SUSE / linux-security-sensor

Linux security sensor

Pending fixes for Sensor base 0.7.0 #78

Closed jeffmahoney closed 8 months ago

jeffmahoney commented 8 months ago

This PR contains a variety of fixes:

Thanks to @djoreilly for the reports and review.

djoreilly commented 8 months ago

I got this panic on updating the client monitoring table

[INFO] 2023-11-07T17:30:08Z Closing EventTable 
[DEBUG] 2023-11-07T17:30:08Z audit: removing subscriber, total now 0 
[DEBUG] 2023-11-07T17:30:08Z audit: listener event loop exited 
[DEBUG] 2023-11-07T17:30:08Z audit: rules checker exited 
[DEBUG] 2023-11-07T17:30:08Z audit: log event loop exited 
[DEBUG] 2023-11-07T17:30:08Z audit: reassembler maintainer exited 
[DEBUG] 2023-11-07T17:30:08Z audit: mainEventLoop exited 
[INFO] 2023-11-07T17:30:08Z audit: Shut down audit service 
[DEBUG] 2023-11-07T17:30:08Z audit: shutdown watcher exited 
[INFO] 2023-11-07T17:30:08Z audit: Unsubscribed to audit service 
[INFO] 2023-11-07T17:30:08Z File Ring Buffer: Enqueue {"header":"{\"ReadPointer\":50,\"WritePointer\":1363,\"MaxSize\":1073741874,\"AvailableBytes\":1305,\"LeasedBytes\":0}","leased_pointer":50}
[INFO] 2023-11-07T17:30:08Z Collection $fe8cda6603a0dd3fed8273c525401e4f604d9a4b92d19d9486ce90ae8c18edbb is done after 1m16.054502262s 
[DEBUG] 2023-11-07T17:30:08Z Query Stats: {"RowsScanned":148,"PluginsCalled":5,"FunctionsCalled":50,"ProtocolSearch":4,"ScopeCopy":423} 
[INFO] 2023-11-07T17:30:08Z Finished monitoring query $fe8cda6603a0dd3fed8273c525401e4f604d9a4b92d19d9486ce90ae8c18edbb 
[INFO] 2023-11-07T17:30:08Z Starting monitoring query $fe8cda6603a0dd3fed8273c525401e4f604d9a4b92d19d9486ce90ae8c18edbb 
[INFO] 2023-11-07T17:30:08Z Starting monitoring query $b41624017300041cdc59e8eb57aa5da9ab039586f4b6dfd68e9b1d32afbc259a 
[INFO] 2023-11-07T17:30:08Z Starting query execution for $b41624017300041cdc59e8eb57aa5da9ab039586f4b6dfd68e9b1d32afbc259a. 
[INFO] 2023-11-07T17:30:08Z Starting query execution for $fe8cda6603a0dd3fed8273c525401e4f604d9a4b92d19d9486ce90ae8c18edbb. 
[INFO] 2023-11-07T17:30:08Z audit: starting audit service 
panic: send on closed channel
    panic: close of closed channel
    panic: close of closed channel

goroutine 536 [running]:
www.velocidex.com/golang/velociraptor/vql/linux/audit.(*AuditListener).Open.func1({0x0?, 0xc000d73120?})
    /root/linux-security-sensor-oct12/vql/linux/audit/audit_listener.go:135 +0x1ac
created by www.velocidex.com/golang/velociraptor/vql/linux/audit.(*AuditListener).Open in goroutine 534
    /root/linux-security-sensor-oct12/vql/linux/audit/audit_listener.go:113 +0x27b
jeffmahoney commented 8 months ago

Thanks, @djoreilly. This commit should fix it.

jeffmahoney commented 8 months ago

I've updated the series to improve the commit messages and consolidated/moved some changes to make the history make sense. I added a few comments where I thought more clarity was needed.

Final diff:

index b2113b451..3376663fe 100644
--- a/vql/linux/audit/audit_service.go
+++ b/vql/linux/audit/audit_service.go
@@ -363,6 +363,8 @@ func (self *auditService) runService() error {
        // No new messages will be generated, wait for the event processing loop
        // and reassembler to exit
        listenerWg.Wait()
+
+       // Closing will clean up any remaining incomplete messages
        reassembler.Close()
        close(self.eventChannel)

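Review bot: the added comment before `reassembler.Close()` says remaining incomplete messages are "cleaned up" but not what that means for them; since the comment just above establishes that no new messages arrive once `listenerWg.Wait()` returns, state whether partially reassembled events are flushed downstream or discarded at shutdown, because that decides whether the tail of an audit stream can be lost. Wording along the lines of `// No new messages can arrive after the wait above; Close flushes (or drops) any partially reassembled ones` also makes the required ordering with the following `close(self.eventChannel)` explicit, which is the invariant the earlier "send on closed channel" panic was about.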
diff --git a/vql/linux/audit/audit_service_test.go b/vql/linux/audit/audit_service_test.go
index bfe686833..b2885694d 100644
--- a/vql/linux/audit/audit_service_test.go
+++ b/vql/linux/audit/audit_service_test.go
@@ -94,6 +94,7 @@ func (self *TestListener) Wait(ctx context.Context) error {
    if !self.opened || self.failWait {
        return syscall.ENOTCONN
    }
+   // If we're out of events, just wait until we're canceled
    if self.count >= len(self.events) {
        <- self.ctx.Done()
    }
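Review bot: the new comment says Wait blocks "until we're canceled", but the code waits on `self.ctx.Done()` even though the method takes a `ctx context.Context` argument, and nothing in the hunk returns the cancellation after the receive, so a caller cannot tell cancellation apart from a normal return. Consider a `select` that watches both contexts and returns the error, e.g. `case <-self.ctx.Done(): return self.ctx.Err()` alongside `case <-ctx.Done(): return ctx.Err()`, and say in the comment which context is the intended one.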
@@ -104,6 +105,7 @@ func (self *TestListener) Receive(buf *auditBuf) error {
    if !self.opened || self.failReceive {
        return syscall.ENOTCONN
    }
+   // No more events to receive
    if self.count >= len(self.events) {
        return syscall.EAGAIN
    }
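Review bot: returning `syscall.EAGAIN` from Receive once the scripted events are exhausted mirrors a drained non-blocking socket, but the comment "No more events to receive" does not say that the caller is expected to go back to Wait (which now blocks until cancellation) rather than retry Receive; spelling that out avoids a reader assuming the test listener will busy-spin on EAGAIN.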
@@ -294,7 +296,6 @@ L:
            if len(events) >= self.listener.real_count {
                break L
            }
-
        }
    }