fix: security_socket_connect wrong fd

The security_scoket_connect event sent the wrong fd number. This was due to using a wrong way to check if the binary is a 32bit binary. Fix this.
aquasecurity · Apr 3, 2024 · 151b9d6 · 151b9d6
1 parent 04231fc
commit 151b9d6
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -2612,9 +2612,8 @@ int BPF_KPROBE(trace_security_socket_connect)
     void *args_buf = &p.event->args_buf;
     void *to = (void *) &sys->args.args[0];
 
-#if defined(bpf_target_x86) // only i386 binaries uses socketcall
-    to = (void *) sys->args.args[1];
-#endif
+    if (is_x86_compat(p.event->task)) // only i386 binaries uses socketcall
+        to = (void *) sys->args.args[1];
 
     // Save the socket fd, depending on the syscall.
     switch (sys->id) {