chore(events): export parse functions as a go module #4096
Conversation
AlonZivony
force-pushed
the
chore/move-parse-to-new-module
branch
from
d47532f
to
0ac73f4
Compare
go.mod
Outdated
| @@ -1,16 +1,15 @@ | |||
| module github.com/aquasecurity/tracee | |||
|
|
|||
| go 1.21 | |||
|
|
|||
| toolchain go1.21.5 | |||
There was a problem hiding this comment.
I think this was recently added by @geyslan to make builds use a known toolchain, why removing it?
There was a problem hiding this comment.
Didn't remove it, just ran go mod tidy.
I will check it.
There was a problem hiding this comment.
@geyslan is the toolchain still a requirement?
It is automatically removed by my IDE (Goland).
There was a problem hiding this comment.
Actually the PR is still open, I didn't have time to resolve its conflicts yet - mostly because it has to be coordinated with an internal tests bump (types).
@geyslan is the toolchain still a requirement?
I think that it is a sane requirement since we (contributors) will always have the same go version for tests/debugging.
It is automatically removed by my IDE (Goland).
Check if the cli go mod tidy removes it. In my case it doesn't.
I suppose that the maximum that go will enforce you is to download (automatically) the toolchain for that specific go.mod project. When you leave tracee folder, go version will be system's.
There was a problem hiding this comment.
Have you checked it in this PR branch?
Because it is reproduced in my machine with go mod tidy.
My go version is go version go1.21.6 linux/amd64
There was a problem hiding this comment.
So go mod tidy reinserted the toolchain, right?
What is the output of go version in other folder (without a go.mod)?
There was a problem hiding this comment.
go version go1.21.6 linux/amd64
| @@ -179,3 +178,5 @@ require ( | |||
| gopkg.in/yaml.v3 v3.0.1 // indirect | |||
| kernel.org/pub/linux/libs/security/libcap/psx v1.2.68 // indirect | |||
| ) | |||
|
|
|||
| replace github.com/aquasecurity/tracee/pkg/events/parsers => ./pkg/events/parsers | |||
There was a problem hiding this comment.
This is only temporary, right?
There was a problem hiding this comment.
Yea, will need follow-up PR to remove it
| return nil | ||
| } | ||
|
|
||
| func parseArgsFDs(event *trace.Event, origTimestamp uint64, fdArgPathMap *bpf.BPFMap) error { |
There was a problem hiding this comment.
Shouldn't it be part of the parsers package?
There was a problem hiding this comment.
No.
This function name is misleading.
It is not a parsing function, but a resolving function. It uses the real-time info from a BPF map.
Hence, it is part of the eBPF logic in user mode. Not a parsing function of known values.
There was a problem hiding this comment.
Can you please rename it to getPathFromFD then?
| @@ -103,7 +104,7 @@ func (t *Tracee) processNetCapEvent(event *trace.Event) { | |||
|
|
|||
| // sanity checks | |||
|
|
|||
| payloadArg := events.GetArg(event, "payload") | |||
| payloadArg := parsers.GetArg(event, "payload") | |||
There was a problem hiding this comment.
I think it is more intuitive for the GetArg function to be in the events or pipeline package (once we will extract it from the ebpf package) and not under parsers
There was a problem hiding this comment.
Hmm this concerns the ArgVal function as well (which resides both in the signatures/helpers package and in the events/params package).
I only move the code as it is, without trying to restructure the whole package.
I think all the arguments extraction functions places should be determined in its own PR and discussion. This PR won't be affected by the change.
There was a problem hiding this comment.
I will add that for now both GetArg and SetArgValue are only used by the parsers package.
| @@ -287,7 +288,7 @@ func (t *Tracee) processHookedProcFops(event *trace.Event) error { | |||
| } | |||
| hookedFops = append(hookedFops, trace.HookedSymbolData{SymbolName: functionName, ModuleOwner: hookingFunction.Owner}) | |||
| } | |||
| err = events.SetArgValue(event, hookedFopsPointersArgName, hookedFops) | |||
| err = parsers.SetArgValue(event, hookedFopsPointersArgName, hookedFops) | |||
| @@ -8,9 +8,8 @@ import ( | |||
| "strings" | |||
| "sync/atomic" | |||
|
|
|||
| "github.com/moby/moby/pkg/parsers/kernel" | |||
There was a problem hiding this comment.
Why do we need this external package and not use our own environment package?
If it's because it is not exposed as a module - then maybe we should
There was a problem hiding this comment.
The reason is mainly because of the external module issue.
However, we coupled that environment into Tracee by using the logger and errfmt packages there.
As the function only use the kernel version and not other OS information, I determined that it will be easier to use the version as a string. As I needed to parse it I thought that using such a known third-party package might be easier than trying to export many parts of the code as modules.
There was a problem hiding this comment.
@AlonZivony do you want me to move environment as its own module? I think we should since it's required by different projects.
There was a problem hiding this comment.
I think we do.
I think we might also want to put the logger in another module, but this way we divide the project to too many pieces.
For now I think using this external library is good enough.
There was a problem hiding this comment.
If that's the case let's take the logger and err handling out of the environment package (it should be only a few lines to change).
It doesn't make sense to use an external package for logic we already have (actually, we need to do the opposite - make as less dependencies on external packages as possible)
| switch ID(event.EventID) { | ||
| case MemProtAlert: | ||
| switch event.EventName { | ||
| case "mem_prot_alert": |
There was a problem hiding this comment.
We can keep event.EventID here and use the existing consts from the events package.
In the future, we should change it to the new EventID enum, exported as part of the new proto API.
There was a problem hiding this comment.
We can't use the events.ID values because we can't import the events package.
If this package is imported by the signatures, and the signatures are used by Tracee, then it will cause a circular dependency to import Tracee for the events IDs.
The only solution is to have an external package that will translate the IDs to an informative value. I think that we agreed that it will be possible once we use the new event's structure and the protobuf values could be used.
| // TODO: Add support for syscall id to name parsing | ||
| // case "sys_enter", "sys_exit": | ||
| // if syscallArg := GetArg(event, "syscall"); syscallArg != nil { | ||
| // if id, isInt32 := syscallArg.Value.(int32); isInt32 { | ||
| // if events.Core.IsDefined(events.ID(id)) { | ||
| // eventDefinition := events.Core.GetDefinitionByID(events.ID(id)) | ||
| // if eventDefinition.IsSyscall() { | ||
| // syscallArg.Value = eventDefinition.GetName() | ||
| // syscallArg.Type = "string" | ||
| // } | ||
| // } | ||
| // } | ||
| // } |
There was a problem hiding this comment.
Why did you remove this?
There was a problem hiding this comment.
It's impossible to translate the syscall ID to its name in a small effort way which will support both AMD64 and ARM64.
As using the events package is not possible, for now I determined that this was out of scope to support this parsing.
There was a problem hiding this comment.
So this is a regression.
I think we should merge this PR only after introducing the new pipeline event structure (to be done in the coming milestone)
AlonZivony
force-pushed
the
chore/move-parse-to-new-module
branch
from
0ac73f4
to
5643a7d
Compare
| @@ -8,9 +8,8 @@ import ( | |||
| "strings" | |||
| "sync/atomic" | |||
|
|
|||
| "github.com/moby/moby/pkg/parsers/kernel" | |||
There was a problem hiding this comment.
@AlonZivony do you want me to move environment as its own module? I think we should since it's required by different projects.
AlonZivony
force-pushed
the
chore/move-parse-to-new-module
branch
4 times, most recently
from
794c93b
to
29b6551
Compare
|
@yanivagman I suppose #4129 removed some blocker of this PR. Anyway, is this still relevant? Converting it to draft to clear filters out. |
1. Explain what the PR does
Export the parse functions from Tracee, which would allow signatures to use them.
2. Explain how to test it
3. Other comments