GPL source unavailable for Falcon Linux kernel module #24

Closed
benjaminrsherman opened this issue May 12, 2021 · 6 comments

@benjaminrsherman

I cannot find the GPL-licensed source code for the CrowdStrike Falcon Linux kernel module. What is the best method to acquire the source code?

@johnnyapol

Commenting to follow.

@Prasantacharya

I'd also like to inquire about the source code.

@shawndwells shawndwells self-assigned this May 13, 2021
@shawndwells
Contributor

Recent versions of the falcon-sensor RPM are distributed via a Proprietary license. For reference:

# rpm -qai falcon-sensor
Name        : falcon-sensor
Version     : 6.16.0
Release     : 11308.el8
Architecture: x86_64
Install Date: Wed Mar 17 20:42:23 2021
Group       : System Environment/Daemons
Size        : 5781606
License     : Proprietary
Signature   : RSA/SHA256, Tue Feb 23 00:06:39 2021, Key ID 676affafb88c500b
Source RPM  : falcon-sensor-6.16.0-11308.el8.src.rpm
Build Date  : Tue Feb 23 00:06:36 2021
Build Host  : 4962c3e73bc9
Relocations : (not relocatable)
URL         : crowdstrike.com
Summary     : Crowdstrike Falcon Sensor
Description :
The falcon-sensor package provides the Crowdstrike Falcon Sensor daemon and kernel modules.

The licensing appears to have been different years ago. Here's an old thread for reference:
https://opensource.stackexchange.com/questions/7790/source-request-for-a-gpl-licensed-linux-kernel-module

If someone can dig up a specific falcon-sensor RPM version that was licensed this way, would encourage them to reach out to legal@crowdstrike.com to enquire about any GPL-licensed source code.

To be clear, that sentence is not meant to be sly or nuanced. If a specific GPL licensed RPM is found (or any GPL CrowdStrike code for that matter), the formal process would be to include the exact version in a request to legal@crowdstrike.com.

We'll get this process better documented. Thanks for the nudge!

-Shawn

Shawn Wells
VP, Global Solution Architecture
shawn.wells@crowdstrike.com || (+1) 443-534-0130 (US EST)

@shawndwells
Contributor

Asked around a bit internally to CrowdStrike. Double confirmed formal process to request any GPL'd code would be to email legal@crowdstrike.com.

Will go ahead and close this ticket. Feel free to re-open if there are additional comments or questions!

@jshcodes jshcodes added the documentation Improvements or additions to documentation label Oct 15, 2021
@blurayne

Not only that - I found:

  • CrowdStrike Network Containment Security Module (Proprietary)
  • CrowdStrike KAL Module (GPL)
  • CrowdStrike Pinned Security Module (GPL)

Check: https://falcon.crowdstrike.com/login/open-source

@ringerc

ringerc commented Jun 6, 2023

(I speak personally, and not as a representative of my employer or anybody else):

From what I can see the Linux kernel modules still use license=GPL in their module files. They claim they are GPL, but are not distributed with sources, or a written offer for sources with a contact address.

e.g.

➜  falcon-sensor-kernel-modules strings 1448351671-1448565855.elf64_extract/carved.elf| grep -A10 '^falcon_kal' 
falcon_kal
version=0.0.0
author=CrowdStrike, Inc.
description=CrowdStrike KAL Module
license=GPL
intree=N
srcversion=533BB7E5866E52F63B9ACCB
depends=
retpoline=Y
name=falcon_kal
distro=ubuntu22

I'm not a Linux kernel copyright holder for any of the relevant kernel code, so it's not something I can act on. But it's something CS might want to be aware of, as it's probably actionable by someone who holds kernel copyright in the network or Linux Security Module subsystems.

If you want to look at the CS Falcon agent's modules on an install, you can use https://unblob.org/ on their /opt/CrowdStrike/KernelModuleArchive to unpack it from whatever custom/obfuscated archive format they're using. Or just dd by looking for \x7fELF offsets with grep --only-matching --byte-offset --text --perl-regexp '\x7fELF' /path/to/unxzed/archive.
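
The offset-scan approach described in the comment above, as an added Python example that is not part of the thread and not CrowdStrike's code: it finds \x7fELF offsets in an already-decompressed blob, splits the blob at each one, and reads the license and name strings from each piece. The sample bytes and the module names demo_a and demo_b are constructed, and cutting each piece at the next magic (rather than sizing it from the ELF header) is a simplifying assumption.

```python
import re

ELF_MAGIC = b"\x7fELF"
# .modinfo holds NUL-terminated "key=value" strings (what `strings | grep` shows).
MODINFO_RE = re.compile(
    rb"(?<=\x00)(name|license|description|srcversion)=([^\x00]*)(?=\x00)")


def elf_offsets(blob):
    """Offsets of ELF magic whose e_ident bytes are plausible (skips chance matches)."""
    hits = []
    for m in re.finditer(re.escape(ELF_MAGIC), blob):
        ident = blob[m.start() + 4:m.start() + 7]  # EI_CLASS, EI_DATA, EI_VERSION
        if len(ident) == 3 and ident[0] in (1, 2) and ident[1] in (1, 2) and ident[2] == 1:
            hits.append(m.start())
    return hits


def carve(blob):
    """Return (offset, bytes) per ELF, each running to the next ELF or end of blob."""
    offs = elf_offsets(blob)
    return [(s, blob[s:e]) for s, e in zip(offs, offs[1:] + [len(blob)])]


def modinfo(chunk):
    """Collect the first value seen for each modinfo key of interest."""
    info = {}
    for key, value in MODINFO_RE.findall(chunk):
        info.setdefault(key.decode(), value.decode("ascii", "replace"))
    return info


def license_report(blob):
    return [(off, modinfo(chunk)) for off, chunk in carve(blob)]


def _fake_module(name, lic):
    # Constructed stand-in: 64-bit little-endian e_ident plus modinfo strings,
    # not a loadable ELF.
    ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9
    return ident + b"\x00" * 48 + f"name={name}\x00license={lic}\x00".encode()


# Constructed sample: junk, a chance "\x7fELF" with bad e_ident, then two modules.
SAMPLE = (b"HDR!" + b"\x7fELFxyz" + _fake_module("demo_a", "GPL")
          + b"\xff" * 5 + _fake_module("demo_b", "Proprietary"))

if __name__ == "__main__":
    for off, info in license_report(SAMPLE):
        print(off, info.get("name"), info.get("license"))
```
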
