From a0cb89e65d7699aa72cef12b6ac1cb354e037495 Mon Sep 17 00:00:00 2001
From: Mahe Tardy
Date: Wed, 3 Jan 2024 17:28:07 +0000
Subject: [PATCH] bpf: copy exe absolute path into execve_map

Previously, filename from the args was copied into the execve_map, used later for matchBinaries. With this change, we copy the absolute path we read from the proc exe at the execve tracepoint stage to use it later.

Signed-off-by: Mahe Tardy
---
 bpf/process/bpf_execve_event.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
index 743c6525a63..d2c8316cfff 100644
--- a/bpf/process/bpf_execve_event.c
+++ b/bpf/process/bpf_execve_event.c
@@ -285,13 +285,11 @@ execve_send(struct sched_execve_args *ctx)
 // buffer can be written at clone stage with parent's info, if previous
 // path is longer than current, we can have leftovers at the end.
 memset(&curr->bin, 0, sizeof(curr->bin));
- // reuse p->args first string that contains the filename, this can't be
- // above 256 in size (otherwise the complete will be send via data msg)
- // which is okay because we need the 256 first bytes.
- curr->bin.path_length = probe_read_str(curr->bin.path, BINARY_PATH_MAX_LEN, &p->args);
- if (curr->bin.path_length > 1) {
- // don't include the NULL byte in the length
- curr->bin.path_length--;
+ // read from proc exe stored at execve time
+ if (event->exe.len <= BINARY_PATH_MAX_LEN) {
+ curr->bin.path_length = probe_read(curr->bin.path, event->exe.len, event->exe.off);
+ if (curr->bin.path_length == 0)
+ curr->bin.path_length = event->exe.len;
 }
 }
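Review bot: The return value of probe_read() is stored directly into curr->bin.path_length and only the success case (0) is then replaced by the real length, so when the read fails the field keeps the negative error code (or a large value if path_length is unsigned — its type is not visible in this hunk) instead of the 0 that the preceding memset established, and the matchBinaries comparison that later consumes this entry sees an inconsistent path/length pair. Keep the assignment on the success path only: `if (event->exe.len <= BINARY_PATH_MAX_LEN &&` / `    probe_read(curr->bin.path, event->exe.len, event->exe.off) == 0)` / `curr->bin.path_length = event->exe.len;`. A second behaviour change deserves a comment: the removed code kept the first BINARY_PATH_MAX_LEN bytes of a long path, whereas the new branch leaves bin.path empty whenever exe.len exceeds the limit, so a binary with a long absolute path silently stops matching any selector — if that is intended, state it, e.g. `// paths longer than BINARY_PATH_MAX_LEN are left empty and will not match`. The body of execve_send starts before this hunk.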