···

       
1
       
1
       
 
       
import ./make-test-python.nix ({ pkgs, ... }: {

     

       
2
       
2
       
 
       
  name = "tracee-integration";

     

       
3
       
3
       
+
       
  meta.maintainers = pkgs.tracee.meta.maintainers;

     

       
4
       
4
       
+
       


     

       
3
       
5
       
 
       
  nodes = {

     

       
4
       
6
       
 
       
    machine = { config, pkgs, ... }: {

     

       
5
       
7
       
 
       
      # EventFilters/trace_only_events_from_new_containers and

     
···

       
7
       
9
       
 
       
      # require docker/dockerd

     

       
8
       
10
       
 
       
      virtualisation.docker.enable = true;

     

       
9
       
11
       
 
       


     

       
10
       
10
       
-
       
      environment.systemPackages = [

     

       
12
       
12
       
+
       
      environment.systemPackages = with pkgs; [

     

       
11
       
13
       
 
       
        # required by Test_EventFilters/trace_events_from_ls_and_which_binary_in_separate_scopes

     

       
12
       
12
       
-
       
        pkgs.which

     

       
14
       
14
       
+
       
        which

     

       
13
       
15
       
 
       
        # build the go integration tests as a binary

     

       
14
       
14
       
-
       
        (pkgs.tracee.overrideAttrs (oa: {

     

       
16
       
16
       
+
       
        (tracee.overrideAttrs (oa: {

     

       
15
       
17
       
 
       
          pname = oa.pname + "-integration";

     

       
16
       
18
       
 
       
          postPatch = oa.postPatch or "" + ''

     

       
17
       
19
       
 
       
            # prepare tester.sh (which will be embedded in the test binary)

     
···

       
20
       
22
       
 
       
            # fix the test to look at nixos paths for running programs

     

       
21
       
23
       
 
       
            substituteInPlace tests/integration/integration_test.go \

     

       
22
       
24
       
 
       
              --replace "bin=/usr/bin/" "comm=" \

     

       
25
       
25
       
+
       
              --replace "binary=/usr/bin/" "comm=" \

     

       
23
       
26
       
 
       
              --replace "/usr/bin/dockerd" "dockerd" \

     

       
24
       
27
       
 
       
              --replace "/usr/bin" "/run/current-system/sw/bin"

     

       
25
       
28
       
 
       
          '';

     

       
26
       
26
       
-
       
          nativeBuildInputs = oa.nativeBuildInputs or [ ] ++ [ pkgs.makeWrapper ];

     

       
29
       
29
       
+
       
          nativeBuildInputs = oa.nativeBuildInputs or [ ] ++ [ makeWrapper ];

     

       
27
       
30
       
 
       
          buildPhase = ''

     

       
28
       
31
       
 
       
            runHook preBuild

     

       
29
       
32
       
 
       
            # just build the static lib we need for the go test binary

     
···

       
34
       
37
       
 
       
            runHook postBuild

     

       
35
       
38
       
 
       
          '';

     

       
36
       
39
       
 
       
          doCheck = false;

     

       
40
       
40
       
+
       
          outputs = [ "out" ];

     

       
37
       
41
       
 
       
          installPhase = ''

     

       
38
       
42
       
 
       
            mkdir -p $out/bin

     

       
39
       
43
       
 
       
            mv $GOPATH/tracee-integration $out/bin/

     

···

       
2
       
2
       
 
       
, buildGoModule

     

       
3
       
3
       
 
       
, fetchFromGitHub

     

       
4
       
4
       
 
       


     

       
5
       
5
       
-
       
, llvmPackages_13

     

       
5
       
5
       
+
       
, clang

     

       
6
       
6
       
 
       
, pkg-config

     

       
7
       
7
       
 
       


     

       
8
       
8
       
 
       
, zlib

     
···

       
14
       
14
       
 
       
, tracee

     

       
15
       
15
       
 
       
}:

     

       
16
       
16
       
 
       


     

       
17
       
17
       
-
       
let

     

       
18
       
18
       
-
       
  inherit (llvmPackages_13) clang;

     

       
19
       
19
       
-
       
in

     

       
20
       
17
       
 
       
buildGoModule rec {

     

       
21
       
18
       
 
       
  pname = "tracee";

     

       
22
       
22
       
-
       
  version = "0.11.0";

     

       
19
       
19
       
+
       
  version = "0.13.0";

     

       
23
       
20
       
 
       


     

       
24
       
21
       
 
       
  src = fetchFromGitHub {

     

       
25
       
22
       
 
       
    owner = "aquasecurity";

     

       
26
       
23
       
 
       
    repo = pname;

     

       
27
       
24
       
 
       
    rev = "v${version}";

     

       
28
       
28
       
-
       
    sha256 = "sha256-fAbii/DEXx9WJpolc7amqF9TQj4oE5x0TCiNOtVasGo=";

     

       
25
       
25
       
+
       
    hash = "sha256-55+eyulFbzR2ZzKbTN5sHIickpwXY8eJDDzf6Gzwhsk=";

     

       
29
       
26
       
 
       
  };

     

       
30
       
30
       
-
       
  vendorSha256 = "sha256-eenhIsiJhPLgwJo2spIGURPkcsec3kO4L5UJ0FWniQc=";

     

       
27
       
27
       
+
       
  vendorHash = "sha256-qEubjzYGdiBntPOJw8dR/THcvK2Bml97SXHImIWbDm0=";

     

       
31
       
28
       
 
       


     

       
32
       
29
       
 
       
  patches = [

     

       
33
       
30
       
 
       
    ./use-our-libbpf.patch

     
···

       
59
       
56
       
 
       
  # see passthru.tests.integration

     

       
60
       
57
       
 
       
  doCheck = false;

     

       
61
       
58
       
 
       


     

       
59
       
59
       
+
       
  outputs = [ "out" "lib" "share" ];

     

       
60
       
60
       
+
       


     

       
62
       
61
       
 
       
  installPhase = ''

     

       
63
       
62
       
 
       
    runHook preInstall

     

       
64
       
63
       
 
       


     

       
65
       
65
       
-
       
    mkdir -p $out/{bin,share/tracee}

     

       
64
       
64
       
+
       
    mkdir -p $out/bin $lib/lib/tracee $share/share/tracee

     

       
66
       
65
       
 
       


     

       
67
       
67
       
-
       
    mv ./dist/tracee-{ebpf,rules} $out/bin/

     

       
68
       
68
       
-
       


     

       
69
       
69
       
-
       
    mv ./dist/rules $out/share/tracee/

     

       
70
       
70
       
-
       
    mv ./cmd/tracee-rules/templates $out/share/tracee/

     

       
66
       
66
       
+
       
    mv ./dist/tracee $out/bin/

     

       
67
       
67
       
+
       
    mv ./dist/tracee.bpf.core.o $lib/lib/tracee/

     

       
68
       
68
       
+
       
    mv ./cmd/tracee-rules/templates $share/share/tracee/

     

       
71
       
69
       
 
       


     

       
72
       
70
       
 
       
    runHook postInstall

     

       
73
       
71
       
 
       
  '';

     
···

       
76
       
74
       
 
       
  installCheckPhase = ''

     

       
77
       
75
       
 
       
    runHook preInstallCheck

     

       
78
       
76
       
 
       


     

       
79
       
79
       
-
       
    $out/bin/tracee-ebpf --help

     

       
80
       
80
       
-
       
    $out/bin/tracee-ebpf --version | grep "v${version}"

     

       
81
       
81
       
-
       


     

       
82
       
82
       
-
       
    $out/bin/tracee-rules --help

     

       
77
       
77
       
+
       
    $out/bin/tracee --help

     

       
78
       
78
       
+
       
    $out/bin/tracee --version | grep "v${version}"

     

       
83
       
79
       
 
       


     

       
84
       
80
       
 
       
    runHook postInstallCheck

     

       
85
       
81
       
 
       
  '';

     
···

       
89
       
85
       
 
       
    version = testers.testVersion {

     

       
90
       
86
       
 
       
      package = tracee;

     

       
91
       
87
       
 
       
      version = "v${version}";

     

       
92
       
92
       
-
       
      command = "tracee-ebpf --version";

     

       
88
       
88
       
+
       
      command = "tracee --version";

     

       
93
       
89
       
 
       
    };

     

       
94
       
90
       
 
       
  };

     

       
95
       
91
       
 
       


     
···

       
111
       
107
       
 
       
      gpl2Plus

     

       
112
       
108
       
 
       
    ];

     

       
113
       
109
       
 
       
    maintainers = with maintainers; [ jk ];

     

       
114
       
114
       
-
       
    platforms = [ "x86_64-linux" ];

     

       
110
       
110
       
+
       
    platforms = [ "x86_64-linux" "aarch64-linux" ];

     

       
111
       
111
       
+
       
    outputsToInstall = [ "out" "share" ];

     

       
115
       
112
       
 
       
  };

     

       
116
       
113
       
 
       
}

     

···

       
1
       
1
       
 
       
diff --git a/Makefile b/Makefile

     

       
2
       
2
       
-
       
index c72cf63d..e96b7eed 100644

     

       
2
       
2
       
+
       
index d7596a1a..dd7b97b6 100644

     

       
3
       
3
       
 
       
--- a/Makefile

     

       
4
       
4
       
 
       
+++ b/Makefile

     

       
5
       
5
       
 
       
@@ -50,6 +50,7 @@ CMD_STATICCHECK ?= staticcheck

     
···

       
10
       
10
       
 
       
 LIB_ELF ?= libelf

     

       
11
       
11
       
 
       
 LIB_ZLIB ?= zlib

     

       
12
       
12
       
 
       
 

     

       
13
       
13
       
-
       
@@ -172,10 +173,6 @@ env:

     

       
14
       
14
       
-
       
 	@echo "KERN_BUILD_PATH          $(KERN_BUILD_PATH)"

     

       
15
       
15
       
-
       
 	@echo "KERN_SRC_PATH            $(KERN_SRC_PATH)"

     

       
16
       
16
       
-
       
 	@echo ---------------------------------------

     

       
17
       
17
       
-
       
-	@echo "LIBBPF_CFLAGS            $(LIBBPF_CFLAGS)"

     

       
18
       
18
       
-
       
-	@echo "LIBBPF_LDLAGS            $(LIBBPF_LDFLAGS)"

     

       
19
       
19
       
-
       
-	@echo "LIBBPF_SRC               $(LIBBPF_SRC)"

     

       
20
       
20
       
-
       
-	@echo ---------------------------------------

     

       
21
       
21
       
-
       
 	@echo "STATIC                   $(STATIC)"

     

       
22
       
22
       
-
       
 	@echo ---------------------------------------

     

       
23
       
23
       
-
       
 	@echo "BPF_VCPU                 $(BPF_VCPU)"

     

       
24
       
24
       
-
       
@@ -274,8 +271,6 @@ OUTPUT_DIR = ./dist

     

       
13
       
13
       
+
       
@@ -279,8 +280,6 @@ OUTPUT_DIR = ./dist

     

       
25
       
14
       
 
       
 $(OUTPUT_DIR):

     

       
26
       
15
       
 
       
 #

     

       
27
       
16
       
 
       
 	@$(CMD_MKDIR) -p $@

     
···

       
30
       
19
       
 
       
 

     

       
31
       
20
       
 
       
 #

     

       
32
       
21
       
 
       
 # embedded btfhub

     

       
33
       
33
       
-
       
@@ -286,37 +281,6 @@ $(OUTPUT_DIR)/btfhub:

     

       
34
       
34
       
-
       
 	@$(CMD_MKDIR) -p $@

     

       
35
       
35
       
-
       
 	@$(CMD_TOUCH) $@/.place-holder # needed for embed.FS

     

       
36
       
36
       
-
       
 

     

       
37
       
37
       
-
       
-#

     

       
38
       
38
       
-
       
-# libbpf

     

       
39
       
39
       
-
       
-#

     

       
40
       
40
       
-
       
-

     

       
41
       
41
       
-
       
-LIBBPF_CFLAGS = "-fPIC"

     

       
42
       
42
       
-
       
-LIBBPF_LDLAGS =

     

       
43
       
43
       
-
       
-LIBBPF_SRC = ./3rdparty/libbpf/src

     

       
44
       
44
       
-
       
-

     

       
45
       
45
       
-
       
-$(OUTPUT_DIR)/libbpf/libbpf.a: \

     

       
46
       
46
       
-
       
-	$(LIBBPF_SRC) \

     

       
47
       
47
       
-
       
-	$(wildcard $(LIBBPF_SRC)/*.[ch]) \

     

       
48
       
48
       
-
       
-	| .checkver_$(CMD_CLANG) $(OUTPUT_DIR)

     

       
49
       
49
       
-
       
-#

     

       
50
       
50
       
-
       
-	CC="$(CMD_CLANG)" \

     

       
51
       
51
       
-
       
-		CFLAGS="$(LIBBPF_CFLAGS)" \

     

       
52
       
52
       
-
       
-		LD_FLAGS="$(LIBBPF_LDFLAGS)" \

     

       
53
       
53
       
-
       
-		$(MAKE) \

     

       
54
       
54
       
-
       
-		-C $(LIBBPF_SRC) \

     

       
55
       
55
       
-
       
-		BUILD_STATIC_ONLY=1 \

     

       
56
       
56
       
-
       
-		DESTDIR=$(abspath ./$(OUTPUT_DIR)/libbpf/) \

     

       
57
       
57
       
-
       
-		OBJDIR=$(abspath ./$(OUTPUT_DIR)/libbpf/obj) \

     

       
58
       
58
       
-
       
-		INCLUDEDIR= LIBDIR= UAPIDIR= prefix= libdir= \

     

       
59
       
59
       
-
       
-		install install_uapi_headers

     

       
60
       
60
       
-
       
-

     

       
61
       
61
       
-
       
-$(LIBBPF_SRC): \

     

       
62
       
62
       
-
       
-	| .check_$(CMD_GIT)

     

       
63
       
63
       
-
       
-#

     

       
64
       
64
       
-
       
-ifeq ($(wildcard $@), )

     

       
65
       
65
       
-
       
-	@$(CMD_GIT) submodule update --init --recursive

     

       
66
       
66
       
-
       
-endif

     

       
67
       
67
       
-
       
-

     

       
68
       
68
       
-
       
 #

     

       
69
       
69
       
-
       
 # non co-re ebpf

     

       
70
       
70
       
-
       
 #

     

       
71
       
71
       
-
       
@@ -333,7 +297,6 @@ BPF_NOCORE_TAG = $(subst .,_,$(KERN_RELEASE)).$(subst .,_,$(VERSION))

     

       
72
       
72
       
-
       
 bpf-nocore: $(OUTPUT_DIR)/tracee.bpf.$(BPF_NOCORE_TAG).o

     

       
73
       
73
       
-
       
 

     

       
74
       
74
       
-
       
 $(OUTPUT_DIR)/tracee.bpf.$(BPF_NOCORE_TAG).o: \

     

       
75
       
75
       
-
       
-	$(OUTPUT_DIR)/libbpf/libbpf.a \

     

       
76
       
76
       
-
       
 	$(TRACEE_EBPF_OBJ_SRC)

     

       
77
       
77
       
-
       
 #

     

       
78
       
78
       
-
       
 	MAKEFLAGS="--no-print-directory"

     

       
79
       
79
       
-
       
@@ -351,7 +314,6 @@ $(OUTPUT_DIR)/tracee.bpf.$(BPF_NOCORE_TAG).o: \

     

       
80
       
80
       
-
       
 		-I $(KERN_SRC_PATH)/include/uapi \

     

       
81
       
81
       
-
       
 		-I $(KERN_BUILD_PATH)/include/generated \

     

       
82
       
82
       
-
       
 		-I $(KERN_BUILD_PATH)/include/generated/uapi \

     

       
83
       
83
       
-
       
-		-I $(OUTPUT_DIR)/libbpf \

     

       
84
       
84
       
-
       
 		-I ./3rdparty/include \

     

       
85
       
85
       
-
       
 		-Wunused \

     

       
86
       
86
       
-
       
 		-Wall \

     

       
87
       
87
       
-
       
@@ -412,7 +374,6 @@ TRACEE_EBPF_OBJ_CORE_HEADERS = $(shell find pkg/ebpf/c -name *.h)

     

       
22
       
22
       
+
       
@@ -418,7 +417,6 @@ TRACEE_EBPF_OBJ_CORE_HEADERS = $(shell find pkg/ebpf/c -name *.h)

     

       
88
       
23
       
 
       
 bpf-core: $(OUTPUT_DIR)/tracee.bpf.core.o

     

       
89
       
24
       
 
       
 

     

       
90
       
25
       
 
       
 $(OUTPUT_DIR)/tracee.bpf.core.o: \

     
···

       
92
       
27
       
 
       
 	$(TRACEE_EBPF_OBJ_SRC) \

     

       
93
       
28
       
 
       
 	$(TRACEE_EBPF_OBJ_CORE_HEADERS)

     

       
94
       
29
       
 
       
 #

     

       
95
       
95
       
-
       
@@ -421,7 +382,6 @@ $(OUTPUT_DIR)/tracee.bpf.core.o: \

     

       
96
       
96
       
-
       
 		-D__BPF_TRACING__ \

     

       
97
       
97
       
-
       
 		-DCORE \

     

       
98
       
98
       
-
       
 		-I./pkg/ebpf/c/ \

     

       
99
       
99
       
-
       
-		-I$(OUTPUT_DIR)/libbpf/ \

     

       
100
       
100
       
-
       
 		-I ./3rdparty/include \

     

       
101
       
101
       
-
       
 		-target bpf \

     

       
102
       
102
       
-
       
 		-O2 -g \

     

       
103
       
103
       
-
       
@@ -447,8 +407,8 @@ ifeq ($(STATIC), 1)

     

       
30
       
30
       
+
       
@@ -453,8 +451,8 @@ ifeq ($(STATIC), 1)

     

       
104
       
31
       
 
       
     GO_TAGS_EBPF := $(GO_TAGS_EBPF),netgo

     

       
105
       
32
       
 
       
 endif

     

       
106
       
33
       
 
       
 

     
···

       
111
       
38
       
 
       
 

     

       
112
       
39
       
 
       
 GO_ENV_EBPF =

     

       
113
       
40
       
 
       
 GO_ENV_EBPF += GOOS=linux

     

       
114
       
114
       
-
       
@@ -468,6 +428,7 @@ $(OUTPUT_DIR)/tracee-ebpf: \

     

       
41
       
41
       
+
       
@@ -474,6 +472,7 @@ $(OUTPUT_DIR)/tracee-ebpf: \

     

       
115
       
42
       
 
       
 	$(TRACEE_EBPF_SRC) \

     

       
116
       
43
       
 
       
 	./embedded-ebpf.go \

     

       
117
       
44
       
 
       
 	| .checkver_$(CMD_GO) \

     
···

       
119
       
46
       
 
       
 	.checklib_$(LIB_ELF) \

     

       
120
       
47
       
 
       
 	.checklib_$(LIB_ZLIB) \

     

       
121
       
48
       
 
       
 	btfhub

     

       
122
       
122
       
-
       
@@ -658,7 +619,6 @@ test-rules: \

     

       
123
       
123
       
-
       
 .PHONY: test-upstream-libbpfgo

     

       
124
       
124
       
-
       
 test-upstream-libbpfgo: \

     

       
125
       
125
       
-
       
 	.checkver_$(CMD_GO) \

     

       
126
       
126
       
-
       
-	$(OUTPUT_DIR)/libbpf/libbpf.a

     

       
127
       
127
       
-
       
 #

     

       
128
       
128
       
-
       
 	./tests/libbpfgo.sh $(GO_ENV_EBPF)

     

       
129
       
129
       
-
       
 

     

···

       
12944
       
12944
       
 
       


     

       
12945
       
12945
       
 
       
  tracebox = callPackage ../tools/networking/tracebox { stdenv = gcc10StdenvCompat; };

     

       
12946
       
12946
       
 
       


     

       
12947
       
12947
       
-
       
  tracee = callPackage ../tools/security/tracee { };

     

       
12947
       
12947
       
+
       
  tracee = callPackage ../tools/security/tracee {

     

       
12948
       
12948
       
+
       
    clang = clang_14;

     

       
12949
       
12949
       
+
       
  };

     

       
12948
       
12950
       
 
       


     

       
12949
       
12951
       
 
       
  tracefilegen = callPackage ../development/tools/analysis/garcosim/tracefilegen { };

     

       
12950
       
12952