From 4fcb85885cd1aca2f61a589167c856d7fd0cdea8 Mon Sep 17 00:00:00 2001
From: Mahe Tardy
Date: Wed, 3 Jan 2024 17:28:07 +0000
Subject: [PATCH] bpf: copy exe absolute path into execve_map

Previously, filename from the args was copied into the execve_map, used later for matchBinaries. With this change, we copy the absolute path we read from the proc exe at the execve tracepoint stage to use it later.

Signed-off-by: Mahe Tardy
---
 bpf/process/bpf_execve_event.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
index 06df0d8777e..6495978f0d9 100644
--- a/bpf/process/bpf_execve_event.c
+++ b/bpf/process/bpf_execve_event.c
@@ -290,6 +290,14 @@ execve_send(struct sched_execve_args *ctx)
 	// buffer can be written at clone stage with parent's info, if previous
 	// path is longer than current, we can have leftovers at the end.
 	memset(&curr->bin, 0, sizeof(curr->bin));
+#ifdef __LARGE_BPF_PROG
+	// read from proc exe stored at execve time
+	if (event->exe.len <= BINARY_PATH_MAX_LEN) {
+		curr->bin.path_length = probe_read(curr->bin.path, event->exe.len, event->exe.off);
+		if (curr->bin.path_length == 0)
+			curr->bin.path_length = event->exe.len;
+	}
+#else
 	// reuse p->args first string that contains the filename, this can't be
 	// above 256 in size (otherwise the complete will be send via data msg)
 	// which is okay because we need the 256 first bytes.
@@ -298,6 +306,7 @@ execve_send(struct sched_execve_args *ctx)
 		// don't include the NULL byte in the length
 		curr->bin.path_length--;
 	}
+#endif
 }
 event->common.flags = 0;
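Review bot: In the new `__LARGE_BPF_PROG` branch the return value of `probe_read()` is stored directly into `curr->bin.path_length`, so when the read fails the field is left holding the helper's (presumably negative) error code instead of 0, and a later consumer such as matchBinaries would see a non-zero length on a buffer that `memset` just zeroed, which can make binary matching silently miss or mismatch; treating only 0 as success keeps the zeroed state on failure: `if (probe_read(curr->bin.path, event->exe.len, event->exe.off) == 0) curr->bin.path_length = event->exe.len;`. The `#else` path explicitly strips the terminating NUL from the length while the new path stores `event->exe.len` as-is; if `exe.len` counts the terminator, the two builds record lengths that differ by one for the same binary, so the convention should be confirmed and stated in the comment above the `if` (e.g. `// exe.len excludes the trailing NUL` once verified). The `#ifdef` opened here is closed by the `+#endif` in the second hunk, and execve_send continues outside both hunks.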