diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
index 743c6525a63..d2c8316cfff 100644
--- a/bpf/process/bpf_execve_event.c
+++ b/bpf/process/bpf_execve_event.c
@@ -285,13 +285,11 @@ execve_send(struct sched_execve_args *ctx)
 // buffer can be written at clone stage with parent's info, if previous
 // path is longer than current, we can have leftovers at the end.
 memset(&curr->bin, 0, sizeof(curr->bin));
- // reuse p->args first string that contains the filename, this can't be
- // above 256 in size (otherwise the complete will be send via data msg)
- // which is okay because we need the 256 first bytes.
- curr->bin.path_length = probe_read_str(curr->bin.path, BINARY_PATH_MAX_LEN, &p->args);
- if (curr->bin.path_length > 1) {
- // don't include the NULL byte in the length
- curr->bin.path_length--;
+ // read from proc exe stored at execve time
+ if (event->exe.len <= BINARY_PATH_MAX_LEN) {
+ curr->bin.path_length = probe_read(curr->bin.path, event->exe.len, event->exe.off);
+ if (curr->bin.path_length == 0)
+ curr->bin.path_length = event->exe.len;
 }
 }
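Review bot: The new `if (event->exe.len <= BINARY_PATH_MAX_LEN)` guard has no else branch, so an executable path longer than the limit leaves `curr->bin` fully zeroed after the `memset`, whereas the removed `probe_read_str` call kept the first `BINARY_PATH_MAX_LEN` bytes; anything that matches or filters on `curr->bin.path` would then see an empty binary for such a process, which deserves an explicit decision (truncate, or mark the record as overflowed) rather than a silent skip. Inside the guard, a failing `probe_read` leaves its negative return in `path_length`, which is only safe if that field is signed and every reader rejects values below zero; the hunk shows neither. If readers do not rely on the error value, `if (probe_read(curr->bin.path, event->exe.len, event->exe.off) == 0) curr->bin.path_length = event->exe.len;` keeps the field at 0 on failure; otherwise a comment such as `// path_length < 0: copy failed; path_length == 0: exe path missing or longer than BINARY_PATH_MAX_LEN` should document the contract. `execve_send` starts and ends outside this hunk, so the types of `exe.len` and `path_length` could not be checked here.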