Skip to content

fix(kmod): safer ppm_get_mm_exe_file #242

fix(kmod): safer ppm_get_mm_exe_file

fix(kmod): safer ppm_get_mm_exe_file #242

Workflow file for this run

name: CI Build
on:
pull_request:
push:
branches:
- master
- 'release/**'
- 'maintainers/**'
workflow_dispatch:
# Checks if any concurrent jobs under the same pull request or branch are being executed
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs:
paths-filter:
runs-on: ubuntu-latest
outputs:
driver_changed: ${{ steps.filter.outputs.driver }}
libscap_changed: ${{ steps.filter.outputs.libscap }}
libsinsp_changed: ${{ steps.filter.outputs.libsinsp }}
steps:
- uses: actions/checkout@v2
- uses: dorny/paths-filter@v2
id: filter
with:
filters: |
driver:
- 'driver/**'
libscap:
- 'userspace/libscap/**'
libsinsp:
- 'userspace/libsinsp/**'
build-libs-linux-amd64:
name: build-libs-linux-amd64 😁
strategy:
matrix:
name: [system_deps, bundled_deps, system_deps_w_chisels, system_deps_minimal]
include:
- name: system_deps
cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=False
- name: bundled_deps
cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=True
- name: system_deps_w_chisels
cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=False -DWITH_CHISEL=True
- name: system_deps_minimal
cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True
runs-on: ubuntu-latest
container:
image: debian:buster
steps:
- name: Install deps ⛓️
run: |
apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev liblua5.1-dev linux-headers-amd64
- name: Checkout Libs ⤵️
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Install deps ⛓️
run: |
.github/install-deps.sh
- name: Git safe directory
run: |
git config --global --add safe.directory $GITHUB_WORKSPACE
- name: Build and test 🏗️🧪
run: |
mkdir -p build
cd build && cmake ${{ matrix.cmake_opts }} ../
KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
make run-unit-tests
build-libs-linux-amd64-asan:
name: build-libs-linux-amd64-asan 🧐
runs-on: ubuntu-latest
container:
image: debian:buster
steps:
- name: Install deps ⛓️
run: |
apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev liblua5.1-dev linux-headers-amd64
- name: Checkout Libs ⤵️
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Install deps ⛓️
run: |
.github/install-deps.sh
- name: Git safe directory
run: |
git config --global --add safe.directory $GITHUB_WORKSPACE
- name: Build and test 🏗️🧪
run: |
mkdir -p build
cd build && LDFLAGS="-lpthread" cmake -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address -DUSE_BUNDLED_DEPS=False ../
KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
make run-unit-tests
build-shared-libs-linux-amd64:
name: build-shared-libs-linux-amd64 🧐
runs-on: ubuntu-latest
steps:
- name: Install deps ⛓️
run: |
sudo apt update
sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libre2-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev liblua5.1-dev linux-headers-$(uname -r)
- name: Checkout Libs ⤵️
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Git safe directory
run: |
git config --global --add safe.directory $GITHUB_WORKSPACE
- name: Build and test 🏗️🧪
run: |
mkdir -p build
cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True -DUSE_BUNDLED_VALIJSON=True -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ../
KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
make run-unit-tests
- name: Install
run: |
cd build
make install
- name: Test sinsp-example build with pkg-config
run: |
cd userspace/libsinsp/examples
export PKG_CONFIG_PATH=/tmp/libs-test/lib/pkgconfig
g++ -o sinsp-example test.cpp util.cpp $(pkg-config --cflags --libs libsinsp)
- name: Test sinsp-example runtime linker
run: |
cd userspace/libsinsp/examples
export LD_LIBRARY_PATH=/tmp/libs-test/lib/falcosecurity
./sinsp-example -h
build-libs-others-amd64:
name: build-libs-others-amd64 😨
strategy:
fail-fast: false
matrix:
os: [windows-latest, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Checkout Libs ⤵️
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Build and test 🏗️🧪
run: |
mkdir -p build
cd build && cmake -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DCREATE_TEST_TARGETS=ON -DMINIMAL_BUILD=ON ..
cmake --build . --config Release && make run-unit-tests || libsinsp\test\Release\unit-test-libsinsp.exe
# This job run all engine tests and scap-open
test-scap-x86:
name: test-scap-x86 😆 (bundled_deps)
runs-on: ubuntu-22.04
needs: paths-filter
if: needs.paths-filter.outputs.driver_changed == 'true' || needs.paths-filter.outputs.libscap_changed == 'true'
steps:
- name: Checkout Libs ⤵️
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Install deps ⛓️
run: |
sudo apt update
sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev linux-headers-$(uname -r)
sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
- name: Build scap-open and drivers 🏗️
run: |
mkdir -p build
cd build && cmake -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=On -DCREATE_TEST_TARGETS=On -DENABLE_LIBSCAP_TESTS=On ../
make scap-open
make driver bpf
make libscap_test
- name: Run scap-open with modern bpf 🏎️
run: |
cd build
sudo ./libscap/examples/01-open/scap-open --modern_bpf --num_events 0
- name: Run scap-open with bpf 🏎️
run: |
cd build
sudo ./libscap/examples/01-open/scap-open --bpf ./driver/bpf/probe.o --num_events 0
- name: Run scap-open with kmod 🏎️
run: |
cd build
sudo insmod ./driver/scap.ko
sudo ./libscap/examples/01-open/scap-open --kmod --num_events 0
sudo rmmod scap
- name: Run libscap_test 🏎️
run: |
cd build
sudo ./test/libscap/libscap_test
test-drivers-x86:
name: test-drivers-x86 😇 (bundled_deps)
runs-on: ubuntu-22.04
needs: paths-filter
if: needs.paths-filter.outputs.driver_changed == 'true' || needs.paths-filter.outputs.libscap_changed == 'true'
steps:
- name: Checkout Libs ⤵️
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Install deps ⛓️
run: |
sudo apt update
sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git pkg-config autoconf automake libelf-dev libcap-dev linux-headers-$(uname -r) clang-14 llvm-14 libtool
sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
- name: Build drivers tests 🏗️
run: |
mkdir -p build
cd build && cmake -DUSE_BUNDLED_DEPS=ON -DENABLE_DRIVERS_TESTS=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_BPF=True -DBUILD_LIBSCAP_GVISOR=OFF ../
make drivers_test
make driver bpf
- name: Run drivers_test with modern bpf 🏎️
run: |
cd build
sudo ./test/drivers/drivers_test -m
- name: Run drivers_test with bpf 🏎️
run: |
cd build
sudo ./test/drivers/drivers_test -b
- name: Run drivers_test with kmod 🏎️
run: |
cd build
sudo ./test/drivers/drivers_test -k
build-libs-s390x:
name: build-libs-s390x 😁 (system_deps)
runs-on: ubuntu-22.04
needs: paths-filter
if: needs.paths-filter.outputs.driver_changed == 'true' || needs.paths-filter.outputs.libsinsp_changed == 'true'
steps:
- name: Checkout Libs ⤵️
uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: uraimo/run-on-arch-action@v2.2.0
name: Run s390x build 🏗️
with:
arch: s390x
distro: ubuntu22.04
githubToken: ${{ github.token }}
install: |
apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-headers-generic
git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch
cd bpftool
git submodule update --init
cd src && make install
cd ../../
git clone https://github.com/libbpf/libbpf.git --branch v1.0.1 --single-branch
cd libbpf/src && BUILD_STATIC_ONLY=y DESTDIR=/ make install
ln -s /usr/lib64/libbpf.a /usr/lib/s390x-linux-gnu/
# Please note: we cannot inject the BPF probe inside QEMU, so right now, we only build it
run: |
git config --global --add safe.directory $GITHUB_WORKSPACE
.github/install-deps.sh
mkdir -p build
cd build && cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=OFF -DMODERN_PROBE_INCLUDE="-I/usr/include/s390x-linux-gnu" -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DBUILD_LIBSCAP_GVISOR=OFF ../
KERNELDIR=/lib/modules/$(ls /lib/modules)/build make scap-open driver bpf unit-test-libsinsp -j6
./libsinsp/test/unit-test-libsinsp
# This job checks that a bundled deps of libs is as static as possible
test-libs-static:
name: test-libs-static (bundled_deps)
runs-on: ubuntu-22.04
steps:
- name: Checkout Libs ⤵️
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install deps ⛓️
run: |
sudo apt update
sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev linux-headers-$(uname -r)
sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
- name: Build sinsp-example
run: |
mkdir -p build
cd build && cmake -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=On -DCREATE_TEST_TARGETS=Off -DENABLE_LIBSCAP_TESTS=Off ../
make -j$(nproc) sinsp-example
- name: Ensure that sinsp-example with bundled deps is as static as possible
run: |
ldd "build/libsinsp/examples/sinsp-example" | cut --fields=2 | cut --delimiter=' ' --fields=1 | rev | cut --delimiter='/' --fields=1 | rev | sort --unique --version-sort > ldd_out.txt
cat > expected_ldd_out.txt <<EOF
ld-linux-x86-64.so.2
libc.so.6
libgcc_s.so.1
libm.so.6
libstdc++.so.6
linux-vdso.so.1
EOF
diff -u expected_ldd_out.txt ldd_out.txt
run-e2e-tests-amd64:
name: run-e2e-tests-amd64
strategy:
fail-fast: false
matrix:
name: [system_deps, bundled_deps, system_deps_w_chisels, asan]
include:
- name: system_deps
cmake_opts: -DUSE_BUNDLED_DEPS=False
- name: bundled_deps
cmake_opts: -DUSE_BUNDLED_DEPS=True
- name: system_deps_w_chisels
cmake_opts: -DUSE_BUNDLED_DEPS=False -DWITH_CHISEL=True
- name: asan
cmake_opts: -DUSE_BUNDLED_DEPS=True -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address
runs-on: ubuntu-22.04
steps:
- name: Install deps ⛓️
run: |
sudo apt-get update && sudo apt-get install -y --no-install-recommends \
ca-certificates \
cmake \
build-essential \
clang-14 llvm-14 \
git \
clang \
llvm \
pkg-config \
autoconf \
automake \
libtool \
libelf-dev \
wget \
libc-ares-dev \
libbpf-dev \
libcap-dev \
libcurl4-openssl-dev \
libssl-dev \
libtbb-dev \
libjq-dev \
libjsoncpp-dev \
libgrpc++-dev \
protobuf-compiler-grpc \
libgtest-dev \
libprotobuf-dev \
liblua5.1-dev \
"linux-headers-$(uname -r)"
sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
- name: Checkout Libs ⤵️
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Install deps ⛓️
run: |
sudo .github/install-deps.sh
- name: Git safe directory
run: |
git config --global --add safe.directory $GITHUB_WORKSPACE
- name: Build and test 🏗️🧪
run: |
mkdir -p build && cd build
cmake -DBUILD_BPF=ON \
-DBUILD_LIBSCAP_MODERN_BPF=ON \
-DBUILD_LIBSCAP_GVISOR=OFF \
${{ matrix.cmake_opts }} \
-DUSE_BUNDLED_LIBBPF=ON \
..
make -j$(nproc) sinsp-example driver bpf
sudo make e2e-install-deps
sudo ../test/e2e/scripts/run_tests.sh
- name: Archive test reports
uses: actions/upload-artifact@v3
if: failure()
with:
name: ${{ matrix.name }}_report
path: |
${{ github.workspace }}/build/report/
build-libs-emscripten:
name: build-libs-emscripten 🧐
runs-on: ubuntu-latest
steps:
- name: Install deps ⛓️
run: |
sudo apt update
sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev linux-headers-$(uname -r) emscripten
- name: Checkout Libs ⤵️
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Git safe directory
run: |
git config --global --add safe.directory $GITHUB_WORKSPACE
- name: Build and test 🏗️🧪
run: |
mkdir -p build
cd build && emcmake cmake -DUSE_BUNDLED_DEPS=True ../
KERNELDIR=/lib/modules/$(ls /lib/modules)/build emmake make -j4
KERNELDIR=/lib/modules/$(ls /lib/modules)/build emmake make run-unit-tests -j4