wip dont send twice

pkg/ebpf/c/tracee.bpf.c

@@ -4950,8 +4950,10 @@ statfunc int submit_process_execute_failed(struct pt_regs *ctx, program_data_t *
     return -1;
 }
 
-statfunc int execute_failed_tail1(struct pt_regs *ctx, u32 tail_call_id)
+SEC("kprobe/execute_failed_tail1")
+int execute_failed_tail1(struct pt_regs *ctx)
 {
+    bpf_printk("running execute_failed_tail1");
     program_data_t p = {};
     if (!init_tailcall_program_data(&p, ctx))
         return -1;
@@ -4968,12 +4970,15 @@ statfunc int execute_failed_tail1(struct pt_regs *ctx, u32 tail_call_id)
     int kernel_invoked = (get_task_parent_flags(task) & PF_KTHREAD) ? 1 : 0;
     save_to_submit_buf(&p.event->args_buf, &kernel_invoked, sizeof(int), 9);
 
-    bpf_tail_call(ctx, &prog_array, tail_call_id);
+    bpf_tail_call(ctx, &prog_array, TAIL_PROCESS_EXECUTE_FAILED2);
     return -1;
 }
 
-statfunc int execute_failed_tail2(struct pt_regs *ctx)
+SEC("kprobe/execute_failed_tail2")
+int execute_failed_tail2(struct pt_regs *ctx)
 {
+    bpf_printk("running execute_failed_tail1");
+
     program_data_t p = {};
     if (!init_tailcall_program_data(&p, ctx))
         return -1;
@@ -5021,17 +5026,19 @@ int BPF_KPROBE(trace_ret_exec_binprm)
     return submit_process_execute_failed(ctx, &p);
 }
 
-SEC("kretprobe/trace_execute_failed1")
-int BPF_KPROBE(trace_execute_failed1)
-{
-    return execute_failed_tail1(ctx, TAIL_PROCESS_EXECUTE_FAILED2);
-}
+// SEC("kretprobe/trace_execute_failed1")
+// int BPF_KPROBE(trace_execute_failed1)
+// {
+//     bpf_printk("execute_failed_tail1");
+//     return execute_failed_tail1(ctx, TAIL_PROCESS_EXECUTE_FAILED2);
+// }
 
-SEC("kretprobe/trace_execute_failed2")
-int BPF_KPROBE(trace_execute_failed2)
-{
-    return execute_failed_tail2(ctx);
-}
+// SEC("kretprobe/trace_execute_failed2")
+// int BPF_KPROBE(trace_execute_failed2)
+// {
+//     bpf_printk("execute_failed_tail2");
+//     return execute_failed_tail2(ctx);
+// }
 
 SEC("kprobe/security_bprm_creds_for_exec")
 int BPF_KPROBE(trace_security_bprm_creds_for_exec)
@@ -5054,7 +5061,18 @@ int BPF_KPROBE(trace_execute_finished)
         return 0;
 
     long exec_ret = PT_REGS_RC(ctx);
-    return events_perf_submit(&p, exec_ret);
+    events_perf_submit(&p, exec_ret);
+
+    if (!reset_event(p.event, PROCESS_EXECUTION_FAILED))
+        return 0;
+
+    if (!evaluate_scope_filters(&p))
+        return 0;
+
+    if (exec_ret < 0)
+        bpf_tail_call(ctx, &prog_array, TAIL_PROCESS_EXECUTE_FAILED1);
+//TODO: save event (in bprm_creds_for_check and exec_binprm) and submit it only from here
+    return 0;
 }
 
 SEC("kprobe/security_path_notify")

pkg/events/core.go

@@ -12956,8 +12956,8 @@ var CoreEvents = map[ID]Definition{
 				{handle: probes.SecurityBprmCredsForExec, required: false}, // TODO: Change to required once fallbacks are supported
 			},
 			tailCalls: []TailCall{
-				{"prog_array", "trace_execute_failed1", []uint32{TailProcessExecuteFailed1}},
-				{"prog_array", "trace_execute_failed2", []uint32{TailProcessExecuteFailed2}},
+				{"prog_array", "execute_failed_tail1", []uint32{TailProcessExecuteFailed1}},
+				{"prog_array", "execute_failed_tail2", []uint32{TailProcessExecuteFailed2}},
 			},
 		},
 		params: []trace.ArgMeta{
@@ -12987,10 +12987,10 @@ var CoreEvents = map[ID]Definition{
 				{handle: probes.ExecBinprm, required: false},
 				{handle: probes.ExecBinprmRet, required: false},
 			},
-			tailCalls: []TailCall{
-				{"prog_array", "trace_execute_failed1", []uint32{TailProcessExecuteFailed1}},
-				{"prog_array", "trace_execute_failed2", []uint32{TailProcessExecuteFailed2}},
-			},
+			//tailCalls: []TailCall{
+			//	{"prog_array", "trace_execute_failed1", []uint32{TailProcessExecuteFailed1}},
+			//	{"prog_array", "trace_execute_failed2", []uint32{TailProcessExecuteFailed2}},
+			//},
 		},
 		params: []trace.ArgMeta{
 			{Type: "const char*", Name: "path"},