Kit for building Falco drivers: kernel modules or eBPF probes

vjjmiras/falco-driverkit

driverkit

Falco Ecosystem Repository Incubating

A command line tool that can be used to build the Falco kernel module and eBPF probe.

Glossary

When you meet kernelversion, that refers to the version you get by executing uname -v.

For example, in the output below, the version is the 59 that follows the hash:

uname -v
#59-Ubuntu SMP Wed Dec 4 10:02:00 UTC 2019

When you meet kernelrelease, that refers to the kernel release you get executing uname -r:

uname -r
4.15.0-1057-aws

Help

By checking driverkit help, you can quickly discover info about:

  • Supported options
  • Supported commands
  • Supported architectures
  • Supported targets
  • Default options

driverkit help

Architecture

The target architecture is taken from the runtime environment, but it can be overridden through the architecture config option.
Driverkit also supports cross-building for arm64 from an x86_64 host using qemu.

NOTE: the correct architecture cannot be inferred automatically from a kernelrelease, because some kernel release names, notably Ubuntu ones, carry no architecture suffix.

Headers

Driverkit has internal logic to retrieve header URLs for a given target and the desired kernelrelease/kernelversion.
Unfortunately, that logic is hard to implement correctly for every supported target.
As of today, the preferred method is to use the kernelurls configuration param instead,
which lets you specify the list of header URLs explicitly.

NOTE: the internal header-fetching logic should be considered a fallback that will, sooner or later, be deprecated.

A tool that crawls all kernels supported by multiple distributions was recently developed,
and it produces JSON output listing the aforementioned kernel headers: https://github.com/falcosecurity/kernel-crawler.
The JSON for each supported architecture can be found at https://falcosecurity.github.io/kernel-crawler/.

How to use

Against a Kubernetes cluster

driverkit kubernetes --output-module /tmp/falco.ko --kernelversion=81 --kernelrelease=4.15.0-72-generic --driverversion=master --target=ubuntu-generic

Against a Docker daemon

driverkit docker --output-module /tmp/falco.ko --kernelversion=81 --kernelrelease=4.15.0-72-generic --driverversion=master --target=ubuntu-generic

Build using a configuration file

Create a file named ubuntu-aws.yaml containing the following content:

kernelrelease: 4.15.0-1057-aws
kernelversion: 59
target: ubuntu-aws
output:
  module: /tmp/falco-ubuntu-aws.ko
  probe: /tmp/falco-ubuntu-aws.o
driverversion: master

Now run driverkit using the configuration file:

driverkit docker -c ubuntu-aws.yaml
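The glossary above describes how kernelversion and kernelrelease are read off uname output, and the configuration file above shows the keys driverkit expects. The following POSIX sh script, an added example that is not part of driverkit, ties the two together: it extracts the kernelversion from a uname -v string, refuses input without the leading '#<number>', and emits a config file in the documented shape. The optional kernelurls entry follows the README's description of that param as a list of header URLs; its exact YAML layout is an assumption, and the sample uname strings and the example.invalid URL are constructed.

```shell
#!/bin/sh
# Added example (not part of driverkit): derive the two kernel identifiers
# driverkit needs from uname output and render a driverkit config file.

# kernelversion is the number after the leading '#' in `uname -v`, e.g.
# "#59-Ubuntu SMP Wed Dec 4 10:02:00 UTC 2019" -> "59". Fails on input
# without that prefix so a bogus value never reaches the build.
kernelversion_from_uname_v() {
    v=$(printf '%s\n' "$1" | sed -n 's/^#\([0-9][0-9]*\).*/\1/p')
    if [ -z "$v" ]; then
        echo "no leading '#<number>' in uname -v output: $1" >&2
        return 1
    fi
    printf '%s\n' "$v"
}

# Render the YAML config driverkit expects (keys as shown in the README).
# The target is passed in because it cannot be inferred from the release
# string alone (see the Architecture note). An optional header URL is
# emitted under kernelurls; the list-of-strings layout is an assumption.
driverkit_config() {
    release="$1"; version="$2"; target="$3"; name="$4"; hdr_url="${5:-}"
    printf 'kernelrelease: %s\nkernelversion: %s\ntarget: %s\n' \
        "$release" "$version" "$target"
    [ -z "$hdr_url" ] || printf 'kernelurls:\n  - %s\n' "$hdr_url"
    printf 'output:\n  module: /tmp/%s.ko\n  probe: /tmp/%s.o\n' "$name" "$name"
    printf 'driverversion: master\n'
}

# Demo on constructed uname output matching the README's ubuntu-aws host.
UNAME_V='#59-Ubuntu SMP Wed Dec 4 10:02:00 UTC 2019'   # constructed sample
UNAME_R='4.15.0-1057-aws'                              # constructed sample
ver=$(kernelversion_from_uname_v "$UNAME_V")
driverkit_config "$UNAME_R" "$ver" ubuntu-aws falco-ubuntu-aws
```

On a real host replace the two constructed strings with `$(uname -v)` and `$(uname -r)` and redirect the output to ubuntu-aws.yaml before running driverkit docker -c.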

Configure the kernel module name

It is possible to customize the kernel module name that is produced by Driverkit with the moduledevicename and moduledrivername options. In this context, the device name is the prefix used for the devices in /dev/, while the driver name is the kernel module name as reported by modinfo or lsmod once the module is loaded.

Examples

For a comprehensive list of examples, head to the example configs!

Support a new target

To add support for a new target, a new builder must be added.
For more info, see the specific docs in the docs/builder.md file.

Support a new builder image

To add support for a new builder image, follow the doc in the docs/builder_images.md file.

Survey

We are conducting a survey to learn which set of operating systems driverkit should support first.

You can find the results of the survey here.
