mount tracefs path if it's not mounted

Some kernels or systems may not have tracefs mounted or available
by default.

We need the path /sys/kernel/tracing to be mounted, in order to add
syscalls ebpf probes.

So from now on we'll try to mount /sys/kernel/tracing if it's not
already mounted.

-check-requirements parameter updated to check if this option is
available.

Closes #1450.

Author: gustavo-iniguez-goya

daemon/core/system.go

@@ -28,6 +28,23 @@ func GetKernelVersion() string {
 	return strings.Replace(string(version), "\n", "", -1)
 }
 
+// GetMounts returns the mounts of the system
+func GetMounts() []string {
+	buf, _ := ioutil.ReadFile("/proc/mounts")
+	return strings.Split(string(buf), "\n")
+}
+
+// HasTraceFS returns if tracefs is mounted
+func IsTraceFSMounted() bool {
+	for _, line := range GetMounts() {
+		if strings.Contains(line, "tracefs") {
+			return true
+		}
+	}
+
+	return false
+}
+
 // CheckSysRequirements checks system features we need to work properly
 func CheckSysRequirements() {
 	type checksT struct {
@@ -109,17 +126,19 @@ func CheckSysRequirements() {
         "Regexps": [
             "CONFIG_FTRACE=y"
             ],
-        "Reason": " - CONFIG_TRACE=y not set. Common error => Error while loading kprobes: invalid argument."
+        "Reason": " - CONFIG_FTRACE=y not set. Common error => Error while loading kprobes: invalid argument."
     }
 },
 {
     "Item": "syscalls",
     "Checks": {
         "Regexps": [
             "CONFIG_HAVE_SYSCALL_TRACEPOINTS=y",
-            "CONFIG_FTRACE_SYSCALLS=y"
+            "CONFIG_FTRACE_SYSCALLS=y",
+			"CONFIG_TRACING=[my]",
+			"CONFIG_EVENT_TRACING=[my]"
             ],
-        "Reason": " - CONFIG_FTRACE_SYSCALLS or CONFIG_HAVE_SYSCALL_TRACEPOINTS not set. Common error => error enabling tracepoint tracepoint/syscalls/sys_enter_execve: cannot read tracepoint id"
+        "Reason": " - CONFIG_FTRACE_SYSCALLS, CONFIG_HAVE_SYSCALL_TRACEPOINTS, CONFIG_TRACE or CONFIG_EVENT_TRACING not set. Common error => error enabling tracepoint tracepoint/syscalls/sys_enter_execve: cannot read tracepoint id"
     }
 },
 {
@@ -193,6 +212,14 @@ func CheckSysRequirements() {
 			fmt.Println()
 		}
 	}
+
+	if IsTraceFSMounted() {
+		fmt.Printf("\t* %s\t %s\n\n", log.Bold(log.Green("tracefs mount")), log.Bold(log.Green("✔")))
+	} else {
+		reqsFullfiled = false
+		fmt.Printf("\t* %s\t %s\n\n", log.Bold(log.Red("tracefs mount not found, needed for syscalls (mount -t tracefs none /sys/kernel/tracing/)")), log.Bold(log.Red("✘")))
+	}
+
 	if !reqsFullfiled {
 		log.Raw("\n%sWARNING:%s Your kernel doesn't support some of the features OpenSnitch needs:\nRead more: https://github.com/evilsocket/opensnitch/issues/774\n", log.FG_WHITE+log.BG_YELLOW, log.RESET)
 	}

daemon/procmon/ebpf/events.go

@@ -87,6 +87,12 @@ type eventsDefsT struct {
 }
 
 func initEventsStreamer() *Error {
+	if !core.IsTraceFSMounted() {
+		if err := mountTraceFS(); err != nil {
+			return &Error{err, EventsNotAvailable}
+		}
+	}
+
 	eventsColl, err := core.LoadEbpfModule("opensnitch-procs.o", ebpfCfg.ModulesPath)
 	if err != nil {
 		return &Error{err, EventsNotAvailable}

daemon/procmon/ebpf/utils.go

@@ -26,12 +26,12 @@ func determineHostByteOrder() {
 	lock.Unlock()
 }
 
-func mountDebugFS() error {
-	debugfsPath := "/sys/kernel/debug/"
-	kprobesPath := fmt.Sprint(debugfsPath, "tracing/kprobe_events")
+func mountTraceFS() error {
+	tracefsPath := "/sys/kernel/tracing/"
+	kprobesPath := fmt.Sprint(tracefsPath, "kprobe_events")
 	if core.Exists(kprobesPath) == false {
-		if _, err := core.Exec("mount", []string{"-t", "debugfs", "none", debugfsPath}); err != nil {
-			log.Warning("eBPF debugfs error: %s", err)
+		if _, err := core.Exec("mount", []string{"-t", "tracefs", "none", tracefsPath}); err != nil {
+			log.Warning("eBPF tracefs error: %s", err)
 			return fmt.Errorf(`%s
 Unable to access debugfs filesystem, needed for eBPF to work, likely caused by a hardened or customized kernel.
 Change process monitor method to 'proc' to stop receiving this alert