add harpoon in pipeline

Signed-off-by: Alessio Greggi <[email protected]>

.github/workflows/tests.yaml

@@ -44,6 +44,11 @@ jobs:
         with:
           go-version: '1.22'
 
+      - name: Install iptables
+        run: |
+          sudo apt update
+          sudo apt install -y iptables
+
       - name: Build coverage-instrumented binary
         run: |
           make build-cover && sudo make -B install
@@ -91,16 +96,6 @@ jobs:
             -v ./... \
             -run TestFwdctl/version \
             -args -test.gocoverdir=/tmp/integration/
-          go test \
-            -exec sudo \
-            -cover \
-            -v ./... \
-            -run TestFwdctl/strace \
-            -args -test.gocoverdir=/tmp/integration/
-
-      - name: check files have been created
-        run: |
-          cat syscalls/*.log
 
       - name: Upload cover profiles
         uses: actions/upload-artifact@v3
@@ -113,7 +108,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [unit-test,integration-test]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
 
       - uses: actions/download-artifact@v3
         with:
@@ -133,7 +128,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: '1.20'
+          go-version: '1.22'
 
       - name: Calculate total coverage
         run: |
@@ -154,3 +149,77 @@ jobs:
           amend: true
           coverage-file: ./code-coverage
 
+  trace-unit-test:
+
+    runs-on: ubuntu-latest
+    needs: [unit-test]
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
+
+      - name: Build coverage-instrumented binary
+        run: |
+          make build-cover && sudo make -B install
+
+      - name: Set up Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # ratchet:actions/setup-go@v4
+        with:
+          go-version: '1.22'
+
+      - name: Install harpoon
+        run: |
+          curl -s https://raw.githubusercontent.com/alegrey91/harpoon/main/install | sudo sh
+
+      - name: Analyze binaries
+        run: |
+          harpoon analyze \
+            --exclude .git/ \
+            --save
+
+      - name: Trace system calls
+        run: |
+          harpoon hunt \
+            --file harpoon-report.yml \
+            --save
+
+      - name: Upload metadata from unit-tests
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # ratchet:actions/upload-artifact@v3
+        with:
+          name: unit-test
+          path: unit-test
+
+  build-seccomp-profile:
+
+    runs-on: ubuntu-latest
+    needs: [trace-unit-test]
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
+
+      - uses: actions/download-artifact@v3
+        with:
+          name: unit-test
+          path: ./unit-test
+
+#      - uses: actions/download-artifact@v3
+#        with:
+#          name: integration-test
+#          path: ./integration-test
+
+      - name: list files
+        run: |
+          ls -lah ./unit-test
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.22'
+
+      - name: Create unique directory
+        run: |
+          mkdir -p harpoon
+
+      - name: Build Seccomp Profile
+        run: |
+          harpoon build \
+            -D harpoon/ \
+            -S \
+            -n fwdctl-seccomp.json

utils.go

@@ -1,19 +1,9 @@
 package main
 
 import (
-	"bufio"
-	"bytes"
-	"fmt"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"regexp"
-	"time"
-
 	"github.com/alegrey91/fwdctl/pkg/iptables"
 	goiptables "github.com/coreos/go-iptables/iptables"
 	"github.com/rogpeppe/go-internal/testscript"
-	"github.com/u-root/u-root/pkg/strace"
 )
 
 func fwdExists(ts *testscript.TestScript, neg bool, args []string) {
@@ -49,103 +39,11 @@ func fwdExists(ts *testscript.TestScript, neg bool, args []string) {
 	}
 }
 
-func straceCmd(ts *testscript.TestScript, neg bool, args []string) {
-	if len(args) < 1 {
-		ts.Fatalf("syntax: strace needs at least one argument")
-	}
-
-	outputDir := "syscalls"
-	if err := os.MkdirAll(outputDir, 0755); err != nil {
-		ts.Fatalf("failed to create output directory: %v", err)
-	}
-
-	// Prepare the strace output file
-	timestamp := time.Now().Format("20060102-150405")
-	outputFile := filepath.Join(outputDir, fmt.Sprintf("strace-%s.log", timestamp))
-
-	// Prepare the command to execute with strace, filtering only system calls
-	tracedCmd := exec.Command(args[0], args[1:]...)
-
-	var stdoutBuf bytes.Buffer
-	tracedCmd.Stdout = &stdoutBuf
-	var stderrBuf bytes.Buffer
-	tracedCmd.Stderr = &stderrBuf
-
-	// Run the command
-	writer := new(bytes.Buffer)
-	if err := strace.Strace(tracedCmd, writer); err != nil {
-		if !neg {
-			ts.Fatalf("command failed: %v", err)
-		}
-	} else {
-		if neg {
-			ts.Fatalf("command succeeded when it should have failed")
-		}
-	}
-
-	fmt.Fprintf(ts.Stdout(), "%s", stdoutBuf.String())
-
-	syscalls, err := processStraceOutput(writer.String())
-	if err != nil {
-		ts.Fatalf("error processing strace output: %v", err)
-	}
-
-	err = writeToFile(outputFile, syscalls)
-	if err != nil {
-		ts.Fatalf("error creating file: %v", err)
-	}
-
-	ts.Logf("strace output saved to %s", outputFile)
-}
-
-func writeToFile(outputFile string, syscalls []string) error {
-	file, err := os.OpenFile(outputFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
-
-	if err != nil {
-		return fmt.Errorf("failed creating file: %s", err)
-	}
-
-	datawriter := bufio.NewWriter(file)
-
-	for _, data := range syscalls {
-		_, _ = datawriter.WriteString(data + "\n")
-	}
-	datawriter.Flush()
-	file.Close()
-	return nil
-}
-
-func processStraceOutput(straceOutput string) ([]string, error) {
-	// Regular expression to match system calls in the format "[pid xxx] E syscall("
-	re := regexp.MustCompile(`\[pid \d+\] E (\w+)\(`)
-
-	// Find all matches of the pattern in the strace output
-	matches := re.FindAllStringSubmatch(straceOutput, -1)
-
-	// Use a map to keep track of unique system calls
-	systemCalls := make(map[string]struct{})
-
-	for _, match := range matches {
-		if len(match) > 1 {
-			systemCalls[match[1]] = struct{}{}
-		}
-	}
-
-	// Convert map keys to a slice
-	var result []string
-	for call := range systemCalls {
-		result = append(result, call)
-	}
-
-	return result, nil
-}
-
 func customCommands() map[string]func(ts *testscript.TestScript, neg bool, args []string) {
 	return map[string]func(ts *testscript.TestScript, neg bool, args []string){
 
 		// fwd_exists check that the given forward exists
 		// invoke as "fwd_exists iface proto dest_port src_addr src_port"
 		"fwd_exists": fwdExists,
-		"strace":     straceCmd,
 	}
 }