chore: Integrate libbpfgo packages into project

This commit integrates the libbpfgo packages into the tracee repository.
These packages were previously copied over from libbpfgo in a separate
PR (#4090) to resolve dependency issues. Now, tracee is utilizing these
packages, providing better compatibility and ensuring smoother
development.

pkg/bufferdecoder/eventsreader.go

@@ -7,10 +7,9 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/aquasecurity/libbpfgo/helpers"
-
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/events"
+	"github.com/aquasecurity/tracee/pkg/events/parsers"
 	"github.com/aquasecurity/tracee/pkg/logger"
 	"github.com/aquasecurity/tracee/types/trace"
 )
@@ -255,9 +254,9 @@ func readSockaddrFromBuff(ebpfMsgDecoder *EbpfDecoder) (map[string]string, error
 	if err != nil {
 		return nil, errfmt.WrapError(err)
 	}
-	socketDomainArg, err := helpers.ParseSocketDomainArgument(uint64(family))
+	socketDomainArg, err := parsers.ParseSocketDomainArgument(uint64(family))
 	if err != nil {
-		socketDomainArg = helpers.AF_UNSPEC
+		socketDomainArg = parsers.AF_UNSPEC
 	}
 	res["sa_family"] = socketDomainArg.String()
 	switch family {

pkg/cmd/cobra/cobra.go

@@ -6,8 +6,6 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 
-	"github.com/aquasecurity/libbpfgo/helpers"
-
 	"github.com/aquasecurity/tracee/pkg/cmd"
 	"github.com/aquasecurity/tracee/pkg/cmd/flags"
 	"github.com/aquasecurity/tracee/pkg/cmd/flags/server"
@@ -22,6 +20,7 @@ import (
 	"github.com/aquasecurity/tracee/pkg/policy"
 	"github.com/aquasecurity/tracee/pkg/signatures/engine"
 	"github.com/aquasecurity/tracee/pkg/signatures/signature"
+	"github.com/aquasecurity/tracee/pkg/utils/environment"
 )
 
 func GetTraceeRunner(c *cobra.Command, version string) (cmd.Runner, error) {
@@ -80,10 +79,10 @@ func GetTraceeRunner(c *cobra.Command, version string) (cmd.Runner, error) {
 
 	// OS release information
 
-	osInfo, err := helpers.GetOSInfo()
+	osInfo, err := environment.GetOSInfo()
 	if err != nil {
 		logger.Debugw("OSInfo", "warning: os-release file could not be found", "error", err) // only to be enforced when BTF needs to be downloaded, later on
-		logger.Debugw("OSInfo", "os_release_field", helpers.OS_KERNEL_RELEASE, "OS_KERNEL_RELEASE", osInfo.GetOSReleaseFieldValue(helpers.OS_KERNEL_RELEASE))
+		logger.Debugw("OSInfo", "os_release_field", environment.OS_KERNEL_RELEASE, "OS_KERNEL_RELEASE", osInfo.GetOSReleaseFieldValue(environment.OS_KERNEL_RELEASE))
 	} else {
 		osInfoSlice := make([]interface{}, 0)
 		for k, v := range osInfo.GetOSReleaseAllFieldValues() {
@@ -259,19 +258,19 @@ func GetTraceeRunner(c *cobra.Command, version string) (cmd.Runner, error) {
 
 	// Check kernel lockdown
 
-	lockdown, err := helpers.Lockdown()
+	lockdown, err := environment.Lockdown()
 	if err != nil {
 		logger.Debugw("OSInfo", "lockdown", err)
 	}
-	if err == nil && lockdown == helpers.CONFIDENTIALITY {
+	if err == nil && lockdown == environment.CONFIDENTIALITY {
 		return runner, errfmt.Errorf("kernel lockdown is set to 'confidentiality', can't load eBPF programs")
 	}
 
 	logger.Debugw("OSInfo", "security_lockdown", lockdown)
 
 	// Check if ftrace is enabled
 
-	enabled, err := helpers.FtraceEnabled()
+	enabled, err := environment.FtraceEnabled()
 	if err != nil {
 		return runner, err
 	}

pkg/cmd/initialize/bpfobject.go

@@ -7,21 +7,20 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/aquasecurity/libbpfgo/helpers"
-
 	embed "github.com/aquasecurity/tracee"
 	"github.com/aquasecurity/tracee/pkg/config"
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/logger"
+	"github.com/aquasecurity/tracee/pkg/utils/environment"
 )
 
 // BpfObject sets up and configures a BPF object for tracing and monitoring
 // system events within the kernel. It takes pointers to tracee.Config,
-// helpers.KernelConfig, and helpers.OSInfo structures, as well as an
+// environment.KernelConfig, and environment.OSInfo structures, as well as an
 // installation path and a version string. The function unpacks the CO-RE eBPF
 // object binary, checks if BTF is enabled, unpacks the BTF file from BTF Hub if
 // necessary, and assigns the kernel configuration and BPF object bytes.
-func BpfObject(cfg *config.Config, kConfig *helpers.KernelConfig, osInfo *helpers.OSInfo, installPath string, version string) error {
+func BpfObject(cfg *config.Config, kConfig *environment.KernelConfig, osInfo *environment.OSInfo, installPath string, version string) error {
 	btfFilePath, err := checkEnvPath("TRACEE_BTF_FILE")
 	if btfFilePath == "" && err != nil {
 		return errfmt.WrapError(err)
@@ -39,7 +38,7 @@ func BpfObject(cfg *config.Config, kConfig *helpers.KernelConfig, osInfo *helper
 
 	// BTF unavailable: check embedded BTF files
 
-	if !helpers.OSBTFEnabled() && btfFilePath == "" {
+	if !environment.OSBTFEnabled() && btfFilePath == "" {
 		unpackBTFFile := filepath.Join(installPath, "/tracee.btf")
 		err = unpackBTFHub(unpackBTFFile, osInfo)
 		if err == nil {
@@ -86,13 +85,13 @@ func unpackCOREBinary() ([]byte, error) {
 // an OSInfo struct containing information about the OS, including OS ID,
 // version ID, kernel release, and architecture. It returns an error if any of
 // the directory creation, file opening, or file copying operations fail.
-func unpackBTFHub(outFilePath string, osInfo *helpers.OSInfo) error {
+func unpackBTFHub(outFilePath string, osInfo *environment.OSInfo) error {
 	var btfFilePath string
 
-	osId := osInfo.GetOSReleaseFieldValue(helpers.OS_ID)
-	versionId := strings.Replace(osInfo.GetOSReleaseFieldValue(helpers.OS_VERSION_ID), "\"", "", -1)
-	kernelRelease := osInfo.GetOSReleaseFieldValue(helpers.OS_KERNEL_RELEASE)
-	arch := osInfo.GetOSReleaseFieldValue(helpers.OS_ARCH)
+	osId := osInfo.GetOSReleaseFieldValue(environment.OS_ID)
+	versionId := strings.Replace(osInfo.GetOSReleaseFieldValue(environment.OS_VERSION_ID), "\"", "", -1)
+	kernelRelease := osInfo.GetOSReleaseFieldValue(environment.OS_KERNEL_RELEASE)
+	arch := osInfo.GetOSReleaseFieldValue(environment.OS_ARCH)
 
 	if err := os.MkdirAll(filepath.Dir(outFilePath), 0755); err != nil {
 		return errfmt.Errorf("could not create temp dir: %s", err.Error())

pkg/cmd/initialize/kernelconfig.go

@@ -1,24 +1,23 @@
 package initialize
 
 import (
-	"github.com/aquasecurity/libbpfgo/helpers"
-
 	"github.com/aquasecurity/tracee/pkg/logger"
+	"github.com/aquasecurity/tracee/pkg/utils/environment"
 )
 
-func KernelConfig() (*helpers.KernelConfig, error) {
-	kernelConfig, err := helpers.InitKernelConfig()
+func KernelConfig() (*environment.KernelConfig, error) {
+	kernelConfig, err := environment.InitKernelConfig()
 	if err != nil {
 		// do not fail if we cannot init kconfig - print out warning messages
 		logger.Warnw("KConfig: could not check enabled kconfig features", "error", err)
 		logger.Warnw("KConfig: assuming kconfig values, might have unexpected behavior")
 		return kernelConfig, nil
 	}
 
-	kernelConfig.AddNeeded(helpers.CONFIG_BPF, helpers.BUILTIN)
-	kernelConfig.AddNeeded(helpers.CONFIG_BPF_SYSCALL, helpers.BUILTIN)
-	kernelConfig.AddNeeded(helpers.CONFIG_KPROBE_EVENTS, helpers.BUILTIN)
-	kernelConfig.AddNeeded(helpers.CONFIG_BPF_EVENTS, helpers.BUILTIN)
+	kernelConfig.AddNeeded(environment.CONFIG_BPF, environment.BUILTIN)
+	kernelConfig.AddNeeded(environment.CONFIG_BPF_SYSCALL, environment.BUILTIN)
+	kernelConfig.AddNeeded(environment.CONFIG_KPROBE_EVENTS, environment.BUILTIN)
+	kernelConfig.AddNeeded(environment.CONFIG_BPF_EVENTS, environment.BUILTIN)
 	missing := kernelConfig.CheckMissing()
 	if len(missing) > 0 {
 		// do not fail if there are missing options, let it fail later by trying

pkg/cmd/urfave/urfave.go

@@ -3,8 +3,6 @@ package urfave
 import (
 	cli "github.com/urfave/cli/v2"
 
-	"github.com/aquasecurity/libbpfgo/helpers"
-
 	"github.com/aquasecurity/tracee/pkg/cmd"
 	"github.com/aquasecurity/tracee/pkg/cmd/flags"
 	"github.com/aquasecurity/tracee/pkg/cmd/flags/server"
@@ -14,6 +12,7 @@ import (
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/logger"
 	"github.com/aquasecurity/tracee/pkg/policy"
+	"github.com/aquasecurity/tracee/pkg/utils/environment"
 )
 
 func GetTraceeRunner(c *cli.Context, version string) (cmd.Runner, error) {
@@ -48,10 +47,10 @@ func GetTraceeRunner(c *cli.Context, version string) (cmd.Runner, error) {
 
 	// OS release information
 
-	osInfo, err := helpers.GetOSInfo()
+	osInfo, err := environment.GetOSInfo()
 	if err != nil {
 		logger.Debugw("OSInfo", "warning: os-release file could not be found", "error", err) // only to be enforced when BTF needs to be downloaded, later on
-		logger.Debugw("OSInfo", "os_release_field", helpers.OS_KERNEL_RELEASE, "OS_KERNEL_RELEASE", osInfo.GetOSReleaseFieldValue(helpers.OS_KERNEL_RELEASE))
+		logger.Debugw("OSInfo", "os_release_field", environment.OS_KERNEL_RELEASE, "OS_KERNEL_RELEASE", osInfo.GetOSReleaseFieldValue(environment.OS_KERNEL_RELEASE))
 	} else {
 		osInfoSlice := make([]interface{}, 0)
 		for k, v := range osInfo.GetOSReleaseAllFieldValues() {
@@ -139,19 +138,19 @@ func GetTraceeRunner(c *cli.Context, version string) (cmd.Runner, error) {
 
 	// Check kernel lockdown
 
-	lockdown, err := helpers.Lockdown()
+	lockdown, err := environment.Lockdown()
 	if err != nil {
 		logger.Debugw("OSInfo", "lockdown", err)
 	}
-	if err == nil && lockdown == helpers.CONFIDENTIALITY {
+	if err == nil && lockdown == environment.CONFIDENTIALITY {
 		return runner, errfmt.Errorf("kernel lockdown is set to 'confidentiality', can't load eBPF programs")
 	}
 
 	logger.Debugw("OSInfo", "security_lockdown", lockdown)
 
 	// Check if ftrace is enabled
 
-	enabled, err := helpers.FtraceEnabled()
+	enabled, err := environment.FtraceEnabled()
 	if err != nil {
 		return runner, err
 	}

pkg/config/config.go

@@ -3,15 +3,14 @@ package config
 import (
 	"io"
 
-	"github.com/aquasecurity/libbpfgo/helpers"
-
 	"github.com/aquasecurity/tracee/pkg/containers/runtime"
 	"github.com/aquasecurity/tracee/pkg/dnscache"
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/events/queue"
 	"github.com/aquasecurity/tracee/pkg/policy"
 	"github.com/aquasecurity/tracee/pkg/proctree"
 	"github.com/aquasecurity/tracee/pkg/signatures/engine"
+	"github.com/aquasecurity/tracee/pkg/utils/environment"
 )
 
 // Config is a struct containing user defined configuration of tracee
@@ -27,8 +26,8 @@ type Config struct {
 	MaxPidsCache       int // maximum number of pids to cache per mnt ns (in Tracee.pidsInMntns)
 	BTFObjPath         string
 	BPFObjBytes        []byte
-	KernelConfig       *helpers.KernelConfig
-	OSInfo             *helpers.OSInfo
+	KernelConfig       *environment.KernelConfig
+	OSInfo             *environment.OSInfo
 	Sockets            runtime.Sockets
 	NoContainersEnrich bool
 	EngineConfig       engine.Config

pkg/ebpf/hooked_syscall_table.go

@@ -8,13 +8,13 @@ import (
 	"unsafe"
 
 	bpf "github.com/aquasecurity/libbpfgo"
-	"github.com/aquasecurity/libbpfgo/helpers"
 
 	"github.com/aquasecurity/tracee/pkg/capabilities"
 	"github.com/aquasecurity/tracee/pkg/events"
 	"github.com/aquasecurity/tracee/pkg/events/derive"
 	"github.com/aquasecurity/tracee/pkg/logger"
 	"github.com/aquasecurity/tracee/pkg/utils"
+	"github.com/aquasecurity/tracee/pkg/utils/environment"
 )
 
 var expectedSyscallTableInit = false
@@ -78,7 +78,7 @@ func (t *Tracee) isAboveSatisfied(aboveRequirement string) (bool, error) {
 		return false, err
 	}
 
-	if kerVerCmpAbove == helpers.KernelVersionOlder || kerVerCmpAbove == helpers.KernelVersionEqual { // above requirement is older/equal running kernel (aka satisfies requirement)
+	if kerVerCmpAbove == environment.KernelVersionOlder || kerVerCmpAbove == environment.KernelVersionEqual { // above requirement is older/equal running kernel (aka satisfies requirement)
 		return true, nil
 	}
 
@@ -92,7 +92,7 @@ func (t *Tracee) isBelowSatisfied(belowRequirement string) (bool, error) {
 		return false, err
 	}
 
-	if kerVerCmpBelow == helpers.KernelVersionNewer { // below requirement is newer than running kernel (aka satisfies requirement)
+	if kerVerCmpBelow == environment.KernelVersionNewer { // below requirement is newer than running kernel (aka satisfies requirement)
 		return true, nil
 	}
 

pkg/ebpf/initialization/kconfig.go

@@ -1,25 +1,24 @@
 package initialization
 
 import (
-	"github.com/aquasecurity/libbpfgo/helpers"
-
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/logger"
+	"github.com/aquasecurity/tracee/pkg/utils/environment"
 )
 
 // Custom KernelConfigOption's to extend kernel_config helper support
 // Add here all kconfig variables used within tracee.bpf.c
 const (
-	CONFIG_ARCH_HAS_SYSCALL_WRAPPER helpers.KernelConfigOption = iota + helpers.CUSTOM_OPTION_START
+	CONFIG_ARCH_HAS_SYSCALL_WRAPPER environment.KernelConfigOption = iota + environment.CUSTOM_OPTION_START
 )
 
-var kconfigUsed = map[helpers.KernelConfigOption]string{
+var kconfigUsed = map[environment.KernelConfigOption]string{
 	CONFIG_ARCH_HAS_SYSCALL_WRAPPER: "CONFIG_ARCH_HAS_SYSCALL_WRAPPER",
 }
 
 // LoadKconfigValues load all kconfig variables used within tracee.bpf.c
-func LoadKconfigValues(kc *helpers.KernelConfig) (map[helpers.KernelConfigOption]helpers.KernelConfigOptionValue, error) {
-	values := make(map[helpers.KernelConfigOption]helpers.KernelConfigOptionValue)
+func LoadKconfigValues(kc *environment.KernelConfig) (map[environment.KernelConfigOption]environment.KernelConfigOptionValue, error) {
+	values := make(map[environment.KernelConfigOption]environment.KernelConfigOptionValue)
 	var err error
 	for key, keyString := range kconfigUsed {
 		if err = kc.AddCustomKernelConfig(key, keyString); err != nil {
@@ -31,9 +30,9 @@ func LoadKconfigValues(kc *helpers.KernelConfig) (map[helpers.KernelConfigOption
 	if err = kc.LoadKernelConfig(); err != nil { // invalid kconfig file: assume values then
 		logger.Debugw("KConfig: warning: assuming kconfig values, might have unexpected behavior")
 		for key := range kconfigUsed {
-			values[key] = helpers.UNDEFINED
+			values[key] = environment.UNDEFINED
 		}
-		values[CONFIG_ARCH_HAS_SYSCALL_WRAPPER] = helpers.BUILTIN // assume CONFIG_ARCH_HAS_SYSCALL_WRAPPER is a BUILTIN option
+		values[CONFIG_ARCH_HAS_SYSCALL_WRAPPER] = environment.BUILTIN // assume CONFIG_ARCH_HAS_SYSCALL_WRAPPER is a BUILTIN option
 	} else {
 		for key := range kconfigUsed {
 			values[key] = kc.GetValue(key) // undefined, builtin OR module

pkg/ebpf/probes/probe_group.go

@@ -4,17 +4,17 @@ import (
 	"sync"
 
 	bpf "github.com/aquasecurity/libbpfgo"
-	"github.com/aquasecurity/libbpfgo/helpers"
 
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/logger"
+	"github.com/aquasecurity/tracee/pkg/utils/environment"
 )
 
 //
 // ProbeGroup
 //
 
-var kernelSymbolTable *helpers.KernelSymbolTable
+var kernelSymbolTable *environment.KernelSymbolTable
 
 // ProbeGroup is a collection of probes.
 type ProbeGroup struct {
@@ -106,7 +106,7 @@ func (p *ProbeGroup) GetProbeByHandle(handle Handle) Probe {
 }
 
 // NewDefaultProbeGroup initializes the default ProbeGroup (TODO: extensions will use probe groups)
-func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool, kSyms *helpers.KernelSymbolTable) (*ProbeGroup, error) {
+func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool, kSyms *environment.KernelSymbolTable) (*ProbeGroup, error) {
 	if kSyms == nil {
 		return nil, errfmt.Errorf("kernel symbol table is nil")
 	}

pkg/ebpf/probes/uprobe.go

@@ -2,9 +2,9 @@ package probes
 
 import (
 	bpf "github.com/aquasecurity/libbpfgo"
-	"github.com/aquasecurity/libbpfgo/helpers"
 
 	"github.com/aquasecurity/tracee/pkg/errfmt"
+	"github.com/aquasecurity/tracee/pkg/utils"
 )
 
 // NOTE: thread-safety guaranteed by the ProbeGroup big lock.
@@ -63,7 +63,7 @@ func (p *Uprobe) attach(module *bpf.Module, args ...interface{}) error {
 		return errfmt.WrapError(err)
 	}
 
-	offset, err := helpers.SymbolToOffset(p.binaryPath, p.symbolName)
+	offset, err := utils.SymbolToOffset(p.binaryPath, p.symbolName)
 	if err != nil {
 		return errfmt.Errorf("error finding %s function offset: %v", p.symbolName, err)
 	}