test(dependencies): add e2e integration test for the dependencies man…

…ager

Add e2e tests for the use of the dependencies manager in Tracee.
The test verifies that the ksymbols validation and attachments and detachments work well after the change.

pkg/ebpf/c/common/common.h

@@ -32,7 +32,7 @@ statfunc const char *get_device_name(struct device *dev)
 
     #define has_prefix(p, s, n)                                                                    \
         ({                                                                                         \
-            int rc = 0;                                                                            \
+            int rc = 1;                                                                            \
             char *pre = p, *str = s;                                                               \
             _Pragma("unroll") for (int z = 0; z < n; pre++, str++, z++)                            \
             {                                                                                      \

pkg/ebpf/c/tracee.bpf.c

@@ -6798,3 +6798,50 @@ int sched_process_exit_signal(struct bpf_raw_tracepoint_args *ctx)
 }
 
 // END OF Control Plane Programs
+
+// Tests
+
+SEC("kprobe/empty_kprobe")
+int BPF_KPROBE(empty_kprobe)
+{
+    return 0;
+}
+
+SEC("raw_tracepoint/exec_test")
+int tracepoint__exec_test(struct bpf_raw_tracepoint_args *ctx)
+{
+    // Check if test file was executed
+    struct linux_binprm *bprm = (struct linux_binprm *) ctx->args[2];
+    if (bprm == NULL)
+        return -1;
+    struct file *file = get_file_ptr_from_bprm(bprm);
+    void *file_path = get_path_str(__builtin_preserve_access_index(&file->f_path));
+    if (file_path == NULL || !has_prefix("/tmp/test", file_path, 9))
+        return 0;
+
+    // Submit all test events
+    int ret = 0;
+    program_data_t p = {};
+    if (!init_program_data(&p, ctx, NO_EVENT_SUBMIT))
+        return 0;
+
+    if (!evaluate_scope_filters(&p))
+        return 0;
+
+    if (!reset_event(p.event, EXEC_TEST))
+        return 0;
+    if (evaluate_scope_filters(&p))
+        ret |= events_perf_submit(&p, 0);
+
+    if (!reset_event(p.event, TEST_MISSING_KSYMBOLS))
+        return 0;
+    if (evaluate_scope_filters(&p))
+        ret |= events_perf_submit(&p, 0);
+
+    if (!reset_event(p.event, TEST_FAILED_ATTACH))
+        return 0;
+    if (evaluate_scope_filters(&p))
+        ret |= events_perf_submit(&p, 0);
+
+    return 0;
+}

pkg/ebpf/c/types.h

@@ -130,6 +130,11 @@ enum event_id_e
     SECURITY_BPRM_CREDS_FOR_EXEC,
     MAX_EVENT_ID,
     NO_EVENT_SUBMIT,
+
+    // Test events IDs
+    EXEC_TEST = 8000,
+    TEST_MISSING_KSYMBOLS,
+    TEST_FAILED_ATTACH,
 };
 
 enum signal_event_id_e

pkg/ebpf/probes/probe_group.go

@@ -222,6 +222,10 @@ func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool) (*ProbeGroup, err
 		ExecuteAtFinishedARM:       NewTraceProbe(KretProbe, "__arm64_sys_execveat", "trace_execute_finished"),
 		ExecuteFinishedCompatARM:   NewTraceProbe(KretProbe, "__arm64_compat_sys_execve", "trace_execute_finished"),
 		ExecuteAtFinishedCompatARM: NewTraceProbe(KretProbe, "__arm64_compat_sys_execveat", "trace_execute_finished"),
+
+		TestUnavailableHook: NewTraceProbe(KProbe, "non_existing_func", "empty_kprobe"),
+		ExecTest:            NewTraceProbe(RawTracepoint, "raw_syscalls:sched_process_exec", "tracepoint__exec_test"),
+		EmptyKprobe:         NewTraceProbe(KProbe, "security_bprm_check", "empty_kprobe"),
 	}
 
 	if !netEnabled {

pkg/ebpf/probes/probes.go

@@ -149,3 +149,10 @@ const (
 	ExecuteFinishedCompatARM
 	ExecuteAtFinishedCompatARM
 )
+
+// Test probe handles
+const (
+	TestUnavailableHook = 1000 + iota
+	ExecTest
+	EmptyKprobe
+)

pkg/events/core.go

@@ -173,6 +173,13 @@ const (
 	MaxSignatureID   ID = 6999
 )
 
+// Test events
+const (
+	ExecTest ID = 8000 + iota
+	MissingKsymbol
+	FailedAttach
+)
+
 //
 // All Events
 //
@@ -13624,4 +13631,55 @@ var CoreEvents = map[ID]Definition{
 			{Type: "const char **", Name: "dst_dns"},
 		},
 	},
+
+	// Test Events
+	ExecTest: {
+		id:      ExecTest,
+		id32Bit: Sys32Undefined,
+		name:    "exec_test",
+		version: NewVersion(1, 0, 0),
+		syscall: false,
+		sets:    []string{"tests", "dependencies"},
+		dependencies: Dependencies{
+			probes: []Probe{
+				{handle: probes.ExecTest, required: true},
+				{handle: probes.EmptyKprobe, required: true},
+			},
+		},
+		params: []trace.ArgMeta{},
+	},
+	MissingKsymbol: {
+		id:      MissingKsymbol,
+		id32Bit: Sys32Undefined,
+		name:    "missing_ksymbol",
+		version: NewVersion(1, 0, 0),
+		syscall: false,
+		sets:    []string{"tests", "dependencies"},
+		params:  []trace.ArgMeta{},
+		dependencies: Dependencies{
+			kSymbols: []KSymbol{
+				{symbol: "non_existing_symbol", required: true},
+			},
+			probes: []Probe{
+				{handle: probes.ExecTest, required: true},
+			},
+			ids: []ID{ExecTest},
+		},
+	},
+	FailedAttach: {
+		id:      FailedAttach,
+		id32Bit: Sys32Undefined,
+		name:    "failed_attach",
+		version: NewVersion(1, 0, 0),
+		syscall: false,
+		sets:    []string{"tests", "dependencies"},
+		params:  []trace.ArgMeta{},
+		dependencies: Dependencies{
+			probes: []Probe{
+				{handle: probes.TestUnavailableHook, required: true},
+				{handle: probes.ExecTest, required: true},
+			},
+			ids: []ID{ExecTest},
+		},
+	},
 }

pkg/logger/logger.go

@@ -339,6 +339,11 @@ func SetLogger(l LoggerInterface) {
 	pkgLogger.l = l
 }
 
+// GetLogger gets the package-level base logger
+func GetLogger() LoggerInterface {
+	return pkgLogger.l
+}
+
 // SetLevel sets package-level base logger level,
 // it is threadsafe
 func SetLevel(level Level) {

pkg/policy/v1beta1/policy_file_test.go

@@ -35,7 +35,7 @@ func TestPolicyValidate(t *testing.T) {
 		nil,
 	)
 
-	err := events.Core.Add(9000, fakeSigEventDefinition)
+	err := events.Core.Add(events.StartSignatureID, fakeSigEventDefinition)
 	assert.NilError(t, err)
 
 	tests := []struct {