Merge branch 'main' of https://github.com/aquasecurity/tracee into co…

…ntributing_docs
aquasecurity · Dec 24, 2024 · 5b9a520 · 5b9a520
2 parents 4aae9c7 + 6fda8d0
commit 5b9a520
Show file tree

Hide file tree

Showing 126 changed files with 2,605 additions and 5,359 deletions.
diff --git a/.github/actions/build-dependencies/action.yaml b/.github/actions/build-dependencies/action.yaml
@@ -64,11 +64,6 @@ runs:
         sudo ln -s /usr/local/clang/bin/llvm-readelf /usr/bin/llvm-readelf
         sudo ln -s /usr/local/clang/bin/opt /usr/bin/opt
       shell: bash
-    - name: Install OPA
-      run: |
-        sudo curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/v0.63.0/opa_linux_amd64_static
-        sudo chmod 755 /usr/bin/opa
-      shell: bash
     - name: Install staticchecker
       run: |
         GOROOT=/usr/local/go GOPATH=$HOME/go go install honnef.co/go/tools/cmd/[email protected]

diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -56,12 +56,10 @@ area/signatures:
   - pkg/signatures/**/*
   - signatures/*
   - signatures/**/*
-  - "**/*.rego"
 area/testing:
   - tests/*
   - tests/**/*
   - "**/*_test.go"
-  - "**/*_test.rego"
 # area/uprobe:
 area/UX:
   - pkg/cmd/*

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -75,6 +75,7 @@ env:
     PROCTREE_DATA_SOURCE
     DNS_DATA_SOURCE
     WRITABLE_DATA_SOURCE
+    SECURITY_PATH_NOTIFY
     SET_FS_PWD
     SUSPICIOUS_SYSCALL_SOURCE
 jobs:
@@ -160,27 +161,6 @@ jobs:
         run: |
           make check-err
   #
-  # SIGNATURES CODE VERIFICATION
-  #
-  verify-signatures:
-    name: Verify Signatures
-    needs:
-      - verify-analyze-code
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          submodules: true
-      - name: Install Dependencies
-        uses: ./.github/actions/build-dependencies
-      - name: Build Signatures
-        run: |
-          make signatures
-      - name: Test Signatures
-        run: |
-          make test-signatures
-  #
   # TOOLS BUILD VERIFICATION
   #
   verify-tools:
@@ -301,6 +281,10 @@ jobs:
               ["Mantic 6.5 aarch64"]="0387f77c4820c98db aarch64"
               ["Mantic 6.6 x86_64"]="05b5ac8f6c43b3ca5 x86_64"
               ["Mantic 6.6 aarch64"]="05c9d6cd9343f0a43 aarch64"
+              ["Noble 6.8 x86_64"]="0cc63426ae75d47c8 x86_64"
+              ["Noble 6.8 aarch64"]="0f5260685b3ec2293 aarch64"
+              ["Noble 6.10 x86_64"]="0ae23eabda70efc60 x86_64"
+              ["Noble 6.10 aarch64"]="01ce0f71400b5ff38 aarch64"
               # expand as needed
           )
           for num in 01; do

diff --git a/.github/workflows/release-snapshot.yaml b/.github/workflows/release-snapshot.yaml
@@ -38,7 +38,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Build
         run: |
-          make -f builder/Makefile.release SNAPSHOT=1
+          make -f builder/Makefile.release snapshot
       - name: Scan Docker Image for Vulnerabilities
         uses: aquasecurity/trivy-action@master
         with:
@@ -81,7 +81,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Build
         run: |
-          make -f builder/Makefile.release SNAPSHOT=1
+          make -f builder/Makefile.release snapshot
       - name: Scan Docker Image for Vulnerabilities
         uses: aquasecurity/trivy-action@master
         with:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -16,6 +16,7 @@ jobs:
     runs-on: 
       - graas_ami-0cdf7ad6d9627da45_${{ github.event.number }}${{ github.run_attempt }}-${{ github.run_id }}
       - EXECUTION_TYPE=LONG
+      - INSTANCE_TYPE=2XLARGE
     permissions:
       contents: write
       packages: write
@@ -38,7 +39,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Build
         run: |
-          make -f builder/Makefile.release
+          make -f builder/Makefile.release release
         shell: bash
       - name: Publish to docker.io registry
         run: |
@@ -60,6 +61,7 @@ jobs:
     runs-on:
       - graas_ami-07740487fa433aa54_${{ github.event.number }}${{ github.run_attempt }}-${{ github.run_id }}
       - EXECUTION_TYPE=LONG
+      - INSTANCE_TYPE=LARGE
     permissions:
       contents: write
       packages: write
@@ -82,7 +84,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Build
         run: |
-          make -f builder/Makefile.release
+          make -f builder/Makefile.release release
         shell: bash
       - name: Publish to docker.io registry
         run: |

diff --git a/Makefile b/Makefile
@@ -37,7 +37,6 @@ CMD_INSTALL ?= install
 CMD_LLC ?= llc
 CMD_MD5 ?= md5sum
 CMD_MKDIR ?= mkdir
-CMD_OPA ?= opa
 CMD_PKGCONFIG ?= pkg-config
 CMD_RM ?= rm
 CMD_SED ?= sed
@@ -150,8 +149,9 @@ GO_VERSION_MIN = $(shell echo $(GO_VERSION) | $(CMD_CUT) -d'.' -f2)
 # version
 #
 
-LAST_GIT_TAG ?= $(shell $(CMD_GIT) describe --tags --match 'v*' 2>/dev/null)
-VERSION ?= $(if $(RELEASE_TAG),$(RELEASE_TAG),$(LAST_GIT_TAG))
+# LAST_GIT format: <branch>-<commit>
+LAST_GIT ?= $(shell $(CMD_GIT) symbolic-ref --short HEAD 2>/dev/null)-$(shell $(CMD_GIT) rev-parse --short HEAD)
+VERSION ?= $(if $(RELEASE_VERSION),$(RELEASE_VERSION),$(LAST_GIT))
 
 #
 # environment
@@ -205,7 +205,6 @@ env:
 	@echo "CMD_LLC                  $(CMD_LLC)"
 	@echo "CMD_MD5                  $(CMD_MD5)"
 	@echo "CMD_MKDIR                $(CMD_MKDIR)"
-	@echo "CMD_OPA                  $(CMD_OPA)"
 	@echo "CMD_PKGCONFIG            $(CMD_PKGCONFIG)"
 	@echo "CMD_RM                   $(CMD_RM)"
 	@echo "CMD_SED                  $(CMD_SED)"
@@ -218,7 +217,7 @@ env:
 	@echo "LIB_BPF                  $(LIB_BPF)"
 	@echo ---------------------------------------
 	@echo "VERSION                  $(VERSION)"
-	@echo "LAST_GIT_TAG             $(LAST_GIT_TAG)"
+	@echo "LAST_GIT                 $(LAST_GIT)"
 	@echo ---------------------------------------
 	@echo "UNAME_M                  $(UNAME_M)"
 	@echo "UNAME_R                  $(UNAME_R)"
@@ -266,9 +265,6 @@ env:
 	@echo "GOSIGNATURES_DIR         $(GOSIGNATURES_DIR)"
 	@echo "GOSIGNATURES_SRC         $(GOSIGNATURES_SRC)"
 	@echo ---------------------------------------
-	@echo "REGO_SIGNATURES_DIR      $(REGO_SIGNATURES_DIR)"
-	@echo "REGO_SIGNATURES_SRC      $(REGO_SIGNATURES_SRC)"
-	@echo ---------------------------------------
 	@echo "E2E_NET_DIR              $(E2E_NET_DIR)"
 	@echo "E2E_NET_SRC              $(E2E_NET_SRC)"
 	@echo "E2E_INST_DIR             $(E2E_INST_DIR)"
@@ -591,20 +587,11 @@ GOSIGNATURES_SRC :=	$(shell find $(GOSIGNATURES_DIR) \
 			! -path '$(GOSIGNATURES_DIR)/examples/*' \
 			)
 
-REGO_SIGNATURES_DIR ?= signatures/rego
-REGO_SIGNATURES_SRC :=	$(shell find $(REGO_SIGNATURES_DIR) \
-			-type f \
-			-name '*.rego' \
-			! -name '*_test.rego' \
-			! -path '$(REGO_SIGNATURES_DIR)/examples/*' \
-			)
-
 .PHONY: signatures
 signatures: $(OUTPUT_DIR)/signatures
 
 $(OUTPUT_DIR)/signatures: \
 	$(GOSIGNATURES_SRC) \
-	$(REGO_SIGNATURES_SRC) \
 	| .eval_goenv \
 	.checkver_$(CMD_GO) \
 	.check_$(CMD_INSTALL) \
@@ -615,8 +602,6 @@ $(OUTPUT_DIR)/signatures: \
 		--buildmode=plugin \
 		-o $@/builtin.so \
 		$(GOSIGNATURES_SRC)
-	# disable rego signatures by default (keep golang signatures only)
-	# $(CMD_INSTALL) -m 0644 $(REGO_SIGNATURES_SRC) $@
 
 .PHONY: clean-signatures
 clean-signatures:
@@ -823,12 +808,6 @@ test-integration: \
 		-count=1 \
 		./tests/integration/... \
 
-.PHONY: test-signatures
-test-signatures: \
-	| .check_$(CMD_OPA)
-#
-	$(CMD_OPA) test $(REGO_SIGNATURES_DIR) --verbose
-
 .PHONY: test-upstream-libbpfgo
 test-upstream-libbpfgo: \
 	| .eval_goenv \

diff --git a/Vagrantfile b/Vagrantfile
@@ -131,7 +131,6 @@ Vagrant.configure("2") do |config|
       HOME="/home/#{vm_user}"
       LLVM_VERSION="14"
       GO_VERSION="1.22.3"
-      OPA_VERSION="v0.63.0"
       KUBECTL_VERSION="v1.29"
       VM_TYPE="#{vm_type}"
 
@@ -224,13 +223,6 @@ Vagrant.configure("2") do |config|
       apt-get install --yes docker.io
       usermod -aG docker ${USER}
 
-      #
-      # opa
-      #
-
-      echo ">>> Installing opa"
-      curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_linux_${ARCH}_static
-      chmod 755 /usr/bin/opa
     SHELL
 
     vm_config.vm.provision "shell", privileged: true, reboot: true, inline: <<-SHELL

diff --git a/builder/Dockerfile.alpine-tracee-container b/builder/Dockerfile.alpine-tracee-container
@@ -10,15 +10,8 @@ ARG FLAVOR=tracee-ebpf-core
 #
 
 ARG GO_VERSION=1.22.0
-ARG OPA_VERSION=v0.63.0
 
 
-# This workaround is required since OPA 0.65.0 (latest published release) has cve-2024-24790.
-# After solved we can rollback to the commented installation lines below.
-#
-# Stage 1: Set the base image to get the OPA binary
-FROM openpolicyagent/opa:0.66.0-dev-static AS opa-extractor
-
 #
 # tracee-base
 #
@@ -35,15 +28,6 @@ RUN apk --no-cache update && \
     apk --no-cache add libelf zlib zstd && \
     apk --no-cache add libc6-compat
 
-# install OPA
-
-# ARG OPA_VERSION
-# RUN curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_linux_${TARGETARCH}_static && \
-# chmod 755 /usr/bin/opa
-
-# Stage 2: Copy the OPA binary from the OPA extractor
-COPY --from=opa-extractor /opa /usr/bin/opa
-
 #
 # tracee-make-base
 #
@@ -124,6 +108,8 @@ RUN cd /tmp && \
 FROM tracee-make-base AS tracee-make
 LABEL AS=tracee-make
 ARG BTFHUB
+ARG STATIC
+ARG RELEASE_VERSION
 USER root
 ENV HOME=/tracee
 WORKDIR /tracee
@@ -132,8 +118,7 @@ COPY . /tracee
 
 RUN source /etc/profile && \
     make clean && \
-    BTFHUB=$BTFHUB make tracee && \
-    BTFHUB=$BTFHUB make tracee-ebpf && \
+    BTFHUB=$BTFHUB STATIC=$STATIC RELEASE_VERSION=$RELEASE_VERSION make tracee tracee-ebpf && \
     make tracee-rules && \
     make tracee-operator && \
     make signatures && \

diff --git a/builder/Dockerfile.alpine-tracee-make b/builder/Dockerfile.alpine-tracee-make
@@ -40,11 +40,6 @@ RUN cd /tmp && \
     cd ./btfhub && \
     ./3rdparty/bpftool.sh
 
-# install OPA
-RUN TARGETARCH=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
-    curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/v0.63.0/opa_linux_${TARGETARCH}_static && \
-    chmod 755 /usr/bin/opa
-
 # install extra tools for testing things
 RUN apk --no-cache add man-pages man-pages-posix bash-completion vim iproute2 vlan bridge-utils net-tools \
     netcat-openbsd iputils wget lynx w3m stress-ng

diff --git a/builder/Dockerfile.ubuntu-tracee-make b/builder/Dockerfile.ubuntu-tracee-make
@@ -12,7 +12,6 @@ ARG gid=1000
 #
 
 ARG GO_VERSION=1.22.0
-ARG OPA_VERSION=v0.63.0
 
 # install needed environment
 
@@ -36,11 +35,6 @@ RUN cd /tmp && \
     cd ./btfhub && \
     ./3rdparty/bpftool.sh
 
-# install OPA
-RUN altarch=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
-    curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_linux_${altarch}_static && \
-    chmod 755 /usr/bin/opa
-
 # extra tools for testing things
 
 RUN export DEBIAN_FRONTEND=noninteractive && \