diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
index d364de379872..b1a145ed03ba 100644
--- a/pkg/ebpf/c/tracee.bpf.c
+++ b/pkg/ebpf/c/tracee.bpf.c
@@ -2815,22 +2815,18 @@ int BPF_KPROBE(trace_security_socket_setsockopt)
 int level = (int) PT_REGS_PARM2(ctx);
 int optname = (int) PT_REGS_PARM3(ctx);
- // Load the arguments given to the setsockopt syscall (which eventually invokes this function)
- syscall_data_t *sys = &p.task_info->syscall_data;
- if (sys == NULL) {
- return -1;
- }
-
- if (!p.task_info->syscall_traced)
- return 0;
-
- switch (sys->id) {
+ struct pt_regs *task_regs = get_task_pt_regs((struct task_struct *) bpf_get_current_task());
+ int sockfd;
+ u64 sockfd_addr;
+ switch (p.event->context.syscall) {
 case SYSCALL_SETSOCKOPT:
- save_to_submit_buf(&p.event->args_buf, (void *) &sys->args.args[0], sizeof(u32), 0);
+ sockfd = PT_REGS_PARM1_CORE_SYSCALL(task_regs);
+ save_to_submit_buf(&p.event->args_buf, (void *) &sockfd, sizeof(u32), 0);
 break;
 #if defined(bpf_target_x86) // armhf makes use of SYSCALL_SETSOCKOPT
 case SYSCALL_SOCKETCALL:
- save_to_submit_buf(&p.event->args_buf, (void *) sys->args.args[1], sizeof(u32), 0);
+ sockfd_addr = PT_REGS_PARM2_CORE_SYSCALL(task_regs);
+ save_to_submit_buf(&p.event->args_buf, (void *) sockfd_addr, sizeof(u32), 0);
 break;
 #endif
 default:
diff --git a/pkg/events/core.go b/pkg/events/core.go
index 5f1544137f49..54d71c2490f5 100644
--- a/pkg/events/core.go
+++ b/pkg/events/core.go
@@ -11688,10 +11688,6 @@ var CoreEvents = map[ID]Definition{
 dependencies: Dependencies{
 probes: []Probe{
 {handle: probes.SecuritySocketSetsockopt, required: true},
- {handle: probes.SyscallEnter__Internal, required: true},
- },
- tailCalls: []TailCall{
- {"sys_enter_init_tail", "sys_enter_init", []uint32{uint32(Setsockopt)}},
 },
 },
 sets: []string{"lsm_hooks", "net", "net_sock"},
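Review bot: The `SYSCALL_SOCKETCALL` and `SYSCALL_SETSOCKOPT` branches now read the socket argument with `PT_REGS_PARM2_CORE_SYSCALL(task_regs)` and `PT_REGS_PARM1_CORE_SYSCALL(task_regs)`, which as far as I know select registers by the native syscall ABI. On x86 the socketcall path is presumably reached only by 32-bit compat tasks, whose arguments sit in different `pt_regs` fields. If so, `sockfd_addr` could be an unrelated user address and the event would report a wrong or empty sockfd for exactly those callers. The removed code took the values from `sys->args`, captured at syscall entry; whether that capture normalized compat registers is not visible here, so please confirm and, if it did, keep equivalent handling. At minimum add a comment above the switch such as `// PT_REGS_PARMn_CORE_SYSCALL assumes the native syscall ABI; compat tasks need separate handling`. The return value of `save_to_submit_buf` is still ignored in both branches, and the function body continues outside this hunk.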