feat: build falco dynamically, dedicated falco-kernel package for quick kernel updates

2023-07-31 18:19:31 +00:00 · 2023-07-31 18:19:31 +00:00 · 59a6f7521f
commit 59a6f7521f
parent c850734f9a
9 changed files with 9121 additions and 21 deletions
--- a/kubezero/falco-kernel/APKBUILD
+++ b/kubezero/falco-kernel/APKBUILD
@ -0,0 +1,50 @@
+# Contributor: Stefan Reimer <stefan@zero-downtime.net>
+# Maintainer: Stefan Reimer <stefan@zero-downtime.net>
+pkgname=falco-kernel
+pkgver=0.35.1
+pkgrel=0
+pkgdesc="Falco kernel module"
+url="https://github.com/falcosecurity/falco"
+arch="x86_64 aarch64"
+license="AGPL-3.0"
+makedepends="cmake linux-virt-dev linux-headers"
+             # protobuf-dev jq-dev openssl-dev curl-dev c-ares-dev grpc-dev yaml-dev yaml-cpp-dev jsoncpp-dev re2-dev"
+             # perl autoconf elfutils-dev libtool argp-standalone musl-fts-dev musl-libintl musl-obstack-dev"
+options="!check"
+
+source="
+  falco-$pkgver.tar.gz::https://github.com/falcosecurity/falco/archive/refs/tags/$pkgver.tar.gz
+  "
+builddir="$srcdir/falco-$pkgver"
+
+prepare() {
+  [[ -d build ]] || mkdir build
+}
+
+build() {
+  # Hack running the build inside a container other uname -r returns host kernel
+  KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-virt))
+
+  cd build
+  cmake .. \
+    -DCMAKE_BUILD_TYPE=Release \
+    -DFALCO_VERSION=$pkgver \
+    -DCMAKE_INSTALL_PREFIX=/usr \
+    -DUSE_BUNDLED_DEPS=On \
+    -DMUSL_OPTIMIZED_BUILD=On
+
+  KERNELDIR=/lib/modules/$KERNEL_VERSION/build make driver
+}
+
+package() {
+  KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-virt))
+  depends="linux-virt~$(echo $KERNEL_VERSION | sed -e 's/-.*$//')"
+
+  cd $srcdir/falco-$pkgver/build
+  mkdir -p "$pkgdir"/lib/modules/$KERNEL_VERSION/kernel
+  gzip -9 -c driver/falco.ko > "$pkgdir"/lib/modules/$KERNEL_VERSION/kernel/falco.ko.gz 
+}
+
+sha512sums="
+dc648d9b0a625a02320ff0235bbf4f4940e7ba40c684a8a1f972d34f0a3447b4a34e665d7fbc0ee1ec9a014f65f81a304dc76b4ec804fc7b4e448f330b9474af  falco-0.35.1.tar.gz
+"
--- a/kubezero/falco/APKBUILD
+++ b/kubezero/falco/APKBUILD
@ -7,37 +7,51 @@ pkgdesc="Falco is the open source solution for runtime security for hosts, conta
 url="https://github.com/falcosecurity/falco"
 arch="x86_64 aarch64"
 license="AGPL-3.0"
-makedepends="cmake bash linux-virt-dev linux-headers perl autoconf elfutils-dev libtool argp-standalone musl-fts-dev musl-libintl musl-obstack-dev"
-             #protobuf-dev jq-dev openssl-dev curl-dev c-ares-dev grpc-dev yaml-dev yaml-cpp-dev jsoncpp-dev re2-dev"
+# These deps are for BUNLDE_DEPS=On
+makedepends="cmake linux-headers bash perl autoconf elfutils-dev libtool argp-standalone musl-fts-dev musl-libintl musl-obstack-dev
+             protobuf-dev jq-dev openssl-dev curl-dev c-ares-dev grpc-dev yaml-dev yaml-cpp-dev jsoncpp-dev re2-dev"
 options="!check"
-source="$pkgname-$pkgver.tar.gz::https://github.com/falcosecurity/falco/archive/refs/tags/$pkgver.tar.gz"
+depends="falco-kernel~$pkgver"

-subpackages="$pkgname-kernel" # $pkgname-plugins"
+# Original config
+# https://raw.githubusercontent.com/falcosecurity/rules/main/rules/falco_rules.yaml
+# https://raw.githubusercontent.com/falcosecurity/falco/master/falco.yaml
+
+source="
+  $pkgname-$pkgver.tar.gz::https://github.com/falcosecurity/falco/archive/refs/tags/$pkgver.tar.gz
+  alpine.patch
+  falco.patch
+  rules.patch
+  "

 prepare() {
  [[ -d build ]] || mkdir build
+
+  # Disable static binaries
+  patch -i $srcdir/alpine.patch
 }

 build() {
-  # Hack running the build inside a container other uname -r returns host kernel
-  KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-virt))
-
  cd build
  cmake .. \
    -DCMAKE_BUILD_TYPE=Release \
    -DFALCO_VERSION=$pkgver \
    -DCMAKE_INSTALL_PREFIX=/usr \
+    -DUSE_BUNDLED_DEPS=Off \
+    -DBUILD_DRIVER=Off \
    -DMUSL_OPTIMIZED_BUILD=On \
-    -DUSE_BUNDLED_DEPS=On

-  KERNELDIR=/lib/modules/$KERNEL_VERSION/build make -j4
+  make falco falcoctl
 }

 package() {
-  KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-virt))
-
  cd build
-  make DESTDIR="${pkgdir}" KERNELDIR=/lib/modules/$KERNEL_VERSION/build install
+  make DESTDIR="${pkgdir}" install
+
+  # patch falco config
+  cd $pkgdir/etc/falco
+  patch -i $srcdir/falco.patch
+  patch -i $srcdir/rules.patch
  
  # We dont build anything on targets so remove sources
  rm -rf $pkgdir/usr/src
@ -45,15 +59,9 @@ package() {
  rm -rf $pkgdir/usr/include
 }

-kernel() {
-  KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-virt))
-  depends="linux-virt~$(echo $KERNEL_VERSION | sed -e 's/-.*$//')"
-
-  cd src/$pkgname-$pkgver/build
-  mkdir -p "$subpkgdir"/lib/modules/$KERNEL_VERSION/kernel
-  gzip -9 -c driver/falco.ko > "$subpkgdir"/lib/modules/$KERNEL_VERSION/kernel/falco.ko.gz 
-}
-
 sha512sums="
 dc648d9b0a625a02320ff0235bbf4f4940e7ba40c684a8a1f972d34f0a3447b4a34e665d7fbc0ee1ec9a014f65f81a304dc76b4ec804fc7b4e448f330b9474af  falco-0.35.1.tar.gz
+b152fcf6cd81895efa37797ab7ff1aac7350b5f51f2648aa9e3cce9d5ece55791ddf82c396e9da216293e2379a785a294cc972f28a91162dc5bc88ab09e1ab08  falco.patch
+d8f71ca7c6d854a866826b3f2f5630b6f30448f794c4c5a56a9ea656ee03c3645a1cf7663b5e79d3ea63d4fab8bd44f91a80b1752c8239c8310efa08b495f2e2  rules.patch
+a067c340269b50354d8eff5cdcf1d60799819b8c20f2f4615af71746eb430d7db320062aa033b75822d4cb3fc2bc73f69d3a0b3ddaba5610155b630e28af6105  alpine.patch
 "
--- a/kubezero/falco/alpine.patch
+++ b/kubezero/falco/alpine.patch
@ -0,0 +1,11 @@
+--- CMakeLists.txt.orig	2023-07-31 17:28:10.413951551 +0000
+++ CMakeLists.txt	2023-07-31 17:28:19.927330458 +0000
+@@ -89,7 +89,7 @@
+ endif()
+ 
+ if(MUSL_OPTIMIZED_BUILD)
+-  set(MUSL_FLAGS "-static -Os -fPIE -pie")
+  set(MUSL_FLAGS "-Os -fPIE -pie")
+   add_definitions(-DMUSL_OPTIMIZED)
+ endif()
+ 
--- a/kubezero/falco/falco.patch
+++ b/kubezero/falco/falco.patch
@ -0,0 +1,20 @@
+--- falco.yaml	2023-07-05 11:42:11.816317256 +0000
+++ zdt_falco.yaml	2023-07-05 11:31:07.476468029 +0000
+@@ -238,7 +238,7 @@
+ # When enabled, Falco will output alert messages and rules file
+ # loading/validation results in JSON format, making it easier for downstream
+ # programs to process and consume the data. By default, this option is disabled.
+-json_output: false
+json_output: true
+ 
+ # [Stable] `json_include_output_property`
+ #
+@@ -263,7 +263,7 @@
+ # Enabling buffering for the output queue can offer performance optimization,
+ # efficient resource usage, and smoother data flow, resulting in a more reliable
+ # output mechanism. By default, buffering is disabled (false).
+-buffered_outputs: false
+buffered_outputs: true
+ 
+ # [Stable] `outputs`
+ #
--- a/kubezero/falco/falco.yaml
+++ b/kubezero/falco/falco.yaml
--- a/kubezero/falco/falco_rules.yaml
+++ b/kubezero/falco/falco_rules.yaml
--- a/kubezero/falco/rules.patch
+++ b/kubezero/falco/rules.patch
@ -0,0 +1,60 @@
+--- falco_rules.yaml	2023-07-05 11:42:09.732973942 +0000
+++ zdt_falco_rules.yaml	2023-07-05 13:30:14.184038126 +0000
+@@ -270,7 +270,7 @@
+ # A canonical set of processes that run other programs with different
+ # privileges or as a different user.
+ - list: userexec_binaries
+-  items: [sudo, su, suexec, critical-stack, dzdo]
+  items: [doas, sudo, su, suexec, critical-stack, dzdo]
+ 
+ - list: known_setuid_binaries
+   items: [
+@@ -2298,27 +2298,28 @@
+ - macro: user_known_non_sudo_setuid_conditions
+   condition: user.name=root
+ 
+# Disabled for now due to buysbox noise 
+ # sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
+-- rule: Non sudo setuid
+-  desc: >
+-    an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"
+-    suing to itself are also excluded, as setuid calls typically involve dropping privileges.
+-  condition: >
+-    evt.type=setuid and evt.dir=>
+-    and (known_user_in_container or not container)
+-    and not (user.name=root or user.uid=0)
+-    and not somebody_becoming_themselves
+-    and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
+-                          nomachine_binaries)
+-    and not proc.name startswith "runc:"
+-    and not java_running_sdjagent
+-    and not nrpe_becoming_nagios
+-    and not user_known_non_sudo_setuid_conditions
+-  output: >
+-    Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
+-    command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
+-  priority: NOTICE
+-  tags: [host, container, users, mitre_privilege_escalation, T1548.001]
+#- rule: Non sudo setuid
+#  desc: >
+#    an attempt to change users by calling setuid. sudo/su are excluded. users "root" and "nobody"
+#    suing to itself are also excluded, as setuid calls typically involve dropping privileges.
+#  condition: >
+#    evt.type=setuid and evt.dir=>
+#    and (known_user_in_container or not container)
+#    and not (user.name=root or user.uid=0)
+#    and not somebody_becoming_themselves
+#    and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
+#                          nomachine_binaries)
+#    and not proc.name startswith "runc:"
+#    and not java_running_sdjagent
+#    and not nrpe_becoming_nagios
+#    and not user_known_non_sudo_setuid_conditions
+#  output: >
+#    Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
+#    command=%proc.cmdline pid=%proc.pid uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
+#  priority: NOTICE
+#  tags: [host, container, users, mitre_privilege_escalation, T1548.001]
+ 
+ - macro: user_known_user_management_activities
+   condition: (never_true)
--- a/kubezero/falco/zdt_falco.yaml
+++ b/kubezero/falco/zdt_falco.yaml
--- a/kubezero/falco/zdt_falco_rules.yaml
+++ b/kubezero/falco/zdt_falco_rules.yaml