
Open-Source Threat Detection Tool Falco Adds Support for Google gVisor

The latest version of Falco introduces support for gVisor, Google's application kernel providing an additional isolation layer between applications and the host OS. Using Falco 0.32.1 users can monitor security events from gVisor to detect threats and audit containers.

Prior to version 0.32.1, Falco could not be used with gVisor sandboxes because gVisor intercepts user-space runtime events before they reach the underlying OS. This prevented Falco from observing system calls at runtime through either its kernel module or its eBPF probe.

To overcome this limitation, Google and Sysdig engineers worked together to take the stream of information that gVisor already collects through its own system call monitoring and feed it into Falco's rule-based engine.

As you can see in the image above, the integration between Falco and gVisor takes place through Unix domain sockets (UDS) connecting to the Sentry. The Sentry is the gVisor component responsible for abstracting the system call layer and handling every syscall made by the sandboxed application. Using UDS, Falco is able to communicate with the Sentry in much the same way it does with any other driver it supports. To make this possible, the Sentry has acquired a new behaviour in gVisor 20220704.0: after dispatching a syscall, it additionally sends a message to Falco over the socket, encoded with protocol buffers. From that point on, it is business as usual for Falco to unpack the message and process it through its rule-based event processing queue.

To enable the new behaviour in gVisor, you will need to download a specific configuration file available at https://falco.org/blog/intro-gvisor-falco/assets/config.json. You will then need to install it at the appropriate location for the container engine you are using along with gVisor. For example, if you are using Docker, you will need to reference the gVisor configuration file from /etc/docker/daemon.json as described in the Falco docs. Additionally, you will need to pass that same configuration file to Falco itself using the --gvisor-config command line flag.
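The Docker wiring described above, as an added example that is not part of the article or of the Falco and gVisor projects. It assumes runsc is installed at /usr/local/bin/runsc, that the downloaded file is kept at /etc/docker/runsc_falco_config.json, and that runsc accepts a --pod-init-config flag for that file (the flag name and paths are assumptions, not stated on the page).

```shell
#!/bin/sh
# Added example: register gVisor's runsc with Docker, point it at the Falco
# init config, and build the matching Falco command line.
# Assumptions (not from the article): --pod-init-config is the runsc flag that
# loads the config, runsc lives at /usr/local/bin/runsc, and the config file
# is stored at /etc/docker/runsc_falco_config.json.
set -eu

GVISOR_CONFIG_URL="https://falco.org/blog/intro-gvisor-falco/assets/config.json"

# Render a daemon.json that registers runsc with the Falco init config.
# $1 = path of the gVisor config file, $2 = path of the runsc binary.
# Caveat: this is a complete file; merge it by hand if daemon.json already
# carries other settings, because dockerd reads a single JSON document.
render_daemon_json() {
    cfg="$1"; runsc="$2"
    printf '{\n  "runtimes": {\n    "runsc": {\n      "path": "%s",\n      "runtimeArgs": ["--pod-init-config=%s"]\n    }\n  }\n}\n' \
        "$runsc" "$cfg"
}

# Sanity check a daemon.json before restarting dockerd: it must declare the
# runsc runtime and pass --pod-init-config. Returns 0 when both are present.
check_daemon_json() {
    grep -q '"runsc"' "$1" && grep -q -- '--pod-init-config=' "$1"
}

# The Falco side: the same config file is handed over with --gvisor-config.
falco_cmd() {
    printf 'falco --gvisor-config %s\n' "$1"
}

# End-to-end: fetch the config, write daemon.json, verify it, print next step.
# Run as root; overwrites $2 (see the caveat on render_daemon_json).
install_gvisor_falco() {
    cfg="${1:-/etc/docker/runsc_falco_config.json}"
    daemon="${2:-/etc/docker/daemon.json}"
    curl -fsSL "$GVISOR_CONFIG_URL" -o "$cfg"
    render_daemon_json "$cfg" /usr/local/bin/runsc > "$daemon"
    check_daemon_json "$daemon"
    echo "restart dockerd, then start Falco with: $(falco_cmd "$cfg")"
}
```

Call install_gvisor_falco as root once you have confirmed the paths; the other functions can be run unprivileged to preview and validate the generated file.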

In this first integration, Falco and gVisor enable monitoring of many syscalls, but not all of them. However, the team has ensured that every event used in the default rulesets is supported and that the associated information stream stays consistent with the analysis and rule processing done by Falco.

You can install Falco 0.32.1 and gVisor runsc tool 20220704.0 from their respective download pages.
