diff --git a/pkg/bufferdecoder/eventsreader.go b/pkg/bufferdecoder/eventsreader.go index 5c3b40a74987..d6e179a1bcd7 100644 --- a/pkg/bufferdecoder/eventsreader.go +++ b/pkg/bufferdecoder/eventsreader.go @@ -7,10 +7,9 @@ import ( "strconv" "strings" - "github.com/aquasecurity/libbpfgo/helpers" - "github.com/aquasecurity/tracee/pkg/errfmt" "github.com/aquasecurity/tracee/pkg/events" + "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/pkg/logger" "github.com/aquasecurity/tracee/types/trace" ) @@ -255,9 +254,9 @@ func readSockaddrFromBuff(ebpfMsgDecoder *EbpfDecoder) (map[string]string, error if err != nil { return nil, errfmt.WrapError(err) } - socketDomainArg, err := helpers.ParseSocketDomainArgument(uint64(family)) + socketDomainArg, err := parsers.ParseSocketDomainArgument(uint64(family)) if err != nil { - socketDomainArg = helpers.AF_UNSPEC + socketDomainArg = parsers.AF_UNSPEC } res["sa_family"] = socketDomainArg.String() switch family { diff --git a/pkg/cmd/cobra/cobra.go b/pkg/cmd/cobra/cobra.go index f7cd22139d66..71299f8a2783 100644 --- a/pkg/cmd/cobra/cobra.go +++ b/pkg/cmd/cobra/cobra.go @@ -6,8 +6,6 @@ import ( "github.com/spf13/cobra" "github.com/spf13/viper" - "github.com/aquasecurity/libbpfgo/helpers" - "github.com/aquasecurity/tracee/pkg/cmd" "github.com/aquasecurity/tracee/pkg/cmd/flags" "github.com/aquasecurity/tracee/pkg/cmd/flags/server" @@ -22,6 +20,7 @@ import ( "github.com/aquasecurity/tracee/pkg/policy" "github.com/aquasecurity/tracee/pkg/signatures/engine" "github.com/aquasecurity/tracee/pkg/signatures/signature" + "github.com/aquasecurity/tracee/pkg/utils/environment" ) func GetTraceeRunner(c *cobra.Command, version string) (cmd.Runner, error) { @@ -80,10 +79,10 @@ func GetTraceeRunner(c *cobra.Command, version string) (cmd.Runner, error) { // OS release information - osInfo, err := helpers.GetOSInfo() + osInfo, err := environment.GetOSInfo() if err != nil { logger.Debugw("OSInfo", "warning: os-release file could not be found", "error", err) // only to be enforced when BTF needs to be downloaded, later on - logger.Debugw("OSInfo", "os_release_field", helpers.OS_KERNEL_RELEASE, "OS_KERNEL_RELEASE", osInfo.GetOSReleaseFieldValue(helpers.OS_KERNEL_RELEASE)) + logger.Debugw("OSInfo", "os_release_field", environment.OS_KERNEL_RELEASE, "OS_KERNEL_RELEASE", osInfo.GetOSReleaseFieldValue(environment.OS_KERNEL_RELEASE)) } else { osInfoSlice := make([]interface{}, 0) for k, v := range osInfo.GetOSReleaseAllFieldValues() { @@ -259,11 +258,11 @@ func GetTraceeRunner(c *cobra.Command, version string) (cmd.Runner, error) { // Check kernel lockdown - lockdown, err := helpers.Lockdown() + lockdown, err := environment.Lockdown() if err != nil { logger.Debugw("OSInfo", "lockdown", err) } - if err == nil && lockdown == helpers.CONFIDENTIALITY { + if err == nil && lockdown == environment.CONFIDENTIALITY { return runner, errfmt.Errorf("kernel lockdown is set to 'confidentiality', can't load eBPF programs") } @@ -271,7 +270,7 @@ func GetTraceeRunner(c *cobra.Command, version string) (cmd.Runner, error) { // Check if ftrace is enabled - enabled, err := helpers.FtraceEnabled() + enabled, err := environment.FtraceEnabled() if err != nil { return runner, err } diff --git a/pkg/cmd/initialize/bpfobject.go b/pkg/cmd/initialize/bpfobject.go index 36fc47b1e98d..be4540a1143a 100644 --- a/pkg/cmd/initialize/bpfobject.go +++ b/pkg/cmd/initialize/bpfobject.go @@ -7,21 +7,20 @@ import ( "path/filepath" "strings" - "github.com/aquasecurity/libbpfgo/helpers" - embed "github.com/aquasecurity/tracee" "github.com/aquasecurity/tracee/pkg/config" "github.com/aquasecurity/tracee/pkg/errfmt" "github.com/aquasecurity/tracee/pkg/logger" + "github.com/aquasecurity/tracee/pkg/utils/environment" ) // BpfObject sets up and configures a BPF object for tracing and monitoring // system events within the kernel. It takes pointers to tracee.Config, -// helpers.KernelConfig, and helpers.OSInfo structures, as well as an +// environment.KernelConfig, and environment.OSInfo structures, as well as an // installation path and a version string. The function unpacks the CO-RE eBPF // object binary, checks if BTF is enabled, unpacks the BTF file from BTF Hub if // necessary, and assigns the kernel configuration and BPF object bytes. -func BpfObject(cfg *config.Config, kConfig *helpers.KernelConfig, osInfo *helpers.OSInfo, installPath string, version string) error { +func BpfObject(cfg *config.Config, kConfig *environment.KernelConfig, osInfo *environment.OSInfo, installPath string, version string) error { btfFilePath, err := checkEnvPath("TRACEE_BTF_FILE") if btfFilePath == "" && err != nil { return errfmt.WrapError(err) @@ -39,7 +38,7 @@ func BpfObject(cfg *config.Config, kConfig *helpers.KernelConfig, osInfo *helper // BTF unavailable: check embedded BTF files - if !helpers.OSBTFEnabled() && btfFilePath == "" { + if !environment.OSBTFEnabled() && btfFilePath == "" { unpackBTFFile := filepath.Join(installPath, "/tracee.btf") err = unpackBTFHub(unpackBTFFile, osInfo) if err == nil { @@ -86,13 +85,13 @@ func unpackCOREBinary() ([]byte, error) { // an OSInfo struct containing information about the OS, including OS ID, // version ID, kernel release, and architecture. It returns an error if any of // the directory creation, file opening, or file copying operations fail. -func unpackBTFHub(outFilePath string, osInfo *helpers.OSInfo) error { +func unpackBTFHub(outFilePath string, osInfo *environment.OSInfo) error { var btfFilePath string - osId := osInfo.GetOSReleaseFieldValue(helpers.OS_ID) - versionId := strings.Replace(osInfo.GetOSReleaseFieldValue(helpers.OS_VERSION_ID), "\"", "", -1) - kernelRelease := osInfo.GetOSReleaseFieldValue(helpers.OS_KERNEL_RELEASE) - arch := osInfo.GetOSReleaseFieldValue(helpers.OS_ARCH) + osId := osInfo.GetOSReleaseFieldValue(environment.OS_ID) + versionId := strings.Replace(osInfo.GetOSReleaseFieldValue(environment.OS_VERSION_ID), "\"", "", -1) + kernelRelease := osInfo.GetOSReleaseFieldValue(environment.OS_KERNEL_RELEASE) + arch := osInfo.GetOSReleaseFieldValue(environment.OS_ARCH) if err := os.MkdirAll(filepath.Dir(outFilePath), 0755); err != nil { return errfmt.Errorf("could not create temp dir: %s", err.Error()) diff --git a/pkg/cmd/initialize/kernelconfig.go b/pkg/cmd/initialize/kernelconfig.go index d21513356c73..d9bec28c2eea 100644 --- a/pkg/cmd/initialize/kernelconfig.go +++ b/pkg/cmd/initialize/kernelconfig.go @@ -1,13 +1,12 @@ package initialize import ( - "github.com/aquasecurity/libbpfgo/helpers" - "github.com/aquasecurity/tracee/pkg/logger" + "github.com/aquasecurity/tracee/pkg/utils/environment" ) -func KernelConfig() (*helpers.KernelConfig, error) { - kernelConfig, err := helpers.InitKernelConfig() +func KernelConfig() (*environment.KernelConfig, error) { + kernelConfig, err := environment.InitKernelConfig() if err != nil { // do not fail if we cannot init kconfig - print out warning messages logger.Warnw("KConfig: could not check enabled kconfig features", "error", err) @@ -15,10 +14,10 @@ func KernelConfig() (*helpers.KernelConfig, error) { return kernelConfig, nil } - kernelConfig.AddNeeded(helpers.CONFIG_BPF, helpers.BUILTIN) - kernelConfig.AddNeeded(helpers.CONFIG_BPF_SYSCALL, helpers.BUILTIN) - kernelConfig.AddNeeded(helpers.CONFIG_KPROBE_EVENTS, helpers.BUILTIN) - kernelConfig.AddNeeded(helpers.CONFIG_BPF_EVENTS, helpers.BUILTIN) + kernelConfig.AddNeeded(environment.CONFIG_BPF, environment.BUILTIN) + kernelConfig.AddNeeded(environment.CONFIG_BPF_SYSCALL, environment.BUILTIN) + kernelConfig.AddNeeded(environment.CONFIG_KPROBE_EVENTS, environment.BUILTIN) + kernelConfig.AddNeeded(environment.CONFIG_BPF_EVENTS, environment.BUILTIN) missing := kernelConfig.CheckMissing() if len(missing) > 0 { // do not fail if there are missing options, let it fail later by trying diff --git a/pkg/cmd/urfave/urfave.go b/pkg/cmd/urfave/urfave.go index 9c82380218c2..2c28fb95dd89 100644 --- a/pkg/cmd/urfave/urfave.go +++ b/pkg/cmd/urfave/urfave.go @@ -3,8 +3,6 @@ package urfave import ( cli "github.com/urfave/cli/v2" - "github.com/aquasecurity/libbpfgo/helpers" - "github.com/aquasecurity/tracee/pkg/cmd" "github.com/aquasecurity/tracee/pkg/cmd/flags" "github.com/aquasecurity/tracee/pkg/cmd/flags/server" @@ -14,6 +12,7 @@ import ( "github.com/aquasecurity/tracee/pkg/errfmt" "github.com/aquasecurity/tracee/pkg/logger" "github.com/aquasecurity/tracee/pkg/policy" + "github.com/aquasecurity/tracee/pkg/utils/environment" ) func GetTraceeRunner(c *cli.Context, version string) (cmd.Runner, error) { @@ -48,10 +47,10 @@ func GetTraceeRunner(c *cli.Context, version string) (cmd.Runner, error) { // OS release information - osInfo, err := helpers.GetOSInfo() + osInfo, err := environment.GetOSInfo() if err != nil { logger.Debugw("OSInfo", "warning: os-release file could not be found", "error", err) // only to be enforced when BTF needs to be downloaded, later on - logger.Debugw("OSInfo", "os_release_field", helpers.OS_KERNEL_RELEASE, "OS_KERNEL_RELEASE", osInfo.GetOSReleaseFieldValue(helpers.OS_KERNEL_RELEASE)) + logger.Debugw("OSInfo", "os_release_field", environment.OS_KERNEL_RELEASE, "OS_KERNEL_RELEASE", osInfo.GetOSReleaseFieldValue(environment.OS_KERNEL_RELEASE)) } else { osInfoSlice := make([]interface{}, 0) for k, v := range osInfo.GetOSReleaseAllFieldValues() { @@ -139,11 +138,11 @@ func GetTraceeRunner(c *cli.Context, version string) (cmd.Runner, error) { // Check kernel lockdown - lockdown, err := helpers.Lockdown() + lockdown, err := environment.Lockdown() if err != nil { logger.Debugw("OSInfo", "lockdown", err) } - if err == nil && lockdown == helpers.CONFIDENTIALITY { + if err == nil && lockdown == environment.CONFIDENTIALITY { return runner, errfmt.Errorf("kernel lockdown is set to 'confidentiality', can't load eBPF programs") } @@ -151,7 +150,7 @@ func GetTraceeRunner(c *cli.Context, version string) (cmd.Runner, error) { // Check if ftrace is enabled - enabled, err := helpers.FtraceEnabled() + enabled, err := environment.FtraceEnabled() if err != nil { return runner, err } diff --git a/pkg/config/config.go b/pkg/config/config.go index 6361ddcbc2f4..c60c202612db 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -3,8 +3,6 @@ package config import ( "io" - "github.com/aquasecurity/libbpfgo/helpers" - "github.com/aquasecurity/tracee/pkg/containers/runtime" "github.com/aquasecurity/tracee/pkg/dnscache" "github.com/aquasecurity/tracee/pkg/errfmt" @@ -12,6 +10,7 @@ import ( "github.com/aquasecurity/tracee/pkg/policy" "github.com/aquasecurity/tracee/pkg/proctree" "github.com/aquasecurity/tracee/pkg/signatures/engine" + "github.com/aquasecurity/tracee/pkg/utils/environment" ) // Config is a struct containing user defined configuration of tracee @@ -27,8 +26,8 @@ type Config struct { MaxPidsCache int // maximum number of pids to cache per mnt ns (in Tracee.pidsInMntns) BTFObjPath string BPFObjBytes []byte - KernelConfig *helpers.KernelConfig - OSInfo *helpers.OSInfo + KernelConfig *environment.KernelConfig + OSInfo *environment.OSInfo Sockets runtime.Sockets NoContainersEnrich bool EngineConfig engine.Config diff --git a/pkg/ebpf/hooked_syscall_table.go b/pkg/ebpf/hooked_syscall_table.go index 2321f6ac2c99..4ef19f503f92 100644 --- a/pkg/ebpf/hooked_syscall_table.go +++ b/pkg/ebpf/hooked_syscall_table.go @@ -8,13 +8,13 @@ import ( "unsafe" bpf "github.com/aquasecurity/libbpfgo" - "github.com/aquasecurity/libbpfgo/helpers" "github.com/aquasecurity/tracee/pkg/capabilities" "github.com/aquasecurity/tracee/pkg/events" "github.com/aquasecurity/tracee/pkg/events/derive" "github.com/aquasecurity/tracee/pkg/logger" "github.com/aquasecurity/tracee/pkg/utils" + "github.com/aquasecurity/tracee/pkg/utils/environment" ) var expectedSyscallTableInit = false @@ -78,7 +78,7 @@ func (t *Tracee) isAboveSatisfied(aboveRequirement string) (bool, error) { return false, err } - if kerVerCmpAbove == helpers.KernelVersionOlder || kerVerCmpAbove == helpers.KernelVersionEqual { // above requirement is older/equal running kernel (aka satisfies requirement) + if kerVerCmpAbove == environment.KernelVersionOlder || kerVerCmpAbove == environment.KernelVersionEqual { // above requirement is older/equal running kernel (aka satisfies requirement) return true, nil } @@ -92,7 +92,7 @@ func (t *Tracee) isBelowSatisfied(belowRequirement string) (bool, error) { return false, err } - if kerVerCmpBelow == helpers.KernelVersionNewer { // below requirement is newer than running kernel (aka satisfies requirement) + if kerVerCmpBelow == environment.KernelVersionNewer { // below requirement is newer than running kernel (aka satisfies requirement) return true, nil } diff --git a/pkg/ebpf/initialization/kconfig.go b/pkg/ebpf/initialization/kconfig.go index 3a9ad31ba4b7..b0efbc8c4f12 100644 --- a/pkg/ebpf/initialization/kconfig.go +++ b/pkg/ebpf/initialization/kconfig.go @@ -1,25 +1,24 @@ package initialization import ( - "github.com/aquasecurity/libbpfgo/helpers" - "github.com/aquasecurity/tracee/pkg/errfmt" "github.com/aquasecurity/tracee/pkg/logger" + "github.com/aquasecurity/tracee/pkg/utils/environment" ) // Custom KernelConfigOption's to extend kernel_config helper support // Add here all kconfig variables used within tracee.bpf.c const ( - CONFIG_ARCH_HAS_SYSCALL_WRAPPER helpers.KernelConfigOption = iota + helpers.CUSTOM_OPTION_START + CONFIG_ARCH_HAS_SYSCALL_WRAPPER environment.KernelConfigOption = iota + environment.CUSTOM_OPTION_START ) -var kconfigUsed = map[helpers.KernelConfigOption]string{ +var kconfigUsed = map[environment.KernelConfigOption]string{ CONFIG_ARCH_HAS_SYSCALL_WRAPPER: "CONFIG_ARCH_HAS_SYSCALL_WRAPPER", } // LoadKconfigValues load all kconfig variables used within tracee.bpf.c -func LoadKconfigValues(kc *helpers.KernelConfig) (map[helpers.KernelConfigOption]helpers.KernelConfigOptionValue, error) { - values := make(map[helpers.KernelConfigOption]helpers.KernelConfigOptionValue) +func LoadKconfigValues(kc *environment.KernelConfig) (map[environment.KernelConfigOption]environment.KernelConfigOptionValue, error) { + values := make(map[environment.KernelConfigOption]environment.KernelConfigOptionValue) var err error for key, keyString := range kconfigUsed { if err = kc.AddCustomKernelConfig(key, keyString); err != nil { @@ -31,9 +30,9 @@ func LoadKconfigValues(kc *helpers.KernelConfig) (map[helpers.KernelConfigOption if err = kc.LoadKernelConfig(); err != nil { // invalid kconfig file: assume values then logger.Debugw("KConfig: warning: assuming kconfig values, might have unexpected behavior") for key := range kconfigUsed { - values[key] = helpers.UNDEFINED + values[key] = environment.UNDEFINED } - values[CONFIG_ARCH_HAS_SYSCALL_WRAPPER] = helpers.BUILTIN // assume CONFIG_ARCH_HAS_SYSCALL_WRAPPER is a BUILTIN option + values[CONFIG_ARCH_HAS_SYSCALL_WRAPPER] = environment.BUILTIN // assume CONFIG_ARCH_HAS_SYSCALL_WRAPPER is a BUILTIN option } else { for key := range kconfigUsed { values[key] = kc.GetValue(key) // undefined, builtin OR module diff --git a/pkg/ebpf/probes/probe_group.go b/pkg/ebpf/probes/probe_group.go index 8ca1d1d49f20..5df29aacc9ad 100644 --- a/pkg/ebpf/probes/probe_group.go +++ b/pkg/ebpf/probes/probe_group.go @@ -4,17 +4,17 @@ import ( "sync" bpf "github.com/aquasecurity/libbpfgo" - "github.com/aquasecurity/libbpfgo/helpers" "github.com/aquasecurity/tracee/pkg/errfmt" "github.com/aquasecurity/tracee/pkg/logger" + "github.com/aquasecurity/tracee/pkg/utils/environment" ) // // ProbeGroup // -var kernelSymbolTable *helpers.KernelSymbolTable +var kernelSymbolTable *environment.KernelSymbolTable // ProbeGroup is a collection of probes. type ProbeGroup struct { @@ -106,7 +106,7 @@ func (p *ProbeGroup) GetProbeByHandle(handle Handle) Probe { } // NewDefaultProbeGroup initializes the default ProbeGroup (TODO: extensions will use probe groups) -func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool, kSyms *helpers.KernelSymbolTable) (*ProbeGroup, error) { +func NewDefaultProbeGroup(module *bpf.Module, netEnabled bool, kSyms *environment.KernelSymbolTable) (*ProbeGroup, error) { if kSyms == nil { return nil, errfmt.Errorf("kernel symbol table is nil") } diff --git a/pkg/ebpf/probes/uprobe.go b/pkg/ebpf/probes/uprobe.go index 388fbc492831..e693d352912b 100644 --- a/pkg/ebpf/probes/uprobe.go +++ b/pkg/ebpf/probes/uprobe.go @@ -2,9 +2,9 @@ package probes import ( bpf "github.com/aquasecurity/libbpfgo" - "github.com/aquasecurity/libbpfgo/helpers" "github.com/aquasecurity/tracee/pkg/errfmt" + "github.com/aquasecurity/tracee/pkg/utils" ) // NOTE: thread-safety guaranteed by the ProbeGroup big lock. @@ -63,7 +63,7 @@ func (p *Uprobe) attach(module *bpf.Module, args ...interface{}) error { return errfmt.WrapError(err) } - offset, err := helpers.SymbolToOffset(p.binaryPath, p.symbolName) + offset, err := utils.SymbolToOffset(p.binaryPath, p.symbolName) if err != nil { return errfmt.Errorf("error finding %s function offset: %v", p.symbolName, err) } diff --git a/pkg/ebpf/processor.go b/pkg/ebpf/processor.go index 46da50103a1b..72a7ffb9bfd1 100644 --- a/pkg/ebpf/processor.go +++ b/pkg/ebpf/processor.go @@ -4,11 +4,10 @@ import ( "fmt" "sync" - "github.com/aquasecurity/libbpfgo/helpers" - "github.com/aquasecurity/tracee/pkg/events" "github.com/aquasecurity/tracee/pkg/logger" "github.com/aquasecurity/tracee/pkg/proctree" + "github.com/aquasecurity/tracee/pkg/utils/environment" "github.com/aquasecurity/tracee/types/trace" ) @@ -138,7 +137,7 @@ func initKernelReadFileTypes() { // simply check for the enum value in bpf code. This will make the event more stable for // existing kernels as well as future kernels as well. - osInfo, err := helpers.GetOSInfo() + osInfo, err := environment.GetOSInfo() if err != nil { return } @@ -164,7 +163,7 @@ func initKernelReadFileTypes() { return } - if kernel593ComparedToRunningKernel == helpers.KernelVersionOlder { + if kernel593ComparedToRunningKernel == environment.KernelVersionOlder { // running kernel version: >=5.9.3 kernelReadFileTypes = map[int32]trace.KernelReadType{ 0: trace.KernelReadUnknown, @@ -175,9 +174,9 @@ func initKernelReadFileTypes() { 5: trace.KernelReadSecurityPolicy, 6: trace.KernelReadx509Certificate, } - } else if kernel570ComparedToRunningKernel == helpers.KernelVersionOlder /* Running kernel is newer than 5.7.0 */ && - kernel592ComparedToRunningKernel != helpers.KernelVersionOlder /* Running kernel is equal or older than 5.9.2*/ && - kernel5818ComparedToRunningKernel != helpers.KernelVersionEqual /* Running kernel is not 5.8.18 */ { + } else if kernel570ComparedToRunningKernel == environment.KernelVersionOlder /* Running kernel is newer than 5.7.0 */ && + kernel592ComparedToRunningKernel != environment.KernelVersionOlder /* Running kernel is equal or older than 5.9.2*/ && + kernel5818ComparedToRunningKernel != environment.KernelVersionEqual /* Running kernel is not 5.8.18 */ { // running kernel version: >=5.7 && <=5.9.2 && !=5.8.18 kernelReadFileTypes = map[int32]trace.KernelReadType{ 0: trace.KernelReadUnknown, @@ -190,9 +189,9 @@ func initKernelReadFileTypes() { 7: trace.KernelReadSecurityPolicy, 8: trace.KernelReadx509Certificate, } - } else if kernel5818ComparedToRunningKernel == helpers.KernelVersionEqual /* Running kernel is 5.8.18 */ || - (kernel570ComparedToRunningKernel == helpers.KernelVersionNewer && /* Running kernel is older than 5.7.0 */ - kernel4180ComparedToRunningKernel != helpers.KernelVersionOlder) /* Running kernel is 4.18 or newer */ { + } else if kernel5818ComparedToRunningKernel == environment.KernelVersionEqual /* Running kernel is 5.8.18 */ || + (kernel570ComparedToRunningKernel == environment.KernelVersionNewer && /* Running kernel is older than 5.7.0 */ + kernel4180ComparedToRunningKernel != environment.KernelVersionOlder) /* Running kernel is 4.18 or newer */ { // running kernel version: ==5.8.18 || (<5.7 && >=4.18) kernelReadFileTypes = map[int32]trace.KernelReadType{ 0: trace.KernelReadUnknown, diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go index 968d372e803a..8cb378bc4c58 100644 --- a/pkg/ebpf/tracee.go +++ b/pkg/ebpf/tracee.go @@ -14,7 +14,6 @@ import ( "kernel.org/pub/linux/libs/security/libcap/cap" bpf "github.com/aquasecurity/libbpfgo" - "github.com/aquasecurity/libbpfgo/helpers" "github.com/aquasecurity/tracee/pkg/bucketscache" "github.com/aquasecurity/tracee/pkg/bufferdecoder" @@ -42,6 +41,7 @@ import ( "github.com/aquasecurity/tracee/pkg/signatures/engine" "github.com/aquasecurity/tracee/pkg/streams" "github.com/aquasecurity/tracee/pkg/utils" + "github.com/aquasecurity/tracee/pkg/utils/environment" "github.com/aquasecurity/tracee/pkg/utils/proc" "github.com/aquasecurity/tracee/pkg/utils/sharedobjs" "github.com/aquasecurity/tracee/types/trace" @@ -79,7 +79,7 @@ type Tracee struct { // Internal Data readFiles map[string]string pidsInMntns bucketscache.BucketsCache // first n PIDs in each mountns - kernelSymbols *helpers.KernelSymbolTable + kernelSymbols *environment.KernelSymbolTable // eBPF bpfModule *bpf.Module probes *probes.ProbeGroup @@ -388,7 +388,7 @@ func (t *Tracee) Init(ctx gocontext.Context) error { err = capabilities.GetInstance().Specific( func() error { - t.kernelSymbols, err = helpers.NewKernelSymbolTable() + t.kernelSymbols, err = environment.NewKernelSymbolTable() return err }, cap.SYSLOG, diff --git a/pkg/events/derive/hooked_seq_ops.go b/pkg/events/derive/hooked_seq_ops.go index 585cd9f315ef..08af6ba5fe5f 100644 --- a/pkg/events/derive/hooked_seq_ops.go +++ b/pkg/events/derive/hooked_seq_ops.go @@ -1,12 +1,11 @@ package derive import ( - "github.com/aquasecurity/libbpfgo/helpers" - "github.com/aquasecurity/tracee/pkg/errfmt" "github.com/aquasecurity/tracee/pkg/events" "github.com/aquasecurity/tracee/pkg/events/parse" "github.com/aquasecurity/tracee/pkg/utils" + "github.com/aquasecurity/tracee/pkg/utils/environment" "github.com/aquasecurity/tracee/types/trace" ) @@ -28,11 +27,11 @@ var NetSeqOpsFuncs = [4]string{ "stop", } -func HookedSeqOps(kernelSymbols *helpers.KernelSymbolTable) DeriveFunction { +func HookedSeqOps(kernelSymbols *environment.KernelSymbolTable) DeriveFunction { return deriveSingleEvent(events.HookedSeqOps, deriveHookedSeqOpsArgs(kernelSymbols)) } -func deriveHookedSeqOpsArgs(kernelSymbols *helpers.KernelSymbolTable) deriveArgsFunction { +func deriveHookedSeqOpsArgs(kernelSymbols *environment.KernelSymbolTable) deriveArgsFunction { return func(event trace.Event) ([]interface{}, error) { seqOpsArr, err := parse.ArgVal[[]uint64](event.Args, "net_seq_ops") if err != nil || len(seqOpsArr) < 1 { diff --git a/pkg/events/derive/hooked_syscall.go b/pkg/events/derive/hooked_syscall.go index c1aacb8c7838..9160e274f346 100644 --- a/pkg/events/derive/hooked_syscall.go +++ b/pkg/events/derive/hooked_syscall.go @@ -5,11 +5,10 @@ import ( lru "github.com/hashicorp/golang-lru/v2" - "github.com/aquasecurity/libbpfgo/helpers" - "github.com/aquasecurity/tracee/pkg/errfmt" "github.com/aquasecurity/tracee/pkg/events" "github.com/aquasecurity/tracee/pkg/events/parse" + "github.com/aquasecurity/tracee/pkg/utils/environment" "github.com/aquasecurity/tracee/types/trace" ) @@ -28,11 +27,11 @@ func InitHookedSyscall() error { return err } -func DetectHookedSyscall(kernelSymbols *helpers.KernelSymbolTable) DeriveFunction { +func DetectHookedSyscall(kernelSymbols *environment.KernelSymbolTable) DeriveFunction { return deriveSingleEvent(events.HookedSyscall, deriveDetectHookedSyscallArgs(kernelSymbols)) } -func deriveDetectHookedSyscallArgs(kernelSymbols *helpers.KernelSymbolTable) deriveArgsFunction { +func deriveDetectHookedSyscallArgs(kernelSymbols *environment.KernelSymbolTable) deriveArgsFunction { return func(event trace.Event) ([]interface{}, error) { syscallId, err := parse.ArgVal[int32](event.Args, "syscall_id") if err != nil { diff --git a/pkg/events/parse_args.go b/pkg/events/parse_args.go index 0a61b1f9e337..c646d211fd05 100644 --- a/pkg/events/parse_args.go +++ b/pkg/events/parse_args.go @@ -7,9 +7,9 @@ import ( "unsafe" bpf "github.com/aquasecurity/libbpfgo" - "github.com/aquasecurity/libbpfgo/helpers" "github.com/aquasecurity/tracee/pkg/errfmt" + "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/types/trace" ) @@ -28,7 +28,7 @@ func ParseArgs(event *trace.Event) error { arg.Value = "" } - parseOrEmptyString := func(arg *trace.Argument, sysArg helpers.SystemFunctionArgument, err error) { + parseOrEmptyString := func(arg *trace.Argument, sysArg parsers.SystemFunctionArgument, err error) { emptyString(arg) if err == nil { arg.Value = sysArg.String() @@ -45,13 +45,13 @@ func ParseArgs(event *trace.Event) error { } if protArg := GetArg(event, "prot"); protArg != nil { if prot, isInt32 := protArg.Value.(int32); isInt32 { - mmapProtArgument := helpers.ParseMmapProt(uint64(prot)) + mmapProtArgument := parsers.ParseMmapProt(uint64(prot)) parseOrEmptyString(protArg, mmapProtArgument, nil) } } if prevProtArg := GetArg(event, "prev_prot"); prevProtArg != nil { if prevProt, isInt32 := prevProtArg.Value.(int32); isInt32 { - mmapProtArgument := helpers.ParseMmapProt(uint64(prevProt)) + mmapProtArgument := parsers.ParseMmapProt(uint64(prevProt)) parseOrEmptyString(prevProtArg, mmapProtArgument, nil) } } @@ -70,130 +70,130 @@ func ParseArgs(event *trace.Event) error { case CapCapable: if capArg := GetArg(event, "cap"); capArg != nil { if capability, isInt32 := capArg.Value.(int32); isInt32 { - capabilityFlagArgument, err := helpers.ParseCapability(uint64(capability)) + capabilityFlagArgument, err := parsers.ParseCapability(uint64(capability)) parseOrEmptyString(capArg, capabilityFlagArgument, err) } } case SecurityMmapFile, DoMmap: if protArg := GetArg(event, "prot"); protArg != nil { if prot, isUint64 := protArg.Value.(uint64); isUint64 { - mmapProtArgument := helpers.ParseMmapProt(prot) + mmapProtArgument := parsers.ParseMmapProt(prot) parseOrEmptyString(protArg, mmapProtArgument, nil) } } case Mmap, Mprotect, PkeyMprotect: if protArg := GetArg(event, "prot"); protArg != nil { if prot, isInt32 := protArg.Value.(int32); isInt32 { - mmapProtArgument := helpers.ParseMmapProt(uint64(prot)) + mmapProtArgument := parsers.ParseMmapProt(uint64(prot)) parseOrEmptyString(protArg, mmapProtArgument, nil) } } case SecurityFileMprotect: if protArg := GetArg(event, "prot"); protArg != nil { if prot, isInt32 := protArg.Value.(int32); isInt32 { - mmapProtArgument := helpers.ParseMmapProt(uint64(prot)) + mmapProtArgument := parsers.ParseMmapProt(uint64(prot)) parseOrEmptyString(protArg, mmapProtArgument, nil) } } if prevProtArg := GetArg(event, "prev_prot"); prevProtArg != nil { if prevProt, isInt32 := prevProtArg.Value.(int32); isInt32 { - mmapProtArgument := helpers.ParseMmapProt(uint64(prevProt)) + mmapProtArgument := parsers.ParseMmapProt(uint64(prevProt)) parseOrEmptyString(prevProtArg, mmapProtArgument, nil) } } case Ptrace: if reqArg := GetArg(event, "request"); reqArg != nil { if req, isInt64 := reqArg.Value.(int64); isInt64 { - ptraceRequestArgument, err := helpers.ParsePtraceRequestArgument(uint64(req)) + ptraceRequestArgument, err := parsers.ParsePtraceRequestArgument(uint64(req)) parseOrEmptyString(reqArg, ptraceRequestArgument, err) } } case Prctl: if optArg := GetArg(event, "option"); optArg != nil { if opt, isInt32 := optArg.Value.(int32); isInt32 { - prctlOptionArgument, err := helpers.ParsePrctlOption(uint64(opt)) + prctlOptionArgument, err := parsers.ParsePrctlOption(uint64(opt)) parseOrEmptyString(optArg, prctlOptionArgument, err) } } case Socketcall: if callArg := GetArg(event, "call"); callArg != nil { if call, isInt32 := callArg.Value.(int32); isInt32 { - socketcallArgument, err := helpers.ParseSocketcallCall(uint64(call)) + socketcallArgument, err := parsers.ParseSocketcallCall(uint64(call)) parseOrEmptyString(callArg, socketcallArgument, err) } } case Socket: if domArg := GetArg(event, "domain"); domArg != nil { if dom, isInt32 := domArg.Value.(int32); isInt32 { - socketDomainArgument, err := helpers.ParseSocketDomainArgument(uint64(dom)) + socketDomainArgument, err := parsers.ParseSocketDomainArgument(uint64(dom)) parseOrEmptyString(domArg, socketDomainArgument, err) } } if typeArg := GetArg(event, "type"); typeArg != nil { if typ, isInt32 := typeArg.Value.(int32); isInt32 { - socketTypeArgument, err := helpers.ParseSocketType(uint64(typ)) + socketTypeArgument, err := parsers.ParseSocketType(uint64(typ)) parseOrEmptyString(typeArg, socketTypeArgument, err) } } case SecuritySocketCreate, SecuritySocketConnect: if domArg := GetArg(event, "family"); domArg != nil { if dom, isInt32 := domArg.Value.(int32); isInt32 { - socketDomainArgument, err := helpers.ParseSocketDomainArgument(uint64(dom)) + socketDomainArgument, err := parsers.ParseSocketDomainArgument(uint64(dom)) parseOrEmptyString(domArg, socketDomainArgument, err) } } if typeArg := GetArg(event, "type"); typeArg != nil { if typ, isInt32 := typeArg.Value.(int32); isInt32 { - socketTypeArgument, err := helpers.ParseSocketType(uint64(typ)) + socketTypeArgument, err := parsers.ParseSocketType(uint64(typ)) parseOrEmptyString(typeArg, socketTypeArgument, err) } } case Access, Faccessat: if modeArg := GetArg(event, "mode"); modeArg != nil { if mode, isInt32 := modeArg.Value.(int32); isInt32 { - accessModeArgument, err := helpers.ParseAccessMode(uint64(mode)) + accessModeArgument, err := parsers.ParseAccessMode(uint64(mode)) parseOrEmptyString(modeArg, accessModeArgument, err) } } case Execveat: if flagsArg := GetArg(event, "flags"); flagsArg != nil { if flags, isInt32 := flagsArg.Value.(int32); isInt32 { - execFlagArgument, err := helpers.ParseExecFlag(uint64(flags)) + execFlagArgument, err := parsers.ParseExecFlag(uint64(flags)) parseOrEmptyString(flagsArg, execFlagArgument, err) } } case Open, Openat, SecurityFileOpen: if flagsArg := GetArg(event, "flags"); flagsArg != nil { if flags, isInt32 := flagsArg.Value.(int32); isInt32 { - openFlagArgument, err := helpers.ParseOpenFlagArgument(uint64(flags)) + openFlagArgument, err := parsers.ParseOpenFlagArgument(uint64(flags)) parseOrEmptyString(flagsArg, openFlagArgument, err) } } case Mknod, Mknodat, Chmod, Fchmod, Fchmodat: if modeArg := GetArg(event, "mode"); modeArg != nil { if mode, isUint32 := modeArg.Value.(uint32); isUint32 { - inodeModeArgument, err := helpers.ParseInodeMode(uint64(mode)) + inodeModeArgument, err := parsers.ParseInodeMode(uint64(mode)) parseOrEmptyString(modeArg, inodeModeArgument, err) } } case SecurityInodeMknod: if modeArg := GetArg(event, "mode"); modeArg != nil { if mode, isUint16 := modeArg.Value.(uint16); isUint16 { - inodeModeArgument, err := helpers.ParseInodeMode(uint64(mode)) + inodeModeArgument, err := parsers.ParseInodeMode(uint64(mode)) parseOrEmptyString(modeArg, inodeModeArgument, err) } } case Clone: if flagsArg := GetArg(event, "flags"); flagsArg != nil { if flags, isUint64 := flagsArg.Value.(uint64); isUint64 { - cloneFlagArgument, err := helpers.ParseCloneFlags(uint64(flags)) + cloneFlagArgument, err := parsers.ParseCloneFlags(uint64(flags)) parseOrEmptyString(flagsArg, cloneFlagArgument, err) } } case Bpf, SecurityBPF: if cmdArg := GetArg(event, "cmd"); cmdArg != nil { if cmd, isInt32 := cmdArg.Value.(int32); isInt32 { - bpfCommandArgument, err := helpers.ParseBPFCmd(uint64(cmd)) + bpfCommandArgument, err := parsers.ParseBPFCmd(uint64(cmd)) parseOrEmptyString(cmdArg, bpfCommandArgument, err) } } @@ -207,32 +207,32 @@ func ParseArgs(event *trace.Event) error { case SchedProcessExec: if modeArg := GetArg(event, "stdin_type"); modeArg != nil { if mode, isUint16 := modeArg.Value.(uint16); isUint16 { - inodeModeArgument, err := helpers.ParseInodeMode(uint64(mode)) + inodeModeArgument, err := parsers.ParseInodeMode(uint64(mode)) parseOrEmptyString(modeArg, inodeModeArgument, err) } } case DirtyPipeSplice: if modeArg := GetArg(event, "in_file_type"); modeArg != nil { if mode, isUint16 := modeArg.Value.(uint16); isUint16 { - inodeModeArgument, err := helpers.ParseInodeMode(uint64(mode)) + inodeModeArgument, err := parsers.ParseInodeMode(uint64(mode)) parseOrEmptyString(modeArg, inodeModeArgument, err) } } case SecuritySocketSetsockopt, Setsockopt, Getsockopt: if levelArg := GetArg(event, "level"); levelArg != nil { if level, isInt := levelArg.Value.(int32); isInt { - levelArgument, err := helpers.ParseSocketLevel(uint64(level)) + levelArgument, err := parsers.ParseSocketLevel(uint64(level)) parseOrEmptyString(levelArg, levelArgument, err) } } if optionNameArg := GetArg(event, "optname"); optionNameArg != nil { if opt, isInt := optionNameArg.Value.(int32); isInt { - var optionNameArgument helpers.SocketOptionArgument + var optionNameArgument parsers.SocketOptionArgument var err error if ID(event.EventID) == Getsockopt { - optionNameArgument, err = helpers.ParseGetSocketOption(uint64(opt)) + optionNameArgument, err = parsers.ParseGetSocketOption(uint64(opt)) } else { - optionNameArgument, err = helpers.ParseSetSocketOption(uint64(opt)) + optionNameArgument, err = parsers.ParseSetSocketOption(uint64(opt)) } parseOrEmptyString(optionNameArg, optionNameArgument, err) } @@ -240,7 +240,7 @@ func ParseArgs(event *trace.Event) error { case BpfAttach: if progTypeArg := GetArg(event, "prog_type"); progTypeArg != nil { if progType, isInt := progTypeArg.Value.(int32); isInt { - progTypeArgument, err := helpers.ParseBPFProgType(uint64(progType)) + progTypeArgument, err := parsers.ParseBPFProgType(uint64(progType)) parseOrEmptyString(progTypeArg, progTypeArgument, err) } } @@ -266,7 +266,7 @@ func ParseArgs(event *trace.Event) error { case SecurityBpfProg: if progTypeArg := GetArg(event, "type"); progTypeArg != nil { if progType, isInt := progTypeArg.Value.(int32); isInt { - progTypeArgument, err := helpers.ParseBPFProgType(uint64(progType)) + progTypeArgument, err := parsers.ParseBPFProgType(uint64(progType)) parseOrEmptyString(progTypeArg, progTypeArgument, err) } } @@ -283,13 +283,13 @@ func ParseArgs(event *trace.Event) error { case SecurityPathNotify: if maskArg := GetArg(event, "mask"); maskArg != nil { if mask, isUint64 := maskArg.Value.(uint64); isUint64 { - fsNotifyMaskArgument := helpers.ParseFsNotifyMask(mask) + fsNotifyMaskArgument := parsers.ParseFsNotifyMask(mask) parseOrEmptyString(maskArg, fsNotifyMaskArgument, nil) } } if objTypeArg := GetArg(event, "obj_type"); objTypeArg != nil { if objType, isUint := objTypeArg.Value.(uint32); isUint { - objTypeArgument, err := helpers.ParseFsNotifyObjType(uint64(objType)) + objTypeArgument, err := parsers.ParseFsNotifyObjType(uint64(objType)) parseOrEmptyString(objTypeArg, objTypeArgument, err) } } @@ -351,7 +351,7 @@ func parseBpfHelpersUsage(helpersList []uint64) ([]string, error) { for i := 0; i < len(helpersList)*64; i++ { if (helpersList[i/64] & (1 << (i % 64))) > 0 { // helper number is used. get its name from libbpfgo - bpfHelper, err := helpers.ParseBPFFunc(uint64(i)) + bpfHelper, err := parsers.ParseBPFFunc(uint64(i)) if err != nil { continue } diff --git a/pkg/events/parse_args_test.go b/pkg/events/parse_args_test.go index 30a8c7872a26..da90e2bf56b8 100644 --- a/pkg/events/parse_args_test.go +++ b/pkg/events/parse_args_test.go @@ -6,8 +6,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/aquasecurity/libbpfgo/helpers" - + "github.com/aquasecurity/tracee/pkg/events/parsers" "github.com/aquasecurity/tracee/types/trace" ) @@ -30,14 +29,14 @@ func TestParseArgs(t *testing.T) { Name: "optname", Type: "int", }, - Value: int32(helpers.SO_LOCK_FILTER.Value()), + Value: int32(parsers.SO_LOCK_FILTER.Value()), }, { ArgMeta: trace.ArgMeta{ Name: "level", Type: "int", }, - Value: int32(helpers.SOL_IP.Value()), + Value: int32(parsers.SOL_IP.Value()), }, }, expectedArgs: []trace.Argument{ @@ -46,14 +45,14 @@ func TestParseArgs(t *testing.T) { Name: "optname", Type: "string", }, - Value: helpers.SO_LOCK_FILTER.String(), + Value: parsers.SO_LOCK_FILTER.String(), }, { ArgMeta: trace.ArgMeta{ Name: "level", Type: "string", }, - Value: helpers.SOL_IP.String(), + Value: parsers.SOL_IP.String(), }, }, }, @@ -65,7 +64,7 @@ func TestParseArgs(t *testing.T) { Name: "optname", Type: "int", }, - Value: int32(helpers.SO_ATTACH_FILTER.Value()), + Value: int32(parsers.SO_ATTACH_FILTER.Value()), }, }, expectedArgs: []trace.Argument{ @@ -86,7 +85,7 @@ func TestParseArgs(t *testing.T) { Name: "optname", Type: "int", }, - Value: int32(helpers.SO_LOCK_FILTER.Value()), + Value: int32(parsers.SO_LOCK_FILTER.Value()), }, }, expectedArgs: []trace.Argument{ @@ -95,7 +94,7 @@ func TestParseArgs(t *testing.T) { Name: "optname", Type: "string", }, - Value: helpers.SO_LOCK_FILTER.String(), + Value: parsers.SO_LOCK_FILTER.String(), }, }, }, @@ -137,14 +136,14 @@ func TestParseArgs(t *testing.T) { Name: "optname", Type: "int", }, - Value: int32(helpers.SO_LOCK_FILTER.Value()), + Value: int32(parsers.SO_LOCK_FILTER.Value()), }, { ArgMeta: trace.ArgMeta{ Name: "level", Type: "int", }, - Value: int32(helpers.SOL_IP.Value()), + Value: int32(parsers.SOL_IP.Value()), }, }, expectedArgs: []trace.Argument{ @@ -153,14 +152,14 @@ func TestParseArgs(t *testing.T) { Name: "optname", Type: "string", }, - Value: helpers.SO_LOCK_FILTER.String(), + Value: parsers.SO_LOCK_FILTER.String(), }, { ArgMeta: trace.ArgMeta{ Name: "level", Type: "string", }, - Value: helpers.SOL_IP.String(), + Value: parsers.SOL_IP.String(), }, }, }, @@ -172,7 +171,7 @@ func TestParseArgs(t *testing.T) { Name: "optname", Type: "int", }, - Value: int32(helpers.SO_GET_FILTER.Value()), + Value: int32(parsers.SO_GET_FILTER.Value()), }, }, expectedArgs: []trace.Argument{ diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go index 9db7e8f517f1..017bcbab2f90 100644 --- a/pkg/utils/utils.go +++ b/pkg/utils/utils.go @@ -5,7 +5,7 @@ import ( "strings" "time" - "github.com/aquasecurity/libbpfgo/helpers" + "github.com/aquasecurity/tracee/pkg/utils/environment" ) // Cloner is a generic interface for objects that can clone themselves. @@ -22,12 +22,12 @@ type Iterator[T any] interface { Next() T } -func ParseSymbol(address uint64, table *helpers.KernelSymbolTable) helpers.KernelSymbol { - var hookingFunction helpers.KernelSymbol +func ParseSymbol(address uint64, table *environment.KernelSymbolTable) environment.KernelSymbol { + var hookingFunction environment.KernelSymbol symbols, err := table.GetSymbolByAddr(address) if err != nil { - hookingFunction = helpers.KernelSymbol{} + hookingFunction = environment.KernelSymbol{} hookingFunction.Owner = "hidden" } else { hookingFunction = symbols[0] diff --git a/tests/e2e-inst-signatures/e2e-process_execute_failed.go b/tests/e2e-inst-signatures/e2e-process_execute_failed.go index fbab3405687f..7ea7d65c5edf 100644 --- a/tests/e2e-inst-signatures/e2e-process_execute_failed.go +++ b/tests/e2e-inst-signatures/e2e-process_execute_failed.go @@ -5,8 +5,7 @@ import ( "strings" "sync" - bpfhelpers "github.com/aquasecurity/libbpfgo/helpers" - + "github.com/aquasecurity/tracee/pkg/environment" "github.com/aquasecurity/tracee/signatures/helpers" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/protocol" @@ -15,14 +14,14 @@ import ( type e2eProcessExecuteFailed struct { cb detect.SignatureHandler - osInfo *bpfhelpers.OSInfo + osInfo *environment.OSInfo markUnsupportedKernel sync.Once } func (sig *e2eProcessExecuteFailed) Init(ctx detect.SignatureContext) error { sig.cb = ctx.Callback var err error - sig.osInfo, err = bpfhelpers.GetOSInfo() + sig.osInfo, err = environment.GetOSInfo() if err != nil { return err } @@ -61,12 +60,12 @@ func (sig *e2eProcessExecuteFailed) OnEvent(event protocol.Event) error { var err error sig.markUnsupportedKernel.Do( func() { - var comp bpfhelpers.KernelVersionComparison + var comp environment.KernelVersionComparison comp, err = sig.osInfo.CompareOSBaseKernelRelease("5.7") if err != nil { return } - if comp == bpfhelpers.KernelVersionNewer { // < V5.8 + if comp == environment.KernelVersionNewer { // < V5.8 m, _ := sig.GetMetadata() sig.cb(&detect.Finding{ diff --git a/tests/e2e-inst-signatures/e2e-set_fs_pwd.go b/tests/e2e-inst-signatures/e2e-set_fs_pwd.go index 47e9abaff6db..f9cda190b64b 100644 --- a/tests/e2e-inst-signatures/e2e-set_fs_pwd.go +++ b/tests/e2e-inst-signatures/e2e-set_fs_pwd.go @@ -4,8 +4,7 @@ import ( "fmt" "strings" - libbfgo "github.com/aquasecurity/libbpfgo/helpers" - + "github.com/aquasecurity/tracee/pkg/utils/environment" "github.com/aquasecurity/tracee/signatures/helpers" "github.com/aquasecurity/tracee/types/detect" "github.com/aquasecurity/tracee/types/protocol" @@ -22,7 +21,7 @@ func (sig *e2eSetFsPwd) Init(ctx detect.SignatureContext) error { // Find if this system has the bpf_probe_read_user_str helper. // If it doesn't we won't expect the unresolved path to contain anything - ksyms, err := libbfgo.NewKernelSymbolTable() + ksyms, err := environment.NewKernelSymbolTable() if err != nil { return err } diff --git a/tests/integration/tracee.go b/tests/integration/tracee.go index 0a4772e89275..2da4e7ec39f8 100644 --- a/tests/integration/tracee.go +++ b/tests/integration/tracee.go @@ -10,12 +10,11 @@ import ( "testing" "time" - "github.com/aquasecurity/libbpfgo/helpers" - "github.com/aquasecurity/tracee/pkg/cmd/initialize" "github.com/aquasecurity/tracee/pkg/config" tracee "github.com/aquasecurity/tracee/pkg/ebpf" "github.com/aquasecurity/tracee/pkg/proctree" + "github.com/aquasecurity/tracee/pkg/utils/environment" uproc "github.com/aquasecurity/tracee/pkg/utils/proc" "github.com/aquasecurity/tracee/types/trace" ) @@ -78,7 +77,7 @@ func startTracee(ctx context.Context, t *testing.T, cfg config.Config, output *c cfg.KernelConfig = kernelConfig - osInfo, err := helpers.GetOSInfo() + osInfo, err := environment.GetOSInfo() if err != nil { return nil, err }