
Make helpers package into its own go module #243

Open
grantseltzer opened this issue Sep 13, 2022 · 8 comments

Comments

@grantseltzer
Contributor

If consumers of the helpers package want to import a new version without upgrading libbpfgo, it becomes impossible because it's a single module.

@NDStrahilevitz
Contributor

NDStrahilevitz commented Oct 9, 2022

Hi, it would also be nice if libbpfgo could be decoupled from it dependency-wise as well; otherwise, if I try to use it for writing a tracee signature, for example, I get this error:

../go/pkg/mod/github.com/aquasecurity/libbpfgo@v0.4.0-libbpf-1.0.0.0.20220919160735-14c6bc9b8a05/libbpfgo.go:76:13: error: no member named 'sz' in 'struct perf_buffer_opts'
    pb_opts.sz = sizeof(struct perf_buffer_opts);
    ~~~~~~~ ^
../go/pkg/mod/github.com/aquasecurity/libbpfgo@v0.4.0-libbpf-1.0.0.0.20220919160735-14c6bc9b8a05/libbpfgo.go:78:59: error: too many arguments to function call, expected 3, have 6
    pb = perf_buffer__new(map_fd, page_cnt, perfCallback, perfLostCallback,
         ~~~~~~~~~~~~~~~~                                 ^~~~~~~~~~~~~~~~~
/usr/include/bpf/libbpf.h:682:1: note: 'perf_buffer__new' declared here
perf_buffer__new(int map_fd, size_t page_cnt,
^
2 errors generated.

This would be useful because then you could use the direct argument values defined in the argument parsers instead of relying on argument parsing before signatures (for example, use the PTRACE_TRACEME const instead of the string "PTRACE_TRACEME").

@grantseltzer
Contributor Author

@NDStrahilevitz Do you mean to say you think helpers shouldn't import libbpfgo?

@NDStrahilevitz
Contributor

@NDStrahilevitz Do you mean to say you think helpers shouldn't import libbpfgo?

Yes, otherwise you can't really use the helpers independently.

@grantseltzer
Contributor Author

@NDStrahilevitz Where do you get the above error? When building or running go get? How can I reproduce?

@NDStrahilevitz
Contributor

NDStrahilevitz commented Oct 11, 2022

I made a new go signature using PR #2220 in tracee.
Code is the following

package main

import (
	"fmt"

	"github.com/aquasecurity/tracee/types/protocol"

	args "github.com/aquasecurity/libbpfgo/helpers"
	"github.com/aquasecurity/tracee/signatures/helpers"

	"github.com/aquasecurity/tracee/types/detect"
	"github.com/aquasecurity/tracee/types/trace"
)

type AntiDebuggingPtraceme struct {
	cb detect.SignatureHandler
}

...

func (sig *AntiDebuggingPtraceme) OnEvent(e protocol.Event) error {
	// casting to tracee event
	eventObj, ok := e.Payload.(trace.Event)
	if !ok {
		return fmt.Errorf("invalid event")
	}

	switch eventObj.EventName {

	case "ptrace":
		requestArg, err := helpers.GetTraceeArgumentByName(eventObj, "request")
		if err != nil {
			return err
		}

		if requestArg.Value == args.PTRACE_TRACEME {
			// metadata, err := sig.GetMetadata()
			// if err != nil {
			// 	return err
			// }
		}

	}
	return nil
}

...

And I got the errors I've written above when compiling to a .so plugin.

@grantseltzer
Contributor Author

grantseltzer commented Oct 11, 2022

Can you provide the command you use to compile? @NDStrahilevitz

@NDStrahilevitz
Contributor

This was standard signature compilation in tracee so just make rules. Internally:

GOSIGNATURES_DIR ?= signatures/golang
GOSIGNATURES_SRC :=	$(shell find $(GOSIGNATURES_DIR) \
			-type f \
			-name '*.go' \
			! -name '*_test.go' \
			! -path '$(GOSIGNATURES_DIR)/examples/*' \
			)

@geyslan
Member

geyslan commented May 26, 2023

@NDStrahilevitz is this still relevant? Perhaps correlated to #297?
