bpf: copy exe absolute path into execve_map

Previously, filename from the args was copied into the execve_map, used
later for matchBinaries. With this change, we copy the absolute path we
read from the proc exe at the execve tracepoint stage to use it later.

Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>

bpf/process/bpf_execve_event.c

@@ -285,13 +285,11 @@ execve_send(struct sched_execve_args *ctx)
 		// buffer can be written at clone stage with parent's info, if previous
 		// path is longer than current, we can have leftovers at the end.
 		memset(&curr->bin, 0, sizeof(curr->bin));
-		// reuse p->args first string that contains the filename, this can't be
-		// above 256 in size (otherwise the complete will be send via data msg)
-		// which is okay because we need the 256 first bytes.
-		curr->bin.path_length = probe_read_str(curr->bin.path, BINARY_PATH_MAX_LEN, &p->args);
-		if (curr->bin.path_length > 1) {
-			// don't include the NULL byte in the length
-			curr->bin.path_length--;
+		// read from proc exe stored at execve time
+		if (event->exe.len <= BINARY_PATH_MAX_LEN) {
+			curr->bin.path_length = probe_read(curr->bin.path, event->exe.len, event->exe.off);
+			if (curr->bin.path_length == 0)
+				curr->bin.path_length = event->exe.len;
 		}
 	}