diff --git a/pkgs/tools/security/tracee/bpf-core-clang-bpf.patch b/pkgs/tools/security/tracee/bpf-core-clang-bpf.patch
new file mode 100644
index 000000000000..f73e52841d3e
--- /dev/null
+++ b/pkgs/tools/security/tracee/bpf-core-clang-bpf.patch
@@ -0,0 +1,13 @@
+diff --git a/Makefile b/Makefile
+index d5cd754..db1c1d3 100644
+--- a/Makefile
++++ b/Makefile
+@@ -411,7 +411,7 @@ $(OUTPUT_DIR)/tracee.bpf.core.o: \
+ $(TRACEE_EBPF_OBJ_CORE_HEADERS)
+ #
+ $(MAKE) $(OUTPUT_DIR)/tracee.bpf
+- $(CMD_CLANG) \
++ $(CMD_CLANG_BPF) \
+ -D__TARGET_ARCH_$(LINUX_ARCH) \
+ -D__BPF_TRACING__ \
+ -DCORE \
diff --git a/pkgs/tools/security/tracee/default.nix b/pkgs/tools/security/tracee/default.nix
new file mode 100644
index 000000000000..48d102e619d4
--- /dev/null
+++ b/pkgs/tools/security/tracee/default.nix
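Review bot: The replacement `$(CMD_CLANG_BPF)` is never defined in the patched Makefile, so a build that does not pass `CMD_CLANG_BPF=…` on the command line expands it to nothing and the recipe runs `-D__TARGET_ARCH_…` as the command, failing with an error that points nowhere near the cause; adding `CMD_CLANG_BPF ?= $(CMD_CLANG)` where `CMD_CLANG` is defined (outside this hunk) would keep the patch self-contained and preserve upstream behaviour by default. The recipe for `$(OUTPUT_DIR)/tracee.bpf.core.o` continues beyond the end of the hunk. Neither this patch nor disable-go-symbol-table.patch carries a description header; a few lines above the inner `diff --git` line stating the reason (here: the wrapped clang forces the host target, so the BPF object needs a separately targeted wrapper; there: `-s` for smaller binaries) would let readers understand each patch without opening default.nix.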
@@ -0,0 +1,113 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+
+, llvmPackages_13
+, pkg-config
+
+, zlib
+, libelf
+}:
+
+let
+ inherit (llvmPackages_13) clang;
+ clang-with-bpf =
+ (clang.overrideAttrs (o: { pname = o.pname + "-with-bpf"; })).override (o: {
+ extraBuildCommands = o.extraBuildCommands + ''
+ # make a separate wrapped clang we can target at bpf
+ cp $out/bin/clang $out/bin/clang-bpf
+ # extra flags to append after the cc-cflags
+ echo '-target bpf -fno-stack-protector' > $out/nix-support/cc-cflags-bpf
+ # use sed to attach the cc-cflags-bpf after cc-cflags
+ sed -i -E "s@^(extraAfter=\(\\$\NIX_CFLAGS_COMPILE_.*)(\))\$@\1 $(cat $out/nix-support/cc-cflags-bpf)\2@" $out/bin/clang-bpf
+ '';
+ });
+in
+buildGoModule rec {
+ pname = "tracee";
+ version = "0.7.0";
+
+ src = fetchFromGitHub {
+ owner = "aquasecurity";
+ repo = pname;
+ rev = "v${version}";
+ sha256 = "sha256-Y++FWxADnj1W5S3VrAlJAnotFYb6biCPJ6dpQ0Nin8o=";
+ # Once libbpf hits 1.0 we will migrate to the nixpkgs libbpf rather than the
+ # pinned copy in submodules
+ fetchSubmodules = true;
+ };
+ vendorSha256 = "sha256-C2RExp67qax8+zJIgyMJ18sBtn/xEYj4tAvGCCpBssQ=";
+
+ patches = [
+ # bpf-core can't be compiled with wrapped clang since it forces the target
+ # we need to be able to replace it with another wrapped clang that has
+ # it's target as bpf
+ ./bpf-core-clang-bpf.patch
+ # add -s to ldflags for smaller binaries
+ ./disable-go-symbol-table.patch
+ ];
+
+
+ enableParallelBuilding = true;
+
+ strictDeps = true;
+ nativeBuildInputs = [ pkg-config clang-with-bpf ];
+ buildInputs = [ zlib libelf ];
+
+ makeFlags = [
+ "VERSION=v${version}"
+ "CMD_CLANG_BPF=clang-bpf"
+ # don't actually need git but the Makefile checks for it
+ "CMD_GIT=echo"
+ ];
+
+ buildPhase = ''
+ runHook preBuild
+ make $makeFlags ''${enableParallelBuilding:+-j$NIX_BUILD_CORES -l$NIX_BUILD_CORES}
+ runHook postBuild
+ '';
+
+ doCheck = false;
+
+ installPhase = ''
+ runHook preInstall
+
+ mkdir -p $out/{bin,share/tracee}
+
+ cp ./dist/tracee-ebpf $out/bin
+ cp ./dist/tracee-rules $out/bin
+
+ cp -r ./dist/rules $out/share/tracee/
+ cp -r ./cmd/tracee-rules/templates $out/share/tracee/
+
+ runHook postInstall
+ '';
+
+ doInstallCheck = true;
+ installCheckPhase = ''
+ runHook preInstallCheck
+
+ $out/bin/tracee-ebpf --help
+ $out/bin/tracee-ebpf --version | grep "v${version}"
+
+ $out/bin/tracee-rules --help
+
+ runHook postInstallCheck
+ '';
+
+ meta = with lib; {
+ homepage = "https://aquasecurity.github.io/tracee/latest/";
+ changelog = "https://github.com/aquasecurity/tracee/releases/tag/v${version}";
+ description = "Linux Runtime Security and Forensics using eBPF";
+ longDescription = ''
+ Tracee is a Runtime Security and forensics tool for Linux. It is using
+ Linux eBPF technology to trace your system and applications at runtime,
+ and analyze collected events to detect suspicious behavioral patterns. It
+ is delivered as a Docker image that monitors the OS and detects suspicious
+ behavior based on a pre-defined set of behavioral patterns.
+ '';
+ license = licenses.asl20;
+ maintainers = with maintainers; [ jk ];
+ platforms = [ "x86_64-linux" ];
+ };
+}
diff --git a/pkgs/tools/security/tracee/disable-go-symbol-table.patch b/pkgs/tools/security/tracee/disable-go-symbol-table.patch
new file mode 100644
index 000000000000..2aba5f5c338f
--- /dev/null
+++ b/pkgs/tools/security/tracee/disable-go-symbol-table.patch
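Review bot: The `sed -i -E` call in `clang-with-bpf` silently does nothing when its pattern no longer matches the `extraAfter=(...)` line of the cc-wrapper script, which would leave `clang-bpf` as an ordinary host-targeting clang and move the failure to the BPF object compile (or, if clang happens to accept the input, to a wrong object that is only noticed at load time). Checking the rewrite right after it, e.g. `grep -q -- '-target bpf' $out/bin/clang-bpf`, fails the wrapper build where the cause is obvious. `doCheck = false;` has no comment saying why the Go tests are skipped; a one-line reason would keep the next updater from re-enabling them blindly. `longDescription` states the tool "is delivered as a Docker image", which does not describe this package; dropping that sentence would make the description accurate.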
@@ -0,0 +1,22 @@
+diff --git a/Makefile b/Makefile
+index d5cd754..0b74a79 100644
+--- a/Makefile
++++ b/Makefile
+@@ -471,7 +471,7 @@ ifeq ($(BTFHUB), 1)
+ endif
+ $(GO_ENV_EBPF) $(CMD_GO) build \
+ -tags $(GO_TAGS_EBPF) \
+- -ldflags="-w \
++ -ldflags="-s -w \
+ -extldflags \"$(CGO_EXT_LDFLAGS_EBPF)\" \
+ -X main.version=\"$(VERSION)\" \
+ " \
+@@ -552,7 +552,7 @@ $(OUTPUT_DIR)/tracee-rules: \
+ #
+ $(GO_ENV_RULES) $(CMD_GO) build \
+ -tags $(GO_TAGS_RULES) \
+- -ldflags="-w \
++ -ldflags="-s -w \
+ -extldflags \"$(CGO_EXT_LDFLAGS_RULES)\" \
+ " \
+ -v -o $@ \
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 0fdd0865d0e8..6ea48247cffb 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -11033,6 +11033,8 @@ with pkgs; tracebox = callPackage ../tools/networking/tracebox { }; + tracee = callPackage ../tools/security/tracee { }; + tracefilegen = callPackage ../development/tools/analysis/garcosim/tracefilegen { }; tracefilesim = callPackage ../development/tools/analysis/garcosim/tracefilesim { };