edera-dev · bleggett · Jan 29, 2026 · Jan 29, 2026 · Jan 29, 2026 · Jan 29, 2026
diff --git a/examples/README.md b/examples/README.md
@@ -0,0 +1,5 @@
+# Example snippets
+
+- [`example-rule.yaml`](example-rule.yaml) -> A trivial Falco rule snippet to log syscall events from Edera workloads to Falco's stdout stream.
+- [`example-config.yaml`](example-config.yaml) -> A minimal Falco config file that only loads the Edera plugin source.
+- [`falco-helm-values.yaml`](falco-helm-values.yaml) -> A basic set of Helm values to use when deploying Falco via the [upstream Helm chart](https://falco.org/docs/setup/kubernetes/) in an Edera cluster.
diff --git a/examples/example-config.yaml b/examples/example-config.yaml
@@ -0,0 +1,13 @@
+# This config disables all other default Falco drivers and syscall capturing and
+# only loads the Edera source plugin.
+plugins:
+  - name: edera
+    library_path: /var/lib/edera/protect/falco/libedera_falco_plugin.so
+    init_config:
+      mirror_host_syscalls: false
+load_plugins: [edera]
+stdout_output:
+  enabled: true
+engine:
+  kind: nodriver
+log_stderr: true
diff --git a/examples/example-rule.yaml b/examples/example-rule.yaml
@@ -0,0 +1,16 @@
+- macro: open_read_edera
+  condition: (evt.pluginname == "edera")
+
+- rule: Edera Events
+  desc: >
+    Logs every syscall event from every running Edera zone, with no filtering.
+    Useful for testing and understanding what events are available.
+  source: edera_zone
+  output: >
+    Edera Event | time=%evt.time zone_id=%edera.zone.id evt.type=%evt.type
+    syscall.type=%syscall.type evt.category=%evt.category evt.dir=%evt.dir
+    proc.exe=%proc.exe evt.args=%evt.args is_open=%evt.type.is[open]
+  priority: WARNING
+  tags: [edera_zone, filesystem]
+  condition: >
+    open_read_edera
diff --git a/examples/falco-helm-values.yaml b/examples/falco-helm-values.yaml
@@ -0,0 +1,23 @@
+mounts:
+  volumes:
+    - name: edera-plugin
+      hostPath:
+        path: /var/lib/edera/protect/falco
+    - name: edera-daemon-socket
+      hostPath:
+        path: /var/lib/edera/protect
+  volumeMounts:
+    - name: edera-plugin
+      mountPath: /var/lib/edera/protect/falco
+      readOnly: true
+    - name: edera-daemon-socket
+      mountPath: /var/lib/edera/protect
+      readOnly: false
+
+falco:
+  plugins:
+    - name: edera
+      library_path: /var/lib/edera/protect/falco/libedera_falco_plugin.so
+      init_config:
+        mirror_host_syscalls: true
+  load_plugins: [edera]
diff --git a/hack/proto/buf.gen.control.yaml b/hack/proto/buf.gen.control.yaml
@@ -4,13 +4,13 @@ managed:
   enabled: true
 plugins:
   - local: protoc-gen-prost
-    out: src/proto/generated/protect/control
+    out: src/proto/generated
     opt:
       - compile_well_known_types
       - extern_path=.google.protobuf=::pbjson_types
   - local: protoc-gen-prost-serde
-    out: src/proto/generated/protect/control
+    out: src/proto/generated
   - local: protoc-gen-tonic
-    out: src/proto/generated/protect/control
+    out: src/proto/generated
 inputs:
   - module: buf.build/edera-dev/protect
diff --git a/hack/proto/install-tools.sh b/hack/proto/install-tools.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+# shellcheck disable=SC2086
+set -e
+
+# shellcheck source-path=SCRIPTDIR source=versions.sh
+. "$(dirname "${0}")/versions.sh"
+
+[ -z "${ADD_GO_FLAGS}" ] && ADD_GO_FLAGS=""
+[ -z "${ADD_CARGO_FLAGS}" ] && ADD_CARGO_FLAGS="--force"
+
+${INSTALL_BUF} ${ADD_GO_FLAGS}
+${INSTALL_PROTOC_GEN_GO} ${ADD_GO_FLAGS}
+${INSTALL_PROTOC_GEN_GO_GRPC} ${ADD_GO_FLAGS}
+${INSTALL_PROTOC_GEN_PROST} ${ADD_CARGO_FLAGS}
+${INSTALL_PROTOC_GEN_TONIC} ${ADD_CARGO_FLAGS}
+${INSTALL_PROTOC_GEN_PROST_SERDE} ${ADD_CARGO_FLAGS}
diff --git a/hack/proto/versions.sh b/hack/proto/versions.sh
@@ -3,15 +3,15 @@
 set -e
 
 PROTOC_GEN_PROST_REPOSITORY="https://github.com/neoeinstein/protoc-gen-prost.git"
-PROTOC_GEN_PROST_COMMIT=66b503dd1631bc2eaf79db37cde74b01567c8224
-BUF_COMMIT=69a3227530199878cc50df6ce889b176b498e077
+PROTOC_GEN_PROST_COMMIT=6915e08b082a15feb260062fe82d049edc0eadd6
+BUF_COMMIT=8ecc976ddc58ac372f045092202061f3c53f9f88
 
-BUF_VERSION=v1.56.0
-PROTOC_GEN_PROST_VERSION=0.4.1
-PROTOC_GEN_TONIC_VERSION=0.4.2
-PROTOC_GEN_PROST_SERDE_VERSION=0.3.2
+BUF_VERSION=v1.64.0
+PROTOC_GEN_PROST_VERSION=0.5.0
+PROTOC_GEN_TONIC_VERSION=0.5.0
+PROTOC_GEN_PROST_SERDE_VERSION=0.4.0
 
 INSTALL_BUF="go install github.com/bufbuild/buf/cmd/buf@${BUF_COMMIT}"
-INSTALL_PROTOC_GEN_PROST="cargo install --git ${PROTOC_GEN_PROST_REPOSITORY} --rev ${PROTOC_GEN_PROST_COMMIT} protoc-gen-prost"
-INSTALL_PROTOC_GEN_TONIC="cargo install --git ${PROTOC_GEN_PROST_REPOSITORY} --rev ${PROTOC_GEN_PROST_COMMIT} protoc-gen-tonic"
-INSTALL_PROTOC_GEN_PROST_SERDE="cargo install --git ${PROTOC_GEN_PROST_REPOSITORY} --rev ${PROTOC_GEN_PROST_COMMIT} protoc-gen-prost-serde"
+INSTALL_PROTOC_GEN_PROST="cargo install --locked --git ${PROTOC_GEN_PROST_REPOSITORY} --rev ${PROTOC_GEN_PROST_COMMIT} protoc-gen-prost"
+INSTALL_PROTOC_GEN_TONIC="cargo install --locked --git ${PROTOC_GEN_PROST_REPOSITORY} --rev ${PROTOC_GEN_PROST_COMMIT} protoc-gen-tonic"
+INSTALL_PROTOC_GEN_PROST_SERDE="cargo install --locked --git ${PROTOC_GEN_PROST_REPOSITORY} --rev ${PROTOC_GEN_PROST_COMMIT} protoc-gen-prost-serde"
diff --git a/src/proto/generated.rs b/src/proto/generated.rs
@@ -2,7 +2,7 @@
 #[allow(clippy::all)]
 pub mod protect {
     pub mod control {
-        #[path = "protect.control.v1.rs"]
+        #[path = "v1/protect.control.v1.rs"]
         pub mod v1;
     }
 }
diff --git a/...ted/protect/control/protect.control.v1.rs → .../protect/control/v1/protect.control.v1.rs b/...ted/protect/control/protect.control.v1.rs → .../protect/control/v1/protect.control.v1.rs
@@ -181,6 +181,22 @@ pub struct DeviceReferenceSpec {
     #[prost(string, tag="1")]
     pub name: ::prost::alloc::string::String,
 }
+#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
+pub struct WorkloadBlockDeviceSpec {
+    #[prost(string, tag="1")]
+    pub target_path: ::prost::alloc::string::String,
+    #[prost(string, tag="2")]
+    pub device_path: ::prost::alloc::string::String,
+    #[prost(message, optional, tag="3")]
+    pub mount_options: ::core::option::Option<BlockDeviceMountOptions>,
+}
+#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
+pub struct BlockDeviceMountOptions {
+    #[prost(bool, tag="1")]
+    pub readonly: bool,
+    #[prost(string, tag="2")]
+    pub permissions: ::prost::alloc::string::String,
+}
 #[derive(Clone, PartialEq, ::prost::Message)]
 pub struct ZoneStatus {
     #[prost(enumeration="ZoneState", tag="1")]
@@ -379,6 +395,19 @@ pub struct WorkloadSpec {
     pub security: ::core::option::Option<WorkloadSecuritySpec>,
     #[prost(message, repeated, tag="8")]
     pub scratch_mount: ::prost::alloc::vec::Vec<WorkloadScratchMount>,
+    #[prost(message, repeated, tag="9")]
+    pub cgroup_limits: ::prost::alloc::vec::Vec<CgroupLimit>,
+    #[prost(string, tag="10")]
+    pub hostname: ::prost::alloc::string::String,
+    #[prost(message, repeated, tag="11")]
+    pub block_devices: ::prost::alloc::vec::Vec<WorkloadBlockDeviceSpec>,
+}
+#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
+pub struct CgroupLimit {
+    #[prost(string, tag="1")]
+    pub limit_name: ::prost::alloc::string::String,
+    #[prost(string, tag="2")]
+    pub value: ::prost::alloc::string::String,
 }
 #[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
 pub struct WorkloadScratchMount {
@@ -401,6 +430,10 @@ pub struct WorkloadSecuritySpec {
     pub disable_all_namespaces: bool,
     #[prost(enumeration="ProcessNamespace", repeated, tag="7")]
     pub disable_namespaces: ::prost::alloc::vec::Vec<i32>,
+    #[prost(bool, tag="8")]
+    pub read_only_rootfs: bool,
+    #[prost(bool, tag="9")]
+    pub no_new_privs: bool,
 }
 #[derive(Clone, PartialEq, ::prost::Message)]
 pub struct WorkloadStatus {
@@ -423,8 +456,10 @@ pub struct WorkloadBlockDeviceInfo {
     pub block_index: u32,
     #[prost(uint64, tag="2")]
     pub device_id: u64,
-    #[prost(string, tag="3")]
-    pub loop_device: ::prost::alloc::string::String,
+    #[prost(string, tag="4")]
+    pub device: ::prost::alloc::string::String,
+    #[prost(bool, tag="5")]
+    pub loop_dev: bool,
 }
 #[derive(Clone, PartialEq, ::prost::Message)]
 pub struct WorkloadBlockDeviceStatus {
@@ -433,21 +468,17 @@ pub struct WorkloadBlockDeviceStatus {
 }
 #[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
 pub struct WorkloadMountInfo {
-    #[prost(uint64, tag="1")]
-    pub device_id: u64,
     #[prost(string, tag="2")]
     pub tag: ::prost::alloc::string::String,
     #[prost(string, tag="3")]
-    pub host_directory: ::prost::alloc::string::String,
-    #[prost(string, tag="4")]
-    pub host_file: ::prost::alloc::string::String,
+    pub host_path: ::prost::alloc::string::String,
     #[prost(string, tag="5")]
     pub target_path: ::prost::alloc::string::String,
 }
 #[derive(Clone, PartialEq, ::prost::Message)]
 pub struct WorkloadMountStatus {
-    #[prost(message, repeated, tag="1")]
-    pub devices: ::prost::alloc::vec::Vec<WorkloadMountInfo>,
+    #[prost(message, repeated, tag="2")]
+    pub mounts: ::prost::alloc::vec::Vec<WorkloadMountInfo>,
 }
 #[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
 pub struct WorkloadExitStatus {
@@ -586,6 +617,8 @@ pub struct ZoneScratchDiskSpecStaticBlock {
 pub struct ZoneDeviceStatus {
     #[prost(message, repeated, tag="1")]
     pub disks: ::prost::alloc::vec::Vec<ZoneDiskStatus>,
+    #[prost(message, optional, tag="2")]
+    pub mount: ::core::option::Option<ZoneMountStatus>,
 }
 #[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
 pub struct ZoneDiskStatus {
@@ -603,6 +636,15 @@ pub struct ZoneDiskStatus {
     pub delete: bool,
 }
 #[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
+pub struct ZoneMountStatus {
+    #[prost(uint64, tag="1")]
+    pub device_id: u64,
+    #[prost(string, tag="2")]
+    pub host_path: ::prost::alloc::string::String,
+    #[prost(string, tag="3")]
+    pub tag: ::prost::alloc::string::String,
+}
+#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
 pub struct OciRegistryUsernamePassword {
     /// username to provide, empty means no username.
     #[prost(string, tag="1")]
@@ -709,6 +751,7 @@ pub enum ZoneVirtualizationBackend {
     Unknown = 0,
     Pv = 1,
     Pvh = 2,
+    Automatic = 3,
 }
 impl ZoneVirtualizationBackend {
     /// String value of the enum field names used in the ProtoBuf definition.
@@ -720,6 +763,7 @@ impl ZoneVirtualizationBackend {
             Self::Unknown => "ZONE_VIRTUALIZATION_BACKEND_UNKNOWN",
             Self::Pv => "ZONE_VIRTUALIZATION_BACKEND_PV",
             Self::Pvh => "ZONE_VIRTUALIZATION_BACKEND_PVH",
+            Self::Automatic => "ZONE_VIRTUALIZATION_BACKEND_AUTOMATIC",
         }
     }
     /// Creates an enum from field names used in the ProtoBuf definition.
@@ -728,6 +772,7 @@ impl ZoneVirtualizationBackend {
             "ZONE_VIRTUALIZATION_BACKEND_UNKNOWN" => Some(Self::Unknown),
             "ZONE_VIRTUALIZATION_BACKEND_PV" => Some(Self::Pv),
             "ZONE_VIRTUALIZATION_BACKEND_PVH" => Some(Self::Pvh),
+            "ZONE_VIRTUALIZATION_BACKEND_AUTOMATIC" => Some(Self::Automatic),
             _ => None,
         }
     }
@@ -927,6 +972,7 @@ pub enum WorkloadState {
     Destroying = 5,
     Destroyed = 6,
     Failed = 7,
+    Oomkilled = 8,
 }
 impl WorkloadState {
     /// String value of the enum field names used in the ProtoBuf definition.
@@ -943,6 +989,7 @@ impl WorkloadState {
             Self::Destroying => "WORKLOAD_STATE_DESTROYING",
             Self::Destroyed => "WORKLOAD_STATE_DESTROYED",
             Self::Failed => "WORKLOAD_STATE_FAILED",
+            Self::Oomkilled => "WORKLOAD_STATE_OOMKILLED",
         }
     }
     /// Creates an enum from field names used in the ProtoBuf definition.
@@ -956,6 +1003,7 @@ impl WorkloadState {
             "WORKLOAD_STATE_DESTROYING" => Some(Self::Destroying),
             "WORKLOAD_STATE_DESTROYED" => Some(Self::Destroyed),
             "WORKLOAD_STATE_FAILED" => Some(Self::Failed),
+            "WORKLOAD_STATE_OOMKILLED" => Some(Self::Oomkilled),
             _ => None,
         }
     }
@@ -1156,6 +1204,8 @@ pub struct GetHostStatusReply {
     pub host_ipv6: ::prost::alloc::string::String,
     #[prost(string, tag="6")]
     pub host_mac: ::prost::alloc::string::String,
+    #[prost(uint64, optional, tag="7")]
+    pub hyp_free_mem: ::core::option::Option<u64>,
 }
 #[derive(Clone, PartialEq, ::prost::Message)]
 pub struct CreateZoneRequest {
@@ -1856,6 +1906,8 @@ pub struct StartWorkloadReply {
 pub struct StopWorkloadRequest {
     #[prost(string, tag="1")]
     pub workload_id: ::prost::alloc::string::String,
+    #[prost(uint64, tag="2")]
+    pub timeout: u64,
 }
 #[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
 pub struct StopWorkloadReply {