Merge pull request #21 from kinvolk/alban_falco

Publish events to Falco via a Falco plugin
kinvolk · Feb 23, 2022 · 9c4ed3b · 9c4ed3b
2 parents bc435a1 + 7e9504d
commit 9c4ed3b
Show file tree

Hide file tree

Showing 251 changed files with 36,625 additions and 421 deletions.
diff --git a/Makefile b/Makefile
@@ -5,6 +5,7 @@ IMAGE_TAG=$(shell ./tools/image-tag)
 IMAGE_BRANCH_TAG=$(shell ./tools/image-tag branch)
 CONTAINER_REPO ?= quay.io/kinvolk/seccompagent
 
+.PHONY: seccompagent
 seccompagent:
 	$(GO_BUILD) -o seccompagent ./cmd/seccompagent
 
@@ -27,3 +28,7 @@ vendor:
 .PHONY: test
 test:
 	go test -test.v ./...
+
+.PHONY: falco-plugin
+falco-plugin:
+	DOCKER_BUILDKIT=1 docker build -f falco-plugin/Dockerfile --output=falco-plugin/ .
diff --git a/cmd/seccompagent/seccompagent.go b/cmd/seccompagent/seccompagent.go
@@ -27,6 +27,7 @@ import (
 
 	"github.com/kinvolk/seccompagent/pkg/agent"
 	"github.com/kinvolk/seccompagent/pkg/handlers"
+	"github.com/kinvolk/seccompagent/pkg/handlers/falco"
 	"github.com/kinvolk/seccompagent/pkg/kuberesolver"
 	"github.com/kinvolk/seccompagent/pkg/nsenter"
 	"github.com/kinvolk/seccompagent/pkg/registry"
@@ -117,6 +118,20 @@ func main() {
 
 			r := registry.New()
 
+			if v, ok := metadata["MIDDLEWARE"]; ok {
+				for _, middleware := range strings.Split(v, ",") {
+					switch middleware {
+					case "falco":
+						r.MiddlewareHandlers = append(r.MiddlewareHandlers, falco.NotifyFalco(podCtx))
+					default:
+						log.WithFields(log.Fields{
+							"pod":        podCtx,
+							"middleware": middleware,
+						}).Error("Invalid middleware")
+					}
+				}
+			}
+
 			if v, ok := metadata["DEFAULT_ACTION"]; ok {
 				switch v {
 				// DEFAULT_ACTION=kill-container differs from SCMP_ACT_KILL_PROCESS that

diff --git a/docs/profiles/notify-dangerous.json b/docs/profiles/notify-dangerous.json
@@ -4,7 +4,7 @@
     "SCMP_ARCH_X86_64"
   ],
   "listenerPath": "/run/seccomp-agent.socket",
-  "listenerMetadata": "DEFAULT_ACTION=freeze-container",
+  "listenerMetadata": "DEFAULT_ACTION=kill-container\nMIDDLEWARE=falco",
   "syscalls": [
     {
       "action": "SCMP_ACT_NOTIFY",

diff --git a/docs/profiles/notify-dangerous.yaml b/docs/profiles/notify-dangerous.yaml
@@ -10,7 +10,8 @@ spec:
   - SCMP_ARCH_X86_64
   listenerPath: "/run/seccomp-agent.socket"
   #listenerMetadata: "DEFAULT_ACTION=kill-container"
-  listenerMetadata: "DEFAULT_ACTION=freeze-container"
+  #listenerMetadata: "DEFAULT_ACTION=freeze-container\nMIDDLEWARE=falco"
+  listenerMetadata: "DEFAULT_ACTION=kill-container\nMIDDLEWARE=falco"
 
   syscalls:
 

diff --git a/falco-plugin/.gitignore b/falco-plugin/.gitignore
@@ -0,0 +1 @@
+*.so
diff --git a/falco-plugin/Dockerfile b/falco-plugin/Dockerfile
@@ -0,0 +1,15 @@
+# Use the same base image as falco to ensure compatibility with glibc version
+FROM golang:buster as builder
+
+# Cache go modules so they won't be downloaded at each build
+COPY go.mod go.sum /src/
+RUN cd /src && go mod download
+
+COPY ./ /src
+RUN cd /src && make -C falco-plugin
+
+# Use the following command to get the built files:
+# DOCKER_BUILDKIT=1 docker build -f falco-plugin/Dockerfile --output=falco-plugin/ .
+FROM scratch AS deploy-source
+COPY --from=builder /src/falco-plugin/*.so /
+
diff --git a/falco-plugin/Makefile b/falco-plugin/Makefile
@@ -0,0 +1,32 @@
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+SHELL=/bin/bash -o pipefail
+GO ?= go
+
+NAME := seccompagent
+OUTPUT := lib$(NAME).so
+
+ifeq ($(DEBUG), 1)
+    GODEBUGFLAGS= GODEBUG=cgocheck=2
+else
+    GODEBUGFLAGS= GODEBUG=cgocheck=0
+endif
+
+all: $(OUTPUT)
+
+clean:
+	@rm -f *.so
+
+$(OUTPUT): *.go clean
+	@$(GODEBUGFLAGS) $(GO) build -buildmode=c-shared -o $(OUTPUT)
diff --git a/falco-plugin/api/Makefile b/falco-plugin/api/Makefile
@@ -0,0 +1,8 @@
+.PHONY: generated-files
+generated-files: seccomp-agent.pb.go
+
+seccomp-agent.pb.go: seccomp-agent.proto
+	protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative seccomp-agent.proto
+
+clean:
+	rm -f seccomp-agent.pb.go seccomp-agent_grpc.pb.go