tracee: 0.8.3 -> 0.9.2

Use our built copy of libbpf.a

nixos/tests/tracee.nix

@@ -14,15 +14,18 @@ import ./make-test-python.nix ({ pkgs, ... }: {
           patches = oa.patches or [] ++ [
             # change the prefix from /usr/bin to /run to find nix processes
             ../../pkgs/tools/security/tracee/test-EventFilters-prefix-nix-friendly.patch
-            # skip magic_write test that currently fails
-            ../../pkgs/tools/security/tracee/test-EventFilters-magic_write-skip.patch
           ];
           buildPhase = ''
             runHook preBuild
             # just build the static lib we need for the go test binary
-            make $makeFlags ''${enableParallelBuilding:+-j$NIX_BUILD_CORES -l$NIX_BUILD_CORES} bpf-core ./dist/btfhub ./dist/libbpf/libbpf.a
+            make $makeFlags ''${enableParallelBuilding:+-j$NIX_BUILD_CORES -l$NIX_BUILD_CORES} bpf-core ./dist/btfhub
+
+            # remove the /usr/bin prefix to work with the patch above
+            substituteInPlace tests/integration/integration_test.go \
+              --replace "/usr/bin/ls" "ls"
+
             # then compile the tests to be ran later
-            CGO_CFLAGS="-I$PWD/dist/libbpf" CGO_LDFLAGS="-lelf -lz $PWD/dist/libbpf/libbpf.a" go test -tags core,ebpf,integration -p 1 -c -o $GOPATH/tracee-integration ./tests/integration/...
+            CGO_LDFLAGS="$(pkg-config --libs libbpf)" go test -tags core,ebpf,integration -p 1 -c -o $GOPATH/tracee-integration ./tests/integration/...
             runHook postBuild
           '';
           doCheck = false;

pkgs/tools/security/tracee/default.nix

@@ -19,23 +19,26 @@ let
 in
 buildGoModule rec {
   pname = "tracee";
-  version = "0.8.3";
+  version = "0.9.2";
 
   src = fetchFromGitHub {
     owner = "aquasecurity";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-VxTJcl7gHRZEXpFbxU4iMwqxuR1r0BNSseWQ5ijWHU4=";
+    sha256 = "sha256-w/x7KhopkADKvpDc5TE5Kf34pRY6HP3kX1Lqujnl0b8=";
   };
-  vendorSha256 = "sha256-szPoJUtzya3+8dOnkDxHEs3+a1LTVoMMLjUSrUlfiGg=";
+  vendorSha256 = "sha256-5RXNRNoMydFcemNGgyfqcUPtfMVgMYdiyWo/sZi8GQw=";
+
+  patches = [
+    ./use-our-libbpf.patch
+  ];
 
   enableParallelBuilding = true;
   # needed to build bpf libs
   hardeningDisable = [ "stackprotector" ];
 
   nativeBuildInputs = [ pkg-config clang ];
-  # ensure libbpf version exactly matches the version added as a submodule
+  buildInputs = [ elfutils libbpf zlib ];
-  buildInputs = [ libbpf zlib elfutils ];
 
   makeFlags = [
     "VERSION=v${version}"
@@ -44,16 +47,9 @@ buildGoModule rec {
     "CMD_GIT=echo"
   ];
 
-  # TODO: patch tracee to take libbpf.a and headers via include path
-  preBuild = ''
-    mkdir -p 3rdparty/libbpf/src
-    mkdir -p ./dist
-    cp -r ${libbpf}/lib ./dist/libbpf
-    chmod +w ./dist/libbpf
-    cp -r ${libbpf}/include/bpf ./dist/libbpf/
-  '';
   buildPhase = ''
     runHook preBuild
+    mkdir -p ./dist
     make $makeFlags ''${enableParallelBuilding:+-j$NIX_BUILD_CORES} bpf-core all
     runHook postBuild
   '';

pkgs/tools/security/tracee/test-EventFilters-magic_write-skip.patch

@@ -1,16 +0,0 @@
-diff --git a/tests/integration/integration_test.go b/tests/integration/integration_test.go
-index afbc5330..3b38a1b8 100644
---- a/tests/integration/integration_test.go
-+++ b/tests/integration/integration_test.go
-@@ -205,11 +205,6 @@ func Test_EventFilters(t *testing.T) {
- 		filterArgs []string
- 		eventFunc  func(*testing.T, *[]trace.Event)
- 	}{
--		{
--			name:       "do a file write",
--			filterArgs: []string{"event=magic_write"},
--			eventFunc:  checkMagicwrite,
--		},
- 		{
- 			name:       "execute a command",
- 			filterArgs: []string{"comm=ls"},

pkgs/tools/security/tracee/use-our-libbpf.patch

@@ -0,0 +1,129 @@
+diff --git a/Makefile b/Makefile
+index c72cf63d..e96b7eed 100644
+--- a/Makefile
++++ b/Makefile
+@@ -50,6 +50,7 @@ CMD_STATICCHECK ?= staticcheck
+ # libs
+ #
+ 
++LIB_BPF ?= libbpf
+ LIB_ELF ?= libelf
+ LIB_ZLIB ?= zlib
+ 
+@@ -172,10 +173,6 @@ env:
+ 	@echo "KERN_BUILD_PATH          $(KERN_BUILD_PATH)"
+ 	@echo "KERN_SRC_PATH            $(KERN_SRC_PATH)"
+ 	@echo ---------------------------------------
+-	@echo "LIBBPF_CFLAGS            $(LIBBPF_CFLAGS)"
+-	@echo "LIBBPF_LDLAGS            $(LIBBPF_LDFLAGS)"
+-	@echo "LIBBPF_SRC               $(LIBBPF_SRC)"
+-	@echo ---------------------------------------
+ 	@echo "STATIC                   $(STATIC)"
+ 	@echo ---------------------------------------
+ 	@echo "BPF_VCPU                 $(BPF_VCPU)"
+@@ -274,8 +271,6 @@ OUTPUT_DIR = ./dist
+ $(OUTPUT_DIR):
+ #
+ 	@$(CMD_MKDIR) -p $@
+-	@$(CMD_MKDIR) -p $@/libbpf
+-	@$(CMD_MKDIR) -p $@/libbpf/obj
+ 
+ #
+ # embedded btfhub
+@@ -286,37 +281,6 @@ $(OUTPUT_DIR)/btfhub:
+ 	@$(CMD_MKDIR) -p $@
+ 	@$(CMD_TOUCH) $@/.place-holder # needed for embed.FS
+ 
+-#
+-# libbpf
+-#
+-
+-LIBBPF_CFLAGS = "-fPIC"
+-LIBBPF_LDLAGS =
+-LIBBPF_SRC = ./3rdparty/libbpf/src
+-
+-$(OUTPUT_DIR)/libbpf/libbpf.a: \
+-	$(LIBBPF_SRC) \
+-	$(wildcard $(LIBBPF_SRC)/*.[ch]) \
+-	| .checkver_$(CMD_CLANG) $(OUTPUT_DIR)
+-#
+-	CC="$(CMD_CLANG)" \
+-		CFLAGS="$(LIBBPF_CFLAGS)" \
+-		LD_FLAGS="$(LIBBPF_LDFLAGS)" \
+-		$(MAKE) \
+-		-C $(LIBBPF_SRC) \
+-		BUILD_STATIC_ONLY=1 \
+-		DESTDIR=$(abspath ./$(OUTPUT_DIR)/libbpf/) \
+-		OBJDIR=$(abspath ./$(OUTPUT_DIR)/libbpf/obj) \
+-		INCLUDEDIR= LIBDIR= UAPIDIR= prefix= libdir= \
+-		install install_uapi_headers
+-
+-$(LIBBPF_SRC): \
+-	| .check_$(CMD_GIT)
+-#
+-ifeq ($(wildcard $@), )
+-	@$(CMD_GIT) submodule update --init --recursive
+-endif
+-
+ #
+ # non co-re ebpf
+ #
+@@ -333,7 +297,6 @@ BPF_NOCORE_TAG = $(subst .,_,$(KERN_RELEASE)).$(subst .,_,$(VERSION))
+ bpf-nocore: $(OUTPUT_DIR)/tracee.bpf.$(BPF_NOCORE_TAG).o
+ 
+ $(OUTPUT_DIR)/tracee.bpf.$(BPF_NOCORE_TAG).o: \
+-	$(OUTPUT_DIR)/libbpf/libbpf.a \
+ 	$(TRACEE_EBPF_OBJ_SRC)
+ #
+ 	MAKEFLAGS="--no-print-directory"
+@@ -351,7 +314,6 @@ $(OUTPUT_DIR)/tracee.bpf.$(BPF_NOCORE_TAG).o: \
+ 		-I $(KERN_SRC_PATH)/include/uapi \
+ 		-I $(KERN_BUILD_PATH)/include/generated \
+ 		-I $(KERN_BUILD_PATH)/include/generated/uapi \
+-		-I $(OUTPUT_DIR)/libbpf \
+ 		-I ./3rdparty/include \
+ 		-Wunused \
+ 		-Wall \
+@@ -412,7 +374,6 @@ TRACEE_EBPF_OBJ_CORE_HEADERS = $(shell find pkg/ebpf/c -name *.h)
+ bpf-core: $(OUTPUT_DIR)/tracee.bpf.core.o
+ 
+ $(OUTPUT_DIR)/tracee.bpf.core.o: \
+-	$(OUTPUT_DIR)/libbpf/libbpf.a \
+ 	$(TRACEE_EBPF_OBJ_SRC) \
+ 	$(TRACEE_EBPF_OBJ_CORE_HEADERS)
+ #
+@@ -421,7 +382,6 @@ $(OUTPUT_DIR)/tracee.bpf.core.o: \
+ 		-D__BPF_TRACING__ \
+ 		-DCORE \
+ 		-I./pkg/ebpf/c/ \
+-		-I$(OUTPUT_DIR)/libbpf/ \
+ 		-I ./3rdparty/include \
+ 		-target bpf \
+ 		-O2 -g \
+@@ -447,8 +407,8 @@ ifeq ($(STATIC), 1)
+     GO_TAGS_EBPF := $(GO_TAGS_EBPF),netgo
+ endif
+ 
+-CUSTOM_CGO_CFLAGS = "-I$(abspath $(OUTPUT_DIR)/libbpf)"
+-CUSTOM_CGO_LDFLAGS = "$(shell $(call pkg_config, $(LIB_ELF))) $(shell $(call pkg_config, $(LIB_ZLIB))) $(abspath $(OUTPUT_DIR)/libbpf/libbpf.a)"
++CUSTOM_CGO_CFLAGS = ""
++CUSTOM_CGO_LDFLAGS = "$(shell $(call pkg_config, $(LIB_BPF))) $(shell $(call pkg_config, $(LIB_ELF))) $(shell $(call pkg_config, $(LIB_ZLIB)))"
+ 
+ GO_ENV_EBPF =
+ GO_ENV_EBPF += GOOS=linux
+@@ -468,6 +428,7 @@ $(OUTPUT_DIR)/tracee-ebpf: \
+ 	$(TRACEE_EBPF_SRC) \
+ 	./embedded-ebpf.go \
+ 	| .checkver_$(CMD_GO) \
++	.checklib_$(LIB_BPF) \
+ 	.checklib_$(LIB_ELF) \
+ 	.checklib_$(LIB_ZLIB) \
+ 	btfhub
+@@ -658,7 +619,6 @@ test-rules: \
+ .PHONY: test-upstream-libbpfgo
+ test-upstream-libbpfgo: \
+ 	.checkver_$(CMD_GO) \
+-	$(OUTPUT_DIR)/libbpf/libbpf.a
+ #
+ 	./tests/libbpfgo.sh $(GO_ENV_EBPF)
+ 

pkgs/top-level/all-packages.nix

@@ -12074,7 +12074,7 @@ with pkgs;
   tracebox = callPackage ../tools/networking/tracebox { stdenv = gcc10StdenvCompat; };
 
   tracee = callPackage ../tools/security/tracee {
-    buildGoModule = buildGo118Module; # tests fail with 1.19
+    libbpf = libbpf_1; # keep inline with their submodule
   };
 
   tracefilegen = callPackage ../development/tools/analysis/garcosim/tracefilegen { };