKE_ARGS -DCMAKE_INSTALL_LIBDIR=lib
-DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
-DRE2_BUILD_TESTING=OFF
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_INSTALL_PREFIX=${RE2_SRC}
-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
)
endif()
ExternalProject_Add(re2
PREFIX "${PROJECT_BINARY_DIR}/re2-prefix"
URL "${RE2_URL}"
URL_HASH "${RE2_URL_HASH}"
BINARY_DIR "${PROJECT_BINARY_DIR}/re2-prefix/build"
BUILD_BYPRODUCTS ${RE2_LIB}
CMAKE_ARGS
-DCMAKE_INSTALL_LIBDIR=lib
-DRE2_BUILD_TESTING=OFF
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_INSTALL_PREFIX=${RE2_SRC})
else()
set(RE2_LIB "${RE2_SRC}/lib/re2.lib")
set(RE2_LIB_PATTERN "re2.lib")
# see: https://cmake.org/cmake/help/latest/policy/CMP0091.html
if(CMAKE_VERSION VERSION_LESS 3.15.0)
ExternalProject_Add(
re2
ExternalProject_Add(re2
PREFIX "${PROJECT_BINARY_DIR}/re2-prefix"
URL "${RE2_URL}"
URL_HASH "${RE2_URL_HASH}"
BINARY_DIR "${PROJECT_BINARY_DIR}/re2-prefix/build"
BUILD_BYPRODUCTS ${RE2_LIB}
CMAKE_ARGS -DCMAKE_CXX_FLAGS_DEBUG=${FALCOSECURITY_LIBS_DEBUG_FLAGS}
-DCMAKE_CXX_FLAGS_RELEASE=${FALCOSECURITY_LIBS_RELEASE_FLAGS}
-DCMAKE_INSTALL_LIBDIR=lib
-DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
-DRE2_BUILD_TESTING=OFF
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_INSTALL_PREFIX=${RE2_SRC}
-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
)
CMAKE_ARGS
-DCMAKE_CXX_FLAGS_DEBUG=${FALCOSECURITY_LIBS_DEBUG_FLAGS}
-DCMAKE_CXX_FLAGS_RELEASE=${FALCOSECURITY_LIBS_RELEASE_FLAGS}
-DCMAKE_INSTALL_LIBDIR=lib
-DRE2_BUILD_TESTING=OFF
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_INSTALL_PREFIX=${RE2_SRC})
else()
ExternalProject_Add(
re2
ExternalProject_Add(re2
PREFIX "${PROJECT_BINARY_DIR}/re2-prefix"
URL "${RE2_URL}"
URL_HASH "${RE2_URL_HASH}"
BINARY_DIR "${PROJECT_BINARY_DIR}/re2-prefix/build"
BUILD_BYPRODUCTS ${RE2_LIB}
CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
-DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
-DCMAKE_INSTALL_LIBDIR=lib
-DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
-DRE2_BUILD_TESTING=OFF
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_INSTALL_PREFIX=${RE2_SRC}
-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
)
CMAKE_ARGS
-DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
-DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
-DCMAKE_INSTALL_LIBDIR=lib
-DRE2_BUILD_TESTING=OFF
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_INSTALL_PREFIX=${RE2_SRC})
endif()
endif()
install(
DIRECTORY ${RE2_SRC}/lib/
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
FILES_MATCHING
PATTERN ${RE2_LIB_PATTERN}
)
install(
DIRECTORY "${RE2_INCLUDE}"
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(DIRECTORY ${RE2_SRC}/lib/ DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
FILES_MATCHING PATTERN ${RE2_LIB_PATTERN})
install(DIRECTORY "${RE2_INCLUDE}" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps")
endif()
if(NOT TARGET re2)
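Review bot: The single-line `ExternalProject_Add(re2` calls pass neither `-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}` nor `-DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}`, both of which the multi-line variants printed beside them do pass. Without them the bundled re2 is configured with its own defaults regardless of the parent build's type and PIC setting, and a static re2 built without PIC typically cannot be linked into a shared library. Add the two arguments back to each `CMAKE_ARGS` list. The tbb section further down omits `-DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}` from its single-line calls in the same way. The page has lost its `+`/`-` markers, so the side of each variant is inferred from formatting, and the hunk ends inside the `if(NOT TARGET re2)` block.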


@ -2,15 +2,14 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
option(USE_BUNDLED_TBB "Enable building of the bundled tbb" ${USE_BUNDLED_DEPS})
@ -53,106 +52,76 @@ else()
else()
set(TBB_LIB_BASENAME "tbb12")
endif()
endif()
endif()
set(TBB_LIB "${TBB_LIB_BASEDIR}/${TBB_LIB_PREFIX}${TBB_LIB_BASENAME}${TBB_LIB_SUFFIX}")
if(NOT TARGET tbb)
message(STATUS "Using bundled tbb in '${TBB_SRC}'")
set(TBB_SRC_URL "https://github.com/oneapi-src/oneTBB/archive/refs/tags/v2022.1.0.tar.gz")
set(TBB_SRC_URL_HASH
"SHA256=ed067603ece0dc832d2881ba5c516625ac2522c665d95f767ef6304e34f961b5"
)
set(TBB_SRC_URL "https://github.com/oneapi-src/oneTBB/archive/refs/tags/v2021.9.0.tar.gz")
set(TBB_SRC_URL_HASH "SHA256=1ce48f34dada7837f510735ff1172f6e2c261b09460e3bf773b49791d247d24e")
set(TBB_FLAGS "")
if(CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
# latest TBB has issues with GCC >= 12 see:
# https://github.com/oneapi-src/oneTBB/issues/843#issuecomment-1152646035
if (CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
# latest TBB has issues with GCC >= 12
# see: https://github.com/oneapi-src/oneTBB/issues/843#issuecomment-1152646035
set(TBB_FLAGS "-Wno-error=stringop-overflow")
endif()
if(EMSCRIPTEN)
set(TBB_FLAGS "${TBB_FLAGS} -Wno-unused-command-line-argument")
set(TBB_EMSCRIPTEN "ON")
endif()
if(NOT WIN32)
ExternalProject_Add(
tbb
if(NOT WIN32)
ExternalProject_Add(tbb
PREFIX "${PROJECT_BINARY_DIR}/tbb-prefix"
URL "${TBB_SRC_URL}"
URL_HASH "${TBB_SRC_URL_HASH}"
BUILD_IN_SOURCE 1
BUILD_COMMAND ${CMAKE_COMMAND} --build . --target tbb
CMAKE_ARGS -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-DTBB_OUTPUT_DIR_BASE=lib
-DCMAKE_CXX_FLAGS=${TBB_FLAGS}
-DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
-DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
-DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
-DEMSCRIPTEN=${TBB_EMSCRIPTEN}
-DTBB_FILE_TRIM=Off
-DTBB_INSTALL=Off
CMAKE_ARGS
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-DTBB_OUTPUT_DIR_BASE=lib
-DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
BUILD_BYPRODUCTS ${TBB_LIB}
INSTALL_COMMAND ""
)
INSTALL_COMMAND "")
else()
# see: https://cmake.org/cmake/help/latest/policy/CMP0091.html
if(CMAKE_VERSION VERSION_LESS 3.15.0)
ExternalProject_Add(
tbb
ExternalProject_Add(tbb
PREFIX "${PROJECT_BINARY_DIR}/tbb-prefix"
URL "${TBB_SRC_URL}"
URL_HASH "${TBB_SRC_URL_HASH}"
BUILD_IN_SOURCE 1
BUILD_COMMAND ${CMAKE_COMMAND} --build . --target tbb --config
${CMAKE_BUILD_TYPE}
CMAKE_ARGS -DCMAKE_CXX_FLAGS_DEBUG=${FALCOSECURITY_LIBS_DEBUG_FLAGS}
-DCMAKE_CXX_FLAGS_RELEASE=${FALCOSECURITY_LIBS_RELEASE_FLAGS}
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-DTBB_OUTPUT_DIR_BASE=lib
-DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
-DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
-DTBB_FILE_TRIM=Off
-DTBB_INSTALL=Off
BUILD_COMMAND ${CMAKE_COMMAND} --build . --target tbb --config ${CMAKE_BUILD_TYPE}
CMAKE_ARGS
-DCMAKE_CXX_FLAGS_DEBUG=${FALCOSECURITY_LIBS_DEBUG_FLAGS}
-DCMAKE_CXX_FLAGS_RELEASE=${FALCOSECURITY_LIBS_RELEASE_FLAGS}
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-DTBB_OUTPUT_DIR_BASE=lib
-DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
BUILD_BYPRODUCTS ${TBB_LIB}
INSTALL_COMMAND ""
)
INSTALL_COMMAND "")
else()
ExternalProject_Add(
tbb
ExternalProject_Add(tbb
PREFIX "${PROJECT_BINARY_DIR}/tbb-prefix"
URL "${TBB_SRC_URL}"
URL_HASH "${TBB_SRC_URL_HASH}"
BUILD_IN_SOURCE 1
BUILD_COMMAND ${CMAKE_COMMAND} --build . --target tbb --config
${CMAKE_BUILD_TYPE}
CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
-DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-DTBB_OUTPUT_DIR_BASE=lib
-DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
-DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
-DTBB_FILE_TRIM=Off
-DTBB_INSTALL=Off
BUILD_COMMAND ${CMAKE_COMMAND} --build . --target tbb --config ${CMAKE_BUILD_TYPE}
CMAKE_ARGS
-DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
-DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-DTBB_OUTPUT_DIR_BASE=lib
-DCMAKE_CXX_FLAGS="${TBB_FLAGS}"
BUILD_BYPRODUCTS ${TBB_LIB}
INSTALL_COMMAND ""
)
INSTALL_COMMAND "")
endif()
endif()
install(
DIRECTORY "${TBB_LIB_BASEDIR}/"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
FILES_MATCHING
PATTERN "${TBB_LIB_PREFIX}tbb*"
)
install(
DIRECTORY "${TBB_INCLUDE_DIR}/tbb"
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(DIRECTORY "${TBB_LIB_BASEDIR}/" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
FILES_MATCHING PATTERN "${TBB_LIB_PREFIX}tbb*")
install(DIRECTORY "${TBB_INCLUDE_DIR}/tbb" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps")
endif()
endif()


@ -2,15 +2,14 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
option(USE_BUNDLED_UTHASH "Enable downloading of the bundled uthash library" ${USE_BUNDLED_DEPS})
@ -32,15 +31,13 @@ else()
message(STATUS "Using bundled uthash in '${UTHASH_SRC}'")
ExternalProject_Add(
uthash
PREFIX "${PROJECT_BINARY_DIR}/uthash-prefix"
URL "https://github.com/troydhanson/uthash/archive/refs/tags/v1.9.8.tar.gz"
URL_HASH "SHA256=d9d123ce81c5d127442876fc3b12fab3ad632bee6aca685be7d461c08e24c046"
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
INSTALL_COMMAND ""
)
ExternalProject_Add(uthash
PREFIX "${PROJECT_BINARY_DIR}/uthash-prefix"
URL "https://github.com/troydhanson/uthash/archive/refs/tags/v1.9.8.tar.gz"
URL_HASH "SHA256=d9d123ce81c5d127442876fc3b12fab3ad632bee6aca685be7d461c08e24c046"
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
INSTALL_COMMAND "")
endif()
if(NOT TARGET uthash)


@ -2,15 +2,14 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
#
@ -29,15 +28,13 @@ else()
message(STATUS "Using bundled valijson in '${VALIJSON_SRC}'")
ExternalProject_Add(
valijson
ExternalProject_Add(valijson
PREFIX "${PROJECT_BINARY_DIR}/valijson-prefix"
URL "https://github.com/tristanpenman/valijson/archive/refs/tags/v1.0.2.tar.gz"
URL_HASH "SHA256=35d86e54fc727f1265226434dc996e33000a570f833537a25c8b702b0b824431"
CONFIGURE_COMMAND ""
BUILD_COMMAND ""
INSTALL_COMMAND ""
)
INSTALL_COMMAND "")
endif()
if(NOT TARGET valijson)


@ -2,57 +2,51 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
include(GetVersionFromGit)
function(get_libs_version _var)
# `+driver` is given to ignore drivers tags when fetching the version of libs
get_version_from_git(ver "" "+driver")
# `+driver` is given to ignore drivers tags when fetching the version of libs
get_version_from_git(ver "" "+driver")
set(${_var}
"${ver}"
PARENT_SCOPE
)
return()
set(${_var}
"${ver}"
PARENT_SCOPE)
return()
endfunction()
function(get_drivers_version _var)
# `+driver` is given to only fetch drivers tags, thus excluding libs ones
get_version_from_git(ver "+driver" "")
# `+driver` is given to only fetch drivers tags, thus excluding libs ones
get_version_from_git(ver "+driver" "")
set(${_var}
"${ver}"
PARENT_SCOPE
)
return()
set(${_var}
"${ver}"
PARENT_SCOPE)
return()
endfunction()
function(get_shared_libs_versions _var _sovar)
string(REGEX MATCH "^[0-9]+\\.[0-9]+\\.[0-9]+" sl_ver ${FALCOSECURITY_LIBS_VERSION})
string(REGEX MATCH "^[0-9]+\\.[0-9]+\\.[0-9]+" sl_ver ${FALCOSECURITY_LIBS_VERSION})
if(NOT sl_ver)
set(sl_ver "0.0.0")
endif()
if(NOT sl_ver)
set(sl_ver "0.0.0")
endif()
set(${_var}
${sl_ver}
PARENT_SCOPE
)
string(REPLACE "." ";" sl_ver_list ${sl_ver})
list(GET sl_ver_list 0 so_ver)
set(${_sovar}
${so_ver}
PARENT_SCOPE
)
return()
set(${_var} ${sl_ver} PARENT_SCOPE)
string(REPLACE "." ";" sl_ver_list ${sl_ver})
list(GET sl_ver_list 0 so_ver)
set(${_sovar} ${so_ver} PARENT_SCOPE)
return()
endfunction()


@ -2,15 +2,14 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License
# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
# or implied. See the License for the specific language governing permissions and limitations under
# the License.
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
option(USE_BUNDLED_ZLIB "Enable building of the bundled zlib" ${USE_BUNDLED_DEPS})
@ -29,9 +28,7 @@ else()
set(ZLIB_SRC "${PROJECT_BINARY_DIR}/zlib-prefix/src/zlib")
set(ZLIB_INCLUDE "${ZLIB_SRC}")
set(ZLIB_HEADERS "")
list(
APPEND
ZLIB_HEADERS
list(APPEND ZLIB_HEADERS
"${ZLIB_INCLUDE}/crc32.h"
"${ZLIB_INCLUDE}/deflate.h"
"${ZLIB_INCLUDE}/gzguts.h"
@ -45,80 +42,49 @@ else()
"${ZLIB_INCLUDE}/zutil.h"
)
if(NOT TARGET zlib)
# Match both release and relwithdebinfo builds
if(CMAKE_BUILD_TYPE MATCHES "[R,r]el*")
set(ZLIB_CFLAGS "-O3")
else()
set(ZLIB_CFLAGS "-g")
endif()
if(ENABLE_PIC)
set(ZLIB_CFLAGS "${ZLIB_CFLAGS} -fPIC")
endif()
message(STATUS "Using bundled zlib in '${ZLIB_SRC}'")
if(NOT WIN32)
if(BUILD_SHARED_LIBS)
set(ZLIB_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
set(ZLIB_CONFIGURE_FLAGS)
set(ZLIB_CONFIGURE_FLAGS )
else()
set(ZLIB_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
set(ZLIB_CONFIGURE_FLAGS "--static")
endif()
set(ZLIB_LIB "${ZLIB_SRC}/libz${ZLIB_LIB_SUFFIX}")
ExternalProject_Add(
zlib
ExternalProject_Add(zlib
PREFIX "${PROJECT_BINARY_DIR}/zlib-prefix"
URL "https://github.com/madler/zlib/releases/download/v1.3.1/zlib-1.3.1.tar.gz"
URL_HASH "SHA256=9a93b2b7dfdac77ceba5a558a580e74667dd6fede4585b91eefb60f03b72df23"
CONFIGURE_COMMAND CFLAGS=${ZLIB_CFLAGS} ./configure --prefix=${ZLIB_SRC}
${ZLIB_CONFIGURE_FLAGS}
URL "https://github.com/madler/zlib/archive/v1.2.13.tar.gz"
URL_HASH "SHA256=1525952a0a567581792613a9723333d7f8cc20b87a81f920fb8bc7e3f2251428"
CONFIGURE_COMMAND ./configure --prefix=${ZLIB_SRC} ${ZLIB_CONFIGURE_FLAGS}
BUILD_COMMAND make
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${ZLIB_LIB}
INSTALL_COMMAND ""
)
install(
FILES "${ZLIB_LIB}"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(
FILES ${ZLIB_HEADERS}
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/zlib"
COMPONENT "libs-deps"
)
INSTALL_COMMAND "")
install(FILES "${ZLIB_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps")
install(FILES ${ZLIB_HEADERS} DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/zlib"
COMPONENT "libs-deps")
else()
if(BUILD_SHARED_LIBS)
set(ZLIB_LIB_SUFFIX "${CMAKE_SHARED_LIBRARY_SUFFIX}")
set(ZLIB_LIB "${ZLIB_SRC}/lib/zlib$<$<CONFIG:Debug>:d>${ZLIB_LIB_SUFFIX}")
else()
set(ZLIB_LIB_SUFFIX "${CMAKE_STATIC_LIBRARY_SUFFIX}")
set(ZLIB_LIB "${ZLIB_SRC}/lib/zlibstatic$<$<CONFIG:Debug>:d>${ZLIB_LIB_SUFFIX}")
endif()
ExternalProject_Add(
zlib
set(ZLIB_LIB "${ZLIB_SRC}/zlib${ZLIB_LIB_SUFFIX}")
ExternalProject_Add(zlib
PREFIX "${PROJECT_BINARY_DIR}/zlib-prefix"
URL "https://github.com/madler/zlib/releases/download/v1.3.1/zlib-1.3.1.tar.gz"
URL_HASH "SHA256=9a93b2b7dfdac77ceba5a558a580e74667dd6fede4585b91eefb60f03b72df23"
URL "https://github.com/madler/zlib/archive/v1.2.13.tar.gz"
URL_HASH "SHA256=1525952a0a567581792613a9723333d7f8cc20b87a81f920fb8bc7e3f2251428"
CONFIGURE_COMMAND ""
BUILD_COMMAND nmake -f win32/Makefile.msc LOC=-DZLIB_WINAPI
BUILD_IN_SOURCE 1
BUILD_BYPRODUCTS ${ZLIB_LIB}
CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
-DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_PIC}
-DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
-DCMAKE_INSTALL_PREFIX=${ZLIB_SRC}
)
install(
FILES "${ZLIB_LIB}"
DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps"
)
install(
FILES ${ZLIB_HEADERS}
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/zlib"
COMPONENT "libs-deps"
)
INSTALL_COMMAND "")
install(FILES "${ZLIB_LIB}" DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
COMPONENT "libs-deps")
install(FILES ${ZLIB_HEADERS} DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}/zlib"
COMPONENT "libs-deps")
endif()
endif()
endif()
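Review bot: Both `ExternalProject_Add(zlib` calls on what appears to be the new side (the 49-line side of `@ -45,80 +42,49 @@`) pin zlib to v1.2.13 from GitHub's auto-generated `archive/v1.2.13.tar.gz`, where the other side uses the maintainer-published v1.3.1 release asset. The `URL_HASH` still makes a changed or tampered download fail closed, but the bundled library then misses whatever upstream fixed between those two releases, and an auto-generated archive is not guaranteed to stay byte-identical, so the pin can start failing for reasons unrelated to tampering. I would keep `URL "https://github.com/madler/zlib/releases/download/v1.3.1/zlib-1.3.1.tar.gz"` with `URL_HASH "SHA256=9a93b2b7dfdac77ceba5a558a580e74667dd6fede4585b91eefb60f03b72df23"` in both branches. The non-Windows `CONFIGURE_COMMAND` on that side also drops `CFLAGS=${ZLIB_CFLAGS}`, so `ENABLE_PIC` no longer reaches the bundled build; it is worth confirming that a static libz built this way still links wherever it ends up inside a shared object.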


@ -1,16 +0,0 @@
coverage:
status:
project:
default: off
libsinsp:
flags:
- libsinsp
flags:
libsinsp:
paths:
- userspace/libsinsp/
parsers:
cobertura:
partials_as_hits: true

278
coding_conventions.md Normal file

@ -0,0 +1,278 @@
0 Introduction
------
This repository strives for a consistent high quality code base and uses the conventions
below. If you are going to commit code that doesn't follow them, then you put the
work on us. :-(
If you use vim or emacs, you can put a custom configuration file in the base
directory in order to follow the conventions.
Also, note that the conventions in this file apply **strictly to the userspace** part
of this repository. For the kernel code, you should refer to
https://www.kernel.org/doc/html/latest/process/coding-style.html
and always run `checkpatch.pl` from the kernel tree before submitting pull requests.
Thanks for your attention and time.
1 Curly Braces
------
Every curly brace ("{" and "}") should go on its own line.
Example:
if(a == 0)
{
b = 1;
}
2 If and for statements
------
Every `if` and `for` statement should have the curly braces.
Example:
if(a == 0)
{
b = 1;
}
and not
if(a == 0)
b = 1;
3 Whitespace usage
------
Spaces are used in the following way:
int32_t foo(int32_t a, int32_t b)
{
for(j = 0; j < 10; j++)
{
foo(a, b);
}
}
Note that:
* in a function declaration, there is no space between the function name and the "(".
* in a function declaration, there is no space between the "(" and the first parameter.
* in a statement (e.g `for`, `while`...), there is no space between the "for" and the "(".
* in a statement (e.g `for`), there is no space between the "(" and the variable name.
* in a function call, there is no space between the function name and the "(".
* in a function call, there is no space between the "(" and the first parameter.
* "," and ";" work like in English: there should be a space after them.
4 Primitive types
------
For portability reasons, please use the standard C99 types instead of the native C types
like `int` and `long`. C99 types types will be available in all the user level
source files:
Example:
int32_t foo;
5 Commenting Style
------
Comments should be in the C++ style so we can use `/* */` to quickly remove
portions of code during development.
Example:
// this is a comment
6 Commenting Content
------
Code comments work in the following 2-level way:
* A three-line comment should document what the code does and give higher level explanations.
* A one line comment should detail single code lines or explain specific actions.
Example:
//
// Swap two variables
//
int a = 1, b = 2, t;
// make a copy of a
t = a;
// perform the swap
a = b;
b = t;
7 Class variables
------
In order to know whether a variable belongs to a `class` or a `function` we start member variables with "`m_`".
Example:
public int32_t m_counter;
8 Global variables
------
Similarly, in order to know whether the variable is global or not, we start
globals with "`g_`".
Example:
int g_nplugins;
9 Capitalization
------
The naming convention is camel-cased "Unix" style, i.e. always lower case. Words are separated by underscores.
Example:
int32_t g_global_bean_counter;
int32_t count_beans();
and not,
int32_t GlobalBeanCounter;
10 Packed Structures
-------
Packed structures should use the GCC and MSVC-style supported `pragma`:
#pragma pack(push,1)
struct frame_control
{
struct fields....
};
#pragma pack(pop)
11 OS-specific macros
-------
There's an online wiki which enumerates the different macros for compilers, operating systems, and architectures.
It's available at [http://sourceforge.net/p/predef/wiki/Home/](http://sourceforge.net/p/predef/wiki/Home/). Generally speaking we use the operating system page: [http://sourceforge.net/p/predef/wiki/OperatingSystems/](http://sourceforge.net/p/predef/wiki/OperatingSystems/).
12 64-bit constants
-------
Put an "LL" at the end of your 64 bit constants. Without the LL, on some platforms the compiler tries to interpret the constant on the right hand side
as a long integer instead of a long long and in some platform this generate an error at building time.
Example:
x=0X00FF00000000000LL
13 Class Declaration
-------
Class declarations follow the following sequence
1. constructors and destructor
2. public functions
3. public data
4. private functions
5. private data
6. friend declarations
Example:
class foo
{
public:
foo();
~foo();
int32_t lonli();
int32_t m_val;
private:
int32_t temustra();
int32_t m_val2;
};
14 Struct guidelines
-------
We think hiding the presence of a pointer makes the code unnecessarily
ambiguous and more difficult.
Seeing a * in a variable declaration immediately identifies a pointer, which
is easier to mentally keep track of!
Also we think that defining the struct as a typedef makes forward declarations
clunky and find using the C++ style when declaring our structs makes our
lives easier.
//
// Us human parsers find this confusing.
//
typedef struct _my_struct
{
u_int16 m_field;
} my_struct,
*p_my_struct;
//
// This is easier!
//
struct my_struct {
u_int16 m_field;
};
15 Temporary variables
-------
Since "j" is used less frequently in english prose than "a" or "i", we find
that these variables (in hierarchical order) are great for counters: j, k, l,
m, n.
Example:
int32_t j,k;
for(j = 0; j < 10; j++)
{
for(k = 0; k < 10; k++)
{
int32_t foo = j + k;
}
}
as opposed to:
int32_t i,counter;
for(i = 0; i < 10; i++)
{
for(counter = 0; counter < 10; counter++)
{
int32_t foo = i + counter;
}
}
16 Error management
-------
Error management inside libscap is done through return values, since the scap
library is written in C.
Error management in the rest of the user level code base is done through
exceptions. We know there's a lot of debate between return values and
exceptions. We decided to pick the latter, so please stick with that.
## You Made It!
Phew! That's it. Thanks!
If we've left anything in the open, feel free to contact us and we'll be happy
to get back to you. Also, you can look at the existing code and see how it's
done.
Have a good one!


@ -11,7 +11,3 @@ Navigate to the Home of Falco Drivers Kernel Testing on the left, or click this
## Supported Syscalls Report
Navigate to the Home of Falco Drivers Syscalls Report on the left, or click this [link](syscalls.md), or directly proceed to the supported syscalls [report](report.md).
## Perf Continuous Monitoring
Navigate to the Home of Falco Perf Monitoring on the left, or click this [link](perf.md).


@ -1,11 +0,0 @@
# Home of Falco Perf Monitoring
Our CI is capable of continuously benchmarking performance of our userspace code, both CPU and memory.
Every PR will have a comment with the perf diff from master for multiple aspects, while on master the flamegraph are pushed to this github pages.
Navigate to the perf reports on the left, or click these links:
* [unit tests cpu perf](perf_unit_tests.md)
* [scap file reading cpu perf](perf_scap_file.md)
* [unit tests memory profile](heaptrack_unit_tests.md)
* [scap file reading memory profile](heaptrack_scap_file.md)


@ -1,418 +1,411 @@
| SYSCALL | SUPPORTED | ARCHITECTURE |
|-------------------------|-----------|--------------------------------------------------|
| _llseek | 🟢 | ppc64le |
| _newselect | 🟡 | ppc64le |
| accept | 🟢 | aarch64,loongarch64,ppc64le,riscv64,x86_64 |
| accept4 | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| access | 🟢 | ppc64le,s390x,x86_64 |
| acct | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| add_key | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| adjtimex | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| alarm | 🟡 | ppc64le,s390x,x86_64 |
| arch_prctl | 🟡 | x86_64 |
| bind | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| bpf | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| brk | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| cachestat | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| capget | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| capset | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| chdir | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| chmod | 🟢 | ppc64le,s390x,x86_64 |
| chown | 🟢 | ppc64le,s390x,x86_64 |
| chroot | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| clock_adjtime | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| clock_getres | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| clock_gettime | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| clock_nanosleep | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| clock_settime | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| clone | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| clone3 | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| close | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| close_range | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| connect | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| copy_file_range | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| creat | 🟢 | ppc64le,s390x,x86_64 |
| delete_module | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| dup | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| dup2 | 🟢 | ppc64le,s390x,x86_64 |
| dup3 | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| epoll_create | 🟢 | ppc64le,s390x,x86_64 |
| epoll_create1 | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| epoll_ctl | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| epoll_ctl_old | 🟡 | x86_64 |
| epoll_pwait | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| epoll_pwait2 | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| epoll_wait | 🟢 | ppc64le,s390x,x86_64 |
| epoll_wait_old | 🟡 | x86_64 |
| eventfd | 🟢 | ppc64le,s390x,x86_64 |
| eventfd2 | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| execve | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| execveat | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| exit | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| exit_group | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| faccessat | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| faccessat2 | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fadvise64 | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fallocate | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fanotify_init | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fanotify_mark | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fchdir | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fchmod | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fchmodat | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fchmodat2 | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fchown | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fchownat | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fcntl | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fdatasync | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fgetxattr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| finit_module | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| flistxattr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| flock | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fork | 🟢 | ppc64le,s390x,x86_64 |
| fremovexattr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fsconfig | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fsetxattr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fsmount | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fsopen | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fspick | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fstat | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fstatfs | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| fstatfs64 | 🟡 | ppc64le,s390x |
| fsync | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| ftruncate | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| futex | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| futex_requeue | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| futex_wait | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| futex_waitv | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| futex_wake | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| futimesat | 🟡 | ppc64le,s390x,x86_64 |
| get_mempolicy | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| get_robust_list | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| get_thread_area | 🟡 | x86_64 |
| getcpu | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getcwd | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getdents | 🟢 | ppc64le,s390x,x86_64 |
| getdents64 | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getegid | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| geteuid | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getgid | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getgroups | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getitimer | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getpeername | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getpgid | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getpgrp | 🟡 | ppc64le,s390x,x86_64 |
| getpid | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getppid | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getpriority | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getrandom | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getresgid | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getresuid | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getrlimit | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getrusage | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getsid | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getsockname | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getsockopt | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| gettid | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| gettimeofday | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getuid | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getxattr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| getxattrat | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| init_module | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| inotify_add_watch | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| inotify_init | 🟢 | ppc64le,s390x,x86_64 |
| inotify_init1 | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| inotify_rm_watch | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| io_cancel | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| io_destroy | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| io_getevents | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| io_pgetevents | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| io_setup | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| io_submit | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| io_uring_enter | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| io_uring_register | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| io_uring_setup | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| ioctl | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| ioperm | 🟡 | ppc64le,x86_64 |
| iopl | 🟡 | ppc64le,x86_64 |
| ioprio_get | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| ioprio_set | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| ipc | 🟡 | ppc64le,s390x |
| kcmp | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| kexec_file_load | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| kexec_load | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| keyctl | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| kill | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| landlock_add_rule | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| landlock_create_ruleset | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| landlock_restrict_self | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| lchown | 🟢 | ppc64le,s390x,x86_64 |
| lgetxattr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| link | 🟢 | ppc64le,s390x,x86_64 |
| linkat | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| listen | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| listmount | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| listxattr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| listxattrat | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| llistxattr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| lookup_dcookie | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| lremovexattr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| lseek | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| lsetxattr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| lsm_get_self_attr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| lsm_list_modules | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| lsm_set_self_attr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| lstat | 🟢 | ppc64le,s390x,x86_64 |
| madvise | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| map_shadow_stack | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mbind | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| membarrier | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| memfd_create | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| memfd_secret | 🟡 | aarch64,riscv64,s390x,x86_64 |
| migrate_pages | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mincore | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mkdir | 🟢 | ppc64le,s390x,x86_64 |
| mkdirat | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mknod | 🟢 | ppc64le,s390x,x86_64 |
| mknodat | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mlock | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mlock2 | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mlockall | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mmap | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| modify_ldt | 🟡 | ppc64le,x86_64 |
| mount | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mount_setattr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| move_mount | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| move_pages | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mprotect | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mq_getsetattr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mq_notify | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mq_open | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mq_timedreceive | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mq_timedsend | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mq_unlink | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mremap | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| mseal | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| msgctl | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| msgget | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| msgrcv | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| msgsnd | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| msync | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| multiplexer | 🟡 | ppc64le |
| munlock | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| munlockall | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| munmap | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| name_to_handle_at | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| nanosleep | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| newfstatat | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| nice | 🟡 | ppc64le,s390x |
| oldfstat | 🟡 | ppc64le |
| oldlstat | 🟡 | ppc64le |
| oldolduname | 🟡 | ppc64le |
| oldstat | 🟡 | ppc64le |
| olduname | 🟡 | ppc64le |
| open | 🟢 | ppc64le,s390x,x86_64 |
| open_by_handle_at | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| open_tree | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| open_tree_attr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| openat | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| openat2 | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| pause | 🟡 | ppc64le,s390x,x86_64 |
| pciconfig_iobase | 🟡 | ppc64le |
| pciconfig_read | 🟡 | ppc64le |
| pciconfig_write | 🟡 | ppc64le |
| perf_event_open | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| personality | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| pidfd_getfd | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| pidfd_open | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| pidfd_send_signal | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| pipe | 🟢 | ppc64le,s390x,x86_64 |
| pipe2 | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| pivot_root | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| pkey_alloc | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| pkey_free | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| pkey_mprotect | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| poll | 🟢 | ppc64le,s390x,x86_64 |
| ppoll | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| prctl | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| pread64 | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| preadv | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| preadv2 | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| prlimit64 | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| process_madvise | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| process_mrelease | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| process_vm_readv | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| process_vm_writev | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| pselect6 | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| ptrace | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| pwrite64 | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| pwritev | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| pwritev2 | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| quotactl | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| quotactl_fd | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| read | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| readahead | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| readdir | 🟡 | ppc64le,s390x |
| readlink | 🟡 | ppc64le,s390x,x86_64 |
| readlinkat | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| readv | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| reboot | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| recv | 🟢 | ppc64le |
| recvfrom | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| recvmmsg | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| recvmsg | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| remap_file_pages | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| removexattr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| removexattrat | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| rename | 🟢 | ppc64le,s390x,x86_64 |
| renameat | 🟢 | aarch64,ppc64le,s390x,x86_64 |
| renameat2 | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| request_key | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| restart_syscall | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| riscv_flush_icache | 🟡 | riscv64 |
| riscv_hwprobe | 🟡 | riscv64 |
| rmdir | 🟢 | ppc64le,s390x,x86_64 |
| rseq | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| rt_sigaction | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| rt_sigpending | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| rt_sigprocmask | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| rt_sigqueueinfo | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| rt_sigreturn | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| rt_sigsuspend | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| rt_sigtimedwait | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| rt_tgsigqueueinfo | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| rtas | 🟡 | ppc64le |
| s390_guarded_storage | 🟡 | s390x |
| s390_pci_mmio_read | 🟡 | s390x |
| s390_pci_mmio_write | 🟡 | s390x |
| s390_runtime_instr | 🟡 | s390x |
| s390_sthyi | 🟡 | s390x |
| sched_get_priority_max | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_get_priority_min | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_getaffinity | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_getattr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_getparam | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_getscheduler | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_rr_get_interval | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_setaffinity | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_setattr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_setparam | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_setscheduler | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_yield | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| seccomp | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| select | 🟢 | ppc64le,s390x,x86_64 |
| semctl | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| semget | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| semop | 🟢 | aarch64,loongarch64,riscv64,x86_64 |
| semtimedop | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| send | 🟢 | ppc64le |
| sendfile | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sendmmsg | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sendmsg | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sendto | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| set_mempolicy | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| set_mempolicy_home_node | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| set_robust_list | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| set_thread_area | 🟡 | x86_64 |
| set_tid_address | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setdomainname | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setfsgid | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setfsuid | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setgid | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setgroups | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sethostname | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setitimer | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setns | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setpgid | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setpriority | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setregid | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setresgid | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setresuid | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setreuid | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setrlimit | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setsid | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setsockopt | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| settimeofday | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setuid | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setxattr | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| setxattrat | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sgetmask | 🟡 | ppc64le |
| shmat | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| shmctl | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| shmdt | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| shmget | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| shutdown | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sigaction | 🟡 | ppc64le,s390x |
| sigaltstack | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| signal | 🟡 | ppc64le,s390x |
| signalfd | 🟢 | ppc64le,s390x,x86_64 |
| signalfd4 | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sigpending | 🟡 | ppc64le,s390x |
| sigprocmask | 🟡 | ppc64le,s390x |
| sigreturn | 🟡 | ppc64le,s390x |
| sigsuspend | 🟡 | ppc64le,s390x |
| socket | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| socketcall | 🟡 | ppc64le,s390x |
| socketpair | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| splice | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| spu_create | 🟡 | ppc64le |
| spu_run | 🟡 | ppc64le |
| ssetmask | 🟡 | ppc64le |
| stat | 🟢 | ppc64le,s390x,x86_64 |
| statfs | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| statfs64 | 🟡 | ppc64le,s390x |
| statmount | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| statx | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| stime | 🟡 | ppc64le |
| subpage_prot | 🟡 | ppc64le |
| swapcontext | 🟡 | ppc64le |
| swapoff | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| swapon | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| switch_endian | 🟡 | ppc64le |
| symlink | 🟢 | ppc64le,s390x,x86_64 |
| symlinkat | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sync | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sync_file_range | 🟡 | aarch64,loongarch64,riscv64,s390x,x86_64 |
| sync_file_range2 | 🟡 | ppc64le |
| syncfs | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| sys_debug_setcontext | 🟡 | ppc64le |
| sysfs | 🟡 | ppc64le,s390x,x86_64 |
| sysinfo | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| syslog | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| tee | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| tgkill | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| time | 🟡 | ppc64le,x86_64 |
| timer_create | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| timer_delete | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| timer_getoverrun | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| timer_gettime | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| timer_settime | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| timerfd | 🟡 | s390x |
| timerfd_create | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| timerfd_gettime | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| timerfd_settime | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| times | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| tkill | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| truncate | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| ugetrlimit | 🟢 | ppc64le |
| umask | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| umount | 🟢 | ppc64le,s390x |
| umount2 | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| uname | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| unlink | 🟢 | ppc64le,s390x,x86_64 |
| unlinkat | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| unshare | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| uretprobe | 🟡 | x86_64 |
| userfaultfd | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| ustat | 🟡 | ppc64le,s390x,x86_64 |
| utime | 🟡 | ppc64le,s390x,x86_64 |
| utimensat | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| utimes | 🟡 | ppc64le,s390x,x86_64 |
| vfork | 🟢 | ppc64le,s390x,x86_64 |
| vhangup | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| vm86 | 🟡 | ppc64le |
| vmsplice | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| wait4 | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| waitid | 🟡 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| waitpid | 🟡 | ppc64le |
| write | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| writev | 🟢 | aarch64,loongarch64,ppc64le,riscv64,s390x,x86_64 |
| SYSCALL | SUPPORTED | ARCHITECTURE |
|-------------------------|-----------|--------------------------------------|
| _llseek | 🟢 | ppc64le |
| _newselect | 🟡 | ppc64le |
| accept | 🟢 | aarch64,ppc64le,riscv64,x86_64 |
| accept4 | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| access | 🟢 | ppc64le,s390x,x86_64 |
| acct | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| add_key | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| adjtimex | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| alarm | 🟡 | ppc64le,s390x,x86_64 |
| arch_prctl | 🟡 | x86_64 |
| bind | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| bpf | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| brk | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| cachestat | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| capget | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| capset | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| chdir | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| chmod | 🟢 | ppc64le,s390x,x86_64 |
| chown | 🟢 | ppc64le,s390x,x86_64 |
| chroot | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| clock_adjtime | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| clock_getres | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| clock_gettime | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| clock_nanosleep | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| clock_settime | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| clone | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| clone3 | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| close | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| close_range | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| connect | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| copy_file_range | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| creat | 🟢 | ppc64le,s390x,x86_64 |
| delete_module | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| dup | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| dup2 | 🟢 | ppc64le,s390x,x86_64 |
| dup3 | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| epoll_create | 🟢 | ppc64le,s390x,x86_64 |
| epoll_create1 | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| epoll_ctl | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| epoll_ctl_old | 🟡 | x86_64 |
| epoll_pwait | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| epoll_pwait2 | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| epoll_wait | 🟢 | ppc64le,s390x,x86_64 |
| epoll_wait_old | 🟡 | x86_64 |
| eventfd | 🟢 | ppc64le,s390x,x86_64 |
| eventfd2 | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| execve | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| execveat | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| exit | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| exit_group | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| faccessat | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| faccessat2 | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fadvise64 | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fallocate | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fanotify_init | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fanotify_mark | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fchdir | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fchmod | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fchmodat | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fchmodat2 | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fchown | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fchownat | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fcntl | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fdatasync | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fgetxattr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| finit_module | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| flistxattr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| flock | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fork | 🟢 | ppc64le,s390x,x86_64 |
| fremovexattr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fsconfig | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fsetxattr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fsmount | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fsopen | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fspick | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fstat | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fstatfs | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| fstatfs64 | 🟡 | ppc64le,s390x |
| fsync | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| ftruncate | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| futex | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| futex_requeue | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| futex_wait | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| futex_waitv | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| futex_wake | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| futimesat | 🟡 | ppc64le,s390x,x86_64 |
| get_mempolicy | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| get_robust_list | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| get_thread_area | 🟡 | x86_64 |
| getcpu | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getcwd | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getdents | 🟢 | ppc64le,s390x,x86_64 |
| getdents64 | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getegid | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| geteuid | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getgid | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getgroups | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getitimer | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getpeername | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getpgid | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getpgrp | 🟡 | ppc64le,s390x,x86_64 |
| getpid | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getppid | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getpriority | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getrandom | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getresgid | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getresuid | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getrlimit | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getrusage | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getsid | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getsockname | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getsockopt | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| gettid | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| gettimeofday | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getuid | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| getxattr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| init_module | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| inotify_add_watch | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| inotify_init | 🟢 | ppc64le,s390x,x86_64 |
| inotify_init1 | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| inotify_rm_watch | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| io_cancel | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| io_destroy | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| io_getevents | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| io_pgetevents | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| io_setup | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| io_submit | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| io_uring_enter | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| io_uring_register | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| io_uring_setup | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| ioctl | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| ioperm | 🟡 | ppc64le,x86_64 |
| iopl | 🟡 | ppc64le,x86_64 |
| ioprio_get | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| ioprio_set | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| ipc | 🟡 | ppc64le,s390x |
| kcmp | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| kexec_file_load | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| kexec_load | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| keyctl | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| kill | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| landlock_add_rule | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| landlock_create_ruleset | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| landlock_restrict_self | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| lchown | 🟢 | ppc64le,s390x,x86_64 |
| lgetxattr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| link | 🟢 | ppc64le,s390x,x86_64 |
| linkat | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| listen | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| listmount | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| listxattr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| llistxattr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| lookup_dcookie | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| lremovexattr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| lseek | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| lsetxattr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| lsm_get_self_attr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| lsm_list_modules | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| lsm_set_self_attr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| lstat | 🟢 | ppc64le,s390x,x86_64 |
| madvise | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| map_shadow_stack | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| mbind | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| membarrier | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| memfd_create | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| memfd_secret | 🟡 | aarch64,riscv64,s390x,x86_64 |
| migrate_pages | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| mincore | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| mkdir | 🟢 | ppc64le,s390x,x86_64 |
| mkdirat | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| mknod | 🟢 | ppc64le,s390x,x86_64 |
| mknodat | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| mlock | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| mlock2 | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| mlockall | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| mmap | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| modify_ldt | 🟡 | ppc64le,x86_64 |
| mount | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| mount_setattr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| move_mount | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| move_pages | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| mprotect | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| mq_getsetattr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| mq_notify | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| mq_open | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| mq_timedreceive | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| mq_timedsend | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| mq_unlink | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| mremap | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| msgctl | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| msgget | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| msgrcv | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| msgsnd | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| msync | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| multiplexer | 🟡 | ppc64le |
| munlock | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| munlockall | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| munmap | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| name_to_handle_at | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| nanosleep | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| newfstatat | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| nice | 🟡 | ppc64le,s390x |
| oldfstat | 🟡 | ppc64le |
| oldlstat | 🟡 | ppc64le |
| oldolduname | 🟡 | ppc64le |
| oldstat | 🟡 | ppc64le |
| olduname | 🟡 | ppc64le |
| open | 🟢 | ppc64le,s390x,x86_64 |
| open_by_handle_at | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| open_tree | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| openat | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| openat2 | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| pause | 🟡 | ppc64le,s390x,x86_64 |
| pciconfig_iobase | 🟡 | ppc64le |
| pciconfig_read | 🟡 | ppc64le |
| pciconfig_write | 🟡 | ppc64le |
| perf_event_open | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| personality | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| pidfd_getfd | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| pidfd_open | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| pidfd_send_signal | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| pipe | 🟢 | ppc64le,s390x,x86_64 |
| pipe2 | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| pivot_root | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| pkey_alloc | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| pkey_free | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| pkey_mprotect | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| poll | 🟢 | ppc64le,s390x,x86_64 |
| ppoll | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| prctl | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| pread64 | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| preadv | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| preadv2 | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| prlimit64 | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| process_madvise | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| process_mrelease | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| process_vm_readv | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| process_vm_writev | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| pselect6 | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| ptrace | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| pwrite64 | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| pwritev | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| pwritev2 | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| quotactl | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| quotactl_fd | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| read | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| readahead | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| readdir | 🟡 | ppc64le,s390x |
| readlink | 🟡 | ppc64le,s390x,x86_64 |
| readlinkat | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| readv | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| reboot | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| recv | 🟢 | ppc64le |
| recvfrom | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| recvmmsg | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| recvmsg | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| remap_file_pages | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| removexattr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| rename | 🟢 | ppc64le,s390x,x86_64 |
| renameat | 🟢 | aarch64,ppc64le,s390x,x86_64 |
| renameat2 | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| request_key | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| restart_syscall | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| riscv_flush_icache | 🟡 | riscv64 |
| riscv_hwprobe | 🟡 | riscv64 |
| rmdir | 🟢 | ppc64le,s390x,x86_64 |
| rseq | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| rt_sigaction | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| rt_sigpending | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| rt_sigprocmask | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| rt_sigqueueinfo | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| rt_sigreturn | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| rt_sigsuspend | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| rt_sigtimedwait | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| rt_tgsigqueueinfo | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| rtas | 🟡 | ppc64le |
| s390_guarded_storage | 🟡 | s390x |
| s390_pci_mmio_read | 🟡 | s390x |
| s390_pci_mmio_write | 🟡 | s390x |
| s390_runtime_instr | 🟡 | s390x |
| s390_sthyi | 🟡 | s390x |
| sched_get_priority_max | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_get_priority_min | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_getaffinity | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_getattr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_getparam | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_getscheduler | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_rr_get_interval | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_setaffinity | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_setattr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_setparam | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_setscheduler | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sched_yield | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| seccomp | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| select | 🟢 | ppc64le,s390x,x86_64 |
| semctl | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| semget | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| semop | 🟢 | aarch64,riscv64,x86_64 |
| semtimedop | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| send | 🟢 | ppc64le |
| sendfile | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sendmmsg | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sendmsg | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sendto | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| set_mempolicy | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| set_mempolicy_home_node | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| set_robust_list | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| set_thread_area | 🟡 | x86_64 |
| set_tid_address | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setdomainname | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setfsgid | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setfsuid | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setgid | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setgroups | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sethostname | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setitimer | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setns | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setpgid | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setpriority | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setregid | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setresgid | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setresuid | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setreuid | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setrlimit | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setsid | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setsockopt | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| settimeofday | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setuid | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| setxattr | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sgetmask | 🟡 | ppc64le |
| shmat | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| shmctl | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| shmdt | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| shmget | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| shutdown | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sigaction | 🟡 | ppc64le,s390x |
| sigaltstack | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| signal | 🟡 | ppc64le,s390x |
| signalfd | 🟢 | ppc64le,s390x,x86_64 |
| signalfd4 | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sigpending | 🟡 | ppc64le,s390x |
| sigprocmask | 🟡 | ppc64le,s390x |
| sigreturn | 🟡 | ppc64le,s390x |
| sigsuspend | 🟡 | ppc64le,s390x |
| socket | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| socketcall | 🟡 | ppc64le,s390x |
| socketpair | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| splice | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| spu_create | 🟡 | ppc64le |
| spu_run | 🟡 | ppc64le |
| ssetmask | 🟡 | ppc64le |
| stat | 🟢 | ppc64le,s390x,x86_64 |
| statfs | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| statfs64 | 🟡 | ppc64le,s390x |
| statmount | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| statx | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| stime | 🟡 | ppc64le |
| subpage_prot | 🟡 | ppc64le |
| swapcontext | 🟡 | ppc64le |
| swapoff | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| swapon | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| switch_endian | 🟡 | ppc64le |
| symlink | 🟢 | ppc64le,s390x,x86_64 |
| symlinkat | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sync | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sync_file_range | 🟡 | aarch64,riscv64,s390x,x86_64 |
| sync_file_range2 | 🟡 | ppc64le |
| syncfs | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| sys_debug_setcontext | 🟡 | ppc64le |
| sysfs | 🟡 | ppc64le,s390x,x86_64 |
| sysinfo | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| syslog | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| tee | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| tgkill | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| time | 🟡 | ppc64le,x86_64 |
| timer_create | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| timer_delete | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| timer_getoverrun | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| timer_gettime | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| timer_settime | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| timerfd | 🟡 | s390x |
| timerfd_create | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| timerfd_gettime | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| timerfd_settime | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| times | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| tkill | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| truncate | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| ugetrlimit | 🟢 | ppc64le |
| umask | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| umount | 🟢 | ppc64le,s390x |
| umount2 | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| uname | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| unlink | 🟢 | ppc64le,s390x,x86_64 |
| unlinkat | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| unshare | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| userfaultfd | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| ustat | 🟡 | ppc64le,s390x,x86_64 |
| utime | 🟡 | ppc64le,s390x,x86_64 |
| utimensat | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| utimes | 🟡 | ppc64le,s390x,x86_64 |
| vfork | 🟢 | ppc64le,s390x,x86_64 |
| vhangup | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| vm86 | 🟡 | ppc64le |
| vmsplice | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| wait4 | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| waitid | 🟡 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| waitpid | 🟡 | ppc64le |
| write | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |
| writev | 🟢 | aarch64,ppc64le,riscv64,s390x,x86_64 |


@ -1 +1 @@
8.0.4
8.0.2


@ -2,31 +2,25 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# This file is dual licensed under either the MIT or GPL 2. See MIT.txt or GPL.txt for full copies
# of the license.
# This file is dual licensed under either the MIT or GPL 2. See
# MIT.txt or GPL.txt for full copies of the license.
#
cmake_minimum_required(VERSION 3.12)
project(driver)
set(TARGET_ARCH ${CMAKE_HOST_SYSTEM_PROCESSOR})
if((NOT TARGET_ARCH STREQUAL "x86_64")
AND (NOT TARGET_ARCH STREQUAL "aarch64")
AND (NOT TARGET_ARCH STREQUAL "s390x")
AND (NOT TARGET_ARCH STREQUAL "riscv64")
AND (NOT TARGET_ARCH STREQUAL "ppc64le")
AND (NOT TARGET_ARCH STREQUAL "loongarch64")
)
if((NOT TARGET_ARCH STREQUAL "x86_64") AND
(NOT TARGET_ARCH STREQUAL "aarch64") AND
(NOT TARGET_ARCH STREQUAL "s390x") AND
(NOT TARGET_ARCH STREQUAL "riscv64") AND
(NOT TARGET_ARCH STREQUAL "ppc64le"))
message(WARNING "Target architecture not officially supported by our drivers!")
else()
# Load current kernel version
execute_process(
COMMAND uname -r
OUTPUT_VARIABLE UNAME_RESULT
OUTPUT_STRIP_TRAILING_WHITESPACE
)
execute_process(COMMAND uname -r OUTPUT_VARIABLE UNAME_RESULT OUTPUT_STRIP_TRAILING_WHITESPACE)
string(REGEX MATCH "[0-9]+.[0-9]+" LINUX_KERNEL_VERSION ${UNAME_RESULT})
message(STATUS "Kernel version: ${UNAME_RESULT}")
message(STATUS "Kernel version: ${UNAME_RESULT}")
# Check minimum kernel version
set(kmod_min_kver_map_x86_64 2.6)
@ -34,13 +28,8 @@ else()
set(kmod_min_kver_map_s390x 2.6)
set(kmod_min_kver_map_riscv64 5.0)
set(kmod_min_kver_map_ppc64le 2.6)
set(kmod_min_kver_map_loongarch64 5.10)
if(LINUX_KERNEL_VERSION VERSION_LESS ${kmod_min_kver_map_${TARGET_ARCH}})
message(
WARNING
"[KMOD] To run this driver you need a Linux kernel version >= ${kmod_min_kver_map_${TARGET_ARCH}} but actual kernel version is: ${UNAME_RESULT}"
)
if (LINUX_KERNEL_VERSION VERSION_LESS ${kmod_min_kver_map_${TARGET_ARCH}})
message(WARNING "[KMOD] To run this driver you need a Linux kernel version >= ${kmod_min_kver_map_${TARGET_ARCH}} but actual kernel version is: ${UNAME_RESULT}")
endif()
endif()
@ -48,9 +37,8 @@ option(BUILD_DRIVER "Build the driver on Linux" ON)
option(ENABLE_DKMS "Enable DKMS on Linux" ON)
if(NOT DEFINED DRIVER_VERSION)
message(
FATAL_ERROR
"No DRIVER_VERSION set.\nPlease either explicitly set it or build the root project 'falcosecurity/libs' from a git working directory."
message(FATAL_ERROR
"No DRIVER_VERSION set.\nPlease either explicitly set it or build the root project 'falcosecurity/libs' from a git working directory."
)
endif()
@ -73,30 +61,36 @@ if(NOT DEFINED DRIVER_DEVICE_NAME)
set(DRIVER_DEVICE_NAME "${DRIVER_NAME}")
endif()
# The driver build process is somewhat involved because we use the same sources for building the
# driver locally and for shipping as a DKMS module.
# The driver build process is somewhat involved because we use the same
# sources for building the driver locally and for shipping as a DKMS module.
#
# We need a single directory with the following files inside: - all the driver *.c/*.h sources -
# Makefile generated from Makefile.in - driver_config.h generated from driver_config.h.in
# We need a single directory with the following files inside:
# - all the driver *.c/*.h sources
# - Makefile generated from Makefile.in
# - driver_config.h generated from driver_config.h.in
#
# The Makefile _must_ be called just Makefile (and not e.g. Makefile.dkms) because of the module
# build process, which looks like this: 1. The user (or some script) runs make in our driver
# directory 2. Our Makefile runs the Makefile from kernel sources/headers 3. The kernel Makefile
# calls our original Makefile again, with options that trigger the actual build. This step cannot
# know that our Makefile has a different name.
# The Makefile _must_ be called just Makefile (and not e.g. Makefile.dkms)
# because of the module build process, which looks like this:
# 1. The user (or some script) runs make in our driver directory
# 2. Our Makefile runs the Makefile from kernel sources/headers
# 3. The kernel Makefile calls our original Makefile again, with options that
# trigger the actual build. This step cannot know that our Makefile has
# a different name.
#
# (DKMS needs a Makefile called Makefile as well).
#
# The files need to be in a single directory because we cannot know where the sources will be built
# (especially by DKMS) so we cannot put _any_ paths in the Makefile.
# The files need to be in a single directory because we cannot know where
# the sources will be built (especially by DKMS) so we cannot put _any_ paths
# in the Makefile.
#
# The chosen directory must not be ${CMAKE_CURRENT_BINARY_DIR} because CMake puts its own generated
# Makefile in there, so we (arbitrarily) choose ${CMAKE_CURRENT_BINARY_DIR}/src. To maintain
# compatibility with older versions, after the build we copy the compiled module one directory up,
# The chosen directory must not be ${CMAKE_CURRENT_BINARY_DIR} because CMake
# puts its own generated Makefile in there, so we (arbitrarily) choose
# ${CMAKE_CURRENT_BINARY_DIR}/src. To maintain compatibility with older versions,
# after the build we copy the compiled module one directory up,
# to ${CMAKE_CURRENT_BINARY_DIR}.
include(compute_versions RESULT_VARIABLE RESULT)
if(RESULT STREQUAL NOTFOUND)
message(FATAL_ERROR "problem with compute_versions.cmake in ${CMAKE_MODULE_PATH}")
message(FATAL_ERROR "problem with compute_versions.cmake in ${CMAKE_MODULE_PATH}")
endif()
compute_versions(API_VERSION SCHEMA_VERSION)
@ -111,26 +105,23 @@ file(GLOB configure_modules "${CMAKE_CURRENT_SOURCE_DIR}/configure/*")
foreach(subdir ${configure_modules})
if(IS_DIRECTORY "${subdir}")
file(RELATIVE_PATH CONFIGURE_MODULE "${CMAKE_CURRENT_SOURCE_DIR}/configure" "${subdir}")
configure_file(
configure/${CONFIGURE_MODULE}/test.c src/configure/${CONFIGURE_MODULE}/test.c COPYONLY
)
configure_file(configure/${CONFIGURE_MODULE}/test.c src/configure/${CONFIGURE_MODULE}/test.c COPYONLY)
configure_file(configure/Makefile src/configure/${CONFIGURE_MODULE}/Makefile COPYONLY)
configure_file(configure/build.sh src/configure/${CONFIGURE_MODULE}/build.sh COPYONLY)
configure_file(configure/Makefile.inc.in src/configure/${CONFIGURE_MODULE}/Makefile.inc)
if(ENABLE_DKMS)
install(
FILES "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/build.sh"
"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/test.c"
"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile"
"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile.inc"
DESTINATION
"src/${DRIVER_PACKAGE_NAME}-${DRIVER_VERSION}/configure/${CONFIGURE_MODULE}"
COMPONENT ${DRIVER_KMOD_COMPONENT_NAME}
)
install(FILES
"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/build.sh"
"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/test.c"
"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile"
"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile.inc"
DESTINATION "src/${DRIVER_PACKAGE_NAME}-${DRIVER_VERSION}/configure/${CONFIGURE_MODULE}"
COMPONENT ${DRIVER_KMOD_COMPONENT_NAME})
endif()
endif()
endforeach()
set(DRIVER_SOURCES
dynamic_params_table.c
event_table.c
@ -158,11 +149,6 @@ set(DRIVER_SOURCES
ppm_consumer.h
capture_macro.h
socketcall_to_syscall.h
syscall_compat_loongarch64.h
syscall_compat_ppc64le.h
syscall_compat_riscv64.h
syscall_compat_s390x.h
syscall_compat_x86_64.h
syscall_ia32_64_map.c
)
@ -170,51 +156,44 @@ foreach(FILENAME IN LISTS DRIVER_SOURCES)
configure_file(${FILENAME} src/${FILENAME} COPYONLY)
endforeach()
# make can be self-referenced as $(MAKE) only from Makefiles but this triggers syntax errors with
# other generators such as Ninja
# make can be self-referenced as $(MAKE) only from Makefiles but this
# triggers syntax errors with other generators such as Ninja
if(${CMAKE_GENERATOR} STREQUAL "Unix Makefiles")
set(MAKE_COMMAND "$(MAKE)")
else()
set(MAKE_COMMAND "make")
endif()
# This if/else is needed because you currently cannot manipulate dependencies of built-in targets
# like "all" in CMake: http://public.kitware.com/Bug/view.php?id=8438
# This if/else is needed because you currently cannot manipulate dependencies
# of built-in targets like "all" in CMake:
# http://public.kitware.com/Bug/view.php?id=8438
if(BUILD_DRIVER)
add_custom_target(
driver ALL
add_custom_target(driver ALL
COMMAND ${MAKE_COMMAND}
COMMAND "${CMAKE_COMMAND}" -E copy_if_different ${DRIVER_NAME}.ko
"${CMAKE_CURRENT_BINARY_DIR}"
COMMAND "${CMAKE_COMMAND}" -E copy_if_different ${DRIVER_NAME}.ko "${CMAKE_CURRENT_BINARY_DIR}"
WORKING_DIRECTORY src
VERBATIM
)
VERBATIM)
else()
add_custom_target(
driver
add_custom_target(driver
COMMAND ${MAKE_COMMAND}
COMMAND "${CMAKE_COMMAND}" -E copy_if_different ${DRIVER_NAME}.ko
"${CMAKE_CURRENT_BINARY_DIR}"
COMMAND "${CMAKE_COMMAND}" -E copy_if_different ${DRIVER_NAME}.ko "${CMAKE_CURRENT_BINARY_DIR}"
WORKING_DIRECTORY src
VERBATIM
)
VERBATIM)
endif()
add_custom_target(
install_driver
add_custom_target(install_driver
COMMAND ${MAKE_COMMAND} install
DEPENDS driver
WORKING_DIRECTORY src
VERBATIM
)
VERBATIM)
if(ENABLE_DKMS)
install(
FILES ${CMAKE_CURRENT_BINARY_DIR}/src/Makefile ${CMAKE_CURRENT_BINARY_DIR}/src/dkms.conf
${CMAKE_CURRENT_BINARY_DIR}/src/driver_config.h ${DRIVER_SOURCES}
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/src/Makefile
${CMAKE_CURRENT_BINARY_DIR}/src/dkms.conf
${CMAKE_CURRENT_BINARY_DIR}/src/driver_config.h
${DRIVER_SOURCES}
DESTINATION "src/${DRIVER_PACKAGE_NAME}-${DRIVER_VERSION}"
COMPONENT ${DRIVER_KMOD_COMPONENT_NAME}
)
COMPONENT ${DRIVER_KMOD_COMPONENT_NAME})
endif()
add_subdirectory(bpf)


@ -29,7 +29,7 @@ install: all
else
KERNELDIR ?= $(realpath $(objtree))
KERNELDIR ?= $(CURDIR)
#
# Get the path of the module sources
#
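Review bot: `KERNELDIR ?= $(CURDIR)` makes the kernel tree location depend on the directory make is running in when kbuild re-enters this Makefile, whereas the other variant shown in this hunk, `KERNELDIR ?= $(realpath $(objtree))`, names the kernel object tree explicitly. The same pair of lines appears in the BPF Makefile section further down, where `KERNELDIR` also feeds `grep -sc ... $(KERNELDIR)/include/linux/sched.h`; with `-s` a wrong path is silent and the COS workaround check just reads as not needed. If the `$(CURDIR)` form is the side being kept, I would at least document the assumption above it, e.g. `# KERNELDIR falls back to make's working directory; this is only the kernel build tree while kbuild runs from there`. The surrounding `ifeq`/`else` block starts and ends outside this hunk.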


@ -1 +1 @@
3.69.0
2.18.2


@ -2,8 +2,8 @@
#
# Copyright (C) 2023 The Falco Authors.
#
# This file is dual licensed under either the MIT or GPL 2. See MIT.txt or GPL.txt for full copies
# of the license.
# This file is dual licensed under either the MIT or GPL 2. See
# MIT.txt or GPL.txt for full copies of the license.
#
configure_file(../driver_config.h.in ${CMAKE_CURRENT_SOURCE_DIR}/../driver_config.h)
@ -15,21 +15,16 @@ if(BUILD_BPF)
set(bpf_min_kver_map_x86_64 4.14)
set(bpf_min_kver_map_aarch64 4.17)
set(bpf_min_kver_map_s390x 5.5)
set(bpf_min_kver_map_ppc64le 5.1)
if(LINUX_KERNEL_VERSION VERSION_LESS ${bpf_min_kver_map_${TARGET_ARCH}})
message(
WARNING
"[BPF] To run this driver you need a Linux kernel version >= ${bpf_min_kver_map_${TARGET_ARCH}} but actual kernel version is: ${UNAME_RESULT}"
)
set(bpf_min_kver_map_ppc64le 4.18)
if (LINUX_KERNEL_VERSION VERSION_LESS ${bpf_min_kver_map_${TARGET_ARCH}})
message(WARNING "[BPF] To run this driver you need a Linux kernel version >= ${bpf_min_kver_map_${TARGET_ARCH}} but actual kernel version is: ${UNAME_RESULT}")
endif()
add_custom_target(
bpf ALL
COMMAND make
COMMAND "${CMAKE_COMMAND}" -E copy_if_different probe.o "${CMAKE_CURRENT_BINARY_DIR}"
WORKING_DIRECTORY src
VERBATIM
)
add_custom_target(bpf ALL
COMMAND make
COMMAND "${CMAKE_COMMAND}" -E copy_if_different probe.o "${CMAKE_CURRENT_BINARY_DIR}"
WORKING_DIRECTORY src
VERBATIM)
endif()
set(BPF_SOURCES
@ -56,16 +51,16 @@ file(GLOB DRIVER_HEADERS ${CMAKE_CURRENT_SOURCE_DIR}/../*.h)
list(APPEND BPF_SOURCES ${DRIVER_HEADERS})
set(INSTALL_SET "")
# Copy all needed sources under src folder in current binary dir and add them to the set of
# installed files
# Copy all needed sources under src folder in current binary dir
# and add them to the set of installed files
foreach(SOURCE IN LISTS BPF_SOURCES)
get_filename_component(FILENAME ${SOURCE} NAME)
configure_file(${SOURCE} src/${FILENAME} COPYONLY)
list(APPEND INSTALL_SET ${CMAKE_CURRENT_BINARY_DIR}/src/${FILENAME})
endforeach()
install(
FILES ${INSTALL_SET}
install(FILES
${INSTALL_SET}
DESTINATION "src/${DRIVER_PACKAGE_NAME}-${DRIVER_VERSION}/bpf"
COMPONENT ${DRIVER_BPF_COMPONENT_NAME}
)
@ -77,20 +72,16 @@ file(GLOB configure_modules "${CMAKE_CURRENT_SOURCE_DIR}/configure/*")
foreach(subdir ${configure_modules})
if(IS_DIRECTORY "${subdir}")
file(RELATIVE_PATH CONFIGURE_MODULE "${CMAKE_CURRENT_SOURCE_DIR}/configure" "${subdir}")
configure_file(
configure/${CONFIGURE_MODULE}/test.c src/configure/${CONFIGURE_MODULE}/test.c COPYONLY
)
configure_file(configure/${CONFIGURE_MODULE}/test.c src/configure/${CONFIGURE_MODULE}/test.c COPYONLY)
configure_file(configure/Makefile src/configure/${CONFIGURE_MODULE}/Makefile COPYONLY)
configure_file(configure/build.sh src/configure/${CONFIGURE_MODULE}/build.sh COPYONLY)
configure_file(configure/Makefile.inc.in src/configure/${CONFIGURE_MODULE}/Makefile.inc)
install(
FILES "${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/build.sh"
"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/test.c"
"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile"
"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile.inc"
DESTINATION
"src/${DRIVER_PACKAGE_NAME}-${DRIVER_VERSION}/bpf/configure/${CONFIGURE_MODULE}"
COMPONENT ${DRIVER_BPF_COMPONENT_NAME}
)
install(FILES
"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/build.sh"
"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/test.c"
"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile"
"${CMAKE_CURRENT_BINARY_DIR}/src/configure/${CONFIGURE_MODULE}/Makefile.inc"
DESTINATION "src/${DRIVER_PACKAGE_NAME}-${DRIVER_VERSION}/bpf/configure/${CONFIGURE_MODULE}"
COMPONENT ${DRIVER_BPF_COMPONENT_NAME})
endif()
endforeach()
endforeach()
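Review bot: The minimum-version check `if (LINUX_KERNEL_VERSION VERSION_LESS ${bpf_min_kver_map_${TARGET_ARCH}})` expands an unquoted variable that is only set for x86_64, aarch64, s390x and ppc64le. For any other `TARGET_ARCH` the right-hand operand disappears and `if()` fails with an argument error instead of a readable message; whether `BUILD_BPF` is already restricted to those four architectures is not visible in this section. Quoting the operand and testing for a missing entry first would make that case explicit: `if(NOT DEFINED bpf_min_kver_map_${TARGET_ARCH})` with a `message(WARNING ...)`, then `VERSION_LESS "${bpf_min_kver_map_${TARGET_ARCH}}"`. The ppc64le minimum also differs between the two sides (5.1 and 4.18) with no comment saying which kernel feature sets it.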


@ -13,40 +13,16 @@ always = $(always-y)
LLC ?= llc
CLANG ?= clang
# DEBUG = -DBPF_DEBUG
ifeq ($(strip $(MAKEFILE_LIST)),Makefile)
KERNELDIR ?= /lib/modules/$(shell uname -r)/build
all:
$(MAKE) -C $(KERNELDIR) M=$$PWD
clean:
$(MAKE) -C $(KERNELDIR) M=$$PWD clean
@rm -f *~
else
KERNELDIR ?= $(realpath $(objtree))
#
# Get the path of the module sources
#
FIRST_MAKEFILE := $(firstword $(MAKEFILE_LIST))
FIRST_MAKEFILE_FILENAME := $(notdir $(FIRST_MAKEFILE))
FIRST_MAKEFILE_DIRNAME := $(shell basename $(dir $(FIRST_MAKEFILE)))
ifeq ($(FIRST_MAKEFILE_DIRNAME)/$(FIRST_MAKEFILE_FILENAME), scripts/Makefile.build)
# Build phase
MODULE_MAKEFILE_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
MAKEFILE_INC_FILES := $(shell find $(MODULE_MAKEFILE_DIR)/configure -type f -name Makefile.inc)
$(info [configure-bpf] Including $(MAKEFILE_INC_FILES))
include $(MAKEFILE_INC_FILES)
endif
# DEBUG = -DBPF_DEBUG
#
# https://chromium.googlesource.com/chromiumos/third_party/kernel/+/096925a44076ba5c52faa84d255a847130ff341e%5E%21/#F2
# This commit diverged the ChromiumOS kernel from stock in the area of audit information, which this probe accesses.
#
#
# This enables the workaround for this divergence.
#
NEEDS_COS_73_WORKAROUND = $(shell expr `grep -sc "^\s*struct\s\+audit_task_info\s\+\*audit;\s*$$" $(KERNELDIR)/include/linux/sched.h` = 1)
@ -61,6 +37,30 @@ ifeq ($(IS_CLANG_OLDER_THAN_10), 1)
KBUILD_CPPFLAGS := $(filter-out -fmacro-prefix-map=%,$(KBUILD_CPPFLAGS))
endif
all:
$(MAKE) -C $(KERNELDIR) M=$$PWD
clean:
$(MAKE) -C $(KERNELDIR) M=$$PWD clean
@rm -f *~
else
KERNELDIR ?= $(CURDIR)
#
# Get the path of the module sources
#
FIRST_MAKEFILE := $(firstword $(MAKEFILE_LIST))
FIRST_MAKEFILE_FILENAME := $(notdir $(FIRST_MAKEFILE))
FIRST_MAKEFILE_DIRNAME := $(shell basename $(dir $(FIRST_MAKEFILE)))
ifeq ($(FIRST_MAKEFILE_DIRNAME)/$(FIRST_MAKEFILE_FILENAME), scripts/Makefile.build)
# Build phase
MODULE_MAKEFILE_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
MAKEFILE_INC_FILES := $(shell find $(MODULE_MAKEFILE_DIR)/configure -type f -name Makefile.inc)
$(info [configure-bpf] Including $(MAKEFILE_INC_FILES))
include $(MAKEFILE_INC_FILES)
endif
$(obj)/probe.o: $(src)/probe.c \
$(src)/bpf_helpers.h \
$(src)/filler_helpers.h \
@ -86,4 +86,4 @@ $(obj)/probe.o: $(src)/probe.c \
-O2 -g -emit-llvm -c $< -o $(patsubst %.o,%.ll,$@)
$(LLC) -march=bpf -filetype=obj -o $@ $(patsubst %.o,%.ll,$@)
endif # $(strip $(MAKEFILE_LIST)),Makefile
endif # $(strip $(MAKEFILE_LIST)),Makefile


@ -10,99 +10,102 @@ or GPL2.txt for full copies of the license.
#ifndef __BPF_HELPERS_H
#define __BPF_HELPERS_H
static void *(*bpf_map_lookup_elem)(void *map, void *key) = (void *)BPF_FUNC_map_lookup_elem;
static int (*bpf_map_update_elem)(void *map,
void *key,
void *value,
unsigned long long flags) = (void *)BPF_FUNC_map_update_elem;
static int (*bpf_map_delete_elem)(void *map, void *key) = (void *)BPF_FUNC_map_delete_elem;
static int (*bpf_probe_read)(void *dst, int size, void *unsafe_ptr) = (void *)BPF_FUNC_probe_read;
static void *(*bpf_map_lookup_elem)(void *map, void *key) =
(void *)BPF_FUNC_map_lookup_elem;
static int (*bpf_map_update_elem)(void *map, void *key, void *value,
unsigned long long flags) =
(void *)BPF_FUNC_map_update_elem;
static int (*bpf_map_delete_elem)(void *map, void *key) =
(void *)BPF_FUNC_map_delete_elem;
static int (*bpf_probe_read)(void *dst, int size, void *unsafe_ptr) =
(void *)BPF_FUNC_probe_read;
/* Introduced in linux 5.8, see
* https://github.com/torvalds/linux/commit/71d19214776e61b33da48f7c1b46e522c7f78221 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
static unsigned long long (*bpf_ktime_get_boot_ns)(void) = (void *)BPF_FUNC_ktime_get_boot_ns;
/* Introduced in linux 5.8, see https://github.com/torvalds/linux/commit/71d19214776e61b33da48f7c1b46e522c7f78221 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,8,0)
static unsigned long long (*bpf_ktime_get_boot_ns)(void) =
(void *)BPF_FUNC_ktime_get_boot_ns;
#else
/* fallback at using old, non suspend-time aware, helper */
static unsigned long long (*bpf_ktime_get_boot_ns)(void) = (void *)BPF_FUNC_ktime_get_ns;
static unsigned long long (*bpf_ktime_get_boot_ns)(void) =
(void *)BPF_FUNC_ktime_get_ns;
#endif
static int (*bpf_trace_printk)(const char *fmt, int fmt_size, ...) = (void *)BPF_FUNC_trace_printk;
static void (*bpf_tail_call)(void *ctx, void *map, int index) = (void *)BPF_FUNC_tail_call;
static unsigned long long (*bpf_get_smp_processor_id)(void) = (void *)BPF_FUNC_get_smp_processor_id;
static unsigned long long (*bpf_get_current_pid_tgid)(void) = (void *)BPF_FUNC_get_current_pid_tgid;
static unsigned long long (*bpf_get_current_uid_gid)(void) = (void *)BPF_FUNC_get_current_uid_gid;
static int (*bpf_get_current_comm)(void *buf, int buf_size) = (void *)BPF_FUNC_get_current_comm;
static int (*bpf_perf_event_read)(void *map, int index) = (void *)BPF_FUNC_perf_event_read;
static int (*bpf_clone_redirect)(void *ctx,
int ifindex,
int flags) = (void *)BPF_FUNC_clone_redirect;
static int (*bpf_redirect)(int ifindex, int flags) = (void *)BPF_FUNC_redirect;
static int (*bpf_perf_event_output)(void *ctx,
void *map,
unsigned long long flags,
void *data,
int size) = (void *)BPF_FUNC_perf_event_output;
static int (*bpf_get_stackid)(void *ctx, void *map, int flags) = (void *)BPF_FUNC_get_stackid;
static int (*bpf_probe_write_user)(void *dst,
void *src,
int size) = (void *)BPF_FUNC_probe_write_user;
static int (*bpf_current_task_under_cgroup)(void *map,
int index) = (void *)BPF_FUNC_current_task_under_cgroup;
static int (*bpf_skb_get_tunnel_key)(void *ctx, void *key, int size, int flags) = (void *)
BPF_FUNC_skb_get_tunnel_key;
static int (*bpf_skb_set_tunnel_key)(void *ctx, void *key, int size, int flags) = (void *)
BPF_FUNC_skb_set_tunnel_key;
static int (*bpf_skb_get_tunnel_opt)(void *ctx,
void *md,
int size) = (void *)BPF_FUNC_skb_get_tunnel_opt;
static int (*bpf_skb_set_tunnel_opt)(void *ctx,
void *md,
int size) = (void *)BPF_FUNC_skb_set_tunnel_opt;
static unsigned long long (*bpf_get_prandom_u32)(void) = (void *)BPF_FUNC_get_prandom_u32;
static int (*bpf_xdp_adjust_head)(void *ctx, int offset) = (void *)BPF_FUNC_xdp_adjust_head;
static int (*bpf_probe_read_str)(void *dst,
uint64_t size,
const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read_str;
static int (*bpf_trace_printk)(const char *fmt, int fmt_size, ...) =
(void *)BPF_FUNC_trace_printk;
static void (*bpf_tail_call)(void *ctx, void *map, int index) =
(void *)BPF_FUNC_tail_call;
static unsigned long long (*bpf_get_smp_processor_id)(void) =
(void *)BPF_FUNC_get_smp_processor_id;
static unsigned long long (*bpf_get_current_pid_tgid)(void) =
(void *)BPF_FUNC_get_current_pid_tgid;
static unsigned long long (*bpf_get_current_uid_gid)(void) =
(void *)BPF_FUNC_get_current_uid_gid;
static int (*bpf_get_current_comm)(void *buf, int buf_size) =
(void *)BPF_FUNC_get_current_comm;
static int (*bpf_perf_event_read)(void *map, int index) =
(void *)BPF_FUNC_perf_event_read;
static int (*bpf_clone_redirect)(void *ctx, int ifindex, int flags) =
(void *)BPF_FUNC_clone_redirect;
static int (*bpf_redirect)(int ifindex, int flags) =
(void *)BPF_FUNC_redirect;
static int (*bpf_perf_event_output)(void *ctx, void *map,
unsigned long long flags, void *data,
int size) =
(void *)BPF_FUNC_perf_event_output;
static int (*bpf_get_stackid)(void *ctx, void *map, int flags) =
(void *)BPF_FUNC_get_stackid;
static int (*bpf_probe_write_user)(void *dst, void *src, int size) =
(void *)BPF_FUNC_probe_write_user;
static int (*bpf_current_task_under_cgroup)(void *map, int index) =
(void *)BPF_FUNC_current_task_under_cgroup;
static int (*bpf_skb_get_tunnel_key)(void *ctx, void *key, int size, int flags) =
(void *)BPF_FUNC_skb_get_tunnel_key;
static int (*bpf_skb_set_tunnel_key)(void *ctx, void *key, int size, int flags) =
(void *)BPF_FUNC_skb_set_tunnel_key;
static int (*bpf_skb_get_tunnel_opt)(void *ctx, void *md, int size) =
(void *)BPF_FUNC_skb_get_tunnel_opt;
static int (*bpf_skb_set_tunnel_opt)(void *ctx, void *md, int size) =
(void *)BPF_FUNC_skb_set_tunnel_opt;
static unsigned long long (*bpf_get_prandom_u32)(void) =
(void *)BPF_FUNC_get_prandom_u32;
static int (*bpf_xdp_adjust_head)(void *ctx, int offset) =
(void *)BPF_FUNC_xdp_adjust_head;
static int (*bpf_probe_read_str)(void *dst, uint64_t size, const void *unsafe_ptr) =
(void *)BPF_FUNC_probe_read_str;
#if defined(USE_BPF_PROBE_KERNEL_USER_VARIANTS)
static int (*bpf_probe_read_user)(void *dst,
uint32_t size,
const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read_user;
static int (*bpf_probe_read_kernel)(void *dst,
uint32_t size,
const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read_kernel;
static int (*bpf_probe_read_user_str)(void *dst, uint32_t size, const void *unsafe_ptr) = (void *)
BPF_FUNC_probe_read_user_str;
static int (*bpf_probe_read_kernel_str)(void *dst, uint32_t size, const void *unsafe_ptr) = (void *)
BPF_FUNC_probe_read_kernel_str;
static int (*bpf_probe_read_user)(void *dst, uint32_t size, const void *unsafe_ptr) =
(void *)BPF_FUNC_probe_read_user;
static int (*bpf_probe_read_kernel)(void *dst, uint32_t size, const void *unsafe_ptr) =
(void *)BPF_FUNC_probe_read_kernel;
static int (*bpf_probe_read_user_str)(void *dst, uint32_t size, const void *unsafe_ptr) =
(void *)BPF_FUNC_probe_read_user_str;
static int (*bpf_probe_read_kernel_str)(void *dst, uint32_t size, const void *unsafe_ptr) =
(void *)BPF_FUNC_probe_read_kernel_str;
#else
static int (*bpf_probe_read_user)(void *dst,
uint32_t size,
const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read;
static int (*bpf_probe_read_kernel)(void *dst,
uint32_t size,
const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read;
static int (*bpf_probe_read_user_str)(void *dst,
uint32_t size,
const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read_str;
static int (*bpf_probe_read_kernel_str)(void *dst,
uint32_t size,
const void *unsafe_ptr) = (void *)BPF_FUNC_probe_read_str;
static int (*bpf_probe_read_user)(void *dst, uint32_t size, const void *unsafe_ptr) =
(void *)BPF_FUNC_probe_read;
static int (*bpf_probe_read_kernel)(void *dst, uint32_t size, const void *unsafe_ptr) =
(void *)BPF_FUNC_probe_read;
static int (*bpf_probe_read_user_str)(void *dst, uint32_t size, const void *unsafe_ptr) =
(void *)BPF_FUNC_probe_read_str;
static int (*bpf_probe_read_kernel_str)(void *dst, uint32_t size, const void *unsafe_ptr) =
(void *)BPF_FUNC_probe_read_str;
#endif
static uint64_t (*bpf_get_current_task)(void) = (void *)BPF_FUNC_get_current_task;
static int (*bpf_skb_load_bytes)(void *ctx, int off, void *to, int len) = (void *)
BPF_FUNC_skb_load_bytes;
static int (*bpf_skb_store_bytes)(void *ctx, int off, void *from, int len, int flags) = (void *)
BPF_FUNC_skb_store_bytes;
static int (*bpf_l3_csum_replace)(void *ctx, int off, int from, int to, int flags) = (void *)
BPF_FUNC_l3_csum_replace;
static int (*bpf_l4_csum_replace)(void *ctx, int off, int from, int to, int flags) = (void *)
BPF_FUNC_l4_csum_replace;
static int (*bpf_skb_under_cgroup)(void *ctx,
void *map,
int index) = (void *)BPF_FUNC_skb_under_cgroup;
static int (*bpf_skb_change_head)(void *, int len, int flags) = (void *)BPF_FUNC_skb_change_head;
static uint64_t (*bpf_get_current_task)(void) =
(void *)BPF_FUNC_get_current_task;
static int (*bpf_skb_load_bytes)(void *ctx, int off, void *to, int len) =
(void *)BPF_FUNC_skb_load_bytes;
static int (*bpf_skb_store_bytes)(void *ctx, int off, void *from, int len, int flags) =
(void *)BPF_FUNC_skb_store_bytes;
static int (*bpf_l3_csum_replace)(void *ctx, int off, int from, int to, int flags) =
(void *)BPF_FUNC_l3_csum_replace;
static int (*bpf_l4_csum_replace)(void *ctx, int off, int from, int to, int flags) =
(void *)BPF_FUNC_l4_csum_replace;
static int (*bpf_skb_under_cgroup)(void *ctx, void *map, int index) =
(void *)BPF_FUNC_skb_under_cgroup;
static int (*bpf_skb_change_head)(void *, int len, int flags) =
(void *)BPF_FUNC_skb_change_head;
#endif


@ -28,4 +28,4 @@ or GPL2.txt for full copies of the license.
#endif
#define memcpy __builtin_memcpy
#endif // __BUILTINS_H
#endif // __BUILTINS_H


@ -1,23 +0,0 @@
// SPDX-License-Identifier: GPL-2.0-only OR MIT
/*
Copyright (C) 2024 The Falco Authors.
This file is dual licensed under either the MIT or GPL 2. See MIT.txt
or GPL2.txt for full copies of the license.
*/
/*
* Check that the build system is sane.
*/
#include "../../quirks.h"
#include "../../ppm_events_public.h"
#include "../../types.h"
BPF_PROBE("sanity/", sanity, sanity_args) {
return 0;
}
char __license[] __bpf_section("license") = "Dual MIT/GPL";


@ -1,32 +0,0 @@
// SPDX-License-Identifier: GPL-2.0-only OR MIT
/*
Copyright (C) 2025 The Falco Authors.
This file is dual licensed under either the MIT or GPL 2. See MIT.txt
or GPL2.txt for full copies of the license.
*/
/*
* Check that kernfs_node's field `parent` exists.
* See 6.15 kernel commit it is named __parent:
* https://github.com/torvalds/linux/commit/633488947ef66b194377411322dc9e12aab79b65
*/
#include "../../quirks.h"
#include "../../ppm_events_public.h"
#include "../../types.h"
// struct kernfs_node declaration
#include <linux/kernfs.h>
BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
struct kernfs_node *parent;
struct kernfs_node node;
parent = node.parent;
return 0;
}
char __license[] __bpf_section("license") = "Dual MIT/GPL";


@ -1,23 +1,13 @@
MODULE_MAKEFILE_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
# Run the module build.sh (wrapper for make) script with an empty environment, but PATH
HAS_@CONFIGURE_MODULE@ := $(shell env -i CLANG="$(CLANG)" LLC="$(LLC)" PATH="$(PATH)" KERNELDIR="$(KERNELDIR)" sh $(MODULE_MAKEFILE_DIR)/build.sh ; echo $$?)
HAS_@CONFIGURE_MODULE@ := $(shell env -i PATH="$(PATH)" KERNELDIR="$(KERNELDIR)" sh $(MODULE_MAKEFILE_DIR)/build.sh ; echo $$?)
ifeq ($(HAS_@CONFIGURE_MODULE@),0)
$(info [configure-bpf] Setting HAS_@CONFIGURE_MODULE@ flag)
KBUILD_CPPFLAGS += -DHAS_@CONFIGURE_MODULE@
else
HAS_@CONFIGURE_MODULE@_OUT1 := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log | sed -n ':a;N;$$$!ba;s/\n/@@NEWLINE@@/g;P')
HAS_@CONFIGURE_MODULE@_OUT := $(subst @@NEWLINE@@,$(newline),$(HAS_@CONFIGURE_MODULE@_OUT1))
HAS_@CONFIGURE_MODULE@_OUT := $(shell cat $(MODULE_MAKEFILE_DIR)/build.log)
$(info [configure-bpf] Build output for HAS_@CONFIGURE_MODULE@:)
$(info [configure-bpf] $(HAS_@CONFIGURE_MODULE@_OUT))
endif
ifeq ('@CONFIGURE_MODULE@','0__SANITY')
ifeq ($(HAS_@CONFIGURE_MODULE@),0)
$(info [configure-bpf] Build system is sane)
else
$(info [configure-bpf] Build system is broken, please see above errors)
$(error The build system is broken, please see above errors)
endif
endif
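Review bot: The configure probe is reduced to the exit status of `build.sh`, so a failure caused by the toolchain or by a wrong `KERNELDIR` is indistinguishable from the kernel feature being absent, and `HAS_@CONFIGURE_MODULE@` is then left unset without stopping the build. The variant of this file that carries the `0__SANITY` block turns that case into `$(error ...)`; the shorter variant has no equivalent. The shorter `env -i PATH="$(PATH)" KERNELDIR="$(KERNELDIR)"` line also drops `CLANG` and `LLC`, so feature detection may run with a different compiler than the one that builds `probe.o` (inferred; `build.sh` is not shown). I would keep the forwarding form from this hunk, `env -i CLANG="$(CLANG)" LLC="$(LLC)" PATH="$(PATH)" KERNELDIR="$(KERNELDIR)" sh $(MODULE_MAKEFILE_DIR)/build.sh`, together with the sanity probe.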


@ -10,8 +10,7 @@ or GPL2.txt for full copies of the license.
/*
* Check that mm_struct's field `rss_stat` is an array.
* See 6.2 kernel commit:
* https://github.com/torvalds/linux/commit/f1a7941243c102a44e8847e3b94ff4ff3ec56f25
* See 6.2 kernel commit: https://github.com/torvalds/linux/commit/f1a7941243c102a44e8847e3b94ff4ff3ec56f25
*/
#include "../../quirks.h"
@ -21,7 +20,8 @@ or GPL2.txt for full copies of the license.
// struct mm_struct declaration
#include <linux/mm_types.h>
BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
BPF_PROBE("signal/", signal_deliver, signal_deliver_args)
{
long val;
struct mm_struct *mm;
val = mm->rss_stat[0].count;


@ -1,29 +0,0 @@
// SPDX-License-Identifier: GPL-2.0-only OR MIT
/*
Copyright (C) 2024 The Falco Authors.
This file is dual licensed under either the MIT or GPL 2. See MIT.txt
or GPL2.txt for full copies of the license.
*/
/*
* Check that the `pids` field is defined in the `task_struct` struct.
* Since kernel version 4.19.0 the `pids` field is moved in the `signal_struct` struct, but this
* change has been backported to older kernels.
*/
#include "../../quirks.h"
#include "../../ppm_events_public.h"
#include "../../types.h"
BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
struct task_struct *task = (struct task_struct *)0;
if(task->pids) {
return 1;
}
return 0;
}
char __license[] __bpf_section("license") = "Dual MIT/GPL";

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff


@ -22,92 +22,92 @@ struct bpf_map_def {
#ifdef __KERNEL__
struct bpf_map_def __bpf_section("maps") perf_map = {
.type = BPF_MAP_TYPE_PERF_EVENT_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(uint32_t),
.max_entries = 0,
.type = BPF_MAP_TYPE_PERF_EVENT_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(uint32_t),
.max_entries = 0,
};
struct bpf_map_def __bpf_section("maps") tail_map = {
.type = BPF_MAP_TYPE_PROG_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(uint32_t),
.max_entries = PPM_FILLER_MAX,
.type = BPF_MAP_TYPE_PROG_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(uint32_t),
.max_entries = PPM_FILLER_MAX,
};
struct bpf_map_def __bpf_section("maps") syscall_table = {
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(struct syscall_evt_pair),
.max_entries = SYSCALL_TABLE_SIZE,
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(struct syscall_evt_pair),
.max_entries = SYSCALL_TABLE_SIZE,
};
struct bpf_map_def __bpf_section("maps") event_info_table = {
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(struct ppm_event_info),
.max_entries = PPM_EVENT_MAX,
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(struct ppm_event_info),
.max_entries = PPM_EVENT_MAX,
};
struct bpf_map_def __bpf_section("maps") fillers_table = {
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(struct ppm_event_entry),
.max_entries = PPM_EVENT_MAX,
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(struct ppm_event_entry),
.max_entries = PPM_EVENT_MAX,
};
struct bpf_map_def __bpf_section("maps") frame_scratch_map = {
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = SCRATCH_SIZE,
.max_entries = 0,
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = SCRATCH_SIZE,
.max_entries = 0,
};
struct bpf_map_def __bpf_section("maps") tmp_scratch_map = {
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = SCRATCH_SIZE,
.max_entries = 0,
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = SCRATCH_SIZE,
.max_entries = 0,
};
struct bpf_map_def __bpf_section("maps") settings_map = {
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(struct scap_bpf_settings),
.max_entries = 1,
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(struct scap_bpf_settings),
.max_entries = 1,
};
struct bpf_map_def __bpf_section("maps") local_state_map = {
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(struct scap_bpf_per_cpu_state),
.max_entries = 0,
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(struct scap_bpf_per_cpu_state),
.max_entries = 0,
};
struct bpf_map_def __bpf_section("maps") interesting_syscalls_table = {
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(bool),
.max_entries = SYSCALL_TABLE_SIZE,
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(bool),
.max_entries = SYSCALL_TABLE_SIZE,
};
// The key is the 32-bit syscall code while the value is 64-bit one
struct bpf_map_def __bpf_section("maps") ia32_64_map = {
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(uint32_t),
.max_entries = SYSCALL_TABLE_SIZE,
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(uint32_t),
.value_size = sizeof(uint32_t),
.max_entries = SYSCALL_TABLE_SIZE,
};
#ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
struct bpf_map_def __bpf_section("maps") stash_map = {
.type = BPF_MAP_TYPE_HASH,
.key_size = sizeof(uint64_t),
.value_size = sizeof(struct sys_stash_args),
.max_entries = 65535,
.type = BPF_MAP_TYPE_HASH,
.key_size = sizeof(uint64_t),
.value_size = sizeof(struct sys_stash_args),
.max_entries = 65535,
};
#endif
#endif // __KERNEL__
#endif // __KERNEL__
#endif


@ -10,14 +10,45 @@ or GPL2.txt for full copies of the license.
#ifndef __BPF_MISSING_DEFINITIONS_H__
#define __BPF_MISSING_DEFINITIONS_H__
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 16, 0)
struct ovl_entry {
union {
struct {
unsigned long has_upper;
bool opaque;
};
struct rcu_head rcu;
};
unsigned numlower;
struct path lowerstack[];
};
#else
struct ovl_entry {
union {
struct {
unsigned long flags;
};
struct rcu_head rcu;
};
unsigned numlower;
//struct ovl_path lowerstack[];
};
enum ovl_entry_flag {
OVL_E_UPPER_ALIAS,
OVL_E_OPAQUE,
OVL_E_CONNECTED,
};
#endif
#include <linux/mount.h>
/* This require the inlclude `linux/mount.h` for `vfsmount` definition */
struct mount {
struct hlist_node mnt_hash;
struct mount *mnt_parent;
struct dentry *mnt_mountpoint;
struct vfsmount mnt;
// ...
struct hlist_node mnt_hash;
struct mount *mnt_parent;
struct dentry *mnt_mountpoint;
struct vfsmount mnt;
// ...
};
#endif /*__BPF_MISSING_DEFINITIONS_H__*/
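Review bot: The two hand-written `struct ovl_entry` copies selected by `#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 16, 0)` have no comment naming the kernel header they mirror or which members the probe depends on, and the `#else` copy leaves `lowerstack[]` commented out. These are private kernel layouts re-declared locally, so a kernel whose layout differs from the upstream version number (a vendor backport, for instance) would presumably make reads of these members return wrong data with no build error. I would put a comment above the `#if`, such as `/* Hand-copied from fs/overlayfs/ovl_entry.h (kernel-private); the layout must match the running kernel, only the listed members may be read. */`. The truncated `struct mount` below, which ends in `// ...`, deserves the same kind of note.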


@ -18,63 +18,65 @@ or GPL2.txt for full copies of the license.
#include "builtins.h"
#include "socketcall_to_syscall.h"
#define _READ(P) \
({ \
typeof(P) _val; \
bpf_probe_read_kernel(&_val, sizeof(_val), &P); \
_val; \
})
#define _READ(P) ({ typeof(P) _val; \
bpf_probe_read_kernel(&_val, sizeof(_val), &P); \
_val; \
})
#define _READ_KERNEL(P) _READ(P)
#define _READ_USER(P) \
({ \
typeof(P) _val; \
bpf_probe_read_user(&_val, sizeof(_val), &P); \
_val; \
})
#define _READ_USER(P) ({ typeof(P) _val; \
bpf_probe_read_user(&_val, sizeof(_val), &P); \
_val; \
})
#ifdef BPF_DEBUG
#define bpf_printk(fmt, ...) \
do { \
char s[] = fmt; \
bpf_trace_printk(s, sizeof(s), ##__VA_ARGS__); \
} while(0)
#define bpf_printk(fmt, ...) \
do { \
char s[] = fmt; \
bpf_trace_printk(s, sizeof(s), ##__VA_ARGS__); \
} while (0)
#else
#define bpf_printk(fmt, ...)
#endif
#ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
static __always_inline int __stash_args(unsigned long long id, unsigned long *args) {
static __always_inline int __stash_args(unsigned long long id,
unsigned long *args)
{
int ret = bpf_map_update_elem(&stash_map, &id, args, BPF_ANY);
if(ret)
if (ret)
bpf_printk("error stashing arguments for %d:%d\n", id, ret);
return ret;
}
static __always_inline int stash_args(unsigned long *args) {
static __always_inline int stash_args(unsigned long *args)
{
unsigned long long id = bpf_get_current_pid_tgid() & 0xffffffff;
return __stash_args(id, args);
}
static __always_inline unsigned long *__unstash_args(unsigned long long id) {
static __always_inline unsigned long *__unstash_args(unsigned long long id)
{
struct sys_stash_args *args;
args = bpf_map_lookup_elem(&stash_map, &id);
if(!args)
if (!args)
return NULL;
return args->args;
}
static __always_inline unsigned long *unstash_args(void) {
static __always_inline unsigned long *unstash_args(void)
{
unsigned long long id = bpf_get_current_pid_tgid() & 0xffffffff;
return __unstash_args(id);
}
static __always_inline void delete_args(void) {
static __always_inline void delete_args(void)
{
unsigned long long id = bpf_get_current_pid_tgid() & 0xffffffff;
bpf_map_delete_elem(&stash_map, &id);
@ -83,28 +85,19 @@ static __always_inline void delete_args(void) {
/* Can be called just from an exit event
*/
static __always_inline long bpf_syscall_get_retval(void *ctx) {
static __always_inline long bpf_syscall_get_retval(void *ctx)
{
struct sys_exit_args *args = (struct sys_exit_args *)ctx;
return args->ret;
}
static __always_inline bool bpf_in_ia32_syscall() {
static __always_inline bool bpf_in_ia32_syscall()
{
struct task_struct *task = (struct task_struct *)bpf_get_current_task();
uint32_t status = 0;
#ifndef CONFIG_THREAD_INFO_IN_TASK
// If task_struct has no embedded thread_info,
// we cannot deduce anything. Just return.
// NOTE: this means that emulated 32bit syscalls will
// be parsed as 64bits syscalls.
// However, our minimum supported kernel releases
// already enforce that CONFIG_THREAD_INFO_IN_TASK is defined,
// therefore we already show a warning to the user
// when building against an unsupported kernel release.
#warning "bpf_in_ia32_syscall() support disabled since CONFIG_THREAD_INFO_IN_TASK is undefined."
return false;
#elif CONFIG_X86_64
#ifdef CONFIG_X86_64
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 18)
status = _READ(task->thread.status);
@ -156,7 +149,8 @@ static __always_inline bool bpf_in_ia32_syscall() {
/* Can be called from both enter and exit event, id is at the same
* offset in both struct sys_enter_args and struct sys_exit_args
*/
static __always_inline long bpf_syscall_get_nr(void *ctx) {
static __always_inline long bpf_syscall_get_nr(void *ctx)
{
struct sys_enter_args *args = (struct sys_enter_args *)ctx;
long id = 0;
@ -168,14 +162,14 @@ static __always_inline long bpf_syscall_get_nr(void *ctx) {
/* See here for the definition:
* https://github.com/torvalds/linux/blob/69cb6c6556ad89620547318439d6be8bb1629a5a/arch/x86/include/asm/syscall.h#L40
*/
*/
id = _READ(regs->orig_ax);
#elif CONFIG_ARM64
/* See here for the definition:
* https://github.com/torvalds/linux/blob/69cb6c6556ad89620547318439d6be8bb1629a5a/arch/arm64/include/asm/syscall.h#L23
*/
*/
id = _READ(regs->syscallno);
#elif CONFIG_S390
@ -206,10 +200,12 @@ static __always_inline long bpf_syscall_get_nr(void *ctx) {
#ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
static __always_inline unsigned long bpf_syscall_get_argument_from_args(unsigned long *args,
int idx) {
int idx)
{
unsigned long arg = 0;
if(idx <= 5) {
if(idx <= 5)
{
arg = args[idx];
}
@ -217,7 +213,9 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_args(unsigned
}
#endif
static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx, int idx) {
static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx,
int idx)
{
unsigned long arg = 0;
#ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
@ -226,8 +224,9 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx
struct pt_regs *regs = (struct pt_regs *)args->regs;
#ifdef CONFIG_X86_64
if(bpf_in_ia32_syscall()) {
switch(idx) {
if (bpf_in_ia32_syscall())
{
switch (idx) {
case 0:
arg = _READ(regs->bx);
break;
@ -255,7 +254,7 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx
/* See here for the definition:
* https://github.com/libbpf/libbpf/blob/master/src/bpf_tracing.h#L75-L87
*/
switch(idx) {
switch (idx) {
case 0:
arg = _READ(regs->di);
break;
@ -281,10 +280,10 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx
#elif CONFIG_ARM64
/* See here for the definition:
* https://github.com/libbpf/libbpf/blob/master/src/bpf_tracing.h#L166-L178
* https://github.com/libbpf/libbpf/blob/master/src/bpf_tracing.h#L166-L178
*/
struct user_pt_regs *user_regs = (struct user_pt_regs *)args->regs;
switch(idx) {
switch (idx) {
case 0:
arg = _READ(regs->orig_x0);
break;
@ -300,12 +299,12 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx
}
#elif CONFIG_S390
/* See here for the definition:
* https://github.com/libbpf/libbpf/blob/master/src/bpf_tracing.h#L132-L144
*/
user_pt_regs *user_regs = (user_pt_regs *)args->regs;
switch(idx) {
switch (idx) {
case 0:
arg = _READ(regs->orig_gpr2);
break;
@ -314,7 +313,7 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx
case 3:
case 4:
case 5:
arg = _READ(user_regs->gprs[idx + 2]);
arg = _READ(user_regs->gprs[idx+2]);
break;
default:
arg = 0;
@ -325,7 +324,7 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx
/* See here for the definition:
* https://github.com/libbpf/libbpf/blob/master/src/bpf_tracing.h#L290-L306
*/
switch(idx) {
switch (idx) {
case 0:
arg = _READ(regs->orig_gpr3);
break;
@ -334,7 +333,7 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx
case 3:
case 4:
case 5:
arg = _READ(regs->gpr[idx + 3]);
arg = _READ(regs->gpr[idx+3]);
break;
default:
arg = 0;
@ -345,40 +344,41 @@ static __always_inline unsigned long bpf_syscall_get_argument_from_ctx(void *ctx
#else
unsigned long *args = unstash_args();
if(args)
if (args)
arg = bpf_syscall_get_argument_from_args(args, idx);
else
arg = 0;
#endif /* BPF_SUPPORTS_RAW_TRACEPOINTS */
return arg;
}
static __always_inline unsigned long bpf_syscall_get_socketcall_arg(void *ctx, int idx) {
static __always_inline unsigned long bpf_syscall_get_socketcall_arg(void *ctx, int idx)
{
unsigned long arg = 0;
unsigned long args_pointer = 0;
args_pointer = bpf_syscall_get_argument_from_ctx(ctx, 1);
if(bpf_in_ia32_syscall()) {
bpf_probe_read_user(&arg,
sizeof(uint32_t),
(void *)(args_pointer + (idx * sizeof(uint32_t))));
} else {
bpf_probe_read_user(&arg,
sizeof(unsigned long),
(void *)(args_pointer + (idx * sizeof(unsigned long))));
if (bpf_in_ia32_syscall())
{
bpf_probe_read_user(&arg, sizeof(uint32_t), (void*)(args_pointer + (idx * sizeof(uint32_t))));
}
else
{
bpf_probe_read_user(&arg, sizeof(unsigned long), (void*)(args_pointer + (idx * sizeof(unsigned long))));
}
return arg;
}
static __always_inline unsigned long bpf_syscall_get_argument(struct filler_data *data, int idx) {
static __always_inline unsigned long bpf_syscall_get_argument(struct filler_data *data,
int idx)
{
#ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
// We define it here because we support socket calls only on kernels with
// BPF_SUPPORTS_RAW_TRACEPOINTS `data->state->tail_ctx.socketcall_syscall_id != -1` just to
// improve perf
if(data->state->tail_ctx.socketcall_syscall_id != -1 &&
bpf_syscall_get_nr(data->ctx) == data->state->tail_ctx.socketcall_syscall_id) {
// We define it here because we support socket calls only on kernels with BPF_SUPPORTS_RAW_TRACEPOINTS
// `data->state->tail_ctx.socketcall_syscall_id != -1` just to improve perf
if(data->state->tail_ctx.socketcall_syscall_id != -1 && bpf_syscall_get_nr(data->ctx) == data->state->tail_ctx.socketcall_syscall_id)
{
return bpf_syscall_get_socketcall_arg(data->ctx, idx);
}
return bpf_syscall_get_argument_from_ctx(data->ctx, idx);
@ -387,39 +387,45 @@ static __always_inline unsigned long bpf_syscall_get_argument(struct filler_data
#endif
}
static __always_inline char *get_frame_scratch_area(unsigned int cpu) {
static __always_inline char *get_frame_scratch_area(unsigned int cpu)
{
char *scratchp;
scratchp = bpf_map_lookup_elem(&frame_scratch_map, &cpu);
if(!scratchp)
if (!scratchp)
bpf_printk("frame scratch NULL\n");
return scratchp;
}
static __always_inline char *get_tmp_scratch_area(unsigned int cpu) {
static __always_inline char *get_tmp_scratch_area(unsigned int cpu)
{
char *scratchp;
scratchp = bpf_map_lookup_elem(&tmp_scratch_map, &cpu);
if(!scratchp)
if (!scratchp)
bpf_printk("tmp scratch NULL\n");
return scratchp;
}
static __always_inline const struct syscall_evt_pair *get_syscall_info(int id) {
const struct syscall_evt_pair *p = bpf_map_lookup_elem(&syscall_table, &id);
static __always_inline const struct syscall_evt_pair *get_syscall_info(int id)
{
const struct syscall_evt_pair *p =
bpf_map_lookup_elem(&syscall_table, &id);
if(!p)
if (!p)
bpf_printk("no syscall_info for %d\n", id);
return p;
}
static __always_inline bool is_syscall_interesting(int id) {
static __always_inline bool is_syscall_interesting(int id)
{
bool *enabled = bpf_map_lookup_elem(&interesting_syscalls_table, &id);
if(!enabled) {
if (!enabled)
{
bpf_printk("no syscall_info for %d\n", id);
return false;
}
@ -427,10 +433,12 @@ static __always_inline bool is_syscall_interesting(int id) {
return *enabled;
}
static __always_inline int convert_ia32_to_64(int id) {
static __always_inline int convert_ia32_to_64(int id)
{
int *x64_id = bpf_map_lookup_elem(&ia32_64_map, &id);
if(!x64_id) {
if (!x64_id)
{
bpf_printk("no 64bit mapped value for %d\n", id);
return -1;
}
@ -438,49 +446,54 @@ static __always_inline int convert_ia32_to_64(int id) {
return *x64_id;
}
static __always_inline const struct ppm_event_info *get_event_info(ppm_event_code event_type) {
const struct ppm_event_info *e = bpf_map_lookup_elem(&event_info_table, &event_type);
static __always_inline const struct ppm_event_info *get_event_info(ppm_event_code event_type)
{
const struct ppm_event_info *e =
bpf_map_lookup_elem(&event_info_table, &event_type);
if(!e)
if (!e)
bpf_printk("no event info for %d\n", event_type);
return e;
}
static __always_inline const struct ppm_event_entry *get_event_filler_info(
ppm_event_code event_type) {
static __always_inline const struct ppm_event_entry *get_event_filler_info(ppm_event_code event_type)
{
const struct ppm_event_entry *e;
e = bpf_map_lookup_elem(&fillers_table, &event_type);
if(!e)
if (!e)
bpf_printk("no filler info for %d\n", event_type);
return e;
}
static __always_inline struct scap_bpf_settings *get_bpf_settings(void) {
static __always_inline struct scap_bpf_settings *get_bpf_settings(void)
{
struct scap_bpf_settings *settings;
int id = 0;
settings = bpf_map_lookup_elem(&settings_map, &id);
if(!settings)
if (!settings)
bpf_printk("settings NULL\n");
return settings;
}
static __always_inline struct scap_bpf_per_cpu_state *get_local_state(unsigned int cpu) {
static __always_inline struct scap_bpf_per_cpu_state *get_local_state(unsigned int cpu)
{
struct scap_bpf_per_cpu_state *state;
state = bpf_map_lookup_elem(&local_state_map, &cpu);
if(!state)
if (!state)
bpf_printk("state NULL\n");
return state;
}
static __always_inline bool acquire_local_state(struct scap_bpf_per_cpu_state *state) {
if(state->in_use) {
static __always_inline bool acquire_local_state(struct scap_bpf_per_cpu_state *state)
{
if (state->in_use) {
bpf_printk("acquire_local_state: already in use\n");
return false;
}
@ -489,8 +502,9 @@ static __always_inline bool acquire_local_state(struct scap_bpf_per_cpu_state *s
return true;
}
static __always_inline bool release_local_state(struct scap_bpf_per_cpu_state *state) {
if(!state->in_use) {
static __always_inline bool release_local_state(struct scap_bpf_per_cpu_state *state)
{
if (!state->in_use) {
bpf_printk("release_local_state: already not in use\n");
return false;
}
@ -499,41 +513,44 @@ static __always_inline bool release_local_state(struct scap_bpf_per_cpu_state *s
return true;
}
static __always_inline int init_filler_data(void *ctx, struct filler_data *data, bool is_syscall) {
static __always_inline int init_filler_data(void *ctx,
struct filler_data *data,
bool is_syscall)
{
unsigned int cpu;
data->ctx = ctx;
data->settings = get_bpf_settings();
if(!data->settings)
if (!data->settings)
return PPM_FAILURE_BUG;
cpu = bpf_get_smp_processor_id();
data->buf = get_frame_scratch_area(cpu);
if(!data->buf)
if (!data->buf)
return PPM_FAILURE_BUG;
data->state = get_local_state(cpu);
if(!data->state)
if (!data->state)
return PPM_FAILURE_BUG;
data->tmp_scratch = get_tmp_scratch_area(cpu);
if(!data->tmp_scratch)
if (!data->tmp_scratch)
return PPM_FAILURE_BUG;
data->evt = get_event_info(data->state->tail_ctx.evt_type);
if(!data->evt)
if (!data->evt)
return PPM_FAILURE_BUG;
data->filler_info = get_event_filler_info(data->state->tail_ctx.evt_type);
if(!data->filler_info)
if (!data->filler_info)
return PPM_FAILURE_BUG;
#ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
if(is_syscall) {
if (is_syscall) {
data->args = unstash_args();
if(!data->args)
if (!data->args)
return PPM_SKIP_EVENT;
}
#endif
@ -544,14 +561,17 @@ static __always_inline int init_filler_data(void *ctx, struct filler_data *data,
return PPM_SUCCESS;
}
static __always_inline int bpf_test_bit(int nr, unsigned long *addr) {
static __always_inline int bpf_test_bit(int nr, unsigned long *addr)
{
return 1UL & (_READ(addr[BIT_WORD(nr)]) >> (nr & (BITS_PER_LONG - 1)));
}
#if defined(CAPTURE_SCHED_PROC_FORK) || defined(CAPTURE_SCHED_PROC_EXEC)
static __always_inline bool bpf_drop_syscall_exit_events(void *ctx, ppm_event_code evt_type) {
static __always_inline bool bpf_drop_syscall_exit_events(void *ctx, ppm_event_code evt_type)
{
long ret = 0;
switch(evt_type) {
switch (evt_type)
{
/* On s390x, clone and fork child events will be generated but
* due to page faults, no args/envp information will be collected.
* Also no child events appear for clone3 syscall.
@ -560,47 +580,48 @@ static __always_inline bool bpf_drop_syscall_exit_events(void *ctx, ppm_event_co
* let proactively ignore them.
*/
#ifdef CAPTURE_SCHED_PROC_FORK
case PPME_SYSCALL_CLONE_20_X:
case PPME_SYSCALL_FORK_20_X:
case PPME_SYSCALL_VFORK_20_X:
case PPME_SYSCALL_CLONE3_X:
ret = bpf_syscall_get_retval(ctx);
/* We ignore only child events, so ret == 0! */
return ret == 0;
case PPME_SYSCALL_CLONE_20_X:
case PPME_SYSCALL_FORK_20_X:
case PPME_SYSCALL_VFORK_20_X:
case PPME_SYSCALL_CLONE3_X:
ret = bpf_syscall_get_retval(ctx);
/* We ignore only child events, so ret == 0! */
return ret == 0;
#endif
/* If `CAPTURE_SCHED_PROC_EXEC` logic is enabled we collect execve-family
* exit events through a dedicated tracepoint so we can ignore them here.
*/
#ifdef CAPTURE_SCHED_PROC_EXEC
case PPME_SYSCALL_EXECVE_19_X:
case PPME_SYSCALL_EXECVEAT_X:
ret = bpf_syscall_get_retval(ctx);
/* We ignore only successful events, so ret == 0! */
return ret == 0;
case PPME_SYSCALL_EXECVE_19_X:
case PPME_SYSCALL_EXECVEAT_X:
ret = bpf_syscall_get_retval(ctx);
/* We ignore only successful events, so ret == 0! */
return ret == 0;
#endif
default:
break;
default:
break;
}
return false;
}
#endif
static __always_inline bool drop_event(void *ctx,
struct scap_bpf_per_cpu_state *state,
ppm_event_code evt_type,
struct scap_bpf_settings *settings,
enum syscall_flags drop_flags) {
if(!settings->dropping_mode)
struct scap_bpf_per_cpu_state *state,
ppm_event_code evt_type,
struct scap_bpf_settings *settings,
enum syscall_flags drop_flags)
{
if (!settings->dropping_mode)
return false;
switch(evt_type) {
switch (evt_type) {
case PPME_SYSCALL_CLOSE_X:
case PPME_SOCKET_BIND_X: {
long ret = bpf_syscall_get_retval(ctx);
if(ret < 0)
if (ret < 0)
return true;
break;
@ -615,30 +636,30 @@ static __always_inline bool drop_event(void *ctx,
int max_fds;
close_fd = bpf_syscall_get_argument_from_ctx(ctx, 0);
if(close_fd < 0)
if (close_fd < 0)
return true;
task = (struct task_struct *)bpf_get_current_task();
if(!task)
if (!task)
break;
files = _READ(task->files);
if(!files)
if (!files)
break;
fdt = _READ(files->fdt);
if(!fdt)
if (!fdt)
break;
max_fds = _READ(fdt->max_fds);
if(close_fd >= max_fds)
if (close_fd >= max_fds)
return true;
open_fds = _READ(fdt->open_fds);
if(!open_fds)
if (!open_fds)
break;
if(!bpf_test_bit(close_fd, open_fds))
if (!bpf_test_bit(close_fd, open_fds))
return true;
break;
@ -647,7 +668,7 @@ static __always_inline bool drop_event(void *ctx,
case PPME_SYSCALL_FCNTL_X: {
long cmd = bpf_syscall_get_argument_from_ctx(ctx, 1);
if(cmd != F_DUPFD && cmd != F_DUPFD_CLOEXEC)
if (cmd != F_DUPFD && cmd != F_DUPFD_CLOEXEC)
return true;
break;
@ -656,14 +677,15 @@ static __always_inline bool drop_event(void *ctx,
break;
}
if(drop_flags & UF_NEVER_DROP)
if (drop_flags & UF_NEVER_DROP)
return false;
if(drop_flags & UF_ALWAYS_DROP)
if (drop_flags & UF_ALWAYS_DROP)
return true;
if(state->tail_ctx.ts % 1000000000 >= 1000000000 / settings->sampling_ratio) {
if(!settings->is_dropping) {
if (state->tail_ctx.ts % 1000000000 >= 1000000000 /
settings->sampling_ratio) {
if (!settings->is_dropping) {
settings->is_dropping = true;
state->tail_ctx.evt_type = PPME_DROP_E;
return false;
@ -672,7 +694,7 @@ static __always_inline bool drop_event(void *ctx,
return true;
}
if(settings->is_dropping) {
if (settings->is_dropping) {
settings->is_dropping = false;
state->tail_ctx.evt_type = PPME_DROP_X;
return false;
@ -682,8 +704,9 @@ static __always_inline bool drop_event(void *ctx,
}
static __always_inline void reset_tail_ctx(struct scap_bpf_per_cpu_state *state,
ppm_event_code evt_type,
unsigned long long ts) {
ppm_event_code evt_type,
unsigned long long ts)
{
state->tail_ctx.evt_type = evt_type;
state->tail_ctx.ts = ts;
state->tail_ctx.curarg = 0;
@ -693,10 +716,11 @@ static __always_inline void reset_tail_ctx(struct scap_bpf_per_cpu_state *state,
}
static __always_inline void call_filler(void *ctx,
void *stack_ctx,
ppm_event_code evt_type,
enum syscall_flags drop_flags,
int socketcall_syscall_id) {
void *stack_ctx,
ppm_event_code evt_type,
enum syscall_flags drop_flags,
int socketcall_syscall_id)
{
struct scap_bpf_settings *settings;
const struct ppm_event_entry *filler_info;
struct scap_bpf_per_cpu_state *state;
@ -707,17 +731,17 @@ static __always_inline void call_filler(void *ctx,
cpu = bpf_get_smp_processor_id();
state = get_local_state(cpu);
if(!state)
if (!state)
return;
settings = get_bpf_settings();
if(!settings)
if (!settings)
return;
if(!acquire_local_state(state))
if (!acquire_local_state(state))
return;
if(cpu == 0 && state->hotplug_cpu != 0) {
if (cpu == 0 && state->hotplug_cpu != 0) {
evt_type = PPME_CPU_HOTPLUG_E;
drop_flags = UF_NEVER_DROP;
}
@ -726,7 +750,7 @@ static __always_inline void call_filler(void *ctx,
reset_tail_ctx(state, evt_type, ts);
/* drop_event can change state->tail_ctx.evt_type */
if(drop_event(stack_ctx, state, evt_type, settings, drop_flags))
if (drop_event(stack_ctx, state, evt_type, settings, drop_flags))
goto cleanup;
++state->n_evts;
@ -734,20 +758,21 @@ static __always_inline void call_filler(void *ctx,
state->tail_ctx.socketcall_syscall_id = socketcall_syscall_id;
filler_info = get_event_filler_info(state->tail_ctx.evt_type);
if(!filler_info)
if (!filler_info)
goto cleanup;
bpf_tail_call(ctx, &tail_map, filler_info->filler_id);
bpf_printk("Can't tail call filler evt=%d, filler=%d\n",
state->tail_ctx.evt_type,
filler_info->filler_id);
state->tail_ctx.evt_type,
filler_info->filler_id);
cleanup:
release_local_state(state);
}
#ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
static __always_inline long convert_network_syscalls(void *ctx, bool *is_syscall) {
static __always_inline long convert_network_syscalls(void *ctx, bool *is_syscall)
{
int socketcall_id = (int)bpf_syscall_get_argument_from_ctx(ctx, 0);
return socketcall_code_to_syscall_code(socketcall_id, is_syscall);
}
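Review bot: `bpf_syscall_get_argument_from_args()` guards the array read with `if(idx <= 5)` only, and `idx` is a signed `int`, so a negative index would read before the stashed `args` array instead of yielding 0. The register-based path in `bpf_syscall_get_argument_from_ctx()` falls back to `arg = 0` for an index outside 0–5 (see the `default:` arms of the s390 and ppc64 switches), so the two paths disagree on out-of-range input. I would make the guard `if(idx >= 0 && idx <= 5)`. The function's `return` lies between two hunks and is not shown on the page.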


@ -14,6 +14,7 @@ or GPL2.txt for full copies of the license.
#if __has_include(<asm/rwonce.h>)
#include <asm/rwonce.h>
#endif
#include <linux/sched.h>
#include "driver_config.h"
#include "ppm_events_public.h"
@ -28,7 +29,8 @@ or GPL2.txt for full copies of the license.
#define __NR_ia32_socketcall 102
BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args) {
BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args)
{
const struct syscall_evt_pair *sc_evt = NULL;
ppm_event_code evt_type = -1;
int drop_flags = 0;
@ -37,47 +39,59 @@ BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args) {
int socketcall_syscall_id = -1;
id = bpf_syscall_get_nr(ctx);
if(id < 0 || id >= SYSCALL_TABLE_SIZE)
if (id < 0 || id >= SYSCALL_TABLE_SIZE)
return 0;
if(bpf_in_ia32_syscall()) {
// Right now we support 32-bit emulation only on x86.
// We try to convert the 32-bit id into the 64-bit one.
if (bpf_in_ia32_syscall())
{
// Right now we support 32-bit emulation only on x86.
// We try to convert the 32-bit id into the 64-bit one.
#if defined(CONFIG_X86_64) && defined(CONFIG_IA32_EMULATION)
if(id == __NR_ia32_socketcall) {
if (id == __NR_ia32_socketcall)
{
socketcall_syscall_id = __NR_ia32_socketcall;
} else {
}
else
{
id = convert_ia32_to_64(id);
// syscalls defined only on 32 bits are dropped here.
if(id == -1) {
if(id == -1)
{
return 0;
}
}
#else
// Unsupported arch
return 0;
#endif
} else {
// Right now only s390x supports it
#endif
}
else
{
// Right now only s390x supports it
#ifdef __NR_socketcall
socketcall_syscall_id = __NR_socketcall;
#endif
}
// Now all syscalls on 32-bit should be converted to 64-bit apart from `socketcall`.
// This one deserves a special treatment
if(id == socketcall_syscall_id) {
if(id == socketcall_syscall_id)
{
#ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
bool is_syscall_return = false;
int return_code = convert_network_syscalls(ctx, &is_syscall_return);
if(return_code == -1) {
if (return_code == -1)
{
// Wrong SYS_ argument passed. Drop the syscall.
return 0;
}
if(!is_syscall_return) {
if(!is_syscall_return)
{
evt_type = return_code;
drop_flags = UF_USED;
} else {
}
else
{
id = return_code;
}
#else
@ -91,9 +105,11 @@ BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args) {
// There could be cases in which we have a `PPME_SOCKET_SEND_E` event
// and`id=__NR_ia32_socketcall`...We resolved the correct event type but we cannot
// update the `id`.
if(evt_type == -1) {
if (evt_type == -1)
{
enabled = is_syscall_interesting(id);
if(!enabled) {
if(!enabled)
{
return 0;
}
@ -101,15 +117,19 @@ BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args) {
if(!sc_evt)
return 0;
if(sc_evt->flags & UF_USED) {
if(sc_evt->flags & UF_USED)
{
evt_type = sc_evt->enter_event_type;
drop_flags = sc_evt->flags;
} else {
}
else
{
evt_type = PPME_GENERIC_E;
drop_flags = UF_ALWAYS_DROP;
}
}
#ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
call_filler(ctx, ctx, evt_type, drop_flags, socketcall_syscall_id);
#else
@ -117,7 +137,7 @@ BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args) {
struct sys_enter_args stack_ctx;
memcpy(stack_ctx.args, ctx->args, sizeof(ctx->args));
if(stash_args(stack_ctx.args))
if (stash_args(stack_ctx.args))
return 0;
call_filler(ctx, &stack_ctx, evt_type, drop_flags, socketcall_syscall_id);
@ -125,25 +145,30 @@ BPF_PROBE("raw_syscalls/", sys_enter, sys_enter_args) {
return 0;
}
BPF_PROBE("raw_syscalls/", sys_exit, sys_exit_args) {
BPF_PROBE("raw_syscalls/", sys_exit, sys_exit_args)
{
const struct syscall_evt_pair *sc_evt = NULL;
ppm_event_code evt_type = -1;
int drop_flags = 0;
long id = 0;
bool enabled = false;
struct scap_bpf_settings *settings = 0;
struct scap_bpf_settings *settings = 0;
long retval = 0;
int socketcall_syscall_id = -1;
id = bpf_syscall_get_nr(ctx);
if(id < 0 || id >= SYSCALL_TABLE_SIZE)
if (id < 0 || id >= SYSCALL_TABLE_SIZE)
return 0;
if(bpf_in_ia32_syscall()) {
if (bpf_in_ia32_syscall())
{
#if defined(CONFIG_X86_64) && defined(CONFIG_IA32_EMULATION)
if(id == __NR_ia32_socketcall) {
if (id == __NR_ia32_socketcall)
{
socketcall_syscall_id = __NR_ia32_socketcall;
} else {
}
else
{
/*
* When a process does execve from 64bit to 32bit, TS_COMPAT is marked true
* but the id of the syscall is __NR_execve, so to correctly parse it we need to
@ -157,7 +182,8 @@ BPF_PROBE("raw_syscalls/", sys_exit, sys_exit_args) {
#endif
{
id = convert_ia32_to_64(id);
if(id == -1) {
if(id == -1)
{
return 0;
}
}
@ -166,24 +192,31 @@ BPF_PROBE("raw_syscalls/", sys_exit, sys_exit_args) {
// Unsupported arch
return 0;
#endif
} else {
}
else
{
#ifdef __NR_socketcall
socketcall_syscall_id = __NR_socketcall;
#endif
}
if(id == socketcall_syscall_id) {
if(id == socketcall_syscall_id)
{
#ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
bool is_syscall_return = false;
int return_code = convert_network_syscalls(ctx, &is_syscall_return);
if(return_code == -1) {
if (return_code == -1)
{
// Wrong SYS_ argument passed. Drop the syscall.
return 0;
}
if(!is_syscall_return) {
evt_type = return_code + 1; // we are in sys_exit!
if(!is_syscall_return)
{
evt_type = return_code + 1; // we are in sys_exit!
drop_flags = UF_USED;
} else {
}
else
{
id = return_code;
}
#else
@ -192,32 +225,39 @@ BPF_PROBE("raw_syscalls/", sys_exit, sys_exit_args) {
#endif
}
if(evt_type == -1) {
if(evt_type == -1)
{
enabled = is_syscall_interesting(id);
if(!enabled) {
if(!enabled)
{
return 0;
}
sc_evt = get_syscall_info(id);
if(!sc_evt)
return 0;
if(sc_evt->flags & UF_USED) {
if(sc_evt->flags & UF_USED)
{
evt_type = sc_evt->exit_event_type;
drop_flags = sc_evt->flags;
} else {
}
else
{
evt_type = PPME_GENERIC_X;
drop_flags = UF_ALWAYS_DROP;
}
}
settings = get_bpf_settings();
if(!settings)
if (!settings)
return 0;
// Drop failed syscalls if necessary
if(settings->drop_failed) {
if (settings->drop_failed)
{
retval = bpf_syscall_get_retval(ctx);
if(retval < 0) {
if (retval < 0)
{
return 0;
}
}
@ -231,7 +271,8 @@ BPF_PROBE("raw_syscalls/", sys_exit, sys_exit_args) {
return 0;
}
BPF_PROBE("sched/", sched_process_exit, sched_process_exit_args) {
BPF_PROBE("sched/", sched_process_exit, sched_process_exit_args)
{
ppm_event_code evt_type;
struct task_struct *task;
unsigned int flags;
@ -239,7 +280,7 @@ BPF_PROBE("sched/", sched_process_exit, sched_process_exit_args) {
task = (struct task_struct *)bpf_get_current_task();
flags = _READ(task->flags);
if(flags & PF_KTHREAD)
if (flags & PF_KTHREAD)
return 0;
evt_type = PPME_PROCEXIT_1_E;
@ -248,17 +289,19 @@ BPF_PROBE("sched/", sched_process_exit, sched_process_exit_args) {
return 0;
}
BPF_PROBE("sched/", sched_switch, sched_switch_args) {
BPF_PROBE("sched/", sched_switch, sched_switch_args)
{
ppm_event_code evt_type;
evt_type = PPME_SCHEDSWITCH_6_E;
call_filler(ctx, ctx, evt_type, UF_ALWAYS_DROP, -1);
call_filler(ctx, ctx, evt_type, 0, -1);
return 0;
}
#ifdef CAPTURE_PAGE_FAULTS
static __always_inline int bpf_page_fault(struct page_fault_args *ctx) {
static __always_inline int bpf_page_fault(struct page_fault_args *ctx)
{
ppm_event_code evt_type;
evt_type = PPME_PAGE_FAULT_E;
@ -267,16 +310,19 @@ static __always_inline int bpf_page_fault(struct page_fault_args *ctx) {
return 0;
}
BPF_PROBE("exceptions/", page_fault_user, page_fault_args) {
BPF_PROBE("exceptions/", page_fault_user, page_fault_args)
{
return bpf_page_fault(ctx);
}
BPF_PROBE("exceptions/", page_fault_kernel, page_fault_args) {
BPF_PROBE("exceptions/", page_fault_kernel, page_fault_args)
{
return bpf_page_fault(ctx);
}
#endif
BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
BPF_PROBE("signal/", signal_deliver, signal_deliver_args)
{
ppm_event_code evt_type;
evt_type = PPME_SIGNALDELIVER_E;
@ -286,14 +332,15 @@ BPF_PROBE("signal/", signal_deliver, signal_deliver_args) {
}
#ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
__bpf_section(TP_NAME "sched/sched_process_fork&1") int bpf_sched_process_fork(
struct sched_process_fork_args *ctx) {
__bpf_section(TP_NAME "sched/sched_process_fork&1")
int bpf_sched_process_fork(struct sched_process_fork_args *ctx)
{
ppm_event_code evt_type;
struct sys_stash_args args;
unsigned long *argsp;
argsp = __unstash_args(ctx->parent_pid);
if(!argsp)
if (!argsp)
return 0;
memcpy(&args, argsp, sizeof(args));
@ -305,7 +352,8 @@ __bpf_section(TP_NAME "sched/sched_process_fork&1") int bpf_sched_process_fork(
#endif
#ifdef CAPTURE_SCHED_PROC_EXEC
BPF_PROBE("sched/", sched_process_exec, sched_process_exec_args) {
BPF_PROBE("sched/", sched_process_exec, sched_process_exec_args)
{
struct scap_bpf_settings *settings;
/* We will always send an execve exit event. */
ppm_event_code event_type = PPME_SYSCALL_EXECVE_19_X;
@ -313,37 +361,42 @@ BPF_PROBE("sched/", sched_process_exec, sched_process_exec_args) {
/* We are not interested in kernel threads. */
struct task_struct *task = (struct task_struct *)bpf_get_current_task();
unsigned int flags = _READ(task->flags);
if(flags & PF_KTHREAD) {
if(flags & PF_KTHREAD)
{
return 0;
}
/* Reset the tail context in the CPU state map. */
uint32_t cpu = bpf_get_smp_processor_id();
struct scap_bpf_per_cpu_state *state = get_local_state(cpu);
if(!state) {
struct scap_bpf_per_cpu_state * state = get_local_state(cpu);
if(!state)
{
return 0;
}
settings = get_bpf_settings();
if(!settings) {
if(!settings)
{
return 0;
}
uint64_t ts = settings->boot_time + bpf_ktime_get_boot_ns();
reset_tail_ctx(state, event_type, ts);
++state->n_evts;
int filler_code = PPM_FILLER_sched_prog_exec;
bpf_tail_call(ctx, &tail_map, filler_code);
bpf_printk("Can't tail call filler 'sched_proc_exec' evt=%d, filler=%d\n",
event_type,
filler_code);
event_type,
filler_code);
return 0;
}
#endif /* CAPTURE_SCHED_PROC_EXEC */
#ifdef CAPTURE_SCHED_PROC_FORK
__bpf_section("raw_tracepoint/sched_process_fork&2") int bpf_sched_process_fork(
struct sched_process_fork_raw_args *ctx) {
__bpf_section("raw_tracepoint/sched_process_fork&2")
int bpf_sched_process_fork(struct sched_process_fork_raw_args *ctx)
{
struct scap_bpf_settings *settings;
/* We will always send a clone exit event. */
ppm_event_code event_type = PPME_SYSCALL_CLONE_20_X;
@ -351,19 +404,22 @@ __bpf_section("raw_tracepoint/sched_process_fork&2") int bpf_sched_process_fork(
/* We are not interested in kernel threads. */
struct task_struct *task = (struct task_struct *)bpf_get_current_task();
unsigned int flags = _READ(task->flags);
if(flags & PF_KTHREAD) {
if(flags & PF_KTHREAD)
{
return 0;
}
/* Reset the tail context in the CPU state map. */
uint32_t cpu = bpf_get_smp_processor_id();
struct scap_bpf_per_cpu_state *state = get_local_state(cpu);
if(!state) {
struct scap_bpf_per_cpu_state * state = get_local_state(cpu);
if(!state)
{
return 0;
}
settings = get_bpf_settings();
if(!settings) {
if(!settings)
{
return 0;
}
uint64_t ts = settings->boot_time + bpf_ktime_get_boot_ns();
@ -373,8 +429,8 @@ __bpf_section("raw_tracepoint/sched_process_fork&2") int bpf_sched_process_fork(
int filler_code = PPM_FILLER_sched_prog_fork;
bpf_tail_call(ctx, &tail_map, filler_code);
bpf_printk("Can't tail call filler 'sched_proc_fork' evt=%d, filler=%d\n",
event_type,
filler_code);
event_type,
filler_code);
return 0;
}
#endif /* CAPTURE_SCHED_PROC_FORK */


@ -17,24 +17,20 @@ or GPL2.txt for full copies of the license.
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0) && LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 4)
#define randomized_struct_fields_start struct {
#define randomized_struct_fields_end \
} \
;
#define randomized_struct_fields_start struct {
#define randomized_struct_fields_end };
#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 15, 0)
#define BPF_FORBIDS_ZERO_ACCESS
#endif
#if(defined(CONFIG_X86_64) || defined(CONFIG_ARM64) || defined(CONFIG_S390) || \
defined(CONFIG_PPC64)) && \
LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0)
#define BPF_SUPPORTS_RAW_TRACEPOINTS
#if (defined(CONFIG_X86_64) || defined(CONFIG_ARM64) || defined(CONFIG_S390) || defined(CONFIG_PPC64)) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0)
#define BPF_SUPPORTS_RAW_TRACEPOINTS
#endif
#if CAPTURE_SCHED_PROC_FORK && !defined(BPF_SUPPORTS_RAW_TRACEPOINTS)
#error The CAPTURE_SCHED_PROC_FORK support requires 'raw_tracepoints' so kernel versions greater or equal than '4.17'.
#error The CAPTURE_SCHED_PROC_FORK support requires 'raw_tracepoints' so kernel versions greater or equal than '4.17'.
#endif
/* Redefine asm_volatile_goto to work around clang not supporting it


@ -10,7 +10,8 @@ or GPL2.txt for full copies of the license.
#ifndef __RING_HELPERS_H
#define __RING_HELPERS_H
static __always_inline void write_evt_hdr(struct filler_data *data) {
static __always_inline void write_evt_hdr(struct filler_data *data)
{
struct ppm_evt_hdr *evt_hdr = (struct ppm_evt_hdr *)data->buf;
evt_hdr->ts = data->state->tail_ctx.ts;
@ -18,35 +19,43 @@ static __always_inline void write_evt_hdr(struct filler_data *data) {
evt_hdr->type = data->state->tail_ctx.evt_type;
evt_hdr->nparams = data->evt->nparams;
data->state->tail_ctx.curoff =
sizeof(struct ppm_evt_hdr) + sizeof(uint16_t) * data->evt->nparams;
data->state->tail_ctx.curoff = sizeof(struct ppm_evt_hdr) +
sizeof(uint16_t) * data->evt->nparams;
data->state->tail_ctx.len = data->state->tail_ctx.curoff;
}
static __always_inline void fixup_evt_len(char *p, unsigned long len) {
static __always_inline void fixup_evt_len(char *p, unsigned long len)
{
struct ppm_evt_hdr *evt_hdr = (struct ppm_evt_hdr *)p;
evt_hdr->len = len;
}
static __always_inline void fixup_evt_arg_len(char *p, unsigned int argnum, unsigned int arglen) {
if(argnum > PPM_MAX_EVENT_PARAMS) {
static __always_inline void fixup_evt_arg_len(char *p,
unsigned int argnum,
unsigned int arglen)
{
if (argnum > PPM_MAX_EVENT_PARAMS)
{
return;
}
volatile unsigned int argnumv = argnum;
*((uint16_t *)&p[sizeof(struct ppm_evt_hdr)] + (argnumv & (PPM_MAX_EVENT_PARAMS - 1))) = arglen;
}
static __always_inline int push_evt_frame(void *ctx, struct filler_data *data) {
if(data->state->tail_ctx.curarg != data->evt->nparams) {
static __always_inline int push_evt_frame(void *ctx,
struct filler_data *data)
{
if (data->state->tail_ctx.curarg != data->evt->nparams) {
bpf_printk("corrupted filler for event type %d (added %u args, should have added %u)\n",
data->state->tail_ctx.evt_type,
data->state->tail_ctx.curarg,
data->evt->nparams);
data->state->tail_ctx.evt_type,
data->state->tail_ctx.curarg,
data->evt->nparams);
return PPM_FAILURE_BUG;
}
if(data->state->tail_ctx.len > PERF_EVENT_MAX_SIZE) {
if (data->state->tail_ctx.len > PERF_EVENT_MAX_SIZE)
{
return PPM_FAILURE_FRAME_SCRATCH_MAP_FULL;
}
@ -54,18 +63,18 @@ static __always_inline int push_evt_frame(void *ctx, struct filler_data *data) {
#ifdef BPF_FORBIDS_ZERO_ACCESS
int res = bpf_perf_event_output(ctx,
&perf_map,
BPF_F_CURRENT_CPU,
data->buf,
((data->state->tail_ctx.len - 1) & SCRATCH_SIZE_MAX) + 1);
&perf_map,
BPF_F_CURRENT_CPU,
data->buf,
((data->state->tail_ctx.len - 1) & SCRATCH_SIZE_MAX) + 1);
#else
int res = bpf_perf_event_output(ctx,
&perf_map,
BPF_F_CURRENT_CPU,
data->buf,
data->state->tail_ctx.len & SCRATCH_SIZE_MAX);
&perf_map,
BPF_F_CURRENT_CPU,
data->buf,
data->state->tail_ctx.len & SCRATCH_SIZE_MAX);
#endif
if(res == -ENOENT || res == -EOPNOTSUPP) {
if (res == -ENOENT || res == -EOPNOTSUPP) {
/*
* ENOENT = likely a new CPU is online that wasn't
* opened in userspace
@ -77,15 +86,15 @@ static __always_inline int push_evt_frame(void *ctx, struct filler_data *data) {
*/
struct scap_bpf_per_cpu_state *state = get_local_state(0);
if(!state)
if (!state)
return PPM_FAILURE_BUG;
state->hotplug_cpu = bpf_get_smp_processor_id();
bpf_printk("detected hotplug event, cpu=%d\n", state->hotplug_cpu);
} else if(res == -ENOSPC) {
} else if (res == -ENOSPC) {
bpf_printk("bpf_perf_buffer full\n");
return PPM_FAILURE_BUFFER_FULL;
} else if(res) {
} else if (res) {
bpf_printk("bpf_perf_event_output failed, res=%d\n", res);
return PPM_FAILURE_BUG;
}


@ -12,8 +12,6 @@ or GPL2.txt for full copies of the license.
#ifdef __KERNEL__
#include <linux/sched.h> // TASK_COMM_LEN definition
#define __bpf_section(NAME) __attribute__((section(NAME), used))
#ifndef __always_inline
@ -27,11 +25,13 @@ or GPL2.txt for full copies of the license.
#endif
#ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
#define BPF_PROBE(prefix, event, type) \
__bpf_section(TP_NAME #event) int bpf_##event(struct type *ctx)
#define BPF_PROBE(prefix, event, type) \
__bpf_section(TP_NAME #event) \
int bpf_##event(struct type *ctx)
#else
#define BPF_PROBE(prefix, event, type) \
__bpf_section(TP_NAME prefix #event) int bpf_##event(struct type *ctx)
#define BPF_PROBE(prefix, event, type) \
__bpf_section(TP_NAME prefix #event) \
int bpf_##event(struct type *ctx)
#endif
#ifdef BPF_SUPPORTS_RAW_TRACEPOINTS
@ -143,24 +143,26 @@ struct sys_stash_args {
#ifdef CAPTURE_SCHED_PROC_EXEC
#ifndef BPF_SUPPORTS_RAW_TRACEPOINTS
struct sched_process_exec_args {
/* TP_PROTO(struct task_struct *p, pid_t old_pid, struct linux_binprm *bprm)
* Taken from `/include/trace/events/sched.h`
*/
struct sched_process_exec_args
{
struct task_struct *p;
pid_t old_pid;
struct linux_binprm *bprm;
};
#else
struct sched_process_exec_args
{
unsigned short common_type;
unsigned char common_flags;
unsigned char common_preempt_count;
int common_pid;
__u32 filename; // This is actually defined as "__data_loc char[] filename;".
int filename;
pid_t pid;
pid_t old_pid;
};
#else
/* TP_PROTO(struct task_struct *p, pid_t old_pid, struct linux_binprm *bprm)
* Taken from `/include/trace/events/sched.h`
*/
struct sched_process_exec_args {
struct task_struct *p;
pid_t old_pid;
struct linux_binprm *bprm;
};
#endif /* BPF_SUPPORTS_RAW_TRACEPOINTS */
#endif /* CAPTURE_SCHED_PROC_EXEC */
@ -169,9 +171,10 @@ struct sched_process_exec_args {
/* TP_PROTO(struct task_struct *parent, struct task_struct *child)
* Taken from `/include/trace/events/sched.h`
*/
struct sched_process_fork_raw_args {
struct sched_process_fork_raw_args
{
struct task_struct *parent;
struct task_struct *child;
struct task_struct *child;
};
#endif
@ -217,6 +220,7 @@ struct perf_event_sample {
#endif /* __KERNEL__ */
/* WARNING: This enum must follow the order in which BPF maps are defined in
* `driver/bpf/maps.h`.
*/
@ -263,13 +267,9 @@ struct tail_context {
struct scap_bpf_per_cpu_state {
struct tail_context tail_ctx;
unsigned long long n_evts; /* Total number of kernel side events actively traced (not including
events discarded due to simple consumer mode). */
unsigned long long
n_drops_buffer; /* Total number of kernel side drops due to full buffer, includes all
categories below, likely higher than sum of syscall categories. */
/* Kernel side drops due to full buffer for categories of system calls. Not all system calls of
* interest are mapped into one of the categories. */
unsigned long long n_evts; /* Total number of kernel side events actively traced (not including events discarded due to simple consumer mode). */
unsigned long long n_drops_buffer; /* Total number of kernel side drops due to full buffer, includes all categories below, likely higher than sum of syscall categories. */
/* Kernel side drops due to full buffer for categories of system calls. Not all system calls of interest are mapped into one of the categories. */
unsigned long long n_drops_buffer_clone_fork_enter;
unsigned long long n_drops_buffer_clone_fork_exit;
unsigned long long n_drops_buffer_execve_enter;
@ -280,18 +280,13 @@ struct scap_bpf_per_cpu_state {
unsigned long long n_drops_buffer_open_exit;
unsigned long long n_drops_buffer_dir_file_enter;
unsigned long long n_drops_buffer_dir_file_exit;
unsigned long long
n_drops_buffer_other_interest_enter; /* Category of other system calls of interest, not
all other system calls that did not match a
category from above. */
unsigned long long n_drops_buffer_other_interest_enter; /* Category of other system calls of interest, not all other system calls that did not match a category from above. */
unsigned long long n_drops_buffer_other_interest_exit;
unsigned long long n_drops_buffer_close_exit;
unsigned long long n_drops_buffer_proc_exit;
unsigned long long n_drops_scratch_map; /* Number of kernel side scratch map drops. */
unsigned long long
n_drops_pf; /* Number of kernel side page faults drops (invalid memory access). */
unsigned long long n_drops_bug; /* Number of kernel side bug drops (invalid condition in the
kernel instrumentation). */
unsigned long long n_drops_scratch_map; /* Number of kernel side scratch map drops. */
unsigned long long n_drops_pf; /* Number of kernel side page faults drops (invalid memory access). */
unsigned long long n_drops_bug; /* Number of kernel side bug drops (invalid condition in the kernel instrumentation). */
unsigned int hotplug_cpu;
bool in_use;
} __attribute__((packed));
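Review bot: In the `sched_process_exec_args` hunk, the new side (the Allman-brace copies) appears to pair the two layouts with the wrong branch: under `#ifndef BPF_SUPPORTS_RAW_TRACEPOINTS` it declares the TP_PROTO argument struct (`p`, `old_pid`, `bprm`), and under `#else` the tracepoint-format struct that starts at `common_type`. A raw tracepoint program is handed the TP_PROTO arguments and a regular tracepoint the format record, so the TP_PROTO struct should sit under `#ifdef BPF_SUPPORTS_RAW_TRACEPOINTS`; otherwise the exec probe would read its context at the wrong offsets and process-exec events could be wrong or lost. The same hunk types the `__data_loc` word as `int filename;`, and since that word packs an offset and a length, `__u32 filename; /* __data_loc char[] filename */` keeps the shift and mask unsigned. The +/- markers are lost on this page and the probe that consumes the struct is outside this section, so both points should be confirmed against the file itself.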


@ -13,7 +13,6 @@ or GPL2.txt for full copies of the license.
// #define SNAPLEN_TRACERS_ENABLED 4096 // note: deprecated
#define SNAPLEN_FULLCAPTURE_PORT 16000
#define SNAPLEN_MAX 65000
#define SNAPLEN_DNS_UDP 512
/* Deep packet inspection logic */
#define DPI_LOOKAHEAD_SIZE 16
@ -21,7 +20,6 @@ or GPL2.txt for full copies of the license.
#define PPM_PORT_POSTGRES 5432
#define PPM_PORT_STATSD 8125
#define PPM_PORT_MONGODB 27017
#define PPM_PORT_DNS 53
/* HTTP */
#define BPF_HTTP_GET 0x20544547
@ -37,5 +35,5 @@ or GPL2.txt for full copies of the license.
#define SECOND_TO_NS 1000000000ULL
#ifdef PAGE_SIZE
#define STR_STORAGE_SIZE PAGE_SIZE
#define STR_STORAGE_SIZE PAGE_SIZE
#endif


@ -1,26 +0,0 @@
/*
Copyright (C) 2023 The Falco Authors.
This file is dual licensed under either the MIT or GPL 2. See MIT.txt
or GPL2.txt for full copies of the license.
*/
/*
* Check that the build environment is sane
*/
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("the Falco authors");
static int empty_init(void) {
return 0;
}
static void empty_exit(void) {}
module_init(empty_init);
module_exit(empty_exit);
