Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Read absolute path for binary execution for matchBinaries #1741

Closed
mtardy opened this issue Nov 13, 2023 · 0 comments · Fixed by #1926
Closed

Read absolute path for binary execution for matchBinaries #1741

mtardy opened this issue Nov 13, 2023 · 0 comments · Fixed by #1926
Assignees
@mtardy
Labels
area/bpf This is related to BPF code kind/enhancement This improves or streamlines existing functionality

Comments

@mtardy
Copy link
Member

mtardy commented Nov 13, 2023
edited

This is a followup of #1731.

[For matchBinaries] the binary path is just the arg passed to execve and thus can be a relative path (this explains many of the users issues). A future patch is needed to read the absolute path of the task_struct (as we do on userspace side with /proc to fill the initial state of the execve_map) to make this feature complete.

I agree that this is not tied to this PR but this would be also a great improvement in matchBinaries for a follow-up PR. I believe what you do here will help to have the full binary path ready from the kernel. Maybe we need to create an issue to keep track of this (if we do not already have one).

Originally posted by @tpapagian in #1731 (review)

Might be useful: #90.
@mtardy mtardy added kind/enhancement This improves or streamlines existing functionality area/bpf This is related to BPF code labels Nov 13, 2023
@mtardy mtardy self-assigned this Nov 13, 2023
@mtardy mtardy mentioned this issue Jan 3, 2024
Merged
@mtardy mtardy linked a pull request Jan 4, 2024 that will close this issue
bpf: read and copy proc exe at execve for matchBinaries #1926
Merged
@mtardy mtardy mentioned this issue Apr 19, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mtardy mtardy

Labels
area/bpf This is related to BPF code kind/enhancement This improves or streamlines existing functionality
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

bpf: read and copy proc exe at execve for matchBinaries cilium/tetragon
1 participant
@mtardy