Patch vuln attack surface #3844
parisnakitakejser wants to merge 2 commits into falcosecurity:master from
Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Welcome @parisnakitakejser! It looks like this is your first PR to falcosecurity/falco 🎉 |
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: parisnakitakejser. The full list of commands accepted by this bot can be found here. Details: Needs approval from an approver in each of these files. Approvers can indicate their approval by writing
force-pushed from c8db5ef to 0917549
Signed-off-by: Paris Nakita Kejser <hi@pnk.sh>
Signed-off-by: Paris Nakita Kejser <hi@pnk.sh>
force-pushed from 0917549 to 0ed0bda
leogr left a comment:
Hey @parisnakitakejser, thanks for looking into this!
The apt-key modernization and the gnupg2 👉 gnupg change are good improvements 👍
However, upgrading the base image to debian:13-slim and dropping gcc-11 is something we can't do. The falco-driver-loader image exists to compile kernel modules and legacy eBPF probes on-the-fly on user systems. The GCC version must be compatible with the one used to build the running kernel, and different kernel versions require different GCC versions (e.g., kernel 5.x needs gcc-11, kernel 6.0-6.4 needs gcc-12).
By bumping to Debian 13, the default gcc would jump to 14.x (only valid for kernel 6.9+) and gcc-11 would no longer be available from apt. That would break driver compilation for anyone running kernel 5.x or 6.0-6.8.
N.B. the main falcosecurity/falco image is already based on Wolfi (not Debian) and is not affected by Debian CVEs. The -debian variant and the driver-loader image are Debian-based specifically because of the build toolchain requirements. They use old Debian versions on purpose, and the CVEs reported can't really be exploited because the affected tools are only used to build the driver (during the init phase) and not to run Falco.
May you consider splitting this PR? The apt-key and gnupg fixes could be submitted separately and would likely be accepted. The base image bump needs a broader discussion since it impacts driver compatibility.
Thanks 🙏
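The compatibility constraint leogr describes (the gcc major in the image must match the gcc that built the running kernel) can be checked from the kernel's build banner before a base-image bump. The script below is an added example, not code from this PR or from Falco's driver loader; it assumes the banner uses one of the two common `/proc/version` layouts shown and the sample banners and package list are constructed.

```shell
# Added example (not Falco's loader logic): read the GCC major that built the
# running kernel from its build banner and check whether an image ships a
# matching gcc-N package. Assumes one of the two banner layouts handled below.

# Constructed banners in /proc/version form (not captured from real hosts).
SAMPLE_EL7='Linux version 3.10.0-1160.el7.x86_64 (mockbuild@example) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP'
SAMPLE_UBUNTU='Linux version 5.15.0-91-generic (buildd@example) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #101-Ubuntu SMP'
SAMPLE_DEBIAN='Linux version 6.1.0-18-amd64 (debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC'

# kernel_gcc_major BANNER: print the major version of the gcc named in BANNER.
# Handles "gcc version X.Y.Z ..." and "gcc[-N] (Distro ...) X.Y.Z ..." layouts;
# fails (exit 1, no output) when neither layout is present, e.g. a clang build.
kernel_gcc_major() {
    major=$(printf '%s\n' "$1" | sed -n \
        -e 's/.*gcc version \([0-9][0-9]*\)\..*/\1/p' -e 't' \
        -e 's/.*gcc[^)]*) *\([0-9][0-9]*\)\..*/\1/p')
    [ -n "$major" ] || return 1
    printf '%s\n' "$major"
}

# pick_gcc BANNER "11 12": print the gcc-N package whose major matches the
# kernel's compiler, or fail so a loader can stop instead of building with
# a mismatched toolchain.
pick_gcc() {
    want=$(kernel_gcc_major "$1") || return 1
    for m in $2; do
        [ "$m" = "$want" ] && { printf 'gcc-%s\n' "$m"; return 0; }
    done
    return 1
}

# Self-check against the constructed banners. AVAILABLE is a constructed
# package list, not the driver-loader image's actual contents.
AVAILABLE='11 12'
for b in "$SAMPLE_EL7" "$SAMPLE_UBUNTU" "$SAMPLE_DEBIAN"; do
    if g=$(pick_gcc "$b" "$AVAILABLE"); then
        echo "ok: build with $g"
    else
        echo "no gcc in image matches kernel built with gcc $(kernel_gcc_major "$b")"
    fi
done
```

On a real host, pass `"$(cat /proc/version)"` as the banner and the image's installed `gcc-N` majors as the list.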
/kind cleanup
/area build
This patch upgrades the driver Dockerfile to support Debian 13.
The current driver image contains over 2000 known vulnerabilities. This update aims to significantly reduce that number by moving to a more secure and up-to-date base image, improving the overall security posture of the runtime environment.