process_execute_failed: don't rely on sys_enter (#4259)

aquasecurity · Aug 22, 2024 · 4df40aa · 4df40aa
1 parent a325d64
commit 4df40aa
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 6 deletions.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -4984,13 +4984,21 @@ statfunc int execute_failed_tail2(struct pt_regs *ctx)
     if (!init_tailcall_program_data(&p, ctx))
         return -1;
 
-    syscall_data_t *sys = &p.task_info->syscall_data;
-    save_str_arr_to_buf(
-        &p.event->args_buf, (const char *const *) sys->args.args[1], 10); // userspace argv
+    long long argv, envp;
+    struct pt_regs *regs = get_current_task_pt_regs();
+
+    if (p.event->context.syscall == SYSCALL_EXECVE) {
+        argv = get_syscall_arg2(p.event->task, regs, false);
+        envp = get_syscall_arg3(p.event->task, regs, false);
+    } else {
+        argv = get_syscall_arg3(p.event->task, regs, false);
+        envp = get_syscall_arg4(p.event->task, regs, false);
+    }
+
+    save_str_arr_to_buf(&p.event->args_buf, (const char *const *) argv, 10); // userspace argv
 
     if (p.config->options & OPT_EXEC_ENV) {
-        save_str_arr_to_buf(
-            &p.event->args_buf, (const char *const *) sys->args.args[2], 11); // userspace envp
+        save_str_arr_to_buf(&p.event->args_buf, (const char *const *) envp, 11); // userspace envp
     }
 
     int ret = PT_REGS_RC(ctx); // needs to be int

diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -12954,7 +12954,6 @@ var CoreEvents = map[ID]Definition{
 			probes: []Probe{
 				{handle: probes.ExecBinprm, required: false},
 				{handle: probes.ExecBinprmRet, required: false},
-				{handle: probes.SyscallEnter__Internal, required: true},
 			},
 			tailCalls: []TailCall{
 				{"prog_array", "trace_execute_failed1", []uint32{TailProcessExecuteFailed1}},