0.10.0

0.10.0

Changelog

See milestone: https://github.com/falcosecurity/libs/milestone/3

0.9.2

What's Changed

• Sync changes for 0.9.2: gvisor bugfixes by @LucaGuerra in #725
• Sync changes for 0.9.2: bpf bugfixes by @LucaGuerra in #726

Full Changelog: 0.9.1...0.9.2

0.9.1

What's Changed

• update: sync commits on 0.9 branch release by @jasondellaluce in #697
• update: sync commits on 0.9 branch release by @jasondellaluce in #701

Full Changelog: 0.9.0...0.9.1

0.9.0

What's Changed

• update(gvisor): add retries and ignore_setup_error to gvisor config g… by @loresuso in #488
• fix: thread-safety issue in proclist savefile by @deepskyblue86 in #473
• update(OWNERS): move inactive approvers to emeritus_approvers by @jasondellaluce in #489
• feat: Add new return code for filtered events(1/3) by @nathan-b in #490
• Lookup retry on asynchronous container engines by @deepskyblue86 in #402
• Convert savefile (scap file reader) to a scap engine [3/n] by @gnosek in #487
• new(CI): add GH actions for modern BPF probe by @Andreagit97 in #496
• cleanup(libsinsp): remove redundant string in validate_filter_value by @LucaGuerra in #507
• fix(userspace/libscap): fix windows and macos linking of binaries. by @FedeDP in #502
• fix(libsinsp): retain compatibility with PPME_SYSCALL_DUP_X by @LucaGuerra in #508
• new(userspace/libsinsp): support loading users and groups from overlayfs for containers by @FedeDP in #493
• new(sinsp/test): add event based tests by @LucaGuerra in #485
• update(libsinsp): drop also untracked syscalls in kernel-side simple consumer mode by @Andreagit97 in #211
• Don't use C99 initializers in C++ by @gnosek in #511
• update(CI): build also bpf_test in ARM64 job by @Andreagit97 in #510
• Track container user info and expose via user.name by @mstemm in #332
• Fix threadinfo leaks when threaded programs exec by @mstemm in #336
• feat(filterchecks): add optional metrics struct for caching by @mstemm in #351
• Add ast as string by @mstemm in #394
• fix(scap/gvisor): do not use C99 initializers in C++ in gVisor by @LucaGuerra in #519
• fix(gvisor): cleanup tests, consistent return values by @LucaGuerra in #520
• Detect valijson on the system and use it when requested by @ovalenti in #491
• fix(libscap): Use fdopen if gzdopen isn't available. by @geraldcombs in #523
• update(tests): automatically run libscap tests in CI by @LucaGuerra in #522
• update(scap-open): handle all scap return codes by @jasondellaluce in #528
• chore(PULL_REQUEST_TEMPLATE.md): add savefile engine entry by @jasondellaluce in #529
• update(userspace/libscap): support scap reader for stream data by @jasondellaluce in #525
• fix(userspace/libsinsp): revert container.mount source and dest extraction by @jasondellaluce in #532
• fix(libsinsp/tests): fix two simple memory leaks in tests by @LucaGuerra in #534
• fix(ci): fixed checkout action fetch depth. by @FedeDP in #533
• chore(userspace/libscap): fixed printf on error when check_api_compatibility() fails by @FedeDP in #527
• new(ci): build libs and modern-bpf for s390x by @hbrueckner in #538
• cleanup(userspace/libsinsp): remove legacy references by @jasondellaluce in #539
• update(OWNERS): add Luca Guerra (LucaGuerra) to owners by @LucaGuerra in #536
• Fixup our Win32 checks. by @geraldcombs in #541
• fix(libsinsp): consider <NA> as an empty param by @Andreagit97 in #499
• update(userspace/libscap): improve scap reader by @jasondellaluce in #545
• create static method to clone existing sinsp_evt by @VadimZy in #495
• new(libsinsp/tests): add basic dup/dup2/dup3 tests by @LucaGuerra in #537
• refactor(libsinsp): manage memory in ast/parser via unique_ptrs by @LucaGuerra in #535
• update(cmake): Remove old LuaJIT+macOS compiler flags. by @geraldcombs in #555
• update(libsinsp/drivers): send empty params from drivers and manage them in userspace by @Andreagit97 in #551
• fix(userspace/libscap): set gzerror fallback to static by @jasondellaluce in #557
• improve fields parsing performance by eliminating temp strings. by @VadimZy in #530
• update: add re2 dependency for portable and reliable regex matching by @jasondellaluce in #556
• fix(userspace/libsinsp): fix parse_field_name() wrong check (size_t, aka uint32_t, cast of max_fldlen) by @FedeDP in #562
• fix(userspace/libsinsp): solve assert errors in unit tests by @jasondellaluce in #563
• chore(userspace/libscap): give name to bpf programs by @alban in #559
• (fix) Fix compile error in sinsp_with_test_input by @gnosek in #564
• fix(libsinsp): retrieve the correct exepath with execveat syscall by @Andreagit97 in #552
• update(libsinsp)!: merge all the opening methods into just one by @Andreagit97 in #540
• fix(userspace/libsinsp/filter)!: use raw pointers in AST as_string signature by @jasondellaluce in #561
• fix(libsinsp): avoid unused variable by @gnosek in #566
• fix(readme): fixed small typo. by @FedeDP in #570
• Consider scap host root for passwd and group lookup by @deepskyblue86 in #542
• cleanup(sinsp): add output format option to sinsp-example by @incertum in #568
• fix(libsinsp): keep the copy of cgroups alive across the write by @deepskyblue86 in #575
• new(ci): run tests with AddressSanitizer on x86_64 by @LucaGuerra in #573
• update(build): bump c-ares to 1.18.1 by @LucaGuerra in #578
• update(userspace/plugin): bump plugin API version to 2.0.0 by @jasondellaluce in #547
• update(readme): add a beautiful archs badge that links to proper section in readme by @FedeDP in #586
• fix(userspace/libscap,userspace/libsinsp): properly add parsers for multiple EF_CREATES_FD events. by @FedeDP in #579
• update(userspace/libsinsp): k8s filterchecks documentation desc by @leogr in #589
• update(OWNERS): add Hendrik Brueckner (hbrueckner) as reviewer by @hbrueckner in #590
• new(libsinsp/test): Test open/openat/creat NULL filenames and enter/exit string disagreements by @LucaGuerra in #572
• Add e2e tests based on sinsp-example by @Molter73 in #506
• chore(userspace/libsinsp): improve get_event_type util method in sinsp-example by @FedeDP in #598
• new(userspace/libsinsp): provide multiple default sets for ppm_sc of interest by @FedeDP in #585
• Random cleanups by @gnosek in #588
• chore(userspace/libsinsp): move new enforce_X_ppm_sc near to enforce_sinsp_state_ppm_sc by @FedeDP in #599
• Save parser positions ast by @mstemm in #560
• fix(userspace/libsinsp): use self instead of inspector's usergroup_manager by @deepskyblue86 in #602
• new(sinsp/tests): introduce sinsp_usergroup_manager test by @deepskyblue86 in #601
• add filter execution statistics to be analyzed by the clients by @VadimZy in #583
• new(libsinsp,engines): add support for variable shared buffer dimension by @Andreagit97 in #584
• fix(CI): remove an old reference by @Andreagit97 in #613
• new(libsinps): add a new API in sinsp to obtain the events associated with a set of ppm_sc by @Andreagit97 in #609
• update(build): use -Og when debugging by @LucaGuerra in #616
• new(libsinsp/test): add spawn process test by @LucaGuerra in #614
• mitigation for falco#1909 - fix(k8s-client): han...

3.0.1+driver

What's Changed

• fix(driver): avoid kmod buffer corruption in case of len>max_arg_size by @Andreagit97 in #660

Full Changelog: 3.0.0+driver...3.0.1+driver

3.0.0+driver

What's Changed

• fix(driver): fixed build of kmod on ancient < 2.6.39 kernels. by @FedeDP in #459
• fix(driver/bpf): accessing loginuid depends upon a config flag in the kernel by @FedeDP in #472
• fix(driver): fixed a couple of possible (yet unlikely) uninitialized vars in driver by @FedeDP in #449
• Scaffolding modern BPF probe by @Andreagit97 in #373
• new(driver-bpf,driver-kmod,libscap,libscap-engine-bpf,libscap-engine-kmod): extend buffer event drop metrics by @incertum in #414
• new: add the gtest framework for the modern BPF probe by @Andreagit97 in #484
• chore(driver): bump API driver version by @Andreagit97 in #492
• cleanup(drivers): introduce CAPTURE_SCHED_PROC_EXEC and CAPTURE_SCHED_PROC_FORK feature gates by @Andreagit97 in #452
• fix(kmod): support clone child exit events on s390x by @Andreagit97 in #500
• RFC: new(modern_bpf): add s390x registers management by @hbrueckner in #504
• update(bpf): disable BPF raw tracepoints for not supported architectures by @Andreagit97 in #505
• update(driver): add getrlimit and ugetrlimit to simple consumer by @Andreagit97 in #382
• new(modern_bpf): add support for open family syscalls by @Andreagit97 in #503
• new(modern_bpf): add support for some file related syscalls by @Andreagit97 in #514
• new(modern_bpf): add support for chdir family syscalls by @Andreagit97 in #509
• new(driver,userspace/libsinsp): introduce a new PPME_SYSCALL_BPF_2_ events to avoid using the dynamic argument by @FedeDP in #501
• new(modern_bpf): add support for notify syscalls by @Andreagit97 in #516
• update(driver): add support for mlock2 syscall by @alacuku in #358
• new(modern_bpf): add support for kill family, seccomp, ptrace, capset syscalls by @Andreagit97 in #517
• new(modern_bpf): add support for some network family syscalls by @Andreagit97 in #544
• update(libsinsp/drivers): send empty params from drivers and manage them in userspace by @Andreagit97 in #551
• new(modern_bpf): add support for process family syscalls by @Andreagit97 in #553
• update(driver): Unpack a couple of structs. by @geraldcombs in #565
• new(modern_bpf): add support for rename family and pipe family syscalls by @Andreagit97 in #518
• new(modern_bpf): add support for bpf, flock, ioctl, quotactl, unshare, mount, umount2 by @Andreagit97 in #549
• new(modern_bpf): add support for link family syscalls by @Andreagit97 in #550
• fix(kmod): add the string terminator if not present by @Andreagit97 in #574
• new(modern_bpf): add support for set family syscalls by @Andreagit97 in #554
• new(modern_bpf): add support for last network family syscalls by @Andreagit97 in #558
• cleanup(driver,userspace/libscap,userspace/libsinsp): dropped simpleconsumer mode and simple driver concepts by @FedeDP in #521
• new(modern_bpf): add fcntl and shutdown syscalls by @Andreagit97 in #569
• cleanup(driver,userspace/libscap): merged syscall_code_routing_table with syscall_table by @FedeDP in #581
• fix(bpf): restore the right order of BPF maps definitions by @Andreagit97 in #592
• fix(driver/kmod): fixed tracepoint detach to avoid dmesg errors. by @FedeDP in #597
• new(modern_bpf): add missing tracepoints by @Andreagit97 in #594
• chore(driver): allow modern probe to compute API/SCHEMA versions by @Andreagit97 in #600
• fix(bpf): fallback for unsupported prog_names by @Andreagit97 in #607
• new: fsconfig support by @FedeDP in #606
• new(modern_bpf): change sys_enter and sys_exit prog names by @Andreagit97 in #623
• Avoid calls to sock->getname() from kernel module fillers by @jcpittman144 in #640
• fix(kmod): check use of kstrtoul by @Andreagit97 in #642

New Contributors

• @incertum made their first contribution in #468
• @hbrueckner made their first contribution in #504

Full Changelog: 2.0.0+driver...3.0.0+driver

3.0.0-rc1+driver

fix(sinsp): don't look up thread -1 in the table

Synthetic events don't have a real tid but use -1 instead.
We exclude the container events but missed the recently
introduced user/group events

Signed-off-by: Grzegorz Nosek <[email protected]>

0.9.0-rc1

fix(sinsp): don't look up thread -1 in the table

Synthetic events don't have a real tid but use -1 instead.
We exclude the container events but missed the recently
introduced user/group events

Signed-off-by: Grzegorz Nosek <[email protected]>

0.8.0

What's Changed

• fix(libscap): add EF_OLD_VERSION for older versions of events by @LucaGuerra in #474
• new(userspace/libsinsp): extend filter/display fields by @incertum in #468
• new(ci): port to github actions. Added a windows and macos CI too. by @FedeDP in #453
• docs: add libpman label by @Andreagit97 in #475
• fix(install): install the 10 libscap related libraries by @terylt in #467
• fix(ci): fixed github actions from master branch by @FedeDP in #478
• refactor!: move parts of libsinsp under the chisel directory by @jasondellaluce in #249
• chore: fix gtest fatal error by @Andreagit97 in #457
• fix(curl-https-fail): Removing 2 configuration flags for lib curl by @Lowaiz in #442
• Refactor freeing of devices in scap by @Molter73 in #427
• refactor(userspace): re-implement plugin loader in C and split it in its own package by @jasondellaluce in #392
• fix(libscap): fix call to ioctl when getting proclist by @loresuso in #481
• update(OWNERS): add Mauro Moltrasio (Molter73) to OWNERS by @Molter73 in #480
• fix(userspace/libscap): solve compilation warnings and errors by @jasondellaluce in #483
• docs: fix order of eBPF warning and gVisor paragraph by @loresuso in #476

New Contributors

• @Lowaiz made their first contribution in #442

Full Changelog: 0.7.0...0.8.0

0.7.0

What's Changed

• new(libsinsp): add is_gvisor() by @LucaGuerra in #417
• new(gvisor): retrieve procfs state from gvisor by @loresuso in #412
• update(build): upgrade OpenSSL to 1.1.1p by @LucaGuerra in #422
• chore(userspace/libsinsp): make k8s bad node name error more informative by @jasondellaluce in #424
• fix(gvisor): initialize missing variables by @Molter73 in #420
• Add async key value unit tests by @mstemm in #419
• build: reorganize driver cmake vars by @leogr in #423
• update(gvisor): fill also tinfo uid and gid by @loresuso in #426
• update(libsinsp): add a way to generate gVisor trace session config file by @loresuso in #425
• fix(libsinsp): Don't overwrite good container metadata with bad by @gnosek in #428
• update(gvisor): implement parsing for procfs regular files by @loresuso in #430
• new(gvisor): get socket from configuration file, fix tests by @LucaGuerra in #429
• cleanup(gvisor): use SYS_ macros instead of syscall numbers by @LucaGuerra in #431
• update(build): upgrade libcurl to 7.84.0 by @LucaGuerra in #432
• fix(gvisor): fix off-by-one in json parsing eating the last character by @LucaGuerra in #434
• new(gvisor): missing syscalls by @loresuso in #433
• feature(sinsp-example): print info about all threads by @Molter73 in #437
• update(gvisor): introduce default root path by @loresuso in #444
• new(gvisor): add new syscalls (update to gvisor 45b06bbb) by @LucaGuerra in #438
• fix(libscap): bump minimum schema version to 2.0.0 by @Molter73 in #445
• fix(libsinsp/k8s): set api url path to "apps/v1" by @alacuku in #447
• fix(userspace/libscap,userspace/libsinsp): fix windows build by @geraldcombs in #451
• fix(userspace/libscap): propagate scap open errors by @jasondellaluce in #456
• fix(userspace/libsinsp): avoid crashing in TYPE_RESSTR when an EF_CREATES_FD event has no "fd" param by @FedeDP in #455
• fix(gvisor): fix epoll use-after-free by @loresuso in #458
• update(gvisor): implement get_stats for gVisor by @loresuso in #463
• update(gvisor): do not count unsupported messages for stats by @LucaGuerra in #464
• fix(build): set gtest tag instead of using main by @LucaGuerra in #466
• fix(userspace/libsinsp): reduce mem allocs for filter comparisons by @jasondellaluce in #368
• fix(userspace/libsinsp): avoid string copy in plugin extraction by @jasondellaluce in #370
• new(userspace/libscap): [part 1/n] Introduce vtable-based dispatchby @gnosek in #213
• fix(userspace/libsinsp): reduce mem allocs for field extraction in chisels and formatting by @jasondellaluce in #369
• docs: update PULL_REQUEST_TEMPLATE.md by @Andreagit97 in #372
• update(driver,libsinsp): inode numbers in file events by @yo348 in #302
• refactor(userspace/libsinsp): remove unused check_id from events by @jasondellaluce in #376
• fix(libscap): call vtable->free_handle at shutdown by @LucaGuerra in #380
• fix(userspace/libsinsp): define HAVE_PWD_H and HAVE_GRP_H on every non-windows system by @jasondellaluce in #383
• refactor(userspace/libsinsp)!: split plugin creation and initialization phases by @jasondellaluce in #378
• new(userspace/libscap): [part 2/n] Move kmod and BPF engines to vtables by @gnosek in #374
• fix(userspace/libsinsp): Fix helgrind errors for async_key_value_source by @mstemm in #384
• update(build): Move CMAKE_THREAD_LIBS_INIT to after gtest when linking by @mstemm in #387
• fix(build): make codebase more robust to __STDC_FORMAT_MACROS definitions by @jasondellaluce in #390
• chore(userspace/libsinsp): improve messages of plugin version errors by @jasondellaluce in #389
• new(libscap): add gVisor scap engine by @LucaGuerra @loresuso @Molter73 in #328
• fix(libscap): bpf probe was not correctly loaded by @Andreagit97 in #396
• fix(libscap): fix debug mode assert by @LucaGuerra in #397
• update(userspace/libscap): support scaps stats in source plugin engine by @jasondellaluce in #400
• update(libscap): improve scap-open example by @Andreagit97 in #371
• update(libscap): Add a macOS platform directory by @geraldcombs in #398
• new(userspace,driver): Better support for dup syscall family by @alacuku in #385
• new(libscap): add /proc scan vtable functions, wire them to gvisor implementation by @LucaGuerra in #404
• new(libscap): gVisor sandboxes trace session set up with runsc by @loresuso in #393
• fix(gvisor): use strlcpy to copy unix path strings by @LucaGuerra in #406
• fix(scap_open): avoid segmentation faults when the path is missing by @Andreagit97 in #409
• update(gvisor): only build on x86_64 by @LucaGuerra in #408
• fix(gvisor): handle empty root path or socket by @LucaGuerra in #407
• new(build): sets FALCOSECURITY_LIBS_VERSION on the checked-out git ref by @andreabonanno in #196
• docs: initial release.md by @leogr in #405
• fix(gvisor): add DEPENDS to proto generation command by @LucaGuerra in #415
• build: versioning system by @leogr in #413

Full Changelog: 0.7.0-alpha...0.7.0