logger callbacks

[geyslan]

commit 761bb03

selftest: add log-callbacks

commit 56803f4

logger: introduce logger callbacks

loggerCallback() calls callbacks, log() and []logFnFilters(),
which can be set by the libbpfgo consumer via SetLoggerCbs().

This moves output filtering from C libbpf_print_fn() to
Go filterOutput() which can be set as one of the slice of filter funcs.

This also introduces LogWarnLevel, LogInfoLevel and LogDebugLevel
constants.

Fixes: #276
Fixes: #6
Fixes: #55
Fixex: aquasecurity/tracee#2417

• Print libbpf and libbpfgo logs to logger tracee#2417
• Make libbpf_print_fn callback logic clearer #276
• Print debug messages if debug flag was chosen #6
• libbpf_print_fn function to display CO-RE relocations debug information #55

Related fix during the work:

• libbpf_print_fn: va_arg mismatched pair #285

Tests

libbpfgo/selftest/log-callbacks on  2417-logger-callback [$!?]
❯ make
make -C /home/gg/code/libbpfgo libbpfgo-static
make[1]: Entering directory '/home/gg/code/libbpfgo'
CC=clang \
        CGO_CFLAGS="-I/home/gg/code/libbpfgo/output" \
        CGO_LDFLAGS="-lelf -lz /home/gg/code/libbpfgo/output/libbpf.a" \
        GOOS=linux GOARCH=amd64 \
        go build \
        -tags netgo -ldflags '-w -extldflags "-static"' \
        .
...

libbpfgo/selftest/log-callbacks on  2417-logger-callback [$!?]
❯ sudo ./main-static                     

libbpfgo/selftest/log-callbacks on  2417-logger-callback [$!?]
❯ echo $?                                
0

Changing one filter callback for tests purpose only (== instead of !=):

func(libLevel int, msg string) bool {
    return libLevel == C.LIBBPF_WARN
},

tracee on  main [$!?⇡] via 🐹 v1.19.5 via ⍱ v2.3.4 took 3s 
❯ sudo ./dist/tracee -t uid=1000 -t comm=who --log warn 2>&1 | head -20
{"level":"warn","ts":1675175312.2060382,"msg":"libbpf: loading object 'embedded-core' from buffer"}
{"level":"warn","ts":1675175312.2061195,"msg":"libbpf: elf: section(3) raw_tracepoint/sys_enter, size 248, link 0, flags 6, type=1"}
{"level":"warn","ts":1675175312.2061718,"msg":"libbpf: sec 'raw_tracepoint/sys_enter': found program 'tracepoint__raw_syscalls__sys_enter' at insn offset 0 (0 bytes), code size 31 insns (248 bytes)"}
{"level":"warn","ts":1675175312.2062,"msg":"libbpf: elf: section(4) .relraw_tracepoint/sys_enter, size 32, link 223, flags 40, type=9"}
{"level":"warn","ts":1675175312.2062263,"msg":"libbpf: elf: section(5) raw_tracepoint/sys_enter_init, size 2368, link 0, flags 6, type=1"}
{"level":"warn","ts":1675175312.2062707,"msg":"libbpf: sec 'raw_tracepoint/sys_enter_init': found program 'sys_enter_init' at insn offset 0 (0 bytes), code size 296 insns (2368 bytes)"}
{"level":"warn","ts":1675175312.206299,"msg":"libbpf: elf: section(6) .relraw_tracepoint/sys_enter_init, size 160, link 223, flags 40, type=9"}
{"level":"warn","ts":1675175312.206323,"msg":"libbpf: elf: section(7) raw_tracepoint/sys_enter_submit, size 24904, link 0, flags 6, type=1"}
{"level":"warn","ts":1675175312.2063725,"msg":"libbpf: sec 'raw_tracepoint/sys_enter_submit': found program 'sys_enter_submit' at insn offset 0 (0 bytes), code size 3113 insns (24904 bytes)"}
{"level":"warn","ts":1675175312.2064219,"msg":"libbpf: elf: section(8) .relraw_tracepoint/sys_enter_submit, size 416, link 223, flags 40, type=9"}
{"level":"warn","ts":1675175312.2064548,"msg":"libbpf: elf: section(9) raw_tracepoint/sys_exit, size 312, link 0, flags 6, type=1"}
{"level":"warn","ts":1675175312.2065027,"msg":"libbpf: sec 'raw_tracepoint/sys_exit': found program 'tracepoint__raw_syscalls__sys_exit' at insn offset 0 (0 bytes), code size 39 insns (312 bytes)"}
{"level":"warn","ts":1675175312.2065287,"msg":"libbpf: elf: section(10) .relraw_tracepoint/sys_exit, size 32, link 223, flags 40, type=9"}
{"level":"warn","ts":1675175312.2065518,"msg":"libbpf: elf: section(11) raw_tracepoint/sys_exit_init, size 1200, link 0, flags 6, type=1"}
{"level":"warn","ts":1675175312.2065969,"msg":"libbpf: sec 'raw_tracepoint/sys_exit_init': found program 'sys_exit_init' at insn offset 0 (0 bytes), code size 150 insns (1200 bytes)"}
{"level":"warn","ts":1675175312.2066414,"msg":"libbpf: elf: section(12) .relraw_tracepoint/sys_exit_init, size 144, link 223, flags 40, type=9"}
{"level":"warn","ts":1675175312.2066822,"msg":"libbpf: elf: section(13) raw_tracepoint/sys_exit_submit, size 18976, link 0, flags 6, type=1"}
{"level":"warn","ts":1675175312.2067318,"msg":"libbpf: sec 'raw_tracepoint/sys_exit_submit': found program 'sys_exit_submit' at insn offset 0 (0 bytes), code size 2372 insns (18976 bytes)"}
{"level":"warn","ts":1675175312.2067814,"msg":"libbpf: elf: section(14) .relraw_tracepoint/sys_exit_submit, size 416, link 223, flags 40, type=9"}
{"level":"warn","ts":1675175312.206826,"msg":"libbpf: elf: section(15) raw_tracepoint/trace_sys_enter, size 8120, link 0, flags 6, type=1"}

Context

• feat: make logger a standalone package tracee#2600

[rafaeldtinoco]

LGTM after the small changes I requested (if you agree).

[geyslan]

LGTM after the small changes I requested (if you agree).

@rafaeldtinoco thanks for reviewing this.

As aquasecurity/tracee#2600 (review) concluded, we'll tackle this creating a libbpfgo.Logger interface.

Returing to this soon.

[geyslan]

Despite having passed all the tests, I need to define the callbacks on them to make them silent.

[mozillazg]

LGTM

[NDStrahilevitz]

Could you please give an example of how this is used with different settings and what they entail? Because i'm not sure how this looks work out in the end.
I had to look at the equivalent tracee PR to understand the first setting, and I have no idea how the filtering would work, maybe tests could help here.

[rafaeldtinoco]

@geyslan minor nits and then we merge. LGTM. Please link the issue to the comment (about making the log filter function generic). BTW, make sure to address comment from @NDStrahilevitz about the regex compilation first.

[geyslan]

After merging this and aquasecurity/tracee#2663, I'll open an issue in both projects to tackle the hard-coded filters move.

[rafaeldtinoco]

LGTM

[rafaeldtinoco]

Feel free to undraft tracee's change and move on there. Thanks!