ebpf instructions updated

ebpf_prog/README

@@ -1,4 +1,9 @@
-opensnitch.c is an eBPF program. Compilation requires getting kernel source.
+Compilation requires getting kernel sources.
+
+There's a helper script to automate this process:
+ https://github.com/evilsocket/opensnitch/blob/master/utils/packaging/build_modules.sh
+
+The basic steps to compile the modules are:
 
   sudo apt install clang llvm libelf-dev libzip-dev flex bison libssl-dev bc rsync python3
   cd opensnitch
@@ -13,8 +18,12 @@ llvm-strip -g opensnitch.o #remove debug info
   sudo cp opensnitch*.o /etc/opensnitchd/
   cd ../../../daemon
 
---opensnitchd expects to find opensnitch.o in /etc/opensnitchd/
---start opensnitchd with:
+opensnitchd expects to find opensnitch.o in:
+ /usr/local/lib/opensnitchd/ebpf/
+ /usr/lib/opensnitchd/ebpf/
+ /etc/opensnitchd/ # deprecated
+
+start opensnitchd with:
 
   opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf
 
@@ -28,6 +37,11 @@ CONFIG_BPF_EVENTS=y
   CONFIG_KPROBES=y
   CONFIG_KPROBE_EVENTS=y
 
+For the opensnitch-procs.o module to work, this option must be enabled:
+
+ $ grep FTRACE_SYSCALLS /boot/config-$(uname -r)
+  CONFIG_FTRACE_SYSCALLS=y
+
 Also, in some distributions debugfs is not mounted automatically, so you need
 to do it manually: