falcosecurity · FedeDP · Feb 20, 2024 · Feb 20, 2024 · Feb 23, 2024
diff --git a/action.yml b/action.yml
@@ -14,6 +14,10 @@ inputs:
     description: 'Whether to generate matrixes as matrix_$architecture artifact'
     required: false
     default: 'false'
+  testexe:
+    description: 'Test executable to be run. One of scap-open or drivers-test'
+    required: false
+    default: 'scap-open'
 
 outputs:
   ansible_output:
@@ -59,7 +63,7 @@ runs:
       working-directory: ${{ github.action_path }}/ansible-playbooks
       shell: bash
       run: |
-        ansible-playbook scap-open.yml --extra-vars "@vars.yml" || : 
+        ansible-playbook ${{ inputs.testexe }}.yml --extra-vars "@vars.yml" || : 
 
     - name: Tar output files
       shell: bash

diff --git a/ansible-playbooks/build-scap-open.yml b/ansible-playbooks/build-scap-open.yml
@@ -0,0 +1,61 @@
+# Playbook used to build and distribute scap-open to all vms.
+
+- name: Build scap-open on designated builder
+  hosts: "centos-builder"
+  remote_user: "{{ user }}"
+  gather_facts: false
+  tasks:
+    - name: Copy bpf skeleton to centos builder
+      ansible.builtin.copy:
+        src: "/tmp/bpf_probe.skel.h"
+        dest: "/tmp"
+        mode: '0755'
+
+    - name: Create cmake output dir
+      ansible.builtin.file:
+        path: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/build"
+        state: directory
+        mode: "0755"
+      register: cmake_result
+
+    - name: Prepare cmake for repository
+      ansible.builtin.shell:
+        cmd: |
+             source /opt/rh/devtoolset-9/enable &&
+             cmake \
+             -DCMAKE_BUILD_TYPE=Release \
+             -DBUILD_LIBSCAP_MODERN_BPF=ON \
+             -DMODERN_BPF_SKEL_DIR=/tmp \
+             -DBUILD_DRIVER=Off \
+             -DBUILD_BPF=Off \
+             -DBUILD_LIBSCAP_GVISOR=OFF \
+             -DCREATE_TEST_TARGETS=Off \
+             ..
+        chdir: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/build"
+      changed_when: false
+      register: cmake_result
+
+    - name: Build scap-open with modern probe
+      ansible.builtin.shell:
+        cmd: source /opt/rh/devtoolset-9/enable && make scap-open -j {{ cpus }}
+        chdir: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/build"
+      changed_when: false
+      register: cmake_result
+
+    - name: Fetch the scap-open binary
+      ansible.builtin.fetch:
+        src: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/build/libscap/examples/01-open/scap-open"
+        dest: "/tmp/"
+        flat: true
+
+- name: Play that distributes scap-open binary to VMs
+  hosts: "machines"
+  remote_user: "{{ user }}"
+  gather_facts: false
+  tasks:
+    - name: Copy scap-open binary to all VMs
+      ansible.builtin.copy:
+        src: "/tmp/scap-open"
+        dest: "/tmp"
+        mode: '0755'
+      become: false
diff --git a/ansible-playbooks/build-skeleton.yml b/ansible-playbooks/build-skeleton.yml
@@ -0,0 +1,39 @@
+# Playbook used to build modern bpf skeleton.
+
+- name: Build bpf skeleton on designated builder VM
+  hosts: "fedora-builder"
+  remote_user: "{{ user }}"
+  gather_facts: false
+  tasks:
+    - name: Create cmake output dir
+      ansible.builtin.file:
+        path: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/skeleton-build"
+        state: directory
+        mode: "0755"
+      register: cmake_result
+
+    - name: Prepare cmake for repository
+      ansible.builtin.command:
+        cmd: >
+             cmake
+             -DUSE_BUNDLED_DEPS=ON
+             -DBUILD_LIBSCAP_MODERN_BPF=ON
+             -DBUILD_LIBSCAP_GVISOR=OFF
+             -DCREATE_TEST_TARGETS=OFF
+             ..
+        chdir: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/skeleton-build"
+      changed_when: false
+      register: cmake_result
+
+    - name: Build skeleton
+      ansible.builtin.command:
+        cmd: make ProbeSkeleton -j {{ cpus }}
+        chdir: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/skeleton-build"
+      changed_when: false
+      register: cmake_result
+
+    - name: Fetch the skeleton file
+      ansible.builtin.fetch:
+        src: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/skeleton-build/skel_dir/bpf_probe.skel.h"
+        dest: /tmp/
+        flat: true
diff --git a/ansible-playbooks/drivers-test.yml b/ansible-playbooks/drivers-test.yml
@@ -0,0 +1,45 @@
+# Playbook used to run drivers_test role.
+# Check the role for more information
+
+- name: Include build-skeleton playbook
+  import_playbook: build-skeleton.yml
+- name: Include build-scap-open playbook
+  import_playbook: build-scap-open.yml
+
+# We need this since every VM is going to build its own drivers_test binary,
+# because drivers_test is very tied to the kernel we are running on
+# and must be built on each VM.
+# To eventually (where supported) build drivers_test with modern_bpf support enabled,
+# we need to pass the modern probe skeleton to each VM.
+- name: Play that distributes modern bpf skeleton to VMs
+  hosts: "machines"
+  remote_user: "{{ user }}"
+  gather_facts: false
+  tasks:
+    - name: Copy bpf_probe.skel.h to all VMs
+      ansible.builtin.copy:
+        src: "/tmp/bpf_probe.skel.h"
+        dest: "/tmp"
+        mode: '0755'
+      become: false
+
+- name: Play that builds and runs drivers tests using drivers_test binary
+  hosts: "machines"
+  gather_facts: true
+  remote_user: "{{ user }}"
+  become: true
+  serial: 30
+  roles:
+    - drivers_test
+
+- name: Remove artifacts from localhost
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Remove artifacs
+      ansible.builtin.file:
+        path: "./roles/drivers_test/files/"
+        state: absent
+      with_items:
+        - "/tmp/scap-open"
+        - "/tmp/bpf_probe.skel.h"
diff --git a/ansible-playbooks/roles/drivers_test/tasks/main.yml b/ansible-playbooks/roles/drivers_test/tasks/main.yml
@@ -0,0 +1,217 @@
+---
+# tasks file for drivers_test
+- name: Setting output directory for results
+  ansible.builtin.set_fact:
+    output_dest_dir: "{{ output_dir }}/drivers-test-test/{{ inventory_hostname }}"
+
+- name: Create output directory on localhost
+  become: false
+  delegate_to: localhost
+  block:
+    - name: Create output directory if it does not exist ({{ output_dir }})
+      ansible.builtin.file:
+        path: "{{ output_dest_dir }}"
+        state: directory
+        mode: '0755'
+
+- name: Check Modern Bpf Support
+  block:
+    - name: Check modern-bpf support
+      ansible.builtin.command:
+        cmd: /tmp/scap-open --num_events 0 --modern_bpf
+      register: result
+      changed_when: false
+  rescue:
+    - name: Disable Modern Bpf support
+      ansible.builtin.set_fact:
+        modern_bpf_supported: false
+      when: result.rc == 95
+
+- name: Check Old Bpf Support
+  block:
+    - name: Enable old Bpf support
+      ansible.builtin.set_fact:
+        bpf_supported: true
+      when: ansible_kernel is version(bpf_minimum_kver[ansible_architecture],'>=')
+
+- name: Prepare the build directory
+  block:
+    - name: Create cmake output dir
+      ansible.builtin.file:
+        path: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/build"
+        state: directory
+        mode: "0766"
+      register: cmake_result
+
+    - name: Prepare cmake for repository
+      ansible.builtin.command:
+        cmd: >
+             cmake
+             -DUSE_BUNDLED_DEPS=ON
+             -DBUILD_LIBSCAP_MODERN_BPF={{ modern_bpf_supported }}
+             -DMODERN_BPF_SKEL_DIR=/tmp
+             -DBUILD_LIBSCAP_GVISOR=OFF
+             -DBUILD_BPF={{ bpf_supported }}
+             -DENABLE_DRIVERS_TESTS=On
+             -DCREATE_TEST_TARGETS=On
+             -DENABLE_IA32_TESTS=Off
+             -DSCAP_FILES_SUITE_ENABLE=Off
+             ..
+        chdir: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/build"
+      changed_when: false
+      register: cmake_result
+  rescue:
+    - name: Print error message to stdout --- build directory
+      ansible.builtin.debug:
+        var: cmake_result
+  always:
+    - name: Dump error message to file
+      ansible.builtin.copy:
+        content: "{{ cmake_result | to_nice_json }}"
+        dest: "{{ output_dest_dir }}/cmake-configure.json"
+        mode: '0755'
+      delegate_to: localhost
+      become: false
+
+- name: Build drivers_test binary
+  block:
+    - name: Build drivers_test
+      ansible.builtin.command:
+        cmd: make drivers_test -j {{ cpus }}
+        chdir: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/build"
+      register: dt_result
+      changed_when: false
+  rescue:
+    - name: Print error message to stdout --- drivers_test
+      ansible.builtin.debug:
+        var: dt_result
+  always:
+    - name: Dump error message to file
+      ansible.builtin.copy:
+        content: "{{ dt_result | to_nice_json }}"
+        dest: "{{ output_dest_dir }}/drivers_test_build.json"
+        mode: '0755'
+      delegate_to: localhost
+      become: false
+
+- name: Build and load the kernel module
+  block:
+    - name: Unload the kernel module
+      ansible.builtin.command:
+        cmd: rmmod driver/scap.ko
+        chdir: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/build"
+      failed_when: false
+      changed_when: false
+
+    - name: Build kmod
+      ansible.builtin.command:
+        cmd: make driver -j {{ cpus }}
+        chdir: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/build"
+      register: km_result
+      changed_when: false
+
+    - name: Load the kernel module
+      ansible.builtin.command:
+        cmd: insmod driver/scap.ko
+        chdir: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/build"
+      register: km_result
+      changed_when: false
+  rescue:
+    - name: Print error message to stdout --- kernel module
+      ansible.builtin.debug:
+        var: km_result
+  always:
+    - name: Dump error message to file
+      ansible.builtin.copy:
+        content: "{{ km_result | to_nice_json }}"
+        dest: "{{ output_dest_dir }}/kmod_build.json"
+        mode: '0755'
+      delegate_to: localhost
+      become: false
+
+- name: drivers_test + kernel module
+  block:
+    - name: Run drivers_test with kernel module
+      ansible.builtin.command:
+        cmd: ./test/drivers/drivers_test -k
+        chdir: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/build"
+      register: result
+      changed_when: false
+  rescue:
+    - name: Print error message to stdout -- drivers_test + kernel module
+      ansible.builtin.debug:
+        var: result
+  always:
+    - name: Dump error message to file
+      ansible.builtin.copy:
+        content: "{{ result | to_nice_json }}"
+        dest: "{{ output_dest_dir }}/kmod_drivers_test.json"
+        mode: '0755'
+      delegate_to: localhost
+      become: false
+
+- name: Build bpf probe
+  block:
+    - name: Build bpf probe
+      ansible.builtin.command:
+        cmd: make bpf -j {{ cpus }}
+        chdir: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/build"
+      register: bpf_probe_result
+      when: bpf_supported
+      changed_when: false
+  rescue:
+    - name: Print error message to stdout --- build bpf probe
+      ansible.builtin.debug:
+        var: bpf_probe_result
+  always:
+    - name: Dump error message to file
+      ansible.builtin.copy:
+        content: "{{ bpf_probe_result | to_nice_json }}"
+        dest: "{{ output_dest_dir }}/bpf-probe_build.json"
+        mode: '0755'
+      delegate_to: localhost
+      become: false
+
+- name: drivers_test + bpf probe
+  block:
+    - name: Run drivers_test with bpf probe
+      ansible.builtin.command:
+        cmd: ./test/drivers/drivers_test -b driver/bpf/probe.o
+        chdir: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/build"
+      register: result
+      when: bpf_supported
+      changed_when: false
+  rescue:
+    - name: Print error message to stdout --- drivers_test + bpf probe
+      ansible.builtin.debug:
+        var: result
+  always:
+    - name: Dump error message to file
+      ansible.builtin.copy:
+        content: "{{ result | to_nice_json }}"
+        dest: "{{ output_dest_dir }}/bpf-probe_drivers_test.json"
+        mode: '0755'
+      delegate_to: localhost
+      become: false
+
+- name: drivers_test + modern probe
+  block:
+    - name: Run drivers_test with modern-probe
+      ansible.builtin.command:
+        cmd: ./test/drivers/drivers_test -m
+        chdir: "{{ remote_repos_folder }}/repos/{{ repos['libs'].name }}/build"
+      register: result
+      when: modern_bpf_supported
+      changed_when: false
+  rescue:
+    - name: Print error message to stdout --- drivers_test + modern probe
+      ansible.builtin.debug:
+        var: result
+  always:
+    - name: Dump error message to file
+      ansible.builtin.copy:
+        content: "{{ result | to_nice_json }}"
+        dest: "{{ output_dest_dir }}/modern-bpf_drivers_test.json"
+        mode: '0755'
+      delegate_to: localhost
+      become: false
diff --git a/ansible-playbooks/roles/drivers_test/vars/main.yml b/ansible-playbooks/roles/drivers_test/vars/main.yml
@@ -0,0 +1,6 @@
+---
+modern_bpf_supported: true
+bpf_supported: false
+bpf_minimum_kver:
+  aarch64: '4.17'
+  x86_64: '4.14'