Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/falcosecurity/driverkit

Kit for building Falco drivers: kernel modules or eBPF probes
https://github.com/falcosecurity/driverkit

Last synced: 23 minutes ago
JSON representation

Kit for building Falco drivers: kernel modules or eBPF probes

Host: GitHub
URL: https://github.com/falcosecurity/driverkit
Owner: falcosecurity
License: apache-2.0
Created: 2020-02-05T16:28:20.000Z (almost 5 years ago)
Default Branch: master
Last Pushed: 2025-01-08T11:27:42.000Z (11 days ago)
Last Synced: 2025-01-12T06:05:09.995Z (7 days ago)
Language: Go
Homepage:
Size: 1.43 MB
Stars: 65
Watchers: 12
Forks: 52
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-repositories - falcosecurity/driverkit - Kit for building Falco drivers: kernel modules or eBPF probes (Go)

README

# driverkit

[![Falco Ecosystem Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-ecosystem-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#ecosystem-scope) [![Incubating](https://img.shields.io/badge/status-incubating-orange?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#incubating)

[![Latest](https://img.shields.io/github/v/release/falcosecurity/driverkit?style=for-the-badge)](https://github.com/falcosecurity/driverkit/releases/latest)
![Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64-blueviolet?style=for-the-badge)
[![Go Report Card](https://goreportcard.com/badge/github.com/falcosecurity/driverkit?style=for-the-badge)](https://goreportcard.com/report/github.com/falcosecurity/driverkit)
[![Docker pulls](https://img.shields.io/docker/pulls/falcosecurity/driverkit?style=for-the-badge)](https://hub.docker.com/r/falcosecurity/driverkit)

A command line tool that can be used to build the [Falco](https://github.com/falcosecurity/falco) kernel module and eBPF probe.

## Glossary

When you meet `kernelversion` that refers to the version you get executing `uname -v`:

For example, below, the version is the `59` after the hash

```bash
uname -v
#59-Ubuntu SMP Wed Dec 4 10:02:00 UTC 2019
```

When you meet `kernelrelease`, that refers to the kernel release you get executing `uname -r`:

```
uname -r
4.15.0-1057-aws
```

## Help

By checking driverkit help, you can quickly discover info about:
* Supported options
* Supported commands
* Supported architectures
* Supported targets
* Default options

```
driverkit help
```

## Architecture

The target architecture is taken from runtime environment, but it can be overridden through `architecture` config.
Driverkit also supports cross building for arm64 using qemu from an x86_64 host.

> **NOTE:** we could not automatically fetch correct architecture given a kernelrelease,
> because some kernel names do not have any architecture suffix, namely Ubuntu ones.

## Headers

Driverkit has an internal logic to retrieve headers urls given a target and desired kernelrelease/kernelversion.
Unfortunately, the logic is quite hard to implement correctly for every supported target.
As of today, the preferred method is to instead use the `kernelurls` configuration param,
that allows to specify a list of headers.

> **NOTE:** the internal headers fetching logic should be considered a fallback that will be, sooner or later, deprecated.

A solution to crawl all supported kernels by multiple distro was recently developed,
and it provides a json output with aforementioned `kernelheaders`: https://github.com/falcosecurity/kernel-crawler.
Json for supported architectures can be found at https://falcosecurity.github.io/kernel-crawler/.

## How to use

### Against a Kubernetes cluster

```bash
driverkit kubernetes --output-module /tmp/falco.ko --kernelversion=81 --kernelrelease=4.15.0-72-generic --driverversion=master --target=ubuntu-generic
```

### Against a Docker daemon

```bash
driverkit docker --output-module /tmp/falco.ko --kernelversion=81 --kernelrelease=4.15.0-72-generic --driverversion=master --target=ubuntu-generic
```

### Build using a configuration file

Create a file named `ubuntu-aws.yaml` containing the following content:

```yaml
kernelrelease: 4.15.0-1057-aws
kernelversion: 59
target: ubuntu-aws
output:
module: /tmp/falco-ubuntu-aws.ko
probe: /tmp/falco-ubuntu-aws.o
driverversion: master
```

Now run driverkit using the configuration file:

```bash
driverkit docker -c ubuntu-aws.yaml
```

### Configure the kernel module name

It is possible to customize the kernel module name that is produced by Driverkit with the `moduledevicename` and `moduledrivername` options.
In this context, the _device name_ is the prefix used for the devices in `/dev/`, while the _driver name_ is the kernel module name as reported by `modinfo` or `lsmod` once the module is loaded.

## Examples

For a comprehensive list of examples, heads to [example configs](Example_configs.md)!

## Support a new target

To add support for a new target, a new builder must be added.
For more info, you can find specific docs in [docs/builder.md](docs/builder.md) file.

## Support a new builder image

To add support for a new builder image, follow the doc at [docs/builder_images.md](docs/builder_images.md) file.

## Survey

We are conducting a [survey](http://bit.ly/driverkit-survey-vote) to know what is the most interesting set of Operating Systems we must support first in driverkit.

You can find the results of the survey [here](http://bit.ly/driverkit-survey-results)