
Make helpers package into its own go module

Open grantseltzer opened this issue 3 years ago • 8 comments

If consumers of the helpers package want to import a new version without upgrading libbpfgo, it becomes impossible because it's a single module.

grantseltzer avatar Sep 13 '22 14:09 grantseltzer

Hi, it would also be nice if libbpfgo could be decoupled from it dependency-wise as well. Otherwise, if I try to use it for writing a tracee signature, for example, I get this error:

../go/pkg/mod/github.com/aquasecurity/[email protected]/libbpfgo.go:76:13: error: no member named 'sz' in 'struct perf_buffer_opts'
    pb_opts.sz = sizeof(struct perf_buffer_opts);
    ~~~~~~~ ^
../go/pkg/mod/github.com/aquasecurity/[email protected]/libbpfgo.go:78:59: error: too many arguments to function call, expected 3, have 6
    pb = perf_buffer__new(map_fd, page_cnt, perfCallback, perfLostCallback,
         ~~~~~~~~~~~~~~~~                                 ^~~~~~~~~~~~~~~~~
/usr/include/bpf/libbpf.h:682:1: note: 'perf_buffer__new' declared here
perf_buffer__new(int map_fd, size_t page_cnt,
^
2 errors generated.

This would be useful because then you could use the direct argument values defined in the argument parsers instead of relying on argument parsing before signatures (for example, use the PTRACE_TRACEME const instead of the string "PTRACE_TRACEME").

NDStrahilevitz avatar Oct 09 '22 13:10 NDStrahilevitz

@NDStrahilevitz Do you mean to say you think helpers shouldn't import libbpfgo?

grantseltzer avatar Oct 10 '22 14:10 grantseltzer

> @NDStrahilevitz Do you mean to say you think helpers shouldn't import libbpfgo?

Yes, otherwise you can't really use the helpers independently.

NDStrahilevitz avatar Oct 10 '22 15:10 NDStrahilevitz

@NDStrahilevitz Where do you get the above error? When building or running go get? How can I reproduce?

grantseltzer avatar Oct 11 '22 14:10 grantseltzer

I made a new Go signature using PR #2220 in tracee. The code is the following:

package main

import (
	"fmt"

	"github.com/aquasecurity/tracee/types/protocol"

	args "github.com/aquasecurity/libbpfgo/helpers"
	"github.com/aquasecurity/tracee/signatures/helpers"

	"github.com/aquasecurity/tracee/types/detect"
	"github.com/aquasecurity/tracee/types/trace"
)

type AntiDebuggingPtraceme struct {
	cb detect.SignatureHandler
}

...

func (sig *AntiDebuggingPtraceme) OnEvent(e protocol.Event) error {
	// casting to tracee event
	eventObj, ok := e.Payload.(trace.Event)
	if !ok {
		return fmt.Errorf("invalid event")
	}

	switch eventObj.EventName {

	case "ptrace":
		requestArg, err := helpers.GetTraceeArgumentByName(eventObj, "request")
		if err != nil {
			return err
		}

		if requestArg.Value == args.PTRACE_TRACEME {
			// metadata, err := sig.GetMetadata()
			// if err != nil {
			// 	return err
			// }
		}

	}
	return nil
}

...

And I got the errors I've written above when compiling to a .so plugin.

NDStrahilevitz avatar Oct 11 '22 15:10 NDStrahilevitz
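
The coupling described in the comments above can be checked mechanically. The following is an added example, not code from this thread, libbpfgo or tracee: it reads `go list -deps -json` output and reports the import chain through which a package pulls in a cgo package. The JSON sample and the `example.com/sig` package are constructed for illustration, and only the `ImportPath`, `Imports` and `CgoFiles` fields are used.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// pkg holds the `go list -deps -json` fields this check needs.
type pkg struct{ ImportPath string; Imports, CgoFiles []string }

// Constructed sample (not captured output); example.com/sig is hypothetical.
const sampleGoList = `
{"ImportPath":"github.com/aquasecurity/libbpfgo","CgoFiles":["libbpfgo.go"]}
{"ImportPath":"github.com/aquasecurity/libbpfgo/helpers","Imports":["fmt","github.com/aquasecurity/libbpfgo"]}
{"ImportPath":"example.com/sig","Imports":["fmt","github.com/aquasecurity/libbpfgo/helpers"]}`

// cgoChains maps each cgo package reachable from root to its shortest import chain.
func cgoChains(r io.Reader, root string) (map[string][]string, error) {
	pkgs := map[string]pkg{}
	for dec := json.NewDecoder(r); dec.More(); {
		var p pkg
		if err := dec.Decode(&p); err != nil {
			return nil, err
		}
		pkgs[p.ImportPath] = p
	}
	chains, seen := map[string][]string{}, map[string]bool{root: true}
	queue := [][]string{{root}}
	for ; len(queue) > 0; queue = queue[1:] { // breadth-first over imports
		chain := queue[0]
		cur := pkgs[chain[len(chain)-1]]
		if len(cur.CgoFiles) > 0 {
			chains[cur.ImportPath] = chain
		}
		for _, imp := range cur.Imports {
			if !seen[imp] {
				seen[imp] = true
				// Full slice expression forces append to copy the chain.
				queue = append(queue, append(chain[:len(chain):len(chain)], imp))
			}
		}
	}
	return chains, nil
}

func main() {
	chains, err := cgoChains(strings.NewReader(sampleGoList), "example.com/sig")
	fmt.Println(chains, err)
}
```

On a real tree, feed the output of `go list -deps -json` for the signature package into `cgoChains` instead of the constructed sample.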

Can you provide the command you use to compile? @NDStrahilevitz

grantseltzer avatar Oct 11 '22 15:10 grantseltzer

This was standard signature compilation in tracee so just make rules. Internally:

GOSIGNATURES_DIR ?= signatures/golang
GOSIGNATURES_SRC :=	$(shell find $(GOSIGNATURES_DIR) \
			-type f \
			-name '*.go' \
			! -name '*_test.go' \
			! -path '$(GOSIGNATURES_DIR)/examples/*' \
			)

NDStrahilevitz avatar Oct 11 '22 16:10 NDStrahilevitz

@NDStrahilevitz is this still relevant? Perhaps correlated to #297?

geyslan avatar May 26 '23 13:05 geyslan

https://github.com/aquasecurity/tracee/pull/4090

geyslan avatar Jun 19 '24 20:06 geyslan