bpf: use exe to read the binary path in sys_execve

Previously, we used the filename argument from the sys_execve tracepoint
to read the binary path, later potentially (if it was a relative path)
combined with cwd in userspace. With this change we replace that with
exe, already used and needed by matchBinaries, and remove the userspace
work (since exe is already absolute).

It has a user facing change: tetragon events will now contain the
canonical binary path while previously it could have been a symlink.

Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>

bpf/process/bpf_execve_event.c

@@ -163,7 +163,6 @@ __attribute__((section("tracepoint/sys_execve"), used)) int
 event_execve(struct sched_execve_args *ctx)
 {
 	struct task_struct *task = (struct task_struct *)get_current_task();
-	char *filename = (char *)ctx + (ctx->filename & 0xFFFF);
 	struct msg_execve_event *event;
 	struct execve_map_value *parent;
 	struct msg_process *p;
@@ -204,7 +203,10 @@ event_execve(struct sched_execve_args *ctx)
 	// a symlink) coming from the execve tracepoint.
 	read_exe(task, &event->exe);
 
-	p->size += read_path(ctx, event, filename);
+	// Previously, we used the filename for read_path, potentially later
+	// combined with cwd in user space. Now we reuse exe, that is absolute and
+	// not a potential symlink.
+	p->size += read_path(ctx, event, event->exe.off);
 	p->size += read_args(ctx, event);
 	p->size += read_cwd(ctx, p);
 

pkg/process/process.go

@@ -26,7 +26,6 @@ import (
 	"github.com/cilium/tetragon/pkg/reader/exec"
 	"github.com/cilium/tetragon/pkg/reader/namespace"
 	"github.com/cilium/tetragon/pkg/reader/node"
-	"github.com/cilium/tetragon/pkg/reader/path"
 	"github.com/cilium/tetragon/pkg/reader/proc"
 	"github.com/cilium/tetragon/pkg/watcher"
 	"google.golang.org/protobuf/proto"
@@ -270,14 +269,13 @@ func initProcessInternalExec(
 	execID := GetExecID(&process)
 	protoPod := GetPodInfo(containerID, process.Filename, args, process.NSPID)
 	apiCaps := caps.GetMsgCapabilities(event.Capabilities)
-	binary := path.GetBinaryAbsolutePath(process.Filename, cwd)
 	apiNs, err := namespace.GetMsgNamespaces(event.Namespaces)
 	if err != nil {
 		logger.GetLogger().WithFields(logrus.Fields{
 			"event.name":            "Execve",
 			"event.process.pid":     process.PID,
 			"event.process.tid":     process.TID,
-			"event.process.binary":  binary,
+			"event.process.binary":  process.Filename,
 			"event.process.exec_id": execID,
 			"event.parent.exec_id":  parentExecID,
 		}).Warn("ExecveEvent: parsing namespaces failed")
@@ -319,7 +317,7 @@ func initProcessInternalExec(
 			"event.name":            "Execve",
 			"event.process.pid":     process.PID,
 			"event.process.tid":     process.TID,
-			"event.process.binary":  binary,
+			"event.process.binary":  process.Filename,
 			"event.process.exec_id": execID,
 			"event.parent.exec_id":  parentExecID,
 		}).Warn("ExecveEvent: process PID and TID mismatch")
@@ -333,7 +331,7 @@ func initProcessInternalExec(
 			Tid:          &wrapperspb.UInt32Value{Value: process.TID},
 			Uid:          &wrapperspb.UInt32Value{Value: process.UID},
 			Cwd:          cwd,
-			Binary:       binary,
+			Binary:       process.Filename,
 			Arguments:    args,
 			Flags:        strings.Join(exec.DecodeCommonFlags(process.Flags), " "),
 			StartTime:    ktime.ToProtoOpt(process.Ktime, (process.Flags&api.EventProcFS) == 0),

pkg/reader/path/path.go

@@ -4,18 +4,9 @@
 package path
 
 import (
-	"path/filepath"
-
 	"github.com/cilium/tetragon/pkg/api/processapi"
 )
 
-func GetBinaryAbsolutePath(binary string, cwd string) string {
-	if filepath.IsAbs(binary) {
-		return binary
-	}
-	return filepath.Join(cwd, binary)
-}
-
 func FilePathFlagsToStr(flags uint32) string {
 	if (flags & processapi.UnresolvedPathComponents) != 0 {
 		return "unresolvedPathComponents"