
Fix ksymbols mem consumption 0.21 #4097

Commits on Apr 29, 2024

  1. fix(events): create usermode events for submit

    Fix an issue where usermode events are only created if they should be
    emitted.
    
    commit: cc1eea7 (main), cherry-pick
    AlonZivony authored and geyslan committed Apr 29, 2024
    SHA: 3a743fa
  2. fix(events): change process_execute_failed probes

    The previous probe was missing from different distros and kernels.
    The new probes are safer, but only exist starting from v5.8 of the kernel.
    
    commit: a496a9e (main), cherry-pick
    AlonZivony authored and geyslan committed Apr 29, 2024
    SHA: 1dea382

Commits on May 5, 2024

  1. fix(events): hidden_kernel_module - change history scan behaviour (aquasecurity#4020)
    
    The MAX_NUM_MODULES was recently decreased from 600 to 450 and is anyway relatively small.
    In case there are more modules to iterate on than the number of the
    iterations done, it will report the rest as false positives.
    To mitigate that, an LRU holds the suspected events and waits until the
    scan finishes: if the scan finished successfully, sends the events and
    otherwise deletes them.
    
    This was introduced in kernels 6.5 where the mod_tree contains 3x nodes
    as before, and 450 iterations are not enough if there are about 450/3
    modules loaded in the system.
    
    When it's possible to use bpf_loop (currently RHEL verifier fails if the
    helper exists in the code; specific program loading might solve it),
    this patch needs to be reverted and the patch that uses bpf_loop needs
    to be used instead.
    OriGlassman authored May 5, 2024
    SHA: f899a86
  2. feat(proctree): control procfs query by config (aquasecurity#4022)

    Allow the procfs scanning and querying to be configured by the user.
    For now Tracee only enables disabling the procfs querying upon lost events.
    This should help to improve performance on high-load systems.
    AlonZivony authored May 5, 2024
    SHA: b4be8a3

Commits on May 7, 2024

  1. fix: restore io capture output

    Commit 3ddf73d changed various probe_read calls to probe_read_kernel.
    However, io capture relies on reading userspace buffers, as such the
    pointers being read are userspace pointers. Therefore the relevant calls
    in some of these changes, affecting IO capture, were changed to
    probe_read_user.
    
    commit: e08d553 (main), cherry-pick
    NDStrahilevitz committed May 7, 2024
    SHA: d8a6c25
  2. tests(inst): add vfs_writev test (disabled)

    Add an e2e instrumentation test for the vfs_writev event. Due to the
    event being broken on some kernels, it is currently disabled (missing
    in declaration in pr.yaml).
    
    commit: ce26df3 (main), cherry-pick
    NDStrahilevitz committed May 7, 2024
    SHA: cafc3ea
  3. tests(integration): add capture tests

    commit: d89195c (main), cherry-pick
    NDStrahilevitz committed May 7, 2024
    SHA: 0609071
  4. fix: network event context (aquasecurity#4029)

    Commit f806cb4 changed context initialization to occur in the submit
    stage. However, network events do not have access to that context during
    their submit stage (since they happen in a cgroup_skb program).
    
    Therefore, add a call to init_task_context in the pre cgroup bpf program
    (cgroup_bpf_run_filter_skb).
    
    In addition add a validation in the e2e tests so that task context
    initialization in network events doesn't break.
    
    commit: cf391b4 (main), cherry-pick
    NDStrahilevitz authored May 7, 2024
    SHA: 8c14a5f

Commits on May 8, 2024

  1. fix(ebpf): use kprobes for execute_finished (aquasecurity#4025) (aquasecurity#4030)
    
    Recently, the process_execute_failed event implementation had been changed to use the new inner execute_finished event.
    This event has used syscall tracepoints in its implementation.
    However, tracepoints rely on debugfs, which was not a requirement of tracee until now.
    To remove this requirement (at least for now), move to use architecture-specific kprobes instead.
    
    (cherry picked from commit 14c106e)
    AlonZivony authored May 8, 2024
    SHA: fee4447

Commits on May 9, 2024

  1. fix: avoid logging warnings for non-ELF so loading (aquasecurity#4034) (aquasecurity#4037)
    
    The symbols_loaded event currently logs all errors received in its
    logic.
    However, there is a case that an object is loaded to a process which
    is not ELF (for example, jsa files of Java).
    As the event is not meant to parse such files, avoid logging errors in
    parsing them.
    
    (cherry picked from commit 134f281)
    AlonZivony authored May 9, 2024
    SHA: 70a0841

Commits on May 13, 2024

  1. chore(events): decrease SO loader error log level to debug (aquasecurity#4041)
    
    Errors from the SO loader are pretty frequent because of race conditions.
    As the user has nothing to do with it, the log level should be lowered from WARN.
    AlonZivony authored May 13, 2024
    SHA: ea687e2
  2. fix: remove invalid "format" event from docs

    Fix aquasecurity#4012
    
    The documentation sports a "Format" security event:
    https://aquasecurity.github.io/tracee/latest/docs/events/builtin/signatures/format/
    This is some error with how the documentation got created by AI.
    
    Remove this "event" from docs.
    yanivagman committed May 13, 2024
    SHA: 5653483

Commits on May 16, 2024

  1. fix(tests): fix goroutines leakage in integration tests (aquasecurity#4047) (aquasecurity#4052)
    
    Fix tests so they will make sure to close channels properly and clean goroutines.
    
    (cherry picked from commit cd7ed0d)
    AlonZivony authored May 16, 2024
    SHA: 1ba8a3d
  2. Revert "chore(k8s): prepare v0.21.0 release (aquasecurity#4007)" (aquasecurity#4055)
    
    This reverts commit 7d63078.
    
    commit: 70abe5e (main), cherry-pick
    geyslan authored May 16, 2024
    SHA: ce4fe64
  3. chore(helm): rename helm field config file (aquasecurity#4018) (aquasecurity#4057)
    
    commit: a458fa9 (main), cherry-pick
    
    Co-authored-by: Raphael Campos <raphaelcampos.rp@gmail.com>
    geyslan and rscampos authored May 16, 2024
    SHA: 9e64ce2

Commits on May 21, 2024

  1. feat(proctree): limit changelog size

    Add limitation to the amount of logged objects in the changelog.
    This should help in reducing the chance of memory leakage.
    AlonZivony authored and yanivagman committed May 21, 2024
    SHA: 5890f40
  2. fix(proctree): reduce process info memory

    The current process tree takes a lot of memory (~150MB from calculation).
    However, it is a new feature and not all of its info has a high chance of
    being used.
    For now, it was decided not to save the interpreter and interp
    information for processes until it is proven to be needed.
    This should reduce the process tree size by at least 60MB (but will
    probably reduce more than that).
    AlonZivony authored and yanivagman committed May 21, 2024
    SHA: 75a7915
  3. fix(proctree): limit saved file path length

    File paths are created by concatenating the dentries' names from the root to the file, and concatenating the file name in the end.
    Although each dentry and file name has a max length, the entire path has none.
    To avoid memory leakage caused by saving file paths, introduce a limit to the saved path length.
    AlonZivony authored and yanivagman committed May 21, 2024
    SHA: 6143226

Commits on May 22, 2024

  1. fix(build): static build might require zstd lib

    libelf might be built with zstd support in some environments, so for
    static builds (mainly) it is necessary to ensure that the zstd library
    is available.
    
    https://sourceware.org/git/?p=elfutils.git;a=commit;h=ed688a59b4d4f5ccf6ef15244e5a9139f71769a3
    
    commit: 5e42f2c (main), cherry-pick
    geyslan committed May 22, 2024
    SHA: e4e3f33
  2. chore: install required bpftool from btfhub

    commit: d2cd2c3 (main), cherry-pick
    geyslan committed May 22, 2024
    SHA: ef039e1
  3. chore: temp fix for install libzstd on AMIs

    AMIs have to be updated and installations like this commented out.
    
    commit: ba4db8b (main), cherry-pick
    geyslan committed May 22, 2024
    SHA: 3d7178e

Commits on May 26, 2024

  1. fix: select cgroup mountpoint with the smallest inode number

    When running Tracee from within a container, multiple mount points of the
    cgroup filesystem may exist. In such cases, we need to ensure that we select
    the mountpoint from the host cgroup namespace. By checking for an inode equal
    to 1, we can identify the cgroupfs mountpoint belonging to the host cgroup
    namespace. This ensures that Tracee can discover preexisting containers using
    the host cgroup filesystem.
    
    Additionally, a warning log is emitted if the cgroup mountpoint does not have
    an inode of 1, indicating that it might not be part of the host cgroup
    namespace.
    yanivagman committed May 26, 2024
    SHA: 59566b4
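An added illustration of the selection rule this commit describes (my own Go sketch, not Tracee's code): it parses mountinfo text, keeps only cgroup/cgroup2 mounts, and picks the one with the smallest inode number, flagging the case where no candidate has inode 1. Reading /proc/self/mountinfo and injecting the inode lookup are assumptions so the sample runs offline.

```go
package main

import (
	"bufio"
	"strings"
)

// cgroupMounts parses /proc/self/mountinfo text ("id parent maj:min root mountpoint
// opts [optional...] - fstype source superopts" per line) and maps each cgroup or
// cgroup2 mountpoint to its inode. inodeOf is injected (os.Stat in real code).
func cgroupMounts(mountinfo string, inodeOf func(string) (uint64, error)) (map[string]uint64, error) {
	out := map[string]uint64{}
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), " - ", 2) // " - " always precedes fstype
		if len(parts) != 2 {
			continue
		}
		pre, post := strings.Fields(parts[0]), strings.Fields(parts[1])
		if len(pre) < 6 || len(post) < 1 || (post[0] != "cgroup" && post[0] != "cgroup2") {
			continue
		}
		ino, err := inodeOf(pre[4])
		if err != nil {
			return nil, err
		}
		out[pre[4]] = ino
	}
	return out, sc.Err()
}

// selectHostCgroupMount picks the mountpoint with the smallest inode number. Inode 1
// marks the root of the host cgroup namespace; hostNS is false when no candidate has
// inode 1, the case the commit logs as a warning. Ties are broken by path.
func selectHostCgroupMount(mounts map[string]uint64) (best string, hostNS bool) {
	bestIno := ^uint64(0)
	for p, ino := range mounts {
		if ino < bestIno || (ino == bestIno && p < best) {
			best, bestIno = p, ino
		}
	}
	return best, best != "" && bestIno == 1
}

// Constructed sample: a container-local cgroup2 mount (inode 1234) beside a bind
// mount of the host cgroupfs (inode 1); the inode table stands in for os.Stat.
const sampleMountinfo = `30 22 0:26 /docker/abc /sys/fs/cgroup rw,nosuid - cgroup2 cgroup rw
41 22 0:26 / /host/sys/fs/cgroup ro - cgroup2 cgroup rw
42 22 0:27 / /proc rw - proc proc rw`
var sampleInodes = map[string]uint64{"/sys/fs/cgroup": 1234, "/host/sys/fs/cgroup": 1}
```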

Commits on May 29, 2024

  1. Refactor: Optimize GetCgroupPath() memory utilization

    The GetCgroupPath function previously used recursion for directory traversal,
    which could consume excessive memory for deep directory structures. This commit
    refactors the function to use an iterative approach, reducing memory usage and
    improving performance. Additionally, the comments and error handling in the
    function have been updated for clarity and consistency.
    yanivagman committed May 29, 2024
    SHA: 738bd99

Commits on Jun 2, 2024

  1. chore: Move helpers package from libbpfgo to local repository

    Copied helpers package from libbpfgo to local repo to avoid dependency issues.
    This eliminates frequent updates of libbpfgo and simplifies our workflow.
    Allows faster bug fixes and updates, improving development efficiency.
    yanivagman committed Jun 2, 2024
    SHA: 51bbc8f
  2. fix: unchecked type assertions in kernel config parsing

    Ensure safe type assertions in kernel config parsing to prevent potential panics.
    Used type switch assignment and added type checks for value comparisons.
    yanivagman committed Jun 2, 2024
    SHA: 5286aff
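An added Go sketch of the defect this commit describes (mine, not Tracee's kernel config code): a blind cfg[key].(string) on a map holding mixed dynamic types panics and takes the tracer down, while a type switch with explicit checks returns false. The .config parsing rules and the sample lines are constructed for an offline run.

```go
package main

import (
	"bufio"
	"strconv"
	"strings"
)

// parseKernelConfig turns ".config"-style lines into typed values: quoted values are
// unquoted, numbers become int64, tristates ("y"/"m") stay strings. This mix is what
// makes a blind type assertion on a lookup dangerous.
func parseKernelConfig(text string) map[string]interface{} {
	cfg := map[string]interface{}{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		k, v, ok := strings.Cut(strings.TrimSpace(sc.Text()), "=")
		if !ok || !strings.HasPrefix(k, "CONFIG_") {
			continue // blanks, comments and "# CONFIG_X is not set" lines
		}
		if s, err := strconv.Unquote(v); err == nil {
			cfg[k] = s
		} else if n, err := strconv.ParseInt(v, 0, 64); err == nil {
			cfg[k] = n
		} else {
			cfg[k] = v
		}
	}
	return cfg
}

// uncheckedEquals is the pattern the fix removes: cfg[key].(string) panics when the
// key is absent (nil interface) or holds an int64, crashing the whole process.
func uncheckedEquals(cfg map[string]interface{}, key, want string) bool {
	return cfg[key].(string) == want
}

// safeEquals compares through a type switch, so a missing key or a value of another
// type yields false instead of a panic.
func safeEquals(cfg map[string]interface{}, key string, want interface{}) bool {
	switch have := cfg[key].(type) {
	case string:
		w, ok := want.(string)
		return ok && have == w
	case int64:
		w, ok := want.(int64)
		return ok && have == w
	}
	return false
}

// Constructed .config excerpt.
const sampleConfig = `CONFIG_BPF=y
CONFIG_LOG_BUF_SHIFT=17
CONFIG_DEFAULT_HOSTNAME="(none)"`
```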
  3. fix: unchecked errors for file closures

    Ensure errors from file closures are handled to prevent potential issues.
    - Added deferred anonymous functions to check and log errors from f.Close().
    - Improved logging for better error tracking.
    yanivagman committed Jun 2, 2024
    SHA: a8c5cc5
  4. chore: Integrate libbpfgo packages into project

    This commit integrates the libbpfgo packages into the tracee repository.
    These packages were previously copied over from libbpfgo in a separate
    PR (aquasecurity#4090) to resolve dependency issues. Now, tracee is utilizing these
    packages, providing better compatibility and ensuring smoother
    development.
    yanivagman committed Jun 2, 2024
    SHA: 5eee162
  5. fix: add missing dependency for hooked_syscalls event

    The hooked_syscalls event requires CAP_SYSLOG in order to refresh its
    symbol table when reading /proc/kallsyms.
    Add this missing dependency.
    yanivagman committed Jun 2, 2024
    SHA: f76c502
  6. feat(ksymbols): restore lazy ksyms implementation

    Use modified ksymbols implementation. The new implementation may take
    a list of required symbols and addresses to track. If the list is given,
    symbol scanning will only save those symbols or addresses which were
    given in the list. If a new symbol is queried, then a rescan is needed.
    
    Refactor tracee initialization to find all necessary symbols to track
    ahead of runtime.
    
    Co-authored-by: Geyslan Gregório <geyslan@gmail.com>
    Co-authored-by: Yaniv Agman <yanivagman@gmail.com>
    3 people committed Jun 2, 2024
    SHA: 03e3d7c
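An added Go sketch of the lazy tracking this commit describes (my own code, not Tracee's ksymbols package), narrowed to tracking by name: the scan stores only required symbols, and a query for an untracked name extends the required set and triggers one rescan, so memory grows with what is queried rather than with the size of the kernel symbol table. The kallsyms excerpt and the injected reader are constructed for an offline run.

```go
package main

import (
	"bufio"
	"strconv"
	"strings"
)

// scanKallsyms parses kallsyms text ("addr type name [module]" per line) and keeps
// only the required names, so memory is bounded by the request list, not the kernel.
func scanKallsyms(text string, required map[string]bool) map[string]uint64 {
	out := map[string]uint64{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 || !required[f[2]] {
			continue
		}
		if addr, err := strconv.ParseUint(f[0], 16, 64); err == nil {
			out[f[2]] = addr
		}
	}
	return out
}

// LazyKsymbols tracks a required set of names and rescans kallsyms only when a
// name outside that set is queried; the zero-value table scans on first use.
type LazyKsymbols struct {
	kallsyms func() string   // returns kallsyms text; injected so the sample runs offline
	required map[string]bool // names worth keeping; must be non-nil
	byName   map[string]uint64
}

// GetSymbolAddr returns a tracked address. A miss for a name not yet required adds
// it to the set and rescans once; a required name kallsyms lacks is reported missing
// without another pass, so repeated lookups of absent symbols stay cheap.
func (k *LazyKsymbols) GetSymbolAddr(name string) (uint64, bool) {
	if k.byName == nil {
		k.byName = scanKallsyms(k.kallsyms(), k.required)
	}
	if a, ok := k.byName[name]; ok || k.required[name] {
		return a, ok
	}
	k.required[name] = true
	k.byName = scanKallsyms(k.kallsyms(), k.required)
	a, ok := k.byName[name]
	return a, ok
}

// Constructed kallsyms excerpt; addresses are made up.
const sampleKallsyms = `ffffffff81000000 T _text
ffffffff810a0000 T sys_call_table
ffffffffc0001000 t hidden_helper [example_mod]`
```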