Use available BPF module BTF fd & opportunistic changes #5337

Open

geyslan wants to merge 4 commits into aquasecurity:main from geyslan:use-available-btf-fd

Conversation

geyslan (Member) commented Jun 17, 2026

Close: #5330

1. Explain what the PR does

d558ef8 wip
18625bc fix(ci): skip auto-label writes for fork PRs
e0d2e44 libbpf: bump to v1.7.0 (b4fa3e39)
db29d34 fix(policy): use module BTF fd for inner maps

18625bc fix(ci): skip auto-label writes for fork PRs

Prevent auto-label CI failures caused by restricted token permissions on
fork-origin pull requests. Keep label handling best-effort without
blocking workflow execution.

This could be solved by using pull_request_target, but it's better to
continue safe.

--

e0d2e44 libbpf: bump to v1.7.0 (b4fa3e39)

https://github.com/libbpf/libbpf/releases/tag/v1.7.0
libbpf/libbpf@v1.5.1...v1.7.0

--

db29d34 fix(policy): use module BTF fd for inner maps

Avoid BTF ID lookup during inner map creation by reusing the loaded module
BTF fd, which removes dependency on BTF_GET_FD_BY_ID that would require
CAP_SYS_ADMIN on stricter paranoid levels.

--

2. Explain how to test it

3. Other comments

@geyslan geyslan requested a review from rscampos June 17, 2026 16:09
@geyslan geyslan self-assigned this Jun 17, 2026
@geyslan geyslan requested a review from a team June 17, 2026 16:09
geyslan (Member, Author) commented Jun 17, 2026

Depends on aquasecurity/libbpfgo#528

geyslan (Member, Author) commented Jun 17, 2026

@pwasiewi could you test this solution? Tks.

@geyslan geyslan requested a review from a team as a code owner June 17, 2026 21:00
@geyslan geyslan requested a review from josedonizetti June 17, 2026 21:00
geyslan added 2 commits June 17, 2026 18:14
@geyslan geyslan force-pushed the use-available-btf-fd branch from d85cd6d to d558ef8 Compare June 17, 2026 21:14
@geyslan geyslan changed the title Use available BPF module BTF fd Use available BPF module BTF fd & opportunistic changes Jun 17, 2026

rscampos (Contributor) left a comment

LGTM

Good fix @geyslan

uname -r
6.19.0-061900-generic

Without the fix and without --cap-add SYS_ADMIN. Status: got the same error reported.

docker run --rm -it \
  --name tracee-test-a \
  --pid=host --net=host \
  --cap-drop ALL \
  --cap-add SYS_RESOURCE \
  --cap-add SYS_PTRACE \
  --cap-add NET_ADMIN \
  --cap-add BPF \
  --cap-add PERFMON \
  --cap-add SETPCAP \
  --cap-add SYSLOG --cap-add SYS_ADMIN \
  --security-opt seccomp=unconfined \
  -v /sys/kernel/debug:/sys/kernel/debug:ro \
  -v /lib/modules:/lib/modules:ro \
  -v /usr/src:/usr/src:ro \
  -v /etc/os-release:/etc/os-release-host:ro \
  -v /boot/config-$(uname -r):/boot/config-$(uname -r):ro \
  tracee:latest \
  --capabilities bypass=true
...
{"level":"fatal","ts":1781898119.0729108,"msg":"Tracee runner failed","error":"cmd.Runner.Run: error initializing Tracee: ebpf.(*Tracee).Init: ebpf.(*Tracee).initBPF: ebpf.(*Tracee).populateBPFMaps: ebpf.(*Tracee).populateFilterMaps: policy.(*policies).updateBPF: policy.(*policies).createNewEventsMapVersion: policy.createNewInnerMap: could not find BTF id 245: operation not permitted"}

With the fix and without --cap-add SYS_ADMIN. Status: no error with permission.

docker run --rm -it \
  --name tracee-test-a \
  --pid=host --net=host \
  --cap-drop ALL \
  --cap-add SYS_RESOURCE \
  --cap-add SYS_PTRACE \
  --cap-add NET_ADMIN \
  --cap-add BPF \
  --cap-add PERFMON \
  --cap-add SETPCAP \
  --cap-add SYSLOG \
  --security-opt seccomp=unconfined \
  -v /sys/kernel/debug:/sys/kernel/debug:ro \
  -v /lib/modules:/lib/modules:ro \
  -v /usr/src:/usr/src:ro \
  -v /etc/os-release:/etc/os-release-host:ro \
  -v /boot/config-$(uname -r):/boot/config-$(uname -r):ro \
  tracee:latest \
  --capabilities bypass=true
....
TIME             UID    COMM             PID     TID     EVENT                     ARGS
19:42:34:450656  0      kubelet          222     225     security_socket_connect   sockfd: 9, type: 1, remote_addr: sa_family:AF_INET  sin_addr:"127.0.0.1"  sin_port:2381
19:42:34:450656  0      kubelet          222     225     net_tcp_connect           dst: 127.0.0.1, dst_port: 2381, dst_dns: []
19:42:34:639945  0      kubelet          224     239     security_socket_connect   sockfd: 18, type: 1, remote_addr: sa_family:AF_INET  sin_addr:"172.18.0.2"  sin_port:6443
19:42:34:639945  0      kubelet          224     239     net_tcp_connect           dst: 172.18.0.2, dst_port: 6443, dst_dns: []
19:42:34:659794  65532  coredns          1       1       security_socket_connect   sockfd: 9, type: 1, remote_addr: sa_family:AF_INET  sin_addr:"0.0.0.0"  sin_port:8080

That is strong evidence the change removed the BTF-ID/CAP_SYS_ADMIN dependency in this path.

Approved
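The commit message for db29d34 explains the fix by its cause: BPF_BTF_GET_FD_BY_ID is gated on CAP_SYS_ADMIN in the kernel, so looking a module BTF up by id fails with EPERM once that capability is dropped, and reusing the already-loaded module BTF fd sidesteps the lookup. The review above then reproduces the failure with and without CAP_SYS_ADMIN. The Go program below is an added triage helper written for this page; it is not part of Tracee, libbpfgo or this PR. It decodes the CapEff mask from a /proc/<pid>/status line and checks a Tracee fatal log line (the one quoted in the review) for that signature: a "could not find BTF id" step whose innermost error is "operation not permitted". The function names, the verdict strings and the two CapEff lines are assumptions of this example (the masks were computed for the review's capability set, with and without SYS_ADMIN); the capability bit numbers are the kernel's.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Capability bit numbers from the kernel's include/uapi/linux/capability.h.
// The constructed masks below also carry SETPCAP(8), NET_ADMIN(12),
// SYS_PTRACE(19), SYS_RESOURCE(24) and SYSLOG(34), as in the review's run.
const (
	CapSysAdmin = 21
	CapPerfmon  = 38
	CapBPF      = 39
)

// Constructed sample inputs (hypothetical): the review's capability set
// without CAP_SYS_ADMIN, and the same set with bit 21 added.
const (
	sampleCapEffNoSysAdmin   = "CapEff:\t000000c401081100"
	sampleCapEffWithSysAdmin = "CapEff:\t000000c401281100"
)

// The fatal log line quoted in the review, reused here as the sample failure.
const sampleFatalLog = `{"level":"fatal","ts":1781898119.0729108,"msg":"Tracee runner failed","error":"cmd.Runner.Run: error initializing Tracee: ebpf.(*Tracee).Init: ebpf.(*Tracee).initBPF: ebpf.(*Tracee).populateBPFMaps: ebpf.(*Tracee).populateFilterMaps: policy.(*policies).updateBPF: policy.(*policies).createNewEventsMapVersion: policy.createNewInnerMap: could not find BTF id 245: operation not permitted"}`

// parseCapEff decodes the effective capability mask from a
// "CapEff:\t<16 hex digits>" line of /proc/<pid>/status.
func parseCapEff(line string) (uint64, error) {
	fields := strings.Fields(line)
	if len(fields) != 2 || fields[0] != "CapEff:" {
		return 0, fmt.Errorf("not a CapEff line: %q", line)
	}
	return strconv.ParseUint(fields[1], 16, 64)
}

// hasCap reports whether capability bit capNum is set in mask.
func hasCap(mask uint64, capNum uint) bool {
	return mask&(uint64(1)<<capNum) != 0
}

// traceeLog holds the fields of a Tracee JSON log record used here.
type traceeLog struct {
	Level string `json:"level"`
	Msg   string `json:"msg"`
	Error string `json:"error"`
}

// innermostError returns the last element of an "a: b: c" wrapped-error chain.
func innermostError(chain string) string {
	parts := strings.Split(chain, ": ")
	return strings.TrimSpace(parts[len(parts)-1])
}

// isBTFByIDPermissionFailure reports whether a Tracee fatal log line carries
// the review's signature: a "could not find BTF id" step ending in EPERM,
// i.e. BPF_BTF_GET_FD_BY_ID refused by the kernel.
func isBTFByIDPermissionFailure(jsonLine string) (bool, error) {
	var rec traceeLog
	if err := json.Unmarshal([]byte(jsonLine), &rec); err != nil {
		return false, err
	}
	if rec.Level != "fatal" {
		return false, nil
	}
	return strings.Contains(rec.Error, "could not find BTF id") &&
		innermostError(rec.Error) == "operation not permitted", nil
}

// diagnose combines both checks into a verdict (verdict strings are this
// example's own). The signature together with a missing CAP_SYS_ADMIN points
// at the by-id lookup this PR removes; with CAP_SYS_ADMIN present it does not.
func diagnose(capEffLine, jsonLine string) (string, error) {
	mask, err := parseCapEff(capEffLine)
	if err != nil {
		return "", err
	}
	hit, err := isBTFByIDPermissionFailure(jsonLine)
	if err != nil {
		return "", err
	}
	switch {
	case !hit:
		return "no-btf-by-id-failure", nil
	case !hasCap(mask, CapSysAdmin):
		return "btf-by-id-eperm-missing-cap-sys-admin", nil
	default:
		return "btf-by-id-eperm-with-cap-sys-admin", nil
	}
}

func main() {
	// Stand-alone run: show this process's relevant effective caps (Linux only),
	// then classify the sample failure from the review.
	if data, err := os.ReadFile("/proc/self/status"); err == nil {
		for _, line := range strings.Split(string(data), "\n") {
			if mask, err := parseCapEff(line); err == nil {
				fmt.Printf("CAP_SYS_ADMIN=%t CAP_BPF=%t CAP_PERFMON=%t\n",
					hasCap(mask, CapSysAdmin), hasCap(mask, CapBPF), hasCap(mask, CapPerfmon))
			}
		}
	}
	verdict, err := diagnose(sampleCapEffNoSysAdmin, sampleFatalLog)
	fmt.Println(verdict, err)
}
```

Run it inside the same container as the failing Tracee (for example via `docker exec`) so the CapEff it reads is the one the `--cap-add` list produced; a verdict of `btf-by-id-eperm-missing-cap-sys-admin` on a pre-fix build is the situation the PR addresses, while the same signature with CAP_SYS_ADMIN present means the EPERM comes from somewhere other than the capability check (for instance a seccomp profile), which is why the review runs with `seccomp=unconfined`.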


Successfully merging this pull request may close these issues.

could not find BTF id: operation not permitted on kernel ≥6.9 when perf_event_paranoid < 2 (CAP_BPF path lacks CAP_SYS_ADMIN for BPF_BTF_GET_FD_BY_ID)