edera-dev/falco_plugin


Edera Falco plugin

This crate implements a Falco plugin for Edera, using Falco's Rust plugin SDK.

The purpose of this plugin is to stream libscap-encoded syscall events out of Edera zones and into the Falco rules engine, so that Falco rules can be written against syscall events and other state from inside Edera zones.

This is necessary because Edera zones are microvms running under a hypervisor, and without this plugin, syscall events from inside Edera zones would be invisible to the host-side Falco runtime.

Note

This plugin must be built as a cdylib explicitly, so that the Falco runtime can load it as though it were a C shared library. Upstream Rust does not currently support building a cdylib for the x86_64-unknown-linux-musl target (see rust-lang/rust#59302): building this crate for that target produces an rlib, which is useless to Falco. Only the x86_64-unknown-linux-gnu target is supported.
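As an added illustration (not this repository's own manifest), this is the part of a Cargo.toml that makes the point above concrete; the package name and version are assumptions, chosen so that cargo's `lib<name>.so` naming yields the shared object name the installer deploys:

```toml
[package]
name = "edera_falco_plugin"   # assumed; cargo emits libedera_falco_plugin.so for a cdylib
version = "0.1.0"             # assumed
edition = "2021"

[lib]
# Without this line cargo builds an rlib, which Falco cannot dlopen.
# The same applies when targeting x86_64-unknown-linux-musl: the cdylib
# request is silently downgraded to an rlib there (rust-lang/rust#59302).
crate-type = ["cdylib"]
```

Build with `cargo build --release --target x86_64-unknown-linux-gnu` and check the result with `file target/x86_64-unknown-linux-gnu/release/libedera_falco_plugin.so`, which should report an ELF shared object; an `.rlib` in that directory instead means the crate type or target is wrong.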

Architecture

Falco's plugin API exposes several kinds of plugin, each of which owns a distinct step (or "capability") in the event sourcing chain. It is not uncommon for "a Falco plugin" to actually be a chain of smaller plugins that each implement some or all of these capabilities, and this plugin is no exception.

Currently, we implement:

  • The base plugin: This is the core EderaPlugin, and it holds the state shared by all the capability plugins.
  • The source plugin. This capability is responsible for talking to the running Edera daemon over /var/lib/edera/protect/daemon.socket and watching for Edera zones. When a zone is discovered, the source plugin sends a message to the zone over the Edera IDM channel asking it to begin streaming syscall events from the zone's local kernel, encoded in libscap's binary format, back over the same channel. The zone replies with a snapshot of its local process state, including all current threads and their open file descriptors, and the plugin then maintains internal state for that zone by combining that initial snapshot with the ongoing syscall events it sees. See libscap-rs for details on how these syscall events and initial state snapshots are scraped in-zone. Note that the state tracking is invalidated if a zone undergoes a CPU hotplug event; this is a core Falco limitation that the Edera plugin shares. Host-side Falco terminates when it detects a CPU hotplug event, whereas this plugin simply disconnects from the zone, reconnects, reseeds its state from a fresh snapshot, and carries on capturing.
  • The parse plugin. The parse plugin is responsible for hydrating the raw scap-encoded events into internal plugin state for consumption by plugins later in the chain.
  • The extract plugin. The extract plugin is responsible for exposing the list of valid "queryable properties" about each event and its context to the Falco rules engine. The goal is to expose an analog for every field that "regular Falco" would expose on host-generated syscall events, without extra scoping, so that existing host-side Falco rules can be trivially retargeted to alert on Edera zone events without significant rewrites. See https://docs.edera.dev/guides/observability/falco-integration/#available-event-fields for the currently supported list.
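The following is an added example, not code from this repository, modelling the two behaviours described above: the source plugin seeding per-zone state from the snapshot and then updating it from the event stream, reseeding rather than terminating on CPU hotplug, and the extract plugin resolving fields under the same names host-side Falco uses. The `Event` enum, the `Snapshot` shape, the `CpuHotplug` marker and the three field names are assumptions made for the example; in the real plugin the events are libscap-encoded and decoded by libscap-rs.

```rust
// Added illustration of per-zone state tracking; not the edera falco_plugin
// source. Event shapes, snapshot shape, the CpuHotplug marker and the field
// names below are assumptions for this example.
use std::collections::HashMap;

/// One thread inside a zone, with its open file descriptors (fd -> path).
#[derive(Debug, Clone, PartialEq)]
pub struct Thread {
    pub tid: u64,
    pub comm: String,
    pub fds: HashMap<i64, String>,
}

/// The process-state snapshot a zone returns when streaming starts.
pub struct Snapshot {
    pub threads: Vec<Thread>,
}

/// Decoded syscall events (assumed shapes, already parsed out of libscap).
#[derive(Debug, Clone)]
pub enum Event {
    Open { tid: u64, fd: i64, path: String },
    Close { tid: u64, fd: i64 },
    Clone { parent: u64, child: u64 },
    Exit { tid: u64 },
    /// Assumed marker emitted when the zone reports a CPU hotplug event.
    CpuHotplug,
}

#[derive(Default)]
pub struct ZoneState {
    pub threads: HashMap<u64, Thread>,
    /// How many times the zone was reconnected and reseeded.
    pub reseeds: u32,
}

impl ZoneState {
    /// Replace all tracked state with the zone's snapshot.
    pub fn seed(&mut self, snap: &Snapshot) {
        self.threads.clear();
        for t in &snap.threads {
            self.threads.insert(t.tid, t.clone());
        }
    }

    /// Apply one event. Returns true when the state is no longer trustworthy
    /// and the caller must reconnect to the zone and reseed.
    pub fn apply(&mut self, ev: &Event) -> bool {
        match ev {
            Event::Open { tid, fd, path } => {
                // A thread first seen via an event (created after the snapshot)
                // gets a placeholder entry so its fds are still tracked.
                let t = self.threads.entry(*tid).or_insert_with(|| Thread {
                    tid: *tid,
                    comm: "<unknown>".to_string(),
                    fds: HashMap::new(),
                });
                t.fds.insert(*fd, path.clone());
            }
            Event::Close { tid, fd } => {
                if let Some(t) = self.threads.get_mut(tid) {
                    t.fds.remove(fd);
                }
            }
            Event::Clone { parent, child } => {
                // Simplified fork semantics: child copies the parent's comm and fd table.
                if let Some(p) = self.threads.get(parent).cloned() {
                    self.threads.insert(*child, Thread { tid: *child, ..p });
                }
            }
            Event::Exit { tid } => {
                self.threads.remove(tid);
            }
            Event::CpuHotplug => return true,
        }
        false
    }

    /// Resolve a field under the name host-side Falco uses, so a rule such as
    /// `fd.name = /etc/shadow` needs no rewriting for zone events.
    pub fn extract(&self, tid: u64, fd: i64, field: &str) -> Option<String> {
        let t = self.threads.get(&tid)?;
        match field {
            "proc.name" => Some(t.comm.clone()),
            "fd.num" => Some(fd.to_string()),
            "fd.name" => t.fds.get(&fd).cloned(),
            _ => None,
        }
    }
}

/// Seed from the snapshot, apply the event stream, and on a hotplug signal
/// reseed (standing in for disconnect/reconnect) instead of terminating.
pub fn run_zone(snap: &Snapshot, events: &[Event]) -> ZoneState {
    let mut state = ZoneState::default();
    state.seed(snap);
    for ev in events {
        if state.apply(ev) {
            state.seed(snap);
            state.reseeds += 1;
        }
    }
    state
}
```

The reseed path is the practitioner's caveat: anything learned from events before the hotplug (new threads, fds opened since the snapshot) is discarded, so the snapshot the zone returns on reconnect must itself be complete, and any rule state keyed on those fds will not survive the reconnect.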

Usage and installation

The cdylib generated by this crate is packaged with the Edera installer, which deploys it to /var/lib/edera/protect/falco/libedera_falco_plugin.so.

Please see https://docs.edera.dev/guides/observability/falco-integration/ for details on how to install Falco and configure it to use this plugin with your Edera install.

Shipping the plugin as an OCI artifact is a TODO

About

A Falco plugin for forwarding low-level events (syscalls, etc) out of Edera zones.
