task-47: add KindExec for execve paths

author: Paul Buetow <paul@buetow.org> 2026-05-20 23:42:12 +0300
committer: Paul Buetow <paul@buetow.org> 2026-05-20 23:42:12 +0300
commit: be6d4e8ffc722bf0d36c5b01ff46f817539a1525 (patch)
tree: 7bb0aeb51e29cfbc6735af15bb812b888f4b3574 /internal/eventloop_runtime.go
parent: 2156d6e51b18e29fe8dfe8e1a519e1a84e0a1fe6 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/internal/eventloop_runtime.go b/internal/eventloop_runtime.go
index 334fa63..d9d9c4c 100644
--- a/internal/eventloop_runtime.go
+++ b/internal/eventloop_runtime.go
@@ -250,6 +250,7 @@ func (e *eventLoop) initRawHandlers() {
 	e.registerTwoFdHandlers()
 	e.registerMemoryHandlers()
 	e.registerSleepHandlers()
+	e.registerProcessHandlers()
 	e.registerSecurityHandlers()
 }
 
@@ -483,6 +484,16 @@ func (e *eventLoop) registerSleepHandlers() {
 	}
 }
 
+func (e *eventLoop) registerProcessHandlers() {
+	e.rawHandlers[types.ENTER_EXEC_EVENT] = func(raw []byte, _ chan<- *event.Pair) {
+		execEv, ok := decodeRawEvent(e, types.ENTER_EXEC_EVENT, raw, types.NewExecEventFast)
+		if !ok {
+			return
+		}
+		e.tracepointEntered(execEv)
+	}
+}
+
 func (e *eventLoop) registerSecurityHandlers() {
 	e.rawHandlers[types.ENTER_KEYCTL_EVENT] = func(raw []byte, _ chan<- *event.Pair) {
 		keyctlEv, ok := decodeRawEvent(e, types.ENTER_KEYCTL_EVENT, raw, types.NewKeyctlEventFast)
@@ -528,6 +539,8 @@ func (e *eventLoop) tracepointEntered(enterEv event.Event) {
 	switch enterEv.(type) {
 	case *types.OpenEvent:
 		e.pairs.set(enterEv)
+	case *types.ExecEvent:
+		e.pairs.set(enterEv)
 	default:
 		// Only, when we have a comm name
 		if _, ok := e.cachedComm(tid); ok {
author	Paul Buetow <paul@buetow.org>	2026-05-20 23:42:12 +0300
committer	Paul Buetow <paul@buetow.org>	2026-05-20 23:42:12 +0300
commit	be6d4e8ffc722bf0d36c5b01ff46f817539a1525 (patch)
tree	7bb0aeb51e29cfbc6735af15bb812b888f4b3574 /internal/eventloop_runtime.go
parent	2156d6e51b18e29fe8dfe8e1a519e1a84e0a1fe6 (diff)