[v0.22.3] feat(ebpf): restrict set_fs_pwd to (f)chdir syscall

api/v1beta1/event.proto

@@ -547,7 +547,7 @@ enum EventId {
     module_load = 1082;
     module_free = 1083;
     execute_finished = 1084;
-    security_bprm_creds_for_exec = 1085;
+    process_execute_failed_internal = 1085;
 
     // Events originated from user-space
     net_packet_ipv4 = 2000;

builder/Dockerfile.alpine-tracee-container

@@ -38,8 +38,7 @@ RUN apk --no-cache update && \
 # install OPA
 
 # ARG OPA_VERSION
-# RUN altarch=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
-# curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_linux_${altarch}_static && \
+# RUN curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_linux_${TARGETARCH}_static && \
 # chmod 755 /usr/bin/opa
 
 # Stage 2: Copy the OPA binary from the OPA extractor
@@ -102,9 +101,9 @@ RUN apk --no-cache update && \
 
 # install GO
 ARG GO_VERSION
-RUN altarch=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
-    curl -L -o go${GO_VERSION}.linux-${altarch}.tar.gz https://go.dev/dl/go${GO_VERSION}.linux-${altarch}.tar.gz && \
-    tar -C /usr/local -xzf go${GO_VERSION}.linux-${altarch}.tar.gz && \
+RUN TARGETARCH=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
+    curl -L -o go${GO_VERSION}.linux-${TARGETARCH}.tar.gz https://go.dev/dl/go${GO_VERSION}.linux-${TARGETARCH}.tar.gz && \
+    tar -C /usr/local -xzf go${GO_VERSION}.linux-${TARGETARCH}.tar.gz && \
     echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile && \
     echo 'export GOROOT=/usr/local/go' >> /etc/profile && \
     echo 'export GOPATH=$HOME/go' >> /etc/profile && \

builder/Dockerfile.alpine-tracee-make

@@ -1,41 +1,22 @@
+# Creates a local docker building environment (alpine)
+
 #
-# Creates a local docker building environment (alpine).
+# alpine-base: install necessary packages and tools
 #
 
-FROM alpine:3.19
-
-ARG uid=1000
-ARG gid=1000
+FROM alpine:3.19 AS alpine-base
+LABEL AS=alpine-base
+USER root
 
 # install needed environment
-
 RUN apk --no-cache update && \
-    apk --no-cache add sudo coreutils findutils && \
-    apk --no-cache add bash git curl rsync && \
-    apk --no-cache add clang14 llvm14 && \
-    apk --no-cache add musl-dev libc6-compat && \
-    apk --no-cache add go make gcc && \
-    apk --no-cache add linux-headers && \
-    apk --no-cache add elfutils-dev && \
-    apk --no-cache add libelf-static && \
-    apk --no-cache add zlib-static && \
-    apk --no-cache add zstd-static && \
-    rm -f /usr/bin/cc && \
-    rm -f /usr/bin/clang && \
-    rm -f /usr/bin/clang++ && \
-    rm -f /usr/bin/llc && \
-    rm -f /usr/bin/lld && \
-    rm -f /usr/bin/clangd && \
-    rm -f /usr/bin/clang-format && \
-    rm -f /usr/bin/llvm-strip && \
-    rm -f /usr/bin/llvm-config && \
-    rm -f /usr/bin/ld.lld && \
-    rm -f /usr/bin/llvm-ar && \
-    rm -f /usr/bin/llvm-nm && \
-    rm -f /usr/bin/llvm-objcopy && \
-    rm -f /usr/bin/llvm-objdump && \
-    rm -f /usr/bin/llvm-readelf && \
-    rm -f /usr/bin/opt && \
+    apk --no-cache add sudo coreutils findutils bash git curl rsync && \
+    apk --no-cache add clang14 llvm14 musl-dev libc6-compat make gcc linux-headers elfutils-dev libelf-static zlib-static zstd-static
+
+# set up symlinks for Clang and LLVM tools
+RUN rm -f /usr/bin/cc /usr/bin/clang /usr/bin/clang++ /usr/bin/llc /usr/bin/lld /usr/bin/clangd \
+          /usr/bin/clang-format /usr/bin/llvm-strip /usr/bin/llvm-config /usr/bin/ld.lld /usr/bin/llvm-ar \
+          /usr/bin/llvm-nm /usr/bin/llvm-objcopy /usr/bin/llvm-objdump /usr/bin/llvm-readelf /usr/bin/opt && \
     ln -s /usr/lib/llvm14/bin/clang /usr/bin/cc && \
     ln -s /usr/lib/llvm14/bin/clang /usr/bin/clang && \
     ln -s /usr/lib/llvm14/bin/clang++ /usr/bin/clang++ && \
@@ -54,51 +35,57 @@ RUN apk --no-cache update && \
     ln -s /usr/lib/llvm14/bin/opt /usr/bin/opt
 
 # install bpftool from btfhub
-
 RUN cd /tmp && \
     git clone https://github.com/aquasecurity/btfhub.git && \
     cd ./btfhub && \
     ./3rdparty/bpftool.sh
 
 # install OPA
-
-RUN altarch=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
-    curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/v0.63.0/opa_linux_${altarch}_static && \
+RUN TARGETARCH=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
+    curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/v0.63.0/opa_linux_${TARGETARCH}_static && \
     chmod 755 /usr/bin/opa
 
-# extra tools for testing things
+# install extra tools for testing things
+RUN apk --no-cache add man-pages man-pages-posix bash-completion vim iproute2 vlan bridge-utils net-tools \
+    netcat-openbsd iputils wget lynx w3m stress-ng
 
-RUN apk --no-cache add man-pages man-pages-posix bash-completion vim && \
-    apk --no-cache add iproute2 vlan bridge-utils net-tools && \
-    apk --no-cache add netcat-openbsd iputils && \
-    apk --no-cache add wget lynx w3m && \
-    apk --no-cache add stress-ng
+#
+# go-setup: install Go and Go tools
+#
 
-# install staticcheck
+FROM alpine-base AS go-setup
+LABEL AS=go-setup
+USER root
 
-RUN GOROOT=/usr/lib/go GOPATH=$HOME/go \
-    go install honnef.co/go/tools/cmd/[email protected] && \
-    cp $HOME/go/bin/staticcheck /usr/bin/
+ARG GO_VERSION=1.22.0
+ENV GOPATH=/go
+ENV GOROOT=/usr/local/go
+ENV GOTOOLCHAIN="auto"
+ENV PATH=${GOPATH}/bin:${GOROOT}/bin:$PATH
 
-# install goimports-reviser
+# install Go
+RUN TARGETARCH=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
+    curl -L -o go${GO_VERSION}.linux-${TARGETARCH}.tar.gz https://go.dev/dl/go${GO_VERSION}.linux-${TARGETARCH}.tar.gz && \
+    tar -C /usr/local -xzf go${GO_VERSION}.linux-${TARGETARCH}.tar.gz && \
+    rm go${GO_VERSION}.linux-${TARGETARCH}.tar.gz
 
-RUN GOROOT=/usr/lib/go GOPATH=$HOME/go \
+# install Go tools
+RUN go install honnef.co/go/tools/cmd/[email protected] && \
     go install github.com/incu6us/goimports-reviser/v3@latest && \
-    cp $HOME/go/bin/goimports-reviser /usr/bin/
-
-# install revive
-
-RUN GOROOT=/usr/lib/go GOPATH=$HOME/go \
     go install github.com/mgechev/revive@e33fb87 && \
-    cp $HOME/go/bin/revive /usr/bin/
+    go install github.com/kisielk/errcheck@latest
 
-# install errcheck
+#
+# user-setup: configure user environment and permissions
+#
 
-RUN GOROOT=/usr/lib/go GOPATH=$HOME/go \
-    go install github.com/kisielk/errcheck@latest && \
-    cp $HOME/go/bin/errcheck /usr/bin/
+FROM go-setup AS user-setup
+LABEL AS=user-setup
+USER root
 
 # allow TRACEE* and LIBBPFGO* environment variables through sudo
+ARG uid=1000
+ARG gid=1000
 
 RUN echo "Defaults env_keep += \"LANG LC_* HOME EDITOR PAGER GIT_PAGER MAN_PAGER\"" > /etc/sudoers && \
     echo "Defaults env_keep += \"LIBBPFGO* TRACEE*\"" >> /etc/sudoers && \
@@ -107,7 +94,6 @@ RUN echo "Defaults env_keep += \"LANG LC_* HOME EDITOR PAGER GIT_PAGER MAN_PAGER
     chmod 0440 /etc/sudoers
 
 # prepare tracee user to be $UID:$GID host equivalent
-
 RUN export uid=$uid gid=$gid && \
     mkdir -p /home/tracee && \
     echo "tracee:x:${uid}:${gid}:Tracee,,,:/home/tracee:/bin/bash" >> /etc/passwd && \
@@ -119,6 +105,14 @@ RUN export uid=$uid gid=$gid && \
     echo "set -o vi" >> /home/tracee/.bashrc && \
     ln -s /home/tracee/.bashrc /home/tracee/.profile
 
+# adjust permissions
+RUN chown -R tracee:tracee ${GOPATH}
+
+#
+# tracee-env: last stage for tracee building environment
+#
+
+FROM user-setup AS tracee-env
 USER tracee
 ENV HOME=/home/tracee
 WORKDIR /tracee

deploy/helm/tracee/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: tracee
 description: Linux Runtime Security and Forensics using eBPF
-home: https://aquasecurity.github.io/tracee/v0.22.0/
+home: https://aquasecurity.github.io/tracee/v0.22.2/
 sources:
   - https://github.com/aquasecurity/tracee
 
@@ -18,10 +18,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "0.22.0"
+version: "0.22.2"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.22.0"
+appVersion: "0.22.2"