feat(ebpf): make process_execute_failed not rely on sys_enter/exit
OriGlassman authored and randomname21 committed Aug 5, 2024
1 parent 0a32ea2 commit 3a8f7f0
Showing 2 changed files with 5 additions and 4 deletions.
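--- a/pkg/ebpf/c/tracee.bpf.c
+++ b/pkg/ebpf/c/tracee.bpf.c
@@ -4978,13 +4978,15 @@ statfunc int execute_failed_tail2(struct pt_regs *ctx)
 if (!init_tailcall_program_data(&p, ctx))
 return -1;
 
-syscall_data_t *sys = &p.task_info->syscall_data;
+struct pt_regs *task_regs = get_task_pt_regs((struct task_struct *) bpf_get_current_task());
+u64 argv = PT_REGS_PARM2_CORE_SYSCALL(task_regs);
+u64 envp = PT_REGS_PARM3_CORE_SYSCALL(task_regs);
 save_str_arr_to_buf(
-&p.event->args_buf, (const char *const *) sys->args.args[1], 10); // userspace argv
+&p.event->args_buf, (const char *const *) argv, 10); // userspace argv
 
 if (p.config->options & OPT_EXEC_ENV) {
 save_str_arr_to_buf(
-&p.event->args_buf, (const char *const *) sys->args.args[2], 11); // userspace envp
+&p.event->args_buf, (const char *const *) envp, 11); // userspace envp
 }
 
 int ret = PT_REGS_RC(ctx); // needs to be int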
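Review bot: `PT_REGS_PARM2_CORE_SYSCALL(task_regs)` and `PT_REGS_PARM3_CORE_SYSCALL(task_regs)` hard-code the execve(2) argument positions, and nothing in the hunk checks that the task actually entered the kernel through a native execve. If this program also fires for execveat(2), where argv and envp are the third and fourth arguments, or for a compat task or a kernel-initiated exec, the event would presumably record the wrong pointers as argv/envp, which weakens the failed-exec record for detection and forensics. The removed `sys->args.args[1]`/`[2]` indexes assumed the same layout, so this may be inherited, but with the sys_enter snapshot gone it is worth stating the assumption where the registers are read, e.g. `// PARM2/PARM3 are argv/envp for native execve only; execveat and compat entries use other registers`, and selecting the registers from the entering syscall if those paths can reach this tail call. execute_failed_tail2 starts before and continues after the hunk, so handling outside the visible lines cannot be ruled out.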
1 change: 0 additions & 1 deletion pkg/events/core.go
Expand Up @@ -12986,7 +12986,6 @@ var CoreEvents = map[ID]Definition{
probes: []Probe{
{handle: probes.ExecBinprm, required: false},
{handle: probes.ExecBinprmRet, required: false},
{handle: probes.SyscallEnter__Internal, required: true},
},
tailCalls: []TailCall{
{"prog_array", "trace_execute_failed1", []uint32{TailProcessExecuteFailed1}},