Skip to content

Commit 7a82831

Browse files
NDStrahilevitzNDStrahilevitz
authored
events: add execve and execveat to security_file_open syscalls (#2166)
These missing events were causing invalid parses for the syscall_pathname argument.
1 parent 63cead8 commit 7a82831

File tree

2 files changed

+8
-2
lines changed

2 files changed

+8
-2
lines changed

pkg/ebpf/tracee_test.go

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -144,7 +144,10 @@ func Test_getTailCalls(t *testing.T) {
144144
{MapName: "sys_exit_tails", MapIndexes: []uint32{uint32(events.Dup), uint32(events.Dup2), uint32(events.Dup3)}, ProgName: "sys_dup_exit_tail"},
145145
{MapName: "sys_enter_init_tail", MapIndexes: []uint32{uint32(events.Dup), uint32(events.Dup2), uint32(events.Dup3)}, ProgName: "sys_enter_init"},
146146
{MapName: "sys_exit_init_tail", MapIndexes: []uint32{uint32(events.Dup), uint32(events.Dup2), uint32(events.Dup3)}, ProgName: "sys_exit_init"},
147-
{MapName: "sys_enter_init_tail", MapIndexes: []uint32{uint32(events.Open), uint32(events.Openat), uint32(events.Openat2), uint32(events.OpenByHandleAt)}, ProgName: "sys_enter_init"},
147+
{MapName: "sys_enter_init_tail", MapIndexes: []uint32{
148+
uint32(events.Open), uint32(events.Openat), uint32(events.Openat2), uint32(events.OpenByHandleAt),
149+
uint32(events.Execve), uint32(events.Execveat),
150+
}, ProgName: "sys_enter_init"},
148151
{MapName: "sys_enter_init_tail", MapIndexes: []uint32{uint32(events.Mmap), uint32(events.Mprotect)}, ProgName: "sys_enter_init"},
149152
{MapName: "sys_enter_init_tail", MapIndexes: []uint32{uint32(events.Ptrace), uint32(events.ClockSettime)}, ProgName: "sys_enter_init"},
150153
{MapName: "sys_enter_submit_tail", MapIndexes: []uint32{uint32(events.Ptrace), uint32(events.ClockSettime)}, ProgName: "sys_enter_submit"},

pkg/events/events.go

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5151,7 +5151,10 @@ var Definitions = eventDefinitions{
51515151
},
51525152
Dependencies: dependencies{
51535153
TailCalls: []TailCall{
5154-
{MapName: "sys_enter_init_tail", MapIndexes: []uint32{uint32(Open), uint32(Openat), uint32(Openat2), uint32(OpenByHandleAt)}, ProgName: "sys_enter_init"},
5154+
{MapName: "sys_enter_init_tail", MapIndexes: []uint32{
5155+
uint32(Open), uint32(Openat), uint32(Openat2), uint32(OpenByHandleAt),
5156+
uint32(Execve), uint32(Execveat),
5157+
}, ProgName: "sys_enter_init"},
51555158
},
51565159
},
51575160
Sets: []string{"default", "lsm_hooks", "fs", "fs_file_ops"},

0 commit comments

Comments
 (0)