removed existing ebpf code

.github/workflows/ci.yaml

@@ -58,12 +58,6 @@ jobs:
           go-version: "1.21"
           cache: false
 
-      - name: EBPF prerequisites
-        run: |
-          set -x
-          sudo apt update && sudo apt install -y jq pkg-config libelf-dev clang
-          make ebpf
-
       - name: Run unit tests
         run: make unit-test
 

.gitignore

@@ -4,7 +4,6 @@
 /vendor
 /.local
 /.vscode
-/pkg/**/capture_exec.bpf.o
 /pkg/tarianpb/api.pb.go
 /pkg/tarianpb/types.pb.go
 coverage.xml

.golangci.yml

@@ -1,8 +1,6 @@
 run:
   timeout: 10m
   concurrency: 4
-  skip-files:
-  - pkg/nodeagent/ebpf/exec.go
 
 linters:
   disable-all: true

Makefile

@@ -34,7 +34,6 @@ default: help
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
-##@ eBPF
 
 BASEDIR = $(abspath ./)
 OUTPUT = ./output
@@ -60,7 +59,6 @@ CGO_LDFLAGS_DYN = "-lelf -lz -lbpf"
 BTFFILE = /sys/kernel/btf/vmlinux
 BPFTOOL = $(shell which bpftool || /bin/false)
 VMLINUXH = $(OUTPUT)/vmlinux.h
-NODEAGENT_EBPF_DIR = pkg/nodeagent/ebpf
 
 # extracts the major, minor, and patch version numbers of the kernel version
 KERNEL_VERSION = $(word 1, $(subst -, ,$(shell uname -r)))
@@ -97,18 +95,6 @@ $(VMLINUXH): $(OUTPUT)
 		$(BPFTOOL) btf dump file $(BTFFILE) format c > $(VMLINUXH); \
 	fi
 
-# libbpf
-
-$(LIBBPF_OBJ): $(LIBBPF_SRC) $(wildcard $(LIBBPF_SRC)/*.[ch]) | $(OUTPUT)/libbpf
-	CC="$(CC)" CFLAGS="$(CFLAGS)" LD_FLAGS="$(LDFLAGS)" \
-		$(MAKE) -C $(LIBBPF_SRC) \
-		BUILD_STATIC_ONLY=1 \
-		OBJDIR=$(LIBBPF_OBJDIR) \
-		DESTDIR=$(LIBBPF_DESTDIR) \
-		INCLUDEDIR= LIBDIR= UAPIDIR= install
-
-libbpfgo-static: $(VMLINUXH) | $(LIBBPF_OBJ)
-
 ##@ Development
 
 generate: bin/controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.

go.sum

@@ -280,8 +280,6 @@ github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/intelops/tarian-detector v0.0.0-20240223205958-674f5351cece h1:lai7AMQVv7tyoNqYdt4u4ibaxT5CjvoCI0paH2rpVJY=
-github.com/intelops/tarian-detector v0.0.0-20240223205958-674f5351cece/go.mod h1:u7VW9+KOi2ujvIevz/LtfaXkjfkBp7BKgGuPcSq814E=
 github.com/intelops/tarian-detector v0.0.0-20240226164335-7701e4e67daa h1:ExaZjScIYDDIfCOygau+d09cvJdJdrWEN3yfHdehgbE=
 github.com/intelops/tarian-detector v0.0.0-20240226164335-7701e4e67daa/go.mod h1:u7VW9+KOi2ujvIevz/LtfaXkjfkBp7BKgGuPcSq814E=
 github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=

pkg/nodeagent/capture_exec.go

@@ -1,11 +1,12 @@
 package nodeagent
 
 import (
+	"context"
 	"fmt"
 
+	"github.com/aquasecurity/libbpfgo"
 	"github.com/intelops/tarian-detector/pkg/detector"
 	"github.com/intelops/tarian-detector/tarian"
-	"github.com/kube-tarian/tarian/pkg/nodeagent/ebpf"
 	"github.com/sirupsen/logrus"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
@@ -48,12 +49,16 @@ type ExecEvent struct {
 // CaptureExec captures and processes execution events, associating them with Kubernetes Pods.
 // It uses eBPF (Extended Berkeley Packet Filter) to capture execution events in the Linux kernel.
 type CaptureExec struct {
-	eventsChan         chan ExecEvent       // Channel for sending captured execution events
-	shouldClose        bool                 // Flag indicating whether the capture should be closed
-	bpfCaptureExec     *ebpf.BpfCaptureExec // Instance of eBPF capture execution
-	nodeName           string               // The name of the node where the capture is running
-	logger             *logrus.Logger       // Logger instance for logging
+	ctx                context.Context
+	eventsChan         chan ExecEvent // Channel for sending captured execution events
+	shouldClose        bool           // Flag indicating whether the capture should be closed
+	bpfModule          *libbpfgo.Module
+	bpfProg            *libbpfgo.BPFProg
+	bpfRingBuffer      *libbpfgo.RingBuffer
+	nodeName           string         // The name of the node where the capture is running
+	logger             *logrus.Logger // Logger instance for logging
 	eventsDetectorChan chan map[string]any
+	eventsDetector     *detector.EventsDetector
 }
 
 // NewCaptureExec creates a new CaptureExec instance for capturing and processing execution events.
@@ -65,8 +70,9 @@ type CaptureExec struct {
 // Returns:
 //   - *CaptureExec: A new instance of CaptureExec.
 //   - error: An error if creating the eBPF capture execution instance fails.
-func NewCaptureExec(logger *logrus.Logger) (*CaptureExec, error) {
+func NewCaptureExec(ctx context.Context, logger *logrus.Logger) (*CaptureExec, error) {
 	return &CaptureExec{
+		ctx:                ctx,
 		eventsChan:         make(chan ExecEvent, 1000),
 		logger:             logger,
 		eventsDetectorChan: make(chan map[string]any, 1000),
@@ -100,7 +106,7 @@ func (c *CaptureExec) Start() error {
 	}
 	watcher.Start()
 
-	err = c.GetTarianDetectorEvents()
+	err = c.GetTarianDetectorEbpfEvents()
 	if err != nil {
 		return fmt.Errorf("CaptureExec.Start: failed to get tarian detector events: %w", err)
 	}
@@ -141,7 +147,7 @@ func (c *CaptureExec) Start() error {
 
 		// Create an ExecEvent and send it to the events channel.
 		execEvent := ExecEvent{
-			Pid: pid,
+			Pid:               pid,
 			ContainerID:       containerID,
 			K8sPodName:        podName,
 			K8sPodUID:         podUID,
@@ -158,23 +164,26 @@ func (c *CaptureExec) Start() error {
 // Close stops the capture process and closes associated resources.
 func (c *CaptureExec) Close() {
 	c.shouldClose = true
+	c.eventsDetector.Close()
 }
 
 // GetEventsChannel returns the channel for receiving execution events.
 func (c *CaptureExec) GetEventsChannel() chan ExecEvent {
 	return c.eventsChan
 }
 
-func (c *CaptureExec) GetTarianDetectorEvents() error {
+func (c *CaptureExec) GetTarianDetectorEbpfEvents() error {
 	tarianEbpfModule, err := tarian.GetModule()
 	if err != nil {
-		c.logger.Error("error while get tarian ebpf module: %v", err)
+		fmt.Println("error while get tarian ebpf module: ", err)
+		c.logger.Errorf("error while get tarian ebpf module: %v", err)
 		return fmt.Errorf("error while get tarian-detector ebpf module: %w", err)
 	}
 
 	tarianDetector, err := tarianEbpfModule.Prepare()
 	if err != nil {
-		c.logger.Error("error while prepare tarian detector: %v", err)
+		fmt.Printf("error while prepare tarian detector: %v", err)
+		c.logger.Errorf("error while prepare tarian detector: %v", err)
 		return fmt.Errorf("error while prepare tarian-detector: %w", err)
 	}
 
@@ -187,16 +196,20 @@ func (c *CaptureExec) GetTarianDetectorEvents() error {
 	// Start and defer Close
 	err = eventsDetector.Start()
 	if err != nil {
+		fmt.Printf("error while start tarian detector: %v", err)
 		c.logger.Errorf("error while start tarian detector: %v", err)
 		return fmt.Errorf("error while start tarian-detector: %w", err)
 	}
 
-	defer eventsDetector.Close()
+	c.eventsDetector = eventsDetector
+
+	defer c.eventsDetector.Close()
 
 	go func() {
 		for {
-			event, err := eventsDetector.ReadAsInterface()
+			event, err := c.eventsDetector.ReadAsInterface()
 			if err != nil {
+				fmt.Printf("error while read event: %v", err)
 				fmt.Print("error while read event as interface: ", err)
 				c.logger.WithError(err).Error("error while read event")
 				continue
@@ -210,6 +223,7 @@ func (c *CaptureExec) GetTarianDetectorEvents() error {
 		}
 	}()
 
-	return nil
+	<-c.ctx.Done()
+	return c.ctx.Err()
 
 }