Name:           execopen-tracer
Version:        1.4.0
Release:        1%{?dist}
Summary:        eBPF Process and File Monitoring Tool

License:        Apache-2.0
URL:            https://gitlab.com/imcleod1/execopen
Source0:        execopen-tracer-%{version}.tar.gz

BuildRequires:  clang >= 10.0.0
BuildRequires:  llvm >= 10.0.0
BuildRequires:  libbpf-devel >= 0.7.0
BuildRequires:  libbpf-static >= 0.7.0
BuildRequires:  bpftool
BuildRequires:  systemd-devel
BuildRequires:  systemd-rpm-macros
BuildRequires:  %{?kernel_devel_pkg}%{!?kernel_devel_pkg:kernel-devel}
BuildRequires:  elfutils-libelf-devel
BuildRequires:  zlib-devel
BuildRequires:  make
BuildRequires:  gcc

%{?systemd_requires}
Requires:       kernel >= 4.15.0
# generate-execopen-report.py needs a Python 3 interpreter.
# This tag belongs in the preamble: inside %%description it is only text.
Requires:       python3

%description
execopen-tracer provides tools for monitoring and analyzing system activity
through runtime tracing and process inspection.

execopen - Runtime Activity Tracer:
Uses eBPF to trace all process execution and file access across the system in
real-time. Captures execve/execveat syscalls, scheduler exec events, and
openat/openat2 file operations with full path resolution. Buffers output in
memory and dumps to /run/execopen-tracer/ on SIGTERM, making it suitable for
boot-time tracing scenarios. Can run as an init replacement to capture system
initialization. Includes statistics tracking to detect dropped events.

procmap - Process and File Inspector:
Enumerates all running userspace processes and their memory-mapped files by
reading /proc/PID/map_files. Outputs process information (PID, PPID, command)
and associated files in JSON format or as a plain file list. Supports flexible
filtering to exclude processes by name, process trees, or parent processes.
Useful for determining what files and libraries are actively in use on a
running system for dependency analysis, compliance audits, or backup planning.

Integration Features:
- Dracut module for automatic inclusion in initramfs
- Init replacement capability for boot-time system tracing
- Systemd service units for runtime operation
- Helper scripts for trace collection and analysis

The eBPF program is built using BTF from the running kernel or from
kernel-headers. It will likely work with other closely related kernel
versions. If you get bogus output or errors, try recompiling the RPM on a
system with the correct kernel-devel package.

%prep
%autosetup -n execopen-tracer-%{version}

# Generate vmlinux.h from installed kernel-devel if not already present.
# Supports both pre-generated vmlinux.h (Fedora) and vmlinux ELF with BTF (RHEL/AutoSD).
if [ ! -f vmlinux.h ]; then
    KVER=$(ls -1 /usr/src/kernels 2>/dev/null | head -1)
    if [ -n "$KVER" ]; then
        if [ -f "/usr/src/kernels/$KVER/vmlinux.h" ]; then
            cp "/usr/src/kernels/$KVER/vmlinux.h" .
        elif [ -f "/usr/src/kernels/$KVER/vmlinux" ]; then
            bpftool btf dump file "/usr/src/kernels/$KVER/vmlinux" format c > vmlinux.h
        fi
    fi
fi

%build
make %{?_smp_mflags}

%install
make install DESTDIR=%{buildroot}

%post
%systemd_post execopen.service

%preun
%systemd_preun execopen.service

%postun
%systemd_postun_with_restart execopen.service

# Trigger dracut regeneration when the dracut module is installed/updated
%transfiletriggerin -- /usr/lib/dracut/modules.d
dracut -f 2>/dev/null || :

%files
%license LICENSE
%doc README.md
%{_bindir}/execopen
%{_bindir}/procmap
%dir %{_libexecdir}/execopen-tracer
%{_libexecdir}/execopen-tracer/kill-tracer.sh
%{_libexecdir}/execopen-tracer/execopen-init.sh
%{_libexecdir}/execopen-tracer/execopen-chroot-signal.sh
%{_unitdir}/execopen.service
%{_unitdir}/kill-tracer.service
%{_unitdir}/execopen-enable-sshd.service
%{_prefix}/lib/tmpfiles.d/execopen-tracer.conf
%{_prefix}/lib/dracut/modules.d/99execopen/
%{_bindir}/generate-execopen-report.py

%changelog
* Wed May 13 2026 Juanje Ojeda - 1.4.0-1
- Reliable boot tracing: mount /run tmpfs, /proc fallback for PID discovery
- Async-signal-safe chroot: deferred to main loop with error logging
- Merge execopen-report into main package; fix grep binary file match
- Copy all artifacts to TMT plan data for offline analysis

* Mon May 11 2026 Juanje Ojeda - 1.3.0-1
- FHS runtime paths (/run, /var/log, /var/lib), tmpfiles.d, systemd pre-create
- Static libbpf in binary; libbpf-static build dep; drop runtime libbpf Requires
- Cross-kernel RPM/build: KVER and kernel_devel_pkg macro; vmlinux.h from kernel-devel
- x86_64 support for openat kretprobes (__x64_sys_*)

* Fri Mar 6 2026 Juanje Ojeda - 1.2.0-1
- Refactor
- Add testing
- Fix minor bugs

* Fri Nov 21 2025 Ian McLeod - 1.1.0-1
- Rework to log to memory and then disk
- Add scripts and examples of an image that traces and then shuts down

* Wed Aug 20 2025 Ian McLeod - 1.0.0-1
- Initial RPM package for execopen-tracer
- eBPF-based process and file monitoring tool
- Includes systemd service and dracut module