matchBinaries: Skip binary check for long binary names

In the case where the binary name is > 255 characters we simply skip the test. In order to support that we have to filter using data events that can be a follow-up. Generally, 255 characters for binary names should be enough in most cases. Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
cilium · Feb 23, 2023 · b67be11 · b67be11
1 parent 1a304e3
commit b67be11
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
@@ -130,6 +130,10 @@ event_filename_builder(void *ctx, struct msg_process *curr, __u32 curr_pid, __u3
 	curr->ktime = ktime_get_ns();
 	curr->size = size + offsetof(struct msg_process, args);
 
+	// skip binaries check for long (> 255) filenames for now
+	if (flags & EVENT_DATA_FILENAME)
+		return 0;
+
 	heap = map_lookup_elem(&execve_heap, &zero);
 	if (!heap)
 		return 0;