build distributable binary (#71)

.gitignore

@@ -1,6 +1,6 @@
 .vscode
 .idea
-/tracee_*
+/dist
 *__pycache__*
 venv
 *.pyc

Dockerfile

@@ -26,6 +26,6 @@ COPY --from=aquasec/bcc-builder:latest /root/bcc/libbcc_*.deb /bcc/
 RUN DEBIAN_FRONTEND=noninteractive dpkg -i libbcc_*.deb && rm -rf /bcc
 
 WORKDIR /tracee
-COPY --from=builder /tracee/tracee_linux /tracee/entrypoint.sh ./
-COPY --from=builder /tracee/tracee/event_monitor_ebpf.c ./tracee/
-ENTRYPOINT ["./entrypoint.sh", "./tracee_linux"]
+COPY --from=builder /tracee/tracee /tracee/entrypoint.sh ./
+COPY --from=builder ./tracee/
+ENTRYPOINT ["./entrypoint.sh", "./tracee"]

Makefile

@@ -1,19 +1,18 @@
-os ?= $(shell uname -s | tr '[:upper:]' '[:lower:]')
-
 .PHONY: build
-build: tracee_$(os)
+build: dist/tracee tracee/event_monitor_ebpf.c
 
 SRC = $(shell find . -type f -name '*.go' ! -name '*_test.go' )
-tracee_%: $(SRC)
-	GOOS=$* go build -o $(@F)
+ebpfProgramBase64 = $(shell base64 -w 0 tracee/event_monitor_ebpf.c)
+dist/tracee: $(SRC)
+	GOOS=linux go build -v -o dist/tracee -ldflags "-X github.com/aquasecurity/tracee/tracee.ebpfProgramBase64Injected=$(ebpfProgramBase64)"
 
 .PHONY: test
 test:
 	go test -v ./...
 
 .PHONY: clean
 clean:
-	rm tracee_*
+	rm -rf dist || true
 
 python-test:
 	python -m unittest -v test_container_tracer

README.md

@@ -18,7 +18,7 @@ For convenience we provide a Docker container of Tracee that includes glibc and
 ### Getting Tracee
 Currently we don't yet have a release process for Tracee. You can build Tracee from source using `make build` or use the Docker image: `aquasec/tracee` from Docker Hub.
 
-If you build Tracee from source code, you can run it directly as an executable on the host. It will look for the file `./tracee/event_monitor_ebpf.c` so make sure it's available, and you'll need to run it with root permissions in order to load the eBPF code. 
+If run Tracee binary, you'll need to run it with root permissions in order to load the eBPF code. 
 If you use the Docker container, you should run it with the `--privileged` flag.
 
 ### Quickstart

test/loader.sh

@@ -3,7 +3,7 @@
 # example: `./loader.sh ls 4 5`
 # will run 4 threads that continuously run `ls` in a loop for 5 seconds
 # then run tracee with small buffer size to increase the chance for lost events:
-# `make build && sudo ./tracee_linux -e mmap -e close -e mprotect -e openat -e security_file_open -b 1`
+# `make build && sudo ./tracee -e mmap -e close -e mprotect -e openat -e security_file_open -b 1`
 
 set -e
 command="$1"

tracee/tracee.go

@@ -2,12 +2,14 @@ package tracee
 
 import (
 	"bytes"
+	"encoding/base64"
 	"encoding/binary"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
 	"os/signal"
+	"path/filepath"
 	"strconv"
 	"strings"
 
@@ -122,18 +124,44 @@ func NewConfig(eventsToTrace []string, containerMode bool, detectOriginalSyscall
 	return &tc, nil
 }
 
+// This var is supposed to be injected *at build time* with the contents of the ebpf c program
+var ebpfProgramBase64Injected string
+
+func getEBPFProgram() (string, error) {
+	// if there's a local file, use it
+	exePath, err := os.Executable()
+	if err != nil {
+		return "", err
+	}
+	ebpfFilePath := filepath.Join(filepath.Dir(exePath), "./event_monitor_ebpf.c")
+	_, err = os.Stat(ebpfFilePath)
+	if !os.IsNotExist(err) {
+		p, err := ioutil.ReadFile(ebpfFilePath)
+		return string(p), err
+	}
+	// if there's no local file, try injected variable
+	if ebpfProgramBase64Injected != "" {
+		p, err := base64.StdEncoding.DecodeString(ebpfProgramBase64Injected)
+		if err != nil {
+			return "", err
+		}
+		return string(p), nil
+	}
+
+	return "", fmt.Errorf("could not find ebpf program")
+}
+
 // Tracee traces system calls and system events using eBPF
 type Tracee struct {
-	config         TraceeConfig
-	bpfProgramPath string
-	bpfModule      *bpf.Module
-	bpfPerfMap     *bpf.PerfMap
-	eventsChannel  chan []byte
-	lostChannel    chan uint64
-	printer        eventPrinter
-	eventCounter   int
-	errorCounter   int
-	lostCounter    int
+	config        TraceeConfig
+	bpfModule     *bpf.Module
+	bpfPerfMap    *bpf.PerfMap
+	eventsChannel chan []byte
+	lostChannel   chan uint64
+	printer       eventPrinter
+	eventCounter  int
+	errorCounter  int
+	lostCounter   int
 }
 
 // New creates a new Tracee instance based on a given valid TraceeConfig
@@ -144,16 +172,10 @@ func New(cfg TraceeConfig) (*Tracee, error) {
 	if err != nil {
 		return nil, fmt.Errorf("validation error: %v", err)
 	}
-	bpfFile := "./tracee/event_monitor_ebpf.c"
-	_, err = os.Stat(bpfFile)
-	if os.IsNotExist(err) {
-		return nil, fmt.Errorf("error finding bpf C file at: %s", bpfFile)
-	}
 
 	// create tracee
 	t := &Tracee{
-		config:         cfg,
-		bpfProgramPath: bpfFile,
+		config: cfg,
 	}
 	switch t.config.OutputFormat {
 	case "table":
@@ -164,7 +186,11 @@ func New(cfg TraceeConfig) (*Tracee, error) {
 		t.printer = jsonEventPrinter{}
 	}
 
-	err = t.initBPF()
+	p, err := getEBPFProgram()
+	if err != nil {
+		return nil, err
+	}
+	err = t.initBPF(p)
 	if err != nil {
 		t.Close()
 		return nil, err
@@ -173,14 +199,10 @@ func New(cfg TraceeConfig) (*Tracee, error) {
 	return t, nil
 }
 
-func (t *Tracee) initBPF() error {
+func (t *Tracee) initBPF(ebpfProgram string) error {
 	var err error
 
-	bpfText, err := ioutil.ReadFile(t.bpfProgramPath)
-	if err != nil {
-		return fmt.Errorf("error reading ebpf program file: %v", err)
-	}
-	t.bpfModule = bpf.NewModule(string(bpfText), []string{})
+	t.bpfModule = bpf.NewModule(ebpfProgram, []string{})
 
 	// compile final list of events to trace including essential events while at the same time record which essentials were requested by the user
 	// to build this list efficiently we use the `tmpset` variable as follows: