diff --git a/sdjournal-build-fix-for-SLE12.patch b/sdjournal-build-fix-for-SLE12.patch
new file mode 100644
index 0000000..c9e12a9
--- /dev/null
+++ b/sdjournal-build-fix-for-SLE12.patch
@@ -0,0 +1,18 @@
+From: Jeff Mahoney
+Subject: third_party/sdjournal: remove enums missing on SLE-12
+
+The version of systemd on SLE-12 is older and doesn't have these enums. We
+don't use them, so it's safe to remove them.
+
+--- a/third_party/sdjournal/journal_linux.go
++++ b/third_party/sdjournal/journal_linux.go
+@@ -380,9 +380,6 @@ const (
+ SD_JOURNAL_RUNTIME_ONLY = int(C.SD_JOURNAL_RUNTIME_ONLY)
+ SD_JOURNAL_SYSTEM = int(C.SD_JOURNAL_SYSTEM)
+ SD_JOURNAL_CURRENT_USER = int(C.SD_JOURNAL_CURRENT_USER)
+- SD_JOURNAL_OS_ROOT = int(C.SD_JOURNAL_OS_ROOT)
+- SD_JOURNAL_ALL_NAMESPACES = int(C.SD_JOURNAL_ALL_NAMESPACES)
+- SD_JOURNAL_INCLUDE_DEFAULT_NAMESPACE = int(C.SD_JOURNAL_INCLUDE_DEFAULT_NAMESPACE)
+ )
+
+ // Journal event constants
diff --git a/velociraptor-client.changes b/velociraptor-client.changes
index 88eab43..1dfdd75 100644
--- a/velociraptor-client.changes
+++ b/velociraptor-client.changes
@@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Sat Jan 21 04:07:38 UTC 2023 - Jeff Mahoney
+
+- Fixed release detection to include Tumblweed
+
+-------------------------------------------------------------------
+Sat Jan 21 02:20:07 UTC 2023 - Jeff Mahoney
+
+- Increase required release to enable eBPF to SLE 15 SP2 and
+ openSUSE Leap 15.2. Earlier versions don't have a usable eBPF
+ and can't easily build llvm13.
+
+-------------------------------------------------------------------
+Sat Jan 21 01:44:59 UTC 2023 - Jeff Mahoney
+
+- Remove dependency on bpftool. We use the vmlinux.h archive
+ to provide vmlinux.h.
+
+-------------------------------------------------------------------
+Fri Jan 20 20:18:49 UTC 2023 - Jeff Mahoney
+
+- Restored %defattr due to SLE12 using rpm-4.11.
+- Fix builds in vendor code on SLE12
+- Fix build in third_party/sdjournal due to older systemd on SLE12
+- Added patches:
+ - vendor-build-fixes-for-SLE12.patch
+ - sdjournal-build-fix-for-SLE12.patch
+
+-------------------------------------------------------------------
+Fri Jan 20 16:37:17 UTC 2023 - Dirk Müller
+
+- add memory limit to systemd unit
+
+---------------------------------------------------------------------
+Fri Jan 20 16:37:17 UTC 2023 - Dirk Müller
+
+- add memory limit to systemd unit
+
 ---------------------------------------------------------------------
 Thu Jan 19 15:17:22 UTC 2023 - Jeff Mahoney
diff --git a/velociraptor-client.service b/velociraptor-client.service
index 77a0e2b..358b8c4 100644
--- a/velociraptor-client.service
+++ b/velociraptor-client.service
@@ -6,6 +6,8 @@ Type=simple
 User=root
 Group=root
 UMask=0027
+MemoryHigh=4G
+MemoryMax=8G
 EnvironmentFile=-/etc/sysconfig/velociraptor-client
 ExecStart=/usr/bin/velociraptor client --config /etc/velociraptor/client.config $VELOCIRAPTOR_CLIENT_OPTS
diff --git a/velociraptor-client.spec b/velociraptor-client.spec
index 020b339..9a1a9e1 100644
--- a/velociraptor-client.spec
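Review bot: `MemoryHigh=4G`/`MemoryMax=8G` mean that a leak or an unusually large collection now ends in the kernel killing the endpoint agent once the hard cap is reached, and this hunk shows no `Restart=` directive that would bring it back; if the unit does not already set one outside the hunk, put `Restart=on-failure` next to the new limits so an OOM kill does not quietly end endpoint visibility. Both directives need systemd 231 or newer, and `MemoryHigh=` is only honoured on the unified cgroup v2 hierarchy, so on an older target such as SLE12, which this same commit adds build fixes for, they are logged as unknown and ignored rather than enforced. A comment above the two lines, e.g. `# Soft/hard memory caps: both need systemd >= 231, MemoryHigh= needs cgroup v2`, would make that explicit to whoever tunes them later, and since the unit is shipped by the package, site-specific values belong in a drop-in override rather than an edit of this file.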
+++ b/velociraptor-client.spec
@@ -1,7 +1,7 @@
 #
-# spec file for package velociraptor
+# spec file for package velociraptor-client
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -15,51 +15,66 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
+
 %define projname velociraptor
 %define vendor_version 0.6.7.4~git41.678ed56
 %define vmlinux_h_version 5.14.21150400.22-150400-default
-%if 0%{?suse_version} >= 1500
+# SLE 15 SP2 / Leap 15.2 or newer gets eBPF
+# Earlier versions don't have a usable eBPF and the
+# release doesn't easily build llvm13
+%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150200
 %bcond_without bpf
 %else
 %bcond_with bpf
 %endif
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+
+# SLE12 has _sharedstatedir in an odd place
+%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
+%define _sharedstatedir /var/lib
+%endif
+
 Name: velociraptor-client
 Version: 0.6.7.4~git53.0e85855
 Release: 0
 Summary: Endpoint visibility and collection tool (endpoint only)
-Group: System/Monitoring
+Group: System/Monitoring
 License: AGPL-3.0-only
 URL: https://github.com/Velocidex/velociraptor
 Source: %{projname}-%{version}.tar.xz
 Source1: vendor-golang-%{vendor_version}.tar.xz
 Source2: %{name}.service
 Source3: %{name}.config.placeholder
-Source4: vmlinux.h-%{vmlinux_h_version}.tar.xz
-Source5: update-vendoring.sh
-Source6: sysconfig.%{name}
+Source4: vmlinux.h-%{vmlinux_h_version}.tar.xz
+Source5: update-vendoring.sh
+Source6: sysconfig.%{name}
 Patch1: velociraptor-golang-mage-vendoring.diff
-Patch2: velociraptor-skip-git-submodule-import-for-OBS-build.patch
-BuildRequires: golang-packaging
-BuildRequires: systemd-rpm-macros
-BuildRequires: pkgconfig(libsystemd)
-BuildRequires: golang(API) >= 1.19
+Patch2: velociraptor-skip-git-submodule-import-for-OBS-build.patch
+Patch3: vendor-build-fixes-for-SLE12.patch
+Patch4: sdjournal-build-fix-for-SLE12.patch
 BuildRequires: fileb0x
+BuildRequires: golang-packaging
 BuildRequires: mage
+BuildRequires: systemd-rpm-macros
+BuildRequires: golang(API) >= 1.19
+BuildRequires: pkgconfig(libsystemd)
 %ifarch x86_64
 BuildRequires: libtsan0
 %endif
 %if %{with bpf}
 # clang15 causes libbpfo to crash immediately
 BuildRequires: clang13
+BuildRequires: libelf-devel
 BuildRequires: llvm13
-BuildRequires: bpftool
-BuildRequires: libelf-devel
-BuildRequires: zlib-devel-static
+BuildRequires: zlib-devel-static
 %endif
 Conflicts: velociraptor
-ExclusiveArch: x86_64 ppc64le aarch64 s390x
+ExclusiveArch: x86_64 ppc64le aarch64 s390x
 %description
 Velociraptor is a tool for collecting host based state information
@@ -72,7 +87,6 @@ https://docs.velociraptor.app/
 This package contains only the endpoint agent. For the full console,
 please install the 'velociraptor' package.
-
 %prep
 %setup -q -a 1 -a 4 -n %{projname}-%{version}
 %autopatch -p1
@@ -107,6 +121,7 @@ install -d -m 755 %{buildroot}%{_fillupdir}
 install -m 0644 %{SOURCE6} %{buildroot}%{_fillupdir}
 %files
+%defattr(-, root, root)
 %license LICENSE
 %doc README.md
 %dir %{_sysconfdir}/velociraptor
diff --git a/velociraptor.changes b/velociraptor.changes
index 732b49c..fd2d27f 100644
--- a/velociraptor.changes
+++ b/velociraptor.changes
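Review bot: `Patch3:`/`Patch4:` are described in the changelog as SLE12 build fixes, yet the `%prep` in the following hunk keeps `%autopatch -p1`, so the vendored CFLAGS change, the go-yara `endian.h` removal and the sdjournal constant removal are also applied on Tumbleweed and SLE15 builds whose toolchains do not need them. If that is intended, a comment above `Patch3:` should say so; otherwise replace `%autopatch -p1` with explicit `%patch -P 1 -p1`/`%patch -P 2 -p1` and apply the two new patches only under the `%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000` condition this hunk already introduces for `_sharedstatedir`. The same point applies to the velociraptor.spec hunk at `@@ -15,58 +15,73 @@`, which declares the same two patches. Separately, `%define _sharedstatedir /var/lib` redefines a global macro for the whole build while nothing in this hunk consumes it; naming the packaged path that depends on it in the `# SLE12 has _sharedstatedir in an odd place` comment would make the workaround reviewable.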
@@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Sat Jan 21 04:07:38 UTC 2023 - Jeff Mahoney
+
+- Fixed release detection to include Tumblweed
+
+-------------------------------------------------------------------
+Sat Jan 21 02:20:07 UTC 2023 - Jeff Mahoney
+
+- Increase required release to enable eBPF to SLE 15 SP2 and
+ openSUSE Leap 15.2. Earlier versions don't have a usable eBPF
+ and can't easily build llvm13.
+
+-------------------------------------------------------------------
+Sat Jan 21 01:44:59 UTC 2023 - Jeff Mahoney
+
+- Remove dependency on bpftool. We use the vmlinux.h archive
+ to provide vmlinux.h.
+
+-------------------------------------------------------------------
+Fri Jan 20 20:18:49 UTC 2023 - Jeff Mahoney
+
+- Restored %defattr due to SLE12 using rpm-4.11.
+- Fix builds in vendor code on SLE12
+- Fix build in third_party/sdjournal due to older systemd on SLE12
+- Added patches:
+ - vendor-build-fixes-for-SLE12.patch
+ - sdjournal-build-fix-for-SLE12.patch
+
 -------------------------------------------------------------------
 Thu Jan 19 15:17:22 UTC 2023 - Jeff Mahoney
diff --git a/velociraptor.spec b/velociraptor.spec
index bb28079..31d6a17 100644
--- a/velociraptor.spec
+++ b/velociraptor.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package velociraptor
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -15,58 +15,73 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
+
 %define projname velociraptor
 %define vendor_version 0.6.7.4~git41.678ed56
 %define vmlinux_h_version 5.14.21150400.22-150400-default
-%if 0%{?suse_version} >= 1500
+# SLE 15 SP2 / Leap 15.2 or newer gets eBPF
+# Earlier versions don't have a usable eBPF and the
+# release doesn't easily build llvm13
+%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150200
 %bcond_without bpf
 %else
 %bcond_with bpf
 %endif
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+
+# SLE12 has _sharedstatedir in an odd place
+%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
+%define _sharedstatedir /var/lib
+%endif
+
 Name: velociraptor
 Version: 0.6.7.4~git53.0e85855
 Release: 0
-Summary: Endpoint visibility and collection tool
-Group: System/Monitoring
+Summary: Endpoint visibility and collection tool
+Group: System/Monitoring
 License: AGPL-3.0-only
 URL: https://github.com/Velocidex/velociraptor
 Source: %{projname}-%{version}.tar.xz
-Source1: vendor-golang-%{vendor_version}.tar.xz
-Source2: vendor-golang-kafka-humio-gateway-%{vendor_version}.tar.xz
-Source3: vendor-nodejs-%{vendor_version}.tar.xz
+Source1: vendor-golang-%{vendor_version}.tar.xz
+Source2: vendor-golang-kafka-humio-gateway-%{vendor_version}.tar.xz
+Source3: vendor-nodejs-%{vendor_version}.tar.xz
 Source4: %{name}.service
 Source5: %{name}-server.config.placeholder
 Source6: %{name}-client.service
 Source7: %{name}-client.config.placeholder
-Source8: vmlinux.h-%{vmlinux_h_version}.tar.xz
-Source9: update-vendoring.sh
-Source10: sysconfig.%{name}
-Source11: sysconfig.%{name}-client
-Patch1: velociraptor-golang-mage-vendoring.diff
-Patch2: velociraptor-skip-git-submodule-import-for-OBS-build.patch
+Source8: vmlinux.h-%{vmlinux_h_version}.tar.xz
+Source9: update-vendoring.sh
+Source10: sysconfig.%{name}
+Source11: sysconfig.%{name}-client
+Patch1: velociraptor-golang-mage-vendoring.diff
+Patch2: velociraptor-skip-git-submodule-import-for-OBS-build.patch
+Patch3: vendor-build-fixes-for-SLE12.patch
+Patch4: sdjournal-build-fix-for-SLE12.patch
+BuildRequires: fileb0x
 BuildRequires: golang-packaging
+BuildRequires: mage
 BuildRequires: systemd-rpm-macros
-BuildRequires: pkgconfig(libsystemd)
 BuildRequires: golang(API) >= 1.18
-BuildRequires: fileb0x
-BuildRequires: mage
+BuildRequires: pkgconfig(libsystemd)
 %ifarch x86_64
-BuildRequires: libtsan0
+BuildRequires: libtsan0
 %endif
-BuildRequires: nodejs >= 16
-BuildRequires: npm >= 16
+BuildRequires: nodejs >= 16
+BuildRequires: npm >= 16
 %if %{with bpf}
 # clang15 causes libbpfo to crash immediately
 BuildRequires: clang13
+BuildRequires: libelf-devel
 BuildRequires: llvm13
-BuildRequires: bpftool
-BuildRequires: libelf-devel
-BuildRequires: zlib-devel-static
+BuildRequires: zlib-devel-static
 %endif
-Conflicts: velociraptor-client
-ExclusiveArch: x86_64 ppc64le aarch64 s390x
+Conflicts: velociraptor-client
+ExclusiveArch: x86_64 ppc64le aarch64 s390x
 %description
 Velociraptor is a tool for collecting host based state information
@@ -80,8 +95,8 @@ This package contains the endpoint agent and full console GUI.
 For just the endpoint agent, please install the 'velociraptor-client' package.
 %package kafka-humio-gateway
-Summary: Gateway between Kafka and Humio for Velociraptor Artifacts
-Version: 0.6.7.4~git53.0e85855
+Summary: Gateway between Kafka and Humio for Velociraptor Artifacts
+Version: 0.6.7.4~git53.0e85855
 %description kafka-humio-gateway
 This tool is used to consume events generated by the Kafka Velociraptor plugin
@@ -132,6 +147,7 @@ install -m 0644 %{SOURCE10} %{buildroot}%{_fillupdir}
 install -m 0644 %{SOURCE11} %{buildroot}%{_fillupdir}
 %files
+%defattr(-, root, root)
 %license LICENSE
 %doc README.md
 %dir %{_sysconfdir}/velociraptor
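Review bot: The `BuildRequires: golang(API) >= 1.18` kept in this hunk leaves the server spec one minor version behind the `BuildRequires: golang(API) >= 1.19` that velociraptor-client.spec now carries, although both specs build the same `%{projname}-%{version}` source from the same `vendor-golang-%{vendor_version}.tar.xz`; align both on the stricter value so the two packages cannot end up built by different Go toolchains on a target that offers both. The eBPF condition `%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150200` is correct for Tumbleweed (suse_version above 1500), Leap 15.2+ and SLE15 SP2+, but the comment above it only names `SLE 15 SP2 / Leap 15.2 or newer`; extending it to `# Tumbleweed, SLE 15 SP2 / Leap 15.2 or newer gets eBPF` would document the `suse_version` half of the test, which the changelog says was the bug being fixed.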
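Review bot: The realigned `Version: 0.6.7.4~git53.0e85855` under `%package kafka-humio-gateway` repeats the main package's literal version string instead of deriving it, so the next version bump has to be made in two places in this spec and the two can silently drift. If the subpackage is meant to track the main package, drop the line (a subpackage inherits `Version:` by default) or write `Version: %{version}`; if it is deliberately independent, a one-line comment saying so would stop the next maintainer from "fixing" it.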
@@ -148,6 +164,7 @@ install -m 0644 %{SOURCE11} %{buildroot}%{_fillupdir}
 %{_fillupdir}/sysconfig.%{name}-client
 %files kafka-humio-gateway
+%defattr(-, root, root)
 %license LICENSE
 %doc contrib/kafka-humio-gateway/README.md
 %{_bindir}/%{name}-kafka-humio-gateway
diff --git a/vendor-build-fixes-for-SLE12.patch b/vendor-build-fixes-for-SLE12.patch
new file mode 100644
index 0000000..9c35c1c
--- /dev/null
+++ b/vendor-build-fixes-for-SLE12.patch
@@ -0,0 +1,137 @@
+From: Jeff Mahoney
+Subject: vendor: build fixes for SLE-12
+
+SLE-12 uses gcc 4.8 and as a result requires definition
+of _GNU_SOURCE and -std=c99 to build properly.
+
+--- a/vendor/github.com/Velocidex/go-magic/magic/magic.go
++++ b/vendor/github.com/Velocidex/go-magic/magic/magic.go
+@@ -1,7 +1,7 @@
+ package magic
+
+ /*
+- #cgo CFLAGS: -DHAVE_CONFIG_H
++ #cgo CFLAGS: -DHAVE_CONFIG_H -std=c99 -D_GNU_SOURCE -DHAVE_STRNDUP
+ #include
+ #include
+ */
+--- a/vendor/github.com/Velocidex/go-magic/magic/regex.c
++++ b/vendor/github.com/Velocidex/go-magic/magic/regex.c
+@@ -24,8 +24,6 @@
+ #pragma alloca
+ #endif
+
+-#define _GNU_SOURCE
+-
+ /* We need this for `regex.h', and perhaps for the Emacs include files. */
+ #include
+
+--- a/vendor/github.com/Velocidex/go-yara/cgo.go
++++ b/vendor/github.com/Velocidex/go-yara/cgo.go
+@@ -6,6 +6,6 @@
+
+ package yara
+
+-// #cgo CFLAGS: -D_FILE_OFFSET_BITS=64
++// #cgo CFLAGS: -D_FILE_OFFSET_BITS=64 -std=c99 -D_GNU_SOURCE
+ // #cgo LDFLAGS:
+ import "C"
+--- a/vendor/github.com/Velocidex/go-yara/endian.h
++++ /dev/null
+@@ -1,96 +0,0 @@
+-/*
+-Copyright (c) 2016. The YARA Authors. All Rights Reserved.
+-
+-Redistribution and use in source and binary forms, with or without modification,
+-are permitted provided that the following conditions are met:
+-
+-1. Redistributions of source code must retain the above copyright notice, this
+-list of conditions and the following disclaimer.
+-
+-2. Redistributions in binary form must reproduce the above copyright notice,
+-this list of conditions and the following disclaimer in the documentation and/or
+-other materials provided with the distribution.
+-
+-3. Neither the name of the copyright holder nor the names of its contributors
+-may be used to endorse or promote products derived from this software without
+-specific prior written permission.
+-
+-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+-ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+-ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-*/
+-
+-#ifndef YR_ENDIAN_H
+-#define YR_ENDIAN_H
+-
+-#include
+-
+-#if defined(__has_builtin)
+-#if __has_builtin(__builtin_bswap16)
+-#define yr_bswap16(x) __builtin_bswap16(x)
+-#endif
+-#endif
+-
+-#if !defined(yr_bswap16) && defined(_MSC_VER)
+-#define yr_bswap16(x) _byteswap_ushort(x)
+-#endif
+-
+-#if !defined(yr_bswap16)
+-uint16_t _yr_bswap16(uint16_t x);
+-#define yr_bswap16(x) _yr_bswap16(x)
+-#endif
+-
+-#if defined(__has_builtin)
+-#if __has_builtin(__builtin_bswap32)
+-#define yr_bswap32(x) __builtin_bswap32(x)
+-#endif
+-#endif
+-
+-#if !defined(yr_bswap32) && defined(_MSC_VER)
+-#define yr_bswap32(x) _byteswap_ulong(x)
+-#endif
+-
+-#if !defined(yr_bswap32)
+-uint32_t _yr_bswap32(uint32_t x);
+-#define yr_bswap32(x) _yr_bswap32(x)
+-#endif
+-
+-#if defined(__has_builtin)
+-#if __has_builtin(__builtin_bswap64)
+-#define yr_bswap64(x) __builtin_bswap64(x)
+-#endif
+-#endif
+-
+-#if !defined(yr_bswap64) && defined(_MSC_VER)
+-#define yr_bswap64(x) _byteswap_uint64(x)
+-#endif
+-
+-#if !defined(yr_bswap64)
+-uint64_t _yr_bswap64(uint64_t x);
+-#define yr_bswap64(x) _yr_bswap64(x)
+-#endif
+-
+-#if defined(WORDS_BIGENDIAN)
+-#define yr_le16toh(x) yr_bswap16(x)
+-#define yr_le32toh(x) yr_bswap32(x)
+-#define yr_le64toh(x) yr_bswap64(x)
+-#define yr_be16toh(x) (x)
+-#define yr_be32toh(x) (x)
+-#define yr_be64toh(x) (x)
+-#else
+-#define yr_le16toh(x) (x)
+-#define yr_le32toh(x) (x)
+-#define yr_le64toh(x) (x)
+-#define yr_be16toh(x) yr_bswap16(x)
+-#define yr_be32toh(x) yr_bswap32(x)
+-#define yr_be64toh(x) yr_bswap64(x)
+-#endif
+-
+-#endif
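Review bot: The patch description only explains `-std=c99` and `_GNU_SOURCE`, but the last file section deletes the whole vendored `vendor/github.com/Velocidex/go-yara/endian.h` (96 lines) without a word on why, and the reason is not recoverable from the hunk alone; a plausible one is that cgo's implicit include path for the package directory lets this local `endian.h` shadow glibc's `<endian.h>` once `_GNU_SOURCE` pulls it in through the system headers, and that gcc 4.8 has no `__has_builtin`, so the header would fall through to the `_yr_bswap16/32/64` declarations whose definitions are not visible here, but whichever it is belongs in the description above `--- a/vendor/...`. Since the file is removed on every target the patch is applied to, the description should also state where the `yr_le*toh`/`yr_be*toh` macros come from afterwards (s390x in `ExclusiveArch` is big-endian, so this is not a no-op question). `-DHAVE_STRNDUP` in the go-magic CFLAGS is likewise undocumented; one sentence on why the vendored config.h does not already set it would help. The patch edits sources unpacked from the vendor tarball, so it will need re-basing whenever `update-vendoring.sh` regenerates it, which is worth noting next to the `Patch3:` declaration. The hunk header announces 137 lines while the visible content accounts for slightly fewer, so the new file may continue past what is shown here.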