3
0
Fork 0
forked from mirrors/nixpkgs
nixpkgs/pkgs/tools/security/tracee/default.nix
2022-05-21 13:39:43 +01:00

114 lines
3.2 KiB
Nix

{ lib
, buildGoModule
, fetchFromGitHub
, llvmPackages_13
, pkg-config
, zlib
, libelf
}:
let
inherit (llvmPackages_13) clang;
clang-with-bpf =
(clang.overrideAttrs (o: { pname = o.pname + "-with-bpf"; })).override (o: {
extraBuildCommands = o.extraBuildCommands + ''
# make a separate wrapped clang we can target at bpf
cp $out/bin/clang $out/bin/clang-bpf
# extra flags to append after the cc-cflags
echo '-target bpf -fno-stack-protector' > $out/nix-support/cc-cflags-bpf
# use sed to attach the cc-cflags-bpf after cc-cflags
sed -i -E "s@^(extraAfter=\(\\$\NIX_CFLAGS_COMPILE_.*)(\))\$@\1 $(cat $out/nix-support/cc-cflags-bpf)\2@" $out/bin/clang-bpf
'';
});
in
buildGoModule rec {
pname = "tracee";
version = "0.7.0";
src = fetchFromGitHub {
owner = "aquasecurity";
repo = pname;
rev = "v${version}";
sha256 = "sha256-Y++FWxADnj1W5S3VrAlJAnotFYb6biCPJ6dpQ0Nin8o=";
# Once libbpf hits 1.0 we will migrate to the nixpkgs libbpf rather than the
# pinned copy in submodules
fetchSubmodules = true;
};
vendorSha256 = "sha256-C2RExp67qax8+zJIgyMJ18sBtn/xEYj4tAvGCCpBssQ=";
patches = [
# bpf-core can't be compiled with wrapped clang since it forces the target
# we need to be able to replace it with another wrapped clang that has
# it's target as bpf
./bpf-core-clang-bpf.patch
# add -s to ldflags for smaller binaries
./disable-go-symbol-table.patch
];
enableParallelBuilding = true;
strictDeps = true;
nativeBuildInputs = [ pkg-config clang-with-bpf ];
buildInputs = [ zlib libelf ];
makeFlags = [
"VERSION=v${version}"
"CMD_CLANG_BPF=clang-bpf"
# don't actually need git but the Makefile checks for it
"CMD_GIT=echo"
];
buildPhase = ''
runHook preBuild
make $makeFlags ''${enableParallelBuilding:+-j$NIX_BUILD_CORES -l$NIX_BUILD_CORES}
runHook postBuild
'';
doCheck = false;
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,share/tracee}
cp ./dist/tracee-ebpf $out/bin
cp ./dist/tracee-rules $out/bin
cp -r ./dist/rules $out/share/tracee/
cp -r ./cmd/tracee-rules/templates $out/share/tracee/
runHook postInstall
'';
doInstallCheck = true;
installCheckPhase = ''
runHook preInstallCheck
$out/bin/tracee-ebpf --help
$out/bin/tracee-ebpf --version | grep "v${version}"
$out/bin/tracee-rules --help
runHook postInstallCheck
'';
meta = with lib; {
homepage = "https://aquasecurity.github.io/tracee/latest/";
changelog = "https://github.com/aquasecurity/tracee/releases/tag/v${version}";
description = "Linux Runtime Security and Forensics using eBPF";
longDescription = ''
Tracee is a Runtime Security and forensics tool for Linux. It is using
Linux eBPF technology to trace your system and applications at runtime,
and analyze collected events to detect suspicious behavioral patterns. It
is delivered as a Docker image that monitors the OS and detects suspicious
behavior based on a pre-defined set of behavioral patterns.
'';
license = licenses.asl20;
maintainers = with maintainers; [ jk ];
platforms = [ "x86_64-linux" ];
};
}