event: set_task_comm

[roikol]

create new event indicating process name change

Initial Checklist

• There is an issue describing the need for this PR.
• Git log contains summary of the change.
• Git log contains motivation and context of the change.
• If part of an EPIC, PR git log contains EPIC number.
• If part of an EPIC, PR was added to EPIC description.

Description (git log)

using __set_task_comm kprobe to indicate event of process name change

Fixes: #1810

Type of change

• Bug fix (non-breaking change fixing an issue, preferable).
• Quick fix (minor non-breaking change requiring no issue, use with care)
• Code refactor (code improvement and/or code removal)
• New feature (non-breaking change adding functionality).
• Breaking change (cause existing functionality not to work as expected).

How Has This Been Tested?

Tests being included in this PR:

• Test File A
• Test File B

Reproduce the test by running:

• command 01
• command 02

Final Checklist:

Pick "Bug Fix" or "Feature", delete the other and mark appropriate checks.

• I have made corresponding changes to the documentation.
• My code follows the style guidelines (C and Go) of this project.
• I have performed a self-review of my own code.
• I have commented all functions/methods created explaining what they do.
• I have commented my code, particularly in hard-to-understand areas.
• My changes generate no new warnings.
• I have added tests that prove my fix, or feature, is effective.
• New and existing unit tests pass locally with my changes.
• Any dependent changes have been merged and published before.

Git Log Checklist:

My commits logs have:

• Subject starts with "subsystem|file: description".
• Do not end the subject line with a period.
• Limit the subject line to 50 characters.
• Separate subject from body with a blank line.
• Use the imperative mood in the subject line.
• Wrap the body at 72 characters.
• Use the body to explain what and why instead of how.

[yanivagman]

You should probably use task_rename tracepoint which is more stable than this kprobe:
https://elixir.bootlin.com/linux/v5.18.2/source/fs/exec.c#L1231

[roikol]

You should probably use task_rename tracepoint which is more stable than this kprobe: https://elixir.bootlin.com/linux/v5.18.2/source/fs/exec.c#L1231

thanks @yanivagman !
i've updated the PR so now it works with the tracepoint.

[yanivagman]

Is that always true?
What if the main thread (which has tgid) renamed itself?

[roikol]

your'e right, good point.

i think the way to tackle this is to create a map indicating an exec. this map would be updated in sched_process_fork, and deleted from in sched_process_exec and task_rename.

another is option is to go back to using kprobe __set_task_comm (https://elixir.bootlin.com/linux/latest/source/fs/exec.c#L1228) which gets this information as an argument.

WDYT?

[yanivagman]

can't we just check if the current syscall is execve/execveat?

[roikol]

yes we can

[yanivagman]

As you now send it as an argument, let's add this to the argument parser to get the syscall name

[roikol]

i've added it to argprinters.go. should i do it elsewhere?

[yanivagman]

sorry, I missed that

[yanivagman]

LGTM