Merge remote-tracking branch 'origin/dev'

.clang-format

@@ -0,0 +1,16 @@
+---
+Language: Cpp
+BasedOnStyle: LLVM
+AccessModifierOffset: -8
+BreakBeforeBraces: Allman
+BreakConstructorInitializers: AfterColon
+ColumnLimit: 0
+ConstructorInitializerIndentWidth: 8
+ContinuationIndentWidth: 8
+DerivePointerAlignment: true
+IndentWidth: 8
+SortIncludes: false
+SpaceAfterTemplateKeyword: false
+SpaceBeforeCtorInitializerColon: false
+SpaceBeforeParens: Never
+UseTab: Always

.cmake-format

@@ -0,0 +1,119 @@
+# --------------------------
+# General Formatting Options
+# --------------------------
+# How wide to allow formatted cmake files
+line_width = 80
+
+# How many spaces to tab for indent
+tab_size = 2
+
+# If arglists are longer than this, break them always
+max_subargs_per_line = 3
+
+# If true, separate flow control names from their parentheses with a space
+separate_ctrl_name_with_space = False
+
+# If true, separate function names from parentheses with a space
+separate_fn_name_with_space = False
+
+# If a statement is wrapped to more than one line, than dangle the closing
+# parenthesis on it's own line
+dangle_parens = False
+
+# If the statement spelling length (including space and parenthesis is larger
+# than the tab width by more than this amoung, then force reject un-nested
+# layouts.
+max_prefix_chars = 2
+
+# If a candidate layout is wrapped horizontally but it exceeds this many lines,
+# then reject the layout.
+max_lines_hwrap = 2
+
+# What style line endings to use in the output.
+line_ending = 'unix'
+
+# Format command names consistently as 'lower' or 'upper' case
+command_case = 'canonical'
+
+# Format keywords consistently as 'lower' or 'upper' case
+keyword_case = 'unchanged'
+
+# Specify structure for custom cmake functions
+additional_commands = {
+  "pkg_find": {
+    "kwargs": {
+      "PKG": "*"
+    }
+  }
+}
+
+# A list of command names which should always be wrapped
+always_wrap = []
+
+# Specify the order of wrapping algorithms during successive reflow attempts
+algorithm_order = [0, 1, 2, 3, 4]
+
+# If true, the argument lists which are known to be sortable will be sorted
+# lexicographicall
+enable_sort = True
+
+# If true, the parsers may infer whether or not an argument list is sortable
+# (without annotation).
+autosort = False
+
+# If a comment line starts with at least this many consecutive hash characters,
+# then don't lstrip() them off. This allows for lazy hash rulers where the first
+# hash char is not separated by space
+hashruler_min_length = 10
+
+# A dictionary containing any per-command configuration overrides. Currently
+# only `command_case` is supported.
+per_command = {}
+
+
+# --------------------------
+# Comment Formatting Options
+# --------------------------
+# What character to use for bulleted lists
+bullet_char = '*'
+
+# What character to use as punctuation after numerals in an enumerated list
+enum_char = '.'
+
+# enable comment markup parsing and reflow
+enable_markup = True
+
+# If comment markup is enabled, don't reflow the first comment block in each
+# listfile. Use this to preserve formatting of your copyright/license
+# statements.
+first_comment_is_literal = False
+
+# If comment markup is enabled, don't reflow any comment block which matches
+# this (regex) pattern. Default is `None` (disabled).
+literal_comment_pattern = None
+
+# Regular expression to match preformat fences in comments
+# default=r'^\s*([`~]{3}[`~]*)(.*)$'
+fence_pattern = '^\\s*([`~]{3}[`~]*)(.*)$'
+
+# Regular expression to match rulers in comments
+# default=r'^\s*[^\w\s]{3}.*[^\w\s]{3}$'
+ruler_pattern = '^\\s*[^\\w\\s]{3}.*[^\\w\\s]{3}$'
+
+# If true, then insert a space between the first hash char and remaining hash
+# chars in a hash ruler, and normalize it's length to fill the column
+canonicalize_hashrulers = True
+
+
+# ---------------------------------
+# Miscellaneous Options
+# ---------------------------------
+# If true, emit the unicode byte-order mark (BOM) at the start of the file
+emit_byteorder_mark = False
+
+# Specify the encoding of the input file. Defaults to utf-8.
+input_encoding = 'utf-8'
+
+# Specify the encoding of the output file. Defaults to utf-8. Note that cmake
+# only claims to support utf-8 so be careful when using anything else
+output_encoding = 'utf-8'

.github/PULL_REQUEST_TEMPLATE.md

@@ -7,48 +7,66 @@
 -->
 
 **What type of PR is this?**
-> Uncomment only one ` /kind <>` line, hit enter to put that in a new line, and remove leading whitespaces from that line:
->
+
+> Uncomment one (or more) `/kind <>` lines:
+
 > /kind bug
+
 > /kind cleanup
+
 > /kind design
+
 > /kind documentation
+
 > /kind failing-test
+
 > /kind feature
+
 > /kind flaky-test
 
-> If contributing rules or changes to rules, please make sure to uncomment the appropriate kind
+> If contributing rules or changes to rules, please make sure to also uncomment one of the following line:
+
+> /kind rule-update
 
-> /kind rule/update
-> /kind rule/create
+> /kind rule-create
 
 **Any specific area of the project related to this PR?**
 
+> Uncomment one (or more) `/area <>` lines:
+
 > /area engine
+
 > /area rules
+
 > /area deployment
+
 > /area integrations
+
 > /area examples
 
 **What this PR does / why we need it**:
 
 **Which issue(s) this PR fixes**:
+
 <!--
 Automatically closes linked issue when PR is merged.
 Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
 If PR is `kind/failing-tests` or `kind/flaky-test`, please post the related issues/tests in a comment and do not use `Fixes`.
 -->
+
 Fixes #
 
 **Special notes for your reviewer**:
 
 **Does this PR introduce a user-facing change?**:
+
 <!--
 If no, just write "NONE" in the release-note block below.
 If yes, a release note is required:
-Enter your extended release note in the block below. If the PR requires additional action from users switching to the new release, include the string "action required:".
+Enter your extended release note in the block below. If the PR requires additional action from users switching to the new release, prepend the string "action required:".
 For example, `action required: change the API interface of the rule engine`.
 -->
+
 ```release-note
 
 ```

.gitignore

@@ -12,10 +12,15 @@ test/results*.json.*
 
 userspace/falco/lua/re.lua
 userspace/falco/lua/lpeg.so
+userspace/engine/lua/lyaml
+userspace/engine/lua/lyaml.lua
 
 docker/event-generator/event_generator
 docker/event-generator/mysqld
 docker/event-generator/httpd
 docker/event-generator/sha1sum
 docker/event-generator/vipw
-.vscode/*
+
+.vscode/*
+
+.luacheckcache

.luacheckrc

@@ -0,0 +1,9 @@
+std = "min"
+cache = true
+include_files = {
+    "userspace/falco/lua/*.lua",
+    "userspace/engine/lua/*.lua",
+    "userspace/engine/lua/lyaml/*.lua",
+    "*.luacheckrc"
+}
+exclude_files = {"build"}

.travis.yml

@@ -36,6 +36,7 @@ script:
     - cd build
     - docker run --user $(id -u):$(id -g) -v /etc/passwd:/etc/passwd:ro -e MAKE_JOBS=4 -v $TRAVIS_BUILD_DIR/..:/source -v $TRAVIS_BUILD_DIR/build:/build falcosecurity/falco-builder cmake
     - docker run --user $(id -u):$(id -g) -v /etc/passwd:/etc/passwd:ro -e MAKE_JOBS=4 -v $TRAVIS_BUILD_DIR/..:/source -v $TRAVIS_BUILD_DIR/build:/build falcosecurity/falco-builder package
+    - docker run --user $(id -u):$(id -g) -v /etc/passwd:/etc/passwd:ro -e MAKE_JOBS=1 -v $TRAVIS_BUILD_DIR/..:/source -v $TRAVIS_BUILD_DIR/build:/build falcosecurity/falco-builder tests
     - docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v /etc/passwd:/etc/passwd:ro -e MAKE_JOBS=4 -v $TRAVIS_BUILD_DIR/..:/source -v $TRAVIS_BUILD_DIR/build:/build falcosecurity/falco-tester
 notifications:
   webhooks:

.yamllint.conf

@@ -0,0 +1,8 @@
+extends: default
+
+rules:
+  indentation: disable
+  document-start: disable
+  comments: disable
+  line-length: disable
+  new-line-at-end-of-file: disable

CHANGELOG.md

@@ -2,6 +2,74 @@
 
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 
+## v0.16.0
+
+Released 2019-07-12
+
+## Major Changes
+
+* Clean up error reporting to provide more meaningful error messages along with context when loading rules files. When run with -V, the results of the validation ("OK" or error message) are sent to standard output. [[#708](https://github.com/falcosecurity/falco/pull/708)]
+
+* Improve rule loading performance by optimizing lua parsing paths to avoid expensive pattern matches. [[#694](https://github.com/falcosecurity/falco/pull/694)]
+
+* Bump falco engine version to 4 to reflect new fields `ka.useragent`, others. [[#710](https://github.com/falcosecurity/falco/pull/710)] [[#681](https://github.com/falcosecurity/falco/pull/681)]
+
+* Add Catch2 as a unit testing framework. This will add additional coverage on top of the regression tests using Avocado. [[#687](https://github.com/falcosecurity/falco/pull/687)]
+
+## Minor Changes
+
+* Add SYSDIG_DIR Cmake option to specify location for sysdig source code when building falco. [[#677](https://github.com/falcosecurity/falco/pull/677)] [[#679](https://github.com/falcosecurity/falco/pull/679)] [[#702](https://github.com/falcosecurity/falco/pull/702)]
+
+* New field `ka.useragent` reports the useragent from k8s audit events. [[#709](https://github.com/falcosecurity/falco/pull/709)]
+
+* Add clang formatter for C++ syntax formatting. [[#701](https://github.com/falcosecurity/falco/pull/701)] [[#689](https://github.com/falcosecurity/falco/pull/689)]
+
+* Partial changes towards lua syntax formatting. No particular formatting enforced yet, though. [[#718](https://github.com/falcosecurity/falco/pull/718)]
+
+* Partial changes towards yaml syntax formatting. No particular formatting enforced yet, though. [[#714](https://github.com/falcosecurity/falco/pull/714)]
+
+* Add cmake syntax formatting. [[#703](https://github.com/falcosecurity/falco/pull/703)]
+
+* Token bucket unit tests and redesign. [[#692](https://github.com/falcosecurity/falco/pull/692)]
+
+* Update github PR template. [[#699](https://github.com/falcosecurity/falco/pull/699)]
+
+* Fix PR template for kind/rule-*. [[#697](https://github.com/falcosecurity/falco/pull/697)]
+
+## Bug Fixes
+
+* Remove an unused cmake file. [[#700](https://github.com/falcosecurity/falco/pull/700)]
+
+* Misc Cmake cleanups. [[#673](https://github.com/falcosecurity/falco/pull/673)]
+
+* Misc k8s install docs improvements. [[#671](https://github.com/falcosecurity/falco/pull/671)]
+
+## Rule Changes
+
+* Allow k8s.gcr.io/kube-proxy image to run privileged. [[#717](https://github.com/falcosecurity/falco/pull/717)]
+
+* Add runc to the list of possible container entrypoint parents. [[#712](https://github.com/falcosecurity/falco/pull/712)]
+
+* Skip Source RFC 1918 addresses when considering outbound connections. [[#685](https://github.com/falcosecurity/falco/pull/685)]
+
+* Add additional `user_XXX` placeholder macros to allow for easy customization of rule exceptions. [[#685](https://github.com/falcosecurity/falco/pull/685)]
+
+* Let weaveworks programs change namespaces. [[#685](https://github.com/falcosecurity/falco/pull/685)]
+
+* Add additional openshift images. [[#685](https://github.com/falcosecurity/falco/pull/685)]
+
+* Add openshift as a k8s binary. [[#678](https://github.com/falcosecurity/falco/pull/678)]
+
+* Add dzdo as a binary that can change users. [[#678](https://github.com/falcosecurity/falco/pull/678)]
+
+* Allow azure/calico binaries to change namespaces. [[#678](https://github.com/falcosecurity/falco/pull/678)]
+
+* Add back trusted_containers list for backport compatibility [[#675](https://github.com/falcosecurity/falco/pull/675)]
+
+* Add mkdirat as a syscall for mkdir operations. [[#667](https://github.com/falcosecurity/falco/pull/667)]
+
+* Add container id/repository to rules that can work with containers. [[#667](https://github.com/falcosecurity/falco/pull/667)]
+
 ## v0.15.3
 
 Released 2019-06-12