Skip to content

wip: feat!: isolate legacy bpf probe TOCTOU mitigation logic #2586

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ekoops wants to merge 1 commit into
base: master
Choose a base branch
from
Open

wip: feat!: isolate legacy bpf probe TOCTOU mitigation logic #2586

ekoops wants to merge 1 commit into from

Conversation

@ekoops
Copy link
Contributor

@ekoops ekoops commented Aug 20, 2025

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-gvisor

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

WIP

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

/milestone 0.22.0

Does this PR introduce a user-facing change?:

NONE

@poiana poiana added this to the 0.22.0 milestone Aug 20, 2025
@github-actions
Copy link

github-actions bot commented Aug 20, 2025
edited
Loading

Please double check driver/API_VERSION file. See versioning.

/hold

@poiana
Copy link
Contributor

poiana commented Aug 20, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ekoops

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ekoops ekoops force-pushed the ekoops/isolate-legacy-toctou branch 3 times, most recently from f19773d to 96ed25e Compare August 20, 2025 15:51
@codecov
Copy link

codecov bot commented Aug 20, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.17%. Comparing base (f9a1b93) to head (6fdb319).
⚠️ Report is 158 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #2586   +/-   ##
=======================================
  Coverage   78.17%   78.17%           
=======================================
  Files         298      298           
  Lines       32098    32098           
  Branches     4691     4691           
=======================================
  Hits        25092    25092           
  Misses       7006     7006
Flag Coverage Δ
libsinsp 78.17% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@ekoops ekoops force-pushed the ekoops/isolate-legacy-toctou branch 6 times, most recently from adaddd1 to b137cc5 Compare August 21, 2025 13:40
@github-actions
Copy link

github-actions bot commented Aug 21, 2025
edited
Loading

X64 kernel testing matrix

KERNEL CMAKE-CONFIGURE KMOD BUILD KMOD SCAP-OPEN BPF-PROBE BUILD BPF-PROBE SCAP-OPEN MODERN-BPF SCAP-OPEN
amazonlinux2-4.19 🟢 🟢 🟢 🟢 🟡
amazonlinux2-5.10 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2-5.15 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2-5.4 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2022-5.15 🟢 🟢 🟢 🟢 🟢 🟢
amazonlinux2023-6.1 🟢 🟢 🟢 🟢 🟢 🟢
archlinux-6.0 🟢 🟢 🟢 🟢 🟢 🟢
archlinux-6.7 🟢 🟢 🟢 🟢 🟢 🟢
centos-3.10 🟢 🟢 🟢 🟡 🟡 🟡
centos-4.18 🟢 🟢 🟢 🟢 🟢 🟢
centos-5.14 🟢 🟢 🟢 🟢 🟢 🟢
fedora-5.17 🟢 🟢 🟢 🟢 🟢 🟢
fedora-5.8 🟢 🟢 🟢 🟢 🟢 🟢
fedora-6.2 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-3.10 🟢 🟢 🟢 🟡 🟡 🟡
oraclelinux-4.14 🟢 🟢 🟢 🟢 🟡
oraclelinux-5.15 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-5.4 🟢 🟢 🟢 🟢 🟡
ubuntu-4.15 🟢 🟢 🟢 🟢 🟡
ubuntu-5.8 🟢 🟢 🟢 🟢 🟢 🟡
ubuntu-6.5 🟢 🟢 🟢 🟢 🟢 🟢

ARM64 kernel testing matrix

KERNEL CMAKE-CONFIGURE KMOD BUILD KMOD SCAP-OPEN BPF-PROBE BUILD BPF-PROBE SCAP-OPEN MODERN-BPF SCAP-OPEN
amazonlinux2-5.4 🟢 🟢 🟢 🟢 🟢 🟡
amazonlinux2022-5.15 🟢 🟢 🟢 🟢 🟢 🟢
fedora-6.2 🟢 🟢 🟢 🟢 🟢 🟢
oraclelinux-4.14 🟢 🟢 🟢 🟡 🟡 🟡
oraclelinux-5.15 🟢 🟢 🟢 🟢 🟢 🟢
ubuntu-6.5 🟢 🟢 🟢 🟢 🟢 🟢

@ekoops ekoops force-pushed the ekoops/isolate-legacy-toctou branch 2 times, most recently from e4028f8 to 785e89a Compare August 21, 2025 14:46
@ekoops ekoops force-pushed the ekoops/isolate-legacy-toctou branch from 785e89a to cb97d71 Compare August 21, 2025 15:36
@ekoops
wip: feat!: isolate legacy bpf probe TOCTOU mitigation logic
6fdb319 
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
@ekoops ekoops force-pushed the ekoops/isolate-legacy-toctou branch from cb97d71 to 6fdb319 Compare August 21, 2025 16:01
@leogr
Copy link
Member

leogr commented Sep 24, 2025

Unfortunately, it's too late to include this in the upcoming Falco release.
We have to document this alongside the release
/milestone 0.23.0

@poiana poiana modified the milestones: 0.22.0, 0.23.0 Sep 24, 2025
@ekoops
Copy link
Contributor Author

ekoops commented Dec 19, 2025

Unfortunately, this breaks the legacy eBPF probe in few distro/kernel combinations, and given the proposal to deprecate the legacy eBPF probe (falcosecurity/falco#3755), I'm gonna move this the next release. If the proposal gets approved, I'll close this.
/milestone next-driver

@poiana poiana modified the milestones: 0.23.0, next-driver Dec 19, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Andreagit97 Andreagit97 Awaiting requested review from Andreagit97

@hbrueckner hbrueckner Awaiting requested review from hbrueckner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

approved area/driver-bpf area/libscap-engine-bpf dco-signoff: yes do-not-merge/hold do-not-merge/work-in-progress kind/design kind/feature New feature or request release-note-none size/XXL

Projects

Falco Roadmap
Status: Todo

Milestone

next-driver

Development

Successfully merging this pull request may close these issues.

4 participants

@ekoops @poiana @leogr