tracee: init at 0.7.0

pkgs/tools/security/tracee/bpf-core-clang-bpf.patch

@@ -0,0 +1,13 @@
+diff --git a/Makefile b/Makefile
+index d5cd754..db1c1d3 100644
+--- a/Makefile
++++ b/Makefile
+@@ -411,7 +411,7 @@ $(OUTPUT_DIR)/tracee.bpf.core.o: \
+ 	$(TRACEE_EBPF_OBJ_CORE_HEADERS)
+ #
+ 	$(MAKE) $(OUTPUT_DIR)/tracee.bpf
+-	$(CMD_CLANG) \
++	$(CMD_CLANG_BPF) \
+ 		-D__TARGET_ARCH_$(LINUX_ARCH) \
+ 		-D__BPF_TRACING__ \
+ 		-DCORE \

pkgs/tools/security/tracee/default.nix

@@ -0,0 +1,113 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+
+, llvmPackages_13
+, pkg-config
+
+, zlib
+, libelf
+}:
+
+let
+  inherit (llvmPackages_13) clang;
+  clang-with-bpf =
+    (clang.overrideAttrs (o: { pname = o.pname + "-with-bpf"; })).override (o: {
+      extraBuildCommands = o.extraBuildCommands + ''
+        # make a separate wrapped clang we can target at bpf
+        cp $out/bin/clang $out/bin/clang-bpf
+        # extra flags to append after the cc-cflags
+        echo '-target bpf -fno-stack-protector' > $out/nix-support/cc-cflags-bpf
+        # use sed to attach the cc-cflags-bpf after cc-cflags
+        sed -i -E "s@^(extraAfter=\(\\$\NIX_CFLAGS_COMPILE_.*)(\))\$@\1 $(cat $out/nix-support/cc-cflags-bpf)\2@" $out/bin/clang-bpf
+      '';
+    });
+in
+buildGoModule rec {
+  pname = "tracee";
+  version = "0.7.0";
+
+  src = fetchFromGitHub {
+    owner = "aquasecurity";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-Y++FWxADnj1W5S3VrAlJAnotFYb6biCPJ6dpQ0Nin8o=";
+    # Once libbpf hits 1.0 we will migrate to the nixpkgs libbpf rather than the
+    # pinned copy in submodules
+    fetchSubmodules = true;
+  };
+  vendorSha256 = "sha256-C2RExp67qax8+zJIgyMJ18sBtn/xEYj4tAvGCCpBssQ=";
+
+  patches = [
+    # bpf-core can't be compiled with wrapped clang since it forces the target
+    # we need to be able to replace it with another wrapped clang that has
+    # it's target as bpf
+    ./bpf-core-clang-bpf.patch
+    # add -s to ldflags for smaller binaries
+    ./disable-go-symbol-table.patch
+  ];
+
+
+  enableParallelBuilding = true;
+
+  strictDeps = true;
+  nativeBuildInputs = [ pkg-config clang-with-bpf ];
+  buildInputs = [ zlib libelf ];
+
+  makeFlags = [
+    "VERSION=v${version}"
+    "CMD_CLANG_BPF=clang-bpf"
+    # don't actually need git but the Makefile checks for it
+    "CMD_GIT=echo"
+  ];
+
+  buildPhase = ''
+    runHook preBuild
+    make $makeFlags ''${enableParallelBuilding:+-j$NIX_BUILD_CORES -l$NIX_BUILD_CORES}
+    runHook postBuild
+  '';
+
+  doCheck = false;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/{bin,share/tracee}
+
+    cp ./dist/tracee-ebpf $out/bin
+    cp ./dist/tracee-rules $out/bin
+
+    cp -r ./dist/rules $out/share/tracee/
+    cp -r ./cmd/tracee-rules/templates $out/share/tracee/
+
+    runHook postInstall
+  '';
+
+  doInstallCheck = true;
+  installCheckPhase = ''
+    runHook preInstallCheck
+
+    $out/bin/tracee-ebpf --help
+    $out/bin/tracee-ebpf --version | grep "v${version}"
+
+    $out/bin/tracee-rules --help
+
+    runHook postInstallCheck
+  '';
+
+  meta = with lib; {
+    homepage = "https://aquasecurity.github.io/tracee/latest/";
+    changelog = "https://github.com/aquasecurity/tracee/releases/tag/v${version}";
+    description = "Linux Runtime Security and Forensics using eBPF";
+    longDescription = ''
+      Tracee is a Runtime Security and forensics tool for Linux. It is using
+      Linux eBPF technology to trace your system and applications at runtime,
+      and analyze collected events to detect suspicious behavioral patterns. It
+      is delivered as a Docker image that monitors the OS and detects suspicious
+      behavior based on a pre-defined set of behavioral patterns.
+    '';
+    license = licenses.asl20;
+    maintainers = with maintainers; [ jk ];
+    platforms = [ "x86_64-linux" ];
+  };
+}

pkgs/tools/security/tracee/disable-go-symbol-table.patch

@@ -0,0 +1,22 @@
+diff --git a/Makefile b/Makefile
+index d5cd754..0b74a79 100644
+--- a/Makefile
++++ b/Makefile
+@@ -471,7 +471,7 @@ ifeq ($(BTFHUB), 1)
+ endif
+ 	$(GO_ENV_EBPF) $(CMD_GO) build \
+ 		-tags $(GO_TAGS_EBPF) \
+-		-ldflags="-w \
++		-ldflags="-s -w \
+ 			-extldflags \"$(CGO_EXT_LDFLAGS_EBPF)\" \
+ 			-X main.version=\"$(VERSION)\" \
+ 			" \
+@@ -552,7 +552,7 @@ $(OUTPUT_DIR)/tracee-rules: \
+ #
+ 	$(GO_ENV_RULES) $(CMD_GO) build \
+ 		-tags $(GO_TAGS_RULES) \
+-		-ldflags="-w \
++		-ldflags="-s -w \
+ 			-extldflags \"$(CGO_EXT_LDFLAGS_RULES)\" \
+ 			" \
+ 		-v -o $@ \

pkgs/top-level/all-packages.nix

@@ -11033,6 +11033,8 @@ with pkgs;
 
   tracebox = callPackage ../tools/networking/tracebox { };
 
+  tracee = callPackage ../tools/security/tracee { };
+
   tracefilegen = callPackage ../development/tools/analysis/garcosim/tracefilegen { };
 
   tracefilesim = callPackage ../development/tools/analysis/garcosim/tracefilesim { };