feat: falco version bump, make BPF work again

kubezero/falco/APKBUILD

@@ -1,7 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=falco
-pkgver=0.39.2
+pkgver=0.40.0
 pkgrel=0
 pkgdesc="Falco is the open source solution for runtime security for hosts, containers, Kubernetes and the cloud"
 url="https://github.com/falcosecurity/falco"
@@ -48,8 +48,8 @@ build() {
     -DCMAKE_INSTALL_PREFIX=/usr \
     -DFALCO_ETC_DIR=/etc/falco \
     -DUSE_BUNDLED_DEPS=On \
-    -DUSE_JEMALLOC=On \
     -DMINIMAL_BUILD=On \
+    -DUSE_JEMALLOC=Off \
     -DUSE_DYNAMIC_LIBELF=Off \
     -DMUSL_OPTIMIZED_BUILD=On \
     -DBUILD_DRIVER=Off \
@@ -80,8 +80,8 @@ package() {
 }
 
 sha512sums="
-198405e9383625ca4d78822de7674c62863d15b3108ba5b06d4cf6ff20850f7eec9123fe7d98d049acc2931b98e4b09d7ef0d66136a31363ce59a64ad9e8eda0  falco-0.39.2.tar.gz
+1db97907cd43447472dde3cd5035b49eec3d1a6a2270a76c229edc076934d57de054d518f9299fb54ea9b46f17d28863a0e6d4311325dbaefffe5c38cdd314df  falco-0.40.0.tar.gz
-b152fcf6cd81895efa37797ab7ff1aac7350b5f51f2648aa9e3cce9d5ece55791ddf82c396e9da216293e2379a785a294cc972f28a91162dc5bc88ab09e1ab08  falco.patch
+1cfa0fc1ad837b68e571564244fceedcfe23d698bc43fc88bdc95f8ad83370d96e843fccb0494c09b78ba059687dd9bb7bdfd53c6bfc90d08a9cdab124a13efd  falco.patch
-b6cf8bda946b71241b332d25bcde73e73159ae0993be4291c158e23e44f927b4432d53b9d6d730aee442c94ffc75e119b9f6467e94a0950a19a5f1369afb4e13  rules.patch
+a7ab1f2e365fe3aba5a1e3797dce632123bf9477eccfefb1d31f0ae10300d657e328c0a84462fb1557e10e88d567e2e93220db054cb6089ee52ee38bba1096e4  rules.patch
 9d1292a99bab7792bfe344940fa41ccf01318d5f30f854b01457e9f53ccca27f7f334466c061a11fbe8ebf918aeeb7f723b16a233c9e3bd60dd632d831ae9f5c  falco.initd
 "

kubezero/falco/falco.patch

@@ -1,6 +1,6 @@
---- falco.yaml	2023-07-05 11:42:11.816317256 +0000
+--- falco.yml.orig	2025-01-29 17:13:37.287476135 +0000
-+++ zdt_falco.yaml	2023-07-05 11:31:07.476468029 +0000
++++ falco.yaml	2025-01-29 17:03:49.774144402 +0000
-@@ -238,7 +238,7 @@
+@@ -522,7 +522,7 @@
  # When enabled, Falco will output alert messages and rules file
  # loading/validation results in JSON format, making it easier for downstream
  # programs to process and consume the data. By default, this option is disabled.
@@ -9,12 +9,12 @@
  
  # [Stable] `json_include_output_property`
  #
-@@ -263,7 +263,7 @@
+@@ -561,7 +561,7 @@
- # Enabling buffering for the output queue can offer performance optimization,
+ # Additionally, this setting is separate from the `output_queue` option. The output queue
- # efficient resource usage, and smoother data flow, resulting in a more reliable
+ # sits between the rule engine and the output channels, while output buffering occurs
- # output mechanism. By default, buffering is disabled (false).
+ # afterward once the specific channel implementation outputs the formatted message.
 -buffered_outputs: false
 +buffered_outputs: true
  
- # [Stable] `outputs`
+ # [Incubating] `rule_matching`
  #

kubezero/falco/rules.patch

@@ -1,6 +1,6 @@
---- falco_rules.yaml	2023-11-07 16:26:40.171716913 +0000
+--- falco_rules.yaml.orig	2025-01-29 18:47:38.918577192 +0000
-+++ zdt_falco_rules.yaml	2023-11-07 16:30:24.912804117 +0000
++++ falco_rules.yaml	2025-01-29 18:47:21.505145109 +0000
-@@ -171,7 +171,7 @@
+@@ -172,7 +172,7 @@
  # A canonical set of processes that run other programs with different
  # privileges or as a different user.
  - list: userexec_binaries
@@ -9,7 +9,7 @@
  
  - list: user_mgmt_binaries
    items: [login_binaries, passwd_binaries, shadowutils_binaries]
-@@ -200,7 +200,7 @@
+@@ -201,7 +201,7 @@
      ]
  
  - list: sensitive_file_names
@@ -18,7 +18,7 @@
  
  - list: sensitive_directory_names
    items: [/, /etc, /etc/, /root, /root/]
-@@ -208,7 +208,7 @@
+@@ -209,7 +209,7 @@
  - macro: sensitive_files
    condition: >
      (fd.name in (sensitive_file_names) or
@@ -27,3 +27,12 @@
  
  # Indicates that the process is new. Currently detected using time
  # since process was started, using a threshold of 5 seconds.
+@@ -362,7 +362,7 @@
+ 
+ - list: read_sensitive_file_binaries
+   items: [
+-    iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd,
++    iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, sshd-session,
+     vsftpd, systemd, mysql_install_d, psql, screen, debconf-show, sa-update,
+     pam-auth-update, pam-config, /usr/sbin/spamd, polkit-agent-he, lsattr, file, sosreport,
+     scxcimservera, adclient, rtvscand, cockpit-session, userhelper, ossec-syscheckd