feature: add list events GRPC api

Makefile

@@ -36,6 +36,7 @@ CMD_STATICCHECK ?= staticcheck
 CMD_STRIP ?= llvm-strip
 CMD_TOUCH ?= touch
 CMD_TR ?= tr
+CMD_PROTOC ?= protoc
 
 .check_%:
 #
@@ -165,6 +166,7 @@ env:
 	@echo "CMD_STRIP                $(CMD_STRIP)"
 	@echo "CMD_TOUCH                $(CMD_TOUCH)"
 	@echo "CMD_TR                   $(CMD_TR)"
+	@echo "CMD_PROTOC               $(CMD_PROTOC)"
 	@echo ---------------------------------------
 	@echo "LIB_ELF                  $(LIB_ELF)"
 	@echo "LIB_ZLIB                 $(LIB_ZLIB)"
@@ -227,6 +229,8 @@ env:
 	@echo "E2E_INST_DIR             $(E2E_INST_DIR)"
 	@echo "E2E_INST_SRC             $(E2E_INST_SRC)"
 	@echo ---------------------------------------
+	@echo "TRACE_PROTO              $(TRACEE_PROTO)"
+	@echo ---------------------------------------
 
 #
 # usage
@@ -393,6 +397,8 @@ GO_ENV_EBPF += GOARCH=$(GO_ARCH)
 GO_ENV_EBPF += CGO_CFLAGS=$(CUSTOM_CGO_CFLAGS)
 GO_ENV_EBPF += CGO_LDFLAGS=$(CUSTOM_CGO_LDFLAGS)
 
+TRACEE_PROTO = ./types/api/v1beta1/tracee.proto
+
 #
 # btfhub (expensive: only run if ebpf obj changed)
 #
@@ -902,3 +908,16 @@ clean:
 	$(CMD_RM) -f .*.md5
 	$(CMD_RM) -f .check*
 	$(CMD_RM) -f .*-pkgs*
+
+#
+# tracee.proto
+#
+
+.PHONY: protoc
+protoc:
+#
+	$(CMD_PROTOC) \
+		--go_out=. \
+		--go_opt=paths=source_relative \
+		--go-grpc_out=. \
+		--go-grpc_opt=paths=source_relative $(TRACEE_PROTO)

cmd/grpc-client/main.go

@@ -0,0 +1,67 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+
+	v1beta1 "github.com/aquasecurity/tracee/types/api/v1beta1"
+)
+
+type CloudContext struct {
+	Provider string
+}
+
+type Context_Cloud struct {
+	Cloud                   *CloudContext
+	v1beta1.IContextContext `json:"-"`
+}
+
+func main() {
+	e := v1beta1.Event{
+		Id:   123,
+		Name: "ptrace",
+	}
+
+	e.SetProcessContext(&v1beta1.ProcessContext{
+		Binary:       "/bin/bash",
+		Pid:          10,
+		NamespacePid: 1,
+		UserId:       1,
+		UserName:     "root",
+	})
+	// process := e.GetProcessContext()
+
+	e.SetContainerContext(&v1beta1.ContainerContext{
+		Id:      "lala",
+		Name:    "xx",
+		Started: true,
+	})
+	// container := e.GetContainerContext()
+
+	e.SetKubernetesContext(&v1beta1.KubernetesContext{
+		Name:      "pod-name",
+		Namespace: "prod",
+		Uid:       "uid",
+		Sandbox:   "sandbox",
+	})
+	// kubernetes := e.GetKubernetesContext()
+
+	// fmt.Printf("process: %+v\n", process)
+	// fmt.Printf("container: %+v\n", container)
+	// fmt.Printf("kubernetes: %+v\n", kubernetes)
+
+	cloud := CloudContext{Provider: "gcloud"}
+	// fmt.Printf("cloud: %+v\n\n", cloud)
+	// fmt.Printf("before len: %d\n", len(e.Context))
+	e.Context = append(e.Context, &v1beta1.Context{Context: &Context_Cloud{Cloud: &cloud}})
+	// fmt.Printf("after len: %d\n", len(e.Context))
+
+	// fmt.Printf("event: %+v\n", e)
+
+	b, err := json.Marshal(e)
+	if err != nil {
+		log.Fatal(err)
+	}
+	fmt.Println(string(b))
+}

cmd/tracee-ebpf/main.go

@@ -133,7 +133,7 @@ func main() {
 				Value: false,
 			},
 			&cli.StringFlag{
-				Name:  server.ListenEndpointFlag,
+				Name:  server.HTTPListenEndpointFlag,
 				Usage: "listening address of the metrics endpoint server",
 				Value: ":3366",
 			},

cmd/tracee-rules/main.go

@@ -149,8 +149,8 @@ func main() {
 				return fmt.Errorf("constructing engine: %w", err)
 			}
 
-			httpServer, err := server.PrepareServer(
-				c.String(server.ListenEndpointFlag),
+			httpServer, err := server.PrepareHTTPServer(
+				c.String(server.HTTPListenEndpointFlag),
 				c.Bool(server.MetricsEndpointFlag),
 				c.Bool(server.HealthzEndpointFlag),
 				c.Bool(server.PProfEndpointFlag),
@@ -252,7 +252,7 @@ func main() {
 				Value: false,
 			},
 			&cli.StringFlag{
-				Name:  server.ListenEndpointFlag,
+				Name:  server.HTTPListenEndpointFlag,
 				Usage: "listening address of the metrics endpoint server",
 				Value: ":4466",
 			},

cmd/tracee/cmd/root.go

@@ -256,11 +256,21 @@ func initCmd() error {
 	}
 
 	rootCmd.Flags().String(
-		server.ListenEndpointFlag,
+		server.HTTPListenEndpointFlag,
 		":3366",
 		"<url:port>\t\t\t\tListening address of the metrics endpoint server",
 	)
-	err = viper.BindPFlag(server.ListenEndpointFlag, rootCmd.Flags().Lookup(server.ListenEndpointFlag))
+	err = viper.BindPFlag(server.HTTPListenEndpointFlag, rootCmd.Flags().Lookup(server.HTTPListenEndpointFlag))
+	if err != nil {
+		return errfmt.WrapError(err)
+	}
+
+	rootCmd.Flags().String(
+		server.GRPCListenEndpointFlag,
+		"", // disabled by default
+		"Listening address of the grpc server [protocol:addr] eg: tcp:4466, unix:/tmp/tracee.sock (default: disabled)",
+	)
+	err = viper.BindPFlag(server.GRPCListenEndpointFlag, rootCmd.Flags().Lookup(server.GRPCListenEndpointFlag))
 	if err != nil {
 		return errfmt.WrapError(err)
 	}

go.mod

@@ -28,7 +28,7 @@ require (
 	go.uber.org/zap v1.24.0
 	golang.org/x/sys v0.8.0
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1
-	google.golang.org/grpc v1.55.0
+	google.golang.org/grpc v1.56.2
 	google.golang.org/protobuf v1.30.0
 	gopkg.in/yaml.v2 v2.4.0
 	gotest.tools v2.2.0+incompatible
@@ -172,3 +172,5 @@ require (
 )
 
 replace github.com/kubernetes/cri-api => k8s.io/cri-api v0.23.5-rc.0
+
+replace github.com/aquasecurity/tracee/types v0.0.0-20230602152109-e48d0a548fbf => ./types

go.sum

@@ -69,8 +69,6 @@ github.com/aquasecurity/libbpfgo v0.4.8-libbpf-1.2.0.0.20230509162948-80f41e18e6
 github.com/aquasecurity/libbpfgo v0.4.8-libbpf-1.2.0.0.20230509162948-80f41e18e690/go.mod h1:UD3Mfr+JZ/ASK2VMucI/zAdEhb35LtvYXvAUdrdqE9s=
 github.com/aquasecurity/libbpfgo/helpers v0.4.6-0.20230321190037-f591a2c5734f h1:l127H3NqJBmw+XMt+haBOeZIrBppuw7TJz26cWMI9kY=
 github.com/aquasecurity/libbpfgo/helpers v0.4.6-0.20230321190037-f591a2c5734f/go.mod h1:j/TQLmsZpOIdF3CnJODzYngG4yu1YoDCoRMELxkQSSA=
-github.com/aquasecurity/tracee/types v0.0.0-20230602152109-e48d0a548fbf h1:bSWqjqjFPGyn+thqof/rph4A5jSqd2d7xWJK5MGMb0I=
-github.com/aquasecurity/tracee/types v0.0.0-20230602152109-e48d0a548fbf/go.mod h1:kHvgUMXGq5QEqSLPgu4RwGSJEoCuMQJnEkGk8OAcSUc=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
@@ -817,8 +815,8 @@ google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA5
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.55.0 h1:3Oj82/tFSCeUrRTg/5E/7d/W5A1tj6Ky1ABAuZuv5ag=
-google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8=
+google.golang.org/grpc v1.56.2 h1:fVRFRnXvU+x6C4IlHZewvJOVHoOv1TUuQyoRsYnB4bI=
+google.golang.org/grpc v1.56.2/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=

pkg/cmd/cobra/cobra.go

@@ -216,19 +216,24 @@ func GetTraceeRunner(c *cobra.Command, version string) (cmd.Runner, error) {
 
 	// Prepare the server
 
-	httpServer, err := server.PrepareServer(
-		viper.GetString(server.ListenEndpointFlag),
+	httpServer, err := server.PrepareHTTPServer(
+		viper.GetString(server.HTTPListenEndpointFlag),
 		viper.GetBool(server.MetricsEndpointFlag),
 		viper.GetBool(server.HealthzEndpointFlag),
 		viper.GetBool(server.PProfEndpointFlag),
 		viper.GetBool(server.PyroscopeAgentFlag),
 	)
+	if err != nil {
+		return runner, err
+	}
 
+	grpcServer, err := flags.PrepareGRPCServer(viper.GetString(server.GRPCListenEndpointFlag))
 	if err != nil {
 		return runner, err
 	}
 
-	runner.Server = httpServer
+	runner.HTTPServer = httpServer
+	runner.GRPCServer = grpcServer
 	runner.TraceeConfig = cfg
 	runner.Printer = p
 

pkg/cmd/flags/grpc.go

@@ -0,0 +1,26 @@
+package flags
+
+import (
+	"strings"
+
+	"github.com/aquasecurity/tracee/pkg/errfmt"
+	"github.com/aquasecurity/tracee/pkg/server/grpc"
+)
+
+func PrepareGRPCServer(listenAddr string) (*grpc.Server, error) {
+	if len(listenAddr) == 0 {
+		return nil, nil
+	}
+
+	addr := strings.SplitN(listenAddr, ":", 2)
+
+	if addr[0] != "tcp" && addr[0] != "unix" {
+		return nil, errfmt.Errorf("grpc supported protocols are tcp or unix. eg: tcp:4466, unix:/tmp/tracee.sock")
+	}
+
+	if len(addr[1]) == 0 {
+		return nil, errfmt.Errorf("grpc addr cannot be empty")
+	}
+
+	return grpc.New(addr[0], addr[1])
+}

pkg/cmd/flags/server/server.go

@@ -3,15 +3,16 @@ package server
 import (
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/logger"
-	"github.com/aquasecurity/tracee/pkg/server"
+	"github.com/aquasecurity/tracee/pkg/server/http"
 )
 
 const (
-	MetricsEndpointFlag = "metrics"
-	HealthzEndpointFlag = "healthz"
-	PProfEndpointFlag   = "pprof"
-	ListenEndpointFlag  = "listen-addr"
-	PyroscopeAgentFlag  = "pyroscope"
+	MetricsEndpointFlag    = "metrics"
+	HealthzEndpointFlag    = "healthz"
+	PProfEndpointFlag      = "pprof"
+	HTTPListenEndpointFlag = "http-listen-addr"
+	GRPCListenEndpointFlag = "grpc-listen-addr"
+	PyroscopeAgentFlag     = "pyroscope"
 )
 
 // TODO: this should be extract to be under 'pkg/cmd/flags' once we remove the binary tracee-rules.
@@ -20,13 +21,13 @@ const (
 // 'pkf/cmd/flags' directly libbpfgo becomes a dependency and we need to compile it with
 // tracee-rules.
 
-func PrepareServer(listenAddr string, metrics, healthz, pprof, pyro bool) (*server.Server, error) {
+func PrepareHTTPServer(listenAddr string, metrics, healthz, pprof, pyro bool) (*http.Server, error) {
 	if len(listenAddr) == 0 {
-		return nil, errfmt.Errorf("listen address cannot be empty")
+		return nil, errfmt.Errorf("http listen address cannot be empty")
 	}
 
 	if metrics || healthz || pprof {
-		httpServer := server.New(listenAddr)
+		httpServer := http.New(listenAddr)
 
 		if metrics {
 			logger.Debugw("Enabling metrics endpoint")

pkg/cmd/tracee.go

@@ -11,14 +11,16 @@ import (
 	tracee "github.com/aquasecurity/tracee/pkg/ebpf"
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/logger"
-	"github.com/aquasecurity/tracee/pkg/server"
+	"github.com/aquasecurity/tracee/pkg/server/grpc"
+	"github.com/aquasecurity/tracee/pkg/server/http"
 	"github.com/aquasecurity/tracee/pkg/utils"
 )
 
 type Runner struct {
 	TraceeConfig config.Config
 	Printer      printer.EventPrinter
-	Server       *server.Server
+	HTTPServer   *http.Server
+	GRPCServer   *grpc.Server
 }
 
 func (r Runner) Run(ctx context.Context) error {
@@ -30,20 +32,23 @@ func (r Runner) Run(ctx context.Context) error {
 	}
 
 	// Readiness Callback: Tracee is ready to receive events
-
 	t.AddReadyCallback(
 		func(ctx context.Context) {
 			logger.Debugw("Tracee is ready callback")
-			if r.Server == nil {
-				return
-			}
-			if r.Server.MetricsEndpointEnabled() {
-				r.TraceeConfig.MetricsEnabled = true // TODO: is this needed ?
-				if err := t.Stats().RegisterPrometheus(); err != nil {
-					logger.Errorw("Registering prometheus metrics", "error", err)
+			if r.HTTPServer != nil {
+				if r.HTTPServer.MetricsEndpointEnabled() {
+					r.TraceeConfig.MetricsEnabled = true // TODO: is this needed ?
+					if err := t.Stats().RegisterPrometheus(); err != nil {
+						logger.Errorw("Registering prometheus metrics", "error", err)
+					}
 				}
+				go r.HTTPServer.Start(ctx)
+			}
+
+			// start server if one is configured
+			if r.GRPCServer != nil {
+				go r.GRPCServer.Start(ctx)
 			}
-			go r.Server.Start(ctx)
 		},
 	)
 

pkg/cmd/urfave/urfave.go

@@ -163,8 +163,8 @@ func GetTraceeRunner(c *cli.Context, version string) (cmd.Runner, error) {
 
 	cfg.ChanEvents = make(chan trace.Event, 1000)
 
-	httpServer, err := server.PrepareServer(
-		c.String(server.ListenEndpointFlag),
+	httpServer, err := server.PrepareHTTPServer(
+		c.String(server.HTTPListenEndpointFlag),
 		c.Bool(server.MetricsEndpointFlag),
 		c.Bool(server.HealthzEndpointFlag),
 		c.Bool(server.PProfEndpointFlag),
@@ -175,7 +175,7 @@ func GetTraceeRunner(c *cli.Context, version string) (cmd.Runner, error) {
 		return runner, err
 	}
 
-	runner.Server = httpServer
+	runner.HTTPServer = httpServer
 	runner.TraceeConfig = cfg
 	runner.Printer = broadcast