A command line tool that can be used to build the Falco kernel module and eBPF probe.

When you meet kernelversion that refers to the version you get executing uname -v:

For example, below, the version is the 59 after the hash

uname -v
#59-Ubuntu SMP Wed Dec 4 10:02:00 UTC 2019

When you meet kernelrelease, that refers to the kernel release you get executing uname -r:

uname -r
4.15.0-1057-aws

By checking driverkit help, you can quickly discover info about:

• Supported options
• Supported commands
• Supported architectures
• Supported targets
• Default options

driverkit help

The target architecture is taken from runtime environment, but it can be overridden through architecture config.
Driverkit also supports cross building for arm64 using qemu from an x86_64 host.

NOTE: we could not automatically fetch correct architecture given a kernelrelease, because some kernel names do not have any architecture suffix, namely Ubuntu ones.

Driverkit has an internal logic to retrieve headers urls given a target and desired kernelrelease/kernelversion.
Unfortunately, the logic is quite hard to implement correctly for every supported target.
As of today, the preferred method is to instead use the kernelurls configuration param,
that allows to specify a list of headers.

NOTE: the internal headers fetching logic should be considered a fallback that will be, sooner or later, deprecated.

A solution to crawl all supported kernels by multiple distro was recently developed,
and it provides a json output with aforementioned kernelheaders: https://github.com/falcosecurity/kernel-crawler.
Json for supported architectures can be found at https://falcosecurity.github.io/kernel-crawler/.

driverkit kubernetes --output-module /tmp/falco.ko --kernelversion=81 --kernelrelease=4.15.0-72-generic --driverversion=master --target=ubuntu-generic

driverkit docker --output-module /tmp/falco.ko --kernelversion=81 --kernelrelease=4.15.0-72-generic --driverversion=master --target=ubuntu-generic

Create a file named ubuntu-aws.yaml containing the following content:

kernelrelease: 4.15.0-1057-aws
kernelversion: 59
target: ubuntu-aws
output:
  module: /tmp/falco-ubuntu-aws.ko
  probe: /tmp/falco-ubuntu-aws.o
driverversion: master

Now run driverkit using the configuration file:

driverkit docker -c ubuntu-aws.yaml

It is possible to customize the kernel module name that is produced by Driverkit with the moduledevicename and moduledrivername options. In this context, the device name is the prefix used for the devices in /dev/, while the driver name is the kernel module name as reported by modinfo or lsmod once the module is loaded.

For a comprehensive list of examples, heads to example configs!

To add support for a new target, a new builder must be added.
For more info, you can find specific docs in docs/builder.md file.

To add support for a new builder image, follow the doc at docs/builder_images.md file.

We are conducting a survey to know what is the most interesting set of Operating Systems we must support first in driverkit.

You can find the results of the survey here