From b67be115ec66a1e0f4aa8d93a67f870913f409a9 Mon Sep 17 00:00:00 2001
From: Anastasios Papagiannis
Date: Wed, 22 Feb 2023 16:33:46 +0000
Subject: [PATCH] matchBinaries: Skip binary check for long binary names

In the case where the binary name is > 255 characters we simply skip the test. In order to support that we have to filter using data events that can be a follow-up. Generally, 255 characters for binary names should be enough in most cases.

Signed-off-by: Anastasios Papagiannis
---
 bpf/process/bpf_execve_event.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
index 109701dcca..3d279264ab 100644
--- a/bpf/process/bpf_execve_event.c
+++ b/bpf/process/bpf_execve_event.c
@@ -130,6 +130,10 @@ event_filename_builder(void *ctx, struct msg_process *curr, __u32 curr_pid, __u3
 curr->ktime = ktime_get_ns();
 curr->size = size + offsetof(struct msg_process, args);
+ // skip binaries check for long (> 255) filenames for now
+ if (flags & EVENT_DATA_FILENAME)
+ return 0;
+
 heap = map_lookup_elem(&execve_heap, &zero);
 if (!heap)
 return 0;
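Review bot: The early return on `flags & EVENT_DATA_FILENAME` leaves matchBinaries unevaluated for every exec whose filename exceeds 255 characters, and the added comment does not say what that means for a policy that relies on the selector. Filename length is decided by whoever places the binary, so this is a coverage gap in a security filter rather than only a rare edge case; whether the selector then behaves as match or no-match depends on how the missing `execve_heap` entry is treated later, which is outside this hunk. I would state the consequence in the comment, e.g. `// NOTE: matchBinaries is not evaluated for filenames > 255 characters (EVENT_DATA_FILENAME); binary-based selectors do not cover these execs until data-event filtering is added`, and mention the limit in the matchBinaries documentation. The skip also returns the same 0 as the `!heap` path just below, so the two cases cannot be told apart by the caller or in debugging. event_filename_builder begins and ends outside the hunk.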