security_bprm_check: remove reliance on sys_enter

aquasecurity · Oct 14, 2024 · 035cd69 · 035cd69
1 parent f51d1c3
commit 035cd69
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 7 deletions.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -2139,17 +2139,18 @@ int BPF_KPROBE(trace_security_bprm_check)
     unsigned long inode_nr = get_inode_nr_from_file(file);
     void *file_path = get_path_str(__builtin_preserve_access_index(&file->f_path));
 
-    syscall_data_t *sys = &p.task_info->syscall_data;
+    struct pt_regs *task_regs = get_current_task_pt_regs();
+
     const char *const *argv = NULL;
     const char *const *envp = NULL;
-    switch (sys->id) {
+    switch (get_current_task_syscall_id()) {
         case SYSCALL_EXECVE:
-            argv = (const char *const *) sys->args.args[1];
-            envp = (const char *const *) sys->args.args[2];
+            argv = (const char *const *) get_syscall_arg2(p.event->task, task_regs, false);
+            envp = (const char *const *) get_syscall_arg3(p.event->task, task_regs, false);
             break;
         case SYSCALL_EXECVEAT:
-            argv = (const char *const *) sys->args.args[2];
-            envp = (const char *const *) sys->args.args[3];
+            argv = (const char *const *) get_syscall_arg3(p.event->task, task_regs, false);
+            envp = (const char *const *) get_syscall_arg4(p.event->task, task_regs, false);
             break;
         default:
             break;

diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -11447,7 +11447,6 @@ var CoreEvents = map[ID]Definition{
 		dependencies: Dependencies{
 			probes: []Probe{
 				{handle: probes.SecurityBPRMCheck, required: true},
-				{handle: probes.SyscallEnter__Internal, required: true},
 			},
 			tailCalls: []TailCall{
 				{