Name:           execopen-tracer
Version:        1.0.0
Release:        3%{?dist}
Summary:        eBPF Process and File Monitoring Tool

License:        Apache-2.0
URL:            https://github.com/imcleod/execopen
Source0:        execopen-%{version}.tar.gz

BuildRequires:  clang >= 10.0.0
BuildRequires:  llvm >= 10.0.0
BuildRequires:  libbpf-devel >= 0.7.0
BuildRequires:  bpftool
BuildRequires:  systemd-devel
BuildRequires:  kernel-headers
BuildRequires:  elfutils-libelf-devel
BuildRequires:  zlib-devel
BuildRequires:  make
BuildRequires:  gcc
BuildRequires:  kernel-automotive-devel

Requires:       libbpf >= 0.7.0
Requires:       systemd
Requires:       kernel >= 4.15.0

# Kernel version and header detection
%{!?kernel_version: %define kernel_version %(ls -1 /usr/src/kernels 2>/dev/null | head -1)}
%{!?kernel_header: %define kernel_header %(if [ -n "%{kernel_version}" ] && [ -f "/usr/src/kernels/%{kernel_version}/vmlinux.h" ]; then echo "/usr/src/kernels/%{kernel_version}/vmlinux.h"; fi)}

%description
execopen is a high-performance eBPF-based system monitoring tool that traces 
process execution (execve) and file access (openat) events across the entire 
Linux system with advanced file descriptor tracking and path resolution.

Features:
- Process Execution Tracking: Traces all execve and scheduler exec events
- File Access Monitoring: Comprehensive openat syscall tracing
- Advanced File Descriptor Management: Hash table-based FD tracking
- Path Resolution: Resolves relative paths using directory file descriptors
- Real-time Output: Live event streaming with microsecond timestamps
- Performance Optimized: Ring buffer communication and minimal overhead

This RPM was compiled with the headers for the following kernel version:

%{kernel_version}

It will likely work with other closely related versions. However, if you get
bogus output or errors, try recompiling the RPM on a system with the correct
"-devel" kernel package.

%prep
%autosetup -n execopen

# Copy kernel header file if detected
%if "%{?kernel_header}" != ""
cp "%{kernel_header}" .
%endif

%build
make %{?_smp_mflags}

%install
make install DESTDIR=%{buildroot}

%post
%systemd_post execopen.service

%preun
%systemd_preun execopen.service

%postun
%systemd_postun_with_restart execopen.service

# Trigger dracut regeneration when the dracut module is installed/updated
%transfiletriggerin -- /usr/lib/dracut/modules.d
dracut -f 2>/dev/null || :

%files
%license LICENSE
%doc README.md
%{_bindir}/execopen
%{_unitdir}/execopen.service
%{_prefix}/lib/dracut/modules.d/99execopen/

%changelog
* Wed Aug 20 2025 Ian McLeod <imcleod@redhat.com> - 1.0.0-1
- Initial RPM package for execopen-tracer
- eBPF-based process and file monitoring tool
- Includes systemd service and dracut module