Diffstat (limited to 'internal/c')
| -rw-r--r-- | internal/c/generated_tracepoints.c | 25 | ||||
| -rw-r--r-- | internal/c/generated_tracepoints_result.txt | 4 | ||||
| -rw-r--r-- | internal/c/types.h | 14 |
3 files changed, 32 insertions, 11 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
index b7fa686..58c993f 100644
--- a/internal/c/generated_tracepoints.c
+++ b/internal/c/generated_tracepoints.c
@@ -8972,7 +8972,7 @@ int handle_sys_exit_pipe(struct syscall_trace_exit *ctx) {
 return 0;
 }
-/// sys_enter_execve is a struct path_event
+/// sys_enter_execve is a struct exec_event
 SEC("tracepoint/syscalls/sys_enter_execve")
 int handle_sys_enter_execve(struct syscall_trace_enter *ctx) {
 __u32 pid, tid;
@@ -8982,17 +8982,20 @@ int handle_sys_enter_execve(struct syscall_trace_enter *ctx) {
 if (!ior_on_syscall_enter(tid, SYS_ENTER_EXECVE)) return 0;
- struct path_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct path_event), 0);
+ struct exec_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct exec_event), 0);
 if (!ev) return 0;
- ev->event_type = ENTER_PATH_EVENT;
+ ev->event_type = ENTER_EXEC_EVENT;
 ev->trace_id = SYS_ENTER_EXECVE;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_boot_ns();
- __builtin_memset(&(ev->pathname), 0, sizeof(ev->pathname));
- bpf_probe_read_user_str(ev->pathname, sizeof(ev->pathname), (void*)ctx->args[0]);
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[0]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
+ ev->dirfd = -1;
+ ev->flags = 0;
 bpf_ringbuf_submit(ev, 0);
 return 0;
@@ -9024,7 +9027,7 @@ int handle_sys_exit_execve(struct syscall_trace_exit *ctx) {
 return 0;
 }
-/// sys_enter_execveat is a struct fd_event
+/// sys_enter_execveat is a struct exec_event
 SEC("tracepoint/syscalls/sys_enter_execveat")
 int handle_sys_enter_execveat(struct syscall_trace_enter *ctx) {
 __u32 pid, tid;
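Review bot: The first added `__builtin_memset` in the @@ -8982 hunk clears `filename` and `comm` as one region by passing `sizeof(ev->filename) + sizeof(ev->comm)` with a pointer to `&(ev->filename)`, which only holds while the two arrays stay adjacent in `struct exec_event` with nothing between them; a field added between them later would leave `comm` holding whatever the reserved ring-buffer slot already contained. Two explicit calls keep the intent local and survive struct changes: `__builtin_memset(&ev->filename, 0, sizeof(ev->filename));` followed by `__builtin_memset(&ev->comm, 0, sizeof(ev->comm));`; the same pattern appears in the sys_enter_execveat hunk at @@ -9034, and since this file is generated the change presumably belongs in the generator template. The return value of `bpf_probe_read_user_str` is also discarded, so a failed read and an empty path both surface as an all-zero `filename`; a short comment would help consumers, e.g. `// best-effort snapshot of the user string at syscall entry; a read failure leaves filename empty`. The body of handle_sys_enter_execve starts outside this hunk.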
@@ -9034,16 +9037,20 @@ int handle_sys_enter_execveat(struct syscall_trace_enter *ctx) {
 if (!ior_on_syscall_enter(tid, SYS_ENTER_EXECVEAT)) return 0;
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ struct exec_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct exec_event), 0);
 if (!ev) return 0;
- ev->event_type = ENTER_FD_EVENT;
+ ev->event_type = ENTER_EXEC_EVENT;
 ev->trace_id = SYS_ENTER_EXECVEAT;
 ev->pid = pid;
 ev->tid = tid;
 ev->time = bpf_ktime_get_boot_ns();
- ev->fd = (__s32)ctx->args[0];
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
+ ev->dirfd = -1;
+ ev->flags = (__s32)ctx->args[4];
 bpf_ringbuf_submit(ev, 0);
 return 0;
diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt
index 0d516db..8328467 100644
--- a/internal/c/generated_tracepoints_result.txt
+++ b/internal/c/generated_tracepoints_result.txt
@@ -40,8 +40,8 @@ sys_enter_epoll_pwait2 is a struct fd_event
 sys_enter_epoll_wait is a struct fd_event
 sys_enter_eventfd is a struct eventfd_event
 sys_enter_eventfd2 is a struct eventfd_event
-sys_enter_execve is a struct path_event
-sys_enter_execveat is a struct fd_event
+sys_enter_execve is a struct exec_event
+sys_enter_execveat is a struct exec_event
 sys_enter_exit is a struct null_event
 sys_enter_exit_group is a struct null_event
 sys_enter_faccessat is a struct path_event
diff --git a/internal/c/types.h b/internal/c/types.h
index 6fde3a1..f384075 100644
--- a/internal/c/types.h
+++ b/internal/c/types.h
@@ -47,6 +47,8 @@
 #define EXIT_PTRACE_EVENT 42
 #define ENTER_PERF_OPEN_EVENT 43
 #define EXIT_PERF_OPEN_EVENT 44
+#define ENTER_EXEC_EVENT 45
+#define EXIT_EXEC_EVENT 46
 #define UNCLASSIFIED 0
 #define READ_CLASSIFIED 1
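Review bot: The added `ev->dirfd = -1;` in the @@ -9034 hunk discards the directory fd that execveat receives in `ctx->args[0]`, which the removed `ev->fd = (__s32)ctx->args[0];` line used to record, so a relative `filename` can no longer be resolved against its base directory by whoever consumes the event. It should read `ev->dirfd = (__s32)ctx->args[0];`, in line with `flags` being taken from `ctx->args[4]` two lines below. If `-1` is intended as a "not applicable" marker for plain execve, that is fine there, but execveat has a real fd to report. The enclosing handle_sys_enter_execveat body starts outside this hunk.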
@@ -64,6 +66,18 @@ struct open_event {
 char comm[MAX_PROGNAME_LENGTH];
 };
+struct exec_event {
+ __u32 event_type;
+ __u32 trace_id;
+ __u64 time;
+ __u32 pid;
+ __u32 tid;
+ __s32 dirfd;
+ __s32 flags;
+ char filename[MAX_FILENAME_LENGTH];
+ char comm[MAX_PROGNAME_LENGTH];
+};
+
 struct null_event {
 __u32 event_type;
 __u32 trace_id;
|
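Review bot: `struct exec_event` is added with no comment on `dirfd` and `flags`, which the handlers in generated_tracepoints.c fill differently for execve (`dirfd = -1`, `flags = 0`) and execveat, so a reader of the header cannot tell that `-1` is a sentinel rather than a file descriptor. Suggest a comment above the struct along the lines of `/* Emitted for sys_enter_execve/execveat. dirfd and flags carry the execveat arguments; for plain execve dirfd is -1 and flags is 0. */`. It is also worth stating that `filename` and `comm` must stay adjacent, because the handlers zero both arrays with a single memset sized `sizeof(filename) + sizeof(comm)` starting at `filename`; a field inserted between them would silently break that.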
