falcosecurity · poiana · Feb 2, 2024 · Jan 31, 2024 · Jan 19, 2024 · Feb 1, 2024
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -33,13 +33,15 @@ jobs:
   test-dev-packages:
     needs: [fetch-version, build-dev-packages]
     uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
-      matrix:
-        static: ["static", ""]
+    # The musl build job is currently disabled because we link libelf dynamically and it is
+    # not possible to dynamically link with musl
+    # strategy:
+    #   fail-fast: false
+    #   matrix:
+    #     static: ["static", ""]
     with:
       arch: x86_64
-      static: ${{ matrix.static != '' && true || false }}
+      # static: ${{ matrix.static != '' && true || false }}
       version: ${{ needs.fetch-version.outputs.version }}
 
   test-dev-packages-arm64:

diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
@@ -31,13 +31,15 @@ jobs:
   test-dev-packages:
     needs: [fetch-version, build-dev-packages]
     uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
-      matrix:
-        static: ["static", ""]
+    # The musl build job is currently disabled because we link libelf dynamically and it is
+    # not possible to dynamically link with musl
+    # strategy:
+    #   fail-fast: false
+    #   matrix:
+    #     static: ["static", ""]
     with:
       arch: x86_64
-      static: ${{ matrix.static != '' && true || false }}
+      # static: ${{ matrix.static != '' && true || false }}
       version: ${{ needs.fetch-version.outputs.version }}
 
   test-dev-packages-arm64:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -69,13 +69,16 @@ jobs:
   test-packages:
     needs: [release-settings, build-packages]
     uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
-      matrix:
-        static: ["static", ""]
+
+    # The musl build job is currently disabled because we link libelf dynamically and it is
+    # not possible to dynamically link with musl
+    # strategy:
+    #   fail-fast: false
+    #   matrix:
+    #     static: ["static", ""]
     with:
       arch: x86_64
-      static: ${{ matrix.static != '' && true || false }}
+      # static: ${{ matrix.static != '' && true || false }}
       version: ${{ github.event.release.tag_name }}
 
   test-packages-arm64:

diff --git a/.github/workflows/reusable_build_packages.yaml b/.github/workflows/reusable_build_packages.yaml
@@ -20,7 +20,7 @@ jobs:
       # Always install deps before invoking checkout action, to properly perform a full clone.
       - name: Install build dependencies
         run: |
-          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
+          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel elfutils-libelf-devel
 
       - name: Checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
@@ -50,7 +50,7 @@ jobs:
           yum -y install centos-release-scl
           yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
           source /opt/rh/devtoolset-9/enable
-          yum install -y wget git make m4 rpm-build perl-IPC-Cmd
+          yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd
 
       - name: Checkout
         # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
@@ -118,9 +118,12 @@ jobs:
           path: |
             ${{ github.workspace }}/build/falco-*.rpm
 
+  # The musl build job is currently disabled because we link libelf dynamically and it is
+  # not possible to dynamically link with musl
   build-musl-package:
     # x86_64 only for now
-    if: ${{ inputs.arch == 'x86_64' }}
+    # if: ${{ inputs.arch == 'x86_64' }}
+    if: false 
     runs-on: ubuntu-latest
     container: alpine:3.17
     steps:

diff --git a/.github/workflows/reusable_fetch_version.yaml b/.github/workflows/reusable_fetch_version.yaml
@@ -31,7 +31,7 @@ jobs:
       - name: Configure project
         run: |
           mkdir build && cd build
-          cmake -DUSE_BUNDLED_DEPS=On ..
+          cmake -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off ..
 
       - name: Load and store Falco version output
         id: store_version

diff --git a/.github/workflows/reusable_publish_packages.yaml b/.github/workflows/reusable_publish_packages.yaml
@@ -65,7 +65,10 @@ jobs:
           name: falco-${{ inputs.version }}-aarch64.tar.gz
           path: /tmp/falco-build-bin
 
+      # The musl build job is currently disabled because we link libelf dynamically and it is
+      # not possible to dynamically link with musl
       - name: Download static binary x86_64
+        if: false
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: falco-${{ inputs.version }}-static-x86_64.tar.gz
@@ -89,8 +92,11 @@ jobs:
         run: |
           ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
           ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-aarch64.tar.gz -r bin${{ inputs.bucket_suffix }} -a aarch64
-
+
+      # The musl build job is currently disabled because we link libelf dynamically and it is
+      # not possible to dynamically link with musl
       - name: Publish static
+        if: false
         run: |
           ./scripts/publish-bin -f /tmp/falco-build-bin-static/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
 

diff --git a/.github/workflows/staticanalysis.yaml b/.github/workflows/staticanalysis.yaml
@@ -20,7 +20,7 @@ jobs:
       - name: Build and run cppcheck 🏎️
         run: |
           mkdir build
-          cd build && cmake -DUSE_BUNDLED_DEPS=On -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DCMAKE_BUILD_TYPE="release" -DBUILD_BPF=Off -DBUILD_DRIVER=Off ..
+          cd build && cmake -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DCMAKE_BUILD_TYPE="release" -DBUILD_BPF=Off -DBUILD_DRIVER=Off ..
           make -j4 cppcheck
           make -j4 cppcheck_htmlreport
 

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -16,6 +16,7 @@ cmake_minimum_required(VERSION 3.5.1)
 project(falco)
 
 option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
+option(USE_DYNAMIC_LIBELF "Dynamically link libelf" ON)
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
 option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)

diff --git a/cmake/modules/driver.cmake b/cmake/modules/driver.cmake
@@ -34,8 +34,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "bfbc0076b4dd52054f858cc45e98f1fdd9a91010")
-    set(DRIVER_CHECKSUM "SHA256=e987fef047925171be1f599e15e7ab0f5afc88a19596518bcaebd5dc9c3c81ef")
+    set(DRIVER_VERSION "9cd289cb27efb94ad47c4598f976253151dd3f62")
+    set(DRIVER_CHECKSUM "SHA256=b380f5bc1e0e2f21d82023ff361ac60bea3e4de336e3ec94b98618b5c58290a2")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

diff --git a/cmake/modules/falcosecurity-libs.cmake b/cmake/modules/falcosecurity-libs.cmake
@@ -35,8 +35,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "bfbc0076b4dd52054f858cc45e98f1fdd9a91010")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=e987fef047925171be1f599e15e7ab0f5afc88a19596518bcaebd5dc9c3c81ef")
+    set(FALCOSECURITY_LIBS_VERSION "9cd289cb27efb94ad47c4598f976253151dd3f62")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=b380f5bc1e0e2f21d82023ff361ac60bea3e4de336e3ec94b98618b5c58290a2")
   endif()
 
   # cd /path/to/build && cmake /path/to/source
@@ -87,6 +87,10 @@ set(USE_BUNDLED_NLOHMANN_JSON ON CACHE BOOL "")
 set(USE_BUNDLED_VALIJSON ON CACHE BOOL "")
 set(USE_BUNDLED_RE2 ON CACHE BOOL "")
 set(USE_BUNDLED_UTHASH ON CACHE BOOL "")
+if(USE_DYNAMIC_LIBELF)
+  set(USE_BUNDLED_LIBELF OFF CACHE BOOL "")
+  set(USE_SHARED_LIBELF ON CACHE BOOL "")
+endif()
 
 list(APPEND CMAKE_MODULE_PATH "${FALCOSECURITY_LIBS_SOURCE_DIR}/cmake/modules")
 

diff --git a/docker/no-driver/Dockerfile b/docker/no-driver/Dockerfile
@@ -28,7 +28,7 @@ LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 # NOTE: for the "least privileged" use case, please refer to the official documentation
 
-RUN apt-get -y update && apt-get -y install ca-certificates curl jq \
+RUN apt-get -y update && apt-get -y install ca-certificates curl jq libelf1 \
     && apt clean -y && rm -rf /var/lib/apt/lists/*
 
 ENV HOST_ROOT /host

diff --git a/docker/no-driver/Dockerfile.distroless b/docker/no-driver/Dockerfile.distroless
@@ -6,7 +6,7 @@ ARG VERSION_BUCKET=bin
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV VERSION_BUCKET=${VERSION_BUCKET}
 
-RUN apk update && apk add build-base gcc curl ca-certificates jq
+RUN apk update && apk add build-base gcc curl ca-certificates jq elfutils
 
 WORKDIR /
 
@@ -21,14 +21,16 @@ RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
     && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
 
-FROM cgr.dev/chainguard/glibc-dynamic
+FROM cgr.dev/chainguard/wolfi-base
 
 LABEL maintainer="[email protected]"
 LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 # NOTE: for the "least privileged" use case, please refer to the official documentation
 
+RUN apk update && apk add libelf
+
 ENV HOST_ROOT /host
 ENV HOME /root
 

diff --git a/userspace/engine/falco_engine_version.h b/userspace/engine/falco_engine_version.h
@@ -20,7 +20,7 @@ limitations under the License.
 
 // The version of this Falco engine
 #define FALCO_ENGINE_VERSION_MAJOR 0
-#define FALCO_ENGINE_VERSION_MINOR 32
+#define FALCO_ENGINE_VERSION_MINOR 33
 #define FALCO_ENGINE_VERSION_PATCH 0
 
 #define FALCO_ENGINE_VERSION \
@@ -34,4 +34,4 @@ limitations under the License.
 // It represents the fields supported by this version of Falco,
 // the event types, and the underlying driverevent schema. It's used to
 // detetect changes in engine version in our CI jobs.
-#define FALCO_ENGINE_CHECKSUM "b5e45959d248f7c28ad51ac12962150770770d1dd4506e8f7aa90d68ba670c12"
+#define FALCO_ENGINE_CHECKSUM "6de427ad72fad5911239683aa6627833f8006a2350808730c436a85fc8648a9a"