fPIE error when running

[skandbug]

Thank you team for providing such a great tool.
I need help in using it.
I put the tracee-aarch64.v0.13.1.tar.gz binary file in the Android emulator and unpacked it and ran it with the following error:

"./dist/tracee": error: Android 5.0 and later only support position-independent executables (-fPIE).

How can I use it in aarch64 architecture platforms (e.g, Android).

[rafaeldtinoco]

@yanivagman looks like Android >= 5, because of security reasons, only support PIE executables. Probably to randomize location of executable code (together with ASLR and DEP, sandboxing, etc.). While we don't directly support Android, I think we can compile artifacts as PIE binaries, right?

I'm converting this as issue. @skandbug for now I believe you will have to compile tracee yourself you can check the building documentation and let us know if you have any doubts (you can always export CFLAGS="-fPIE" during compilation time.

[yanivagman]

Please use the statically compiled binary (or compile one yourself). Anyway for Android you have to use it and not link dynamically (Android has it's own libc and loader implementation which is not compatible with Tracee).

[skandbug]

Yes, I ran the binary of aarch64 released by your team in Android and reported the following error.
./dist/tracee": error: Android 5.0 and later only support position-independent executables (-fPIE).
So, I think we should add the fPIE parameter and then recompile it.
https://aquasecurity.github.io/tracee/v0.14/contributing/building/building/

If compiled on ubuntu22.04 of aarch64, can the resulting binary be run on Android?

[yanivagman]

I think the artifact with have for aarch64 is not statically linked, and this is why you get this error - so you will have to compile on your own to make it work.
BTW, do you plan to run it on a real Android device or an Android emulator? If the latter, you should use the x86 binary and not the aarch64 binary.

[skandbug]

The simulator provided by GOOGLE uses qemu in Docker (running on X86) for instruction conversion (aarch64 after conversion, kernel 5.4). So to run in the simulator, I'm using the Tracee-aarch binary. just get the error:
./dist/tracee": error: Android 5.0 and later only support position-independent executables (-fPIE).

I also tried to compile Tracee in ARM64 (VPS) according to the documentation you provided. The goal was to get the compiled binary file after adding the fPIE parameter, but it was unsuccessful.

At present, your team has advanced development technology and a ready-made compilation environment. Do you want to complete a new round of compilation after adding the fPIE parameter, and release a Tracee version that can run on Android (just add fPIE in the current environment and then compile again)?

We will be very grateful.

[yanivagman]

fPIE is not what you need in order to run on an Android device.
You need to statically link Tracee, which should be enough to run it on Android (you already seen that using the static binary you can make tracee-ebpf to work on Android).

[rafaeldtinoco]

If you use the "tracee-make" environment in any arm64 you should be able to generate a static binary that could run in android I suppose.

Instructions:

Apply this patch:

diff --git a/Makefile b/Makefile
index ac864283..2021184c 100644
--- a/Makefile
+++ b/Makefile
@@ -436,8 +436,11 @@ $(OUTPUT_DIR)/tracee: \
        $(MAKE) btfhub
        $(GO_ENV_EBPF) $(CMD_GO) build \
                -tags $(GO_TAGS_EBPF) \
-               -ldflags="$(GO_DEBUG_FLAG) \
-                       -extldflags \"$(CGO_EXT_LDFLAGS_EBPF)\" \
+               -buildmode=pie \
+               -ldflags=" \
+                   $(GO_DEBUG_FLAG) \
+                   -linkmode external \
+                       -extldflags \"-static-pie $(CGO_EXT_LDFLAGS_EBPF)\" \
                        -X github.com/aquasecurity/tracee/cmd/tracee/cmd.version=\"$(VERSION)\" \
                        " \
                -v -o $@ \
@@ -468,8 +471,11 @@ $(OUTPUT_DIR)/tracee-ebpf: \
        $(MAKE) btfhub
        $(GO_ENV_EBPF) $(CMD_GO) build \
                -tags $(GO_TAGS_EBPF) \
-               -ldflags="$(GO_DEBUG_FLAG) \
-                       -extldflags \"$(CGO_EXT_LDFLAGS_EBPF)\" \
+               -buildmode=pie \
+               -ldflags=" \
+                   $(GO_DEBUG_FLAG) \
+                   -linkmode external \
+                       -extldflags \"-static-pie $(CGO_EXT_LDFLAGS_EBPF)\" \
                        -X main.version=\"$(VERSION)\" \
                        " \
                -v -o $@ \

and

$ make -f builder/Makefile.tracee-make alpine-prepare
$ STATIC=1 make -f builder/Makefile.tracee-make alpine-make ARG="tracee tracee-ebpf"
$ file ./dist/tracee
./dist/tracee: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), static-pie linked, BuildID[sha1]=5fe67c1831bd2bf6ef325c12d03fe046786ed817, with debug_info, not stripped

And you should have your fPIE binary inside ./dist/ directory (tracee-ebpf and tracee binaries).

NOTE: tracee-ebpf is the introspection tool only (you should use it with tracee-rules) AND "tracee" is the single binary experience (where signature triggers are events). Problem using STATIC is that, for the default signatures usage, you have to be able to load shared libraries (signatures come as a shared library through file builtin.so). So, by using STATIC builds, you will be only able to use either tracee-ebpf alone OR tracee binary as an introspection tool (to observe events) only.
By using tracee binary you will observe errors trying to load the signatures plugin:

{"level":"error","ts":1683533825.1982257,"msg":"Opening plugin /home/rafaeldtinoco/work/ebpf/tracee-libbpfgo/dist/signatures/builtin.so: plugin.Open(\"/home/rafaeldtinoco/work/ebpf/tracee-libbpfgo/dist/signatures/builtin.so\"): Dynamic loading not supported"}
{"level":"error","ts":1683533825.1982696,"msg":"Walking dir","error":"plugin.Open(\"/home/rafaeldtinoco/work/ebpf/tracee-libbpfgo/dist/signatures/builtin.so\"): Dynamic loading not supported"}

Let me know if that works for you. I can't guarantee we will make that change anytime soon (as we need to check implications).

[skandbug]

The trace-ebpf compiled after applying the first patch (index ac864283..2021184c 100644) cannot run on Android. operation result:

[skandbug]

If it is convenient for you, you can log in to the VPS to have a look (Ubuntu22.04 Arm64), where /home/env-install/tracee-main is the working directory.

[skandbug]

VPS information has sent your Email.

[yanivagman]

Unfortunately, we don't officially support the Android platform right now (although we do support ARM64 architecture), and don't have the capacity to test things on this platform. Any help from the community on that is welcome.

[skandbug]

Thank you and your team for your all-out support.