From 035cd69aec841fa0c00daaa8729ec951f04cfb6d Mon Sep 17 00:00:00 2001
From: Ofek Shaked
Date: Mon, 14 Oct 2024 14:43:25 +0300
Subject: [PATCH] security_bprm_check: remove reliance on sys_enter
---
 pkg/ebpf/c/tracee.bpf.c | 13 +++++++------
 pkg/events/core.go | 1 -
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
index 36c88fad8021..8c4cb72818e2 100644
--- a/pkg/ebpf/c/tracee.bpf.c
+++ b/pkg/ebpf/c/tracee.bpf.c
@@ -2139,17 +2139,18 @@ int BPF_KPROBE(trace_security_bprm_check)
 unsigned long inode_nr = get_inode_nr_from_file(file);
 void *file_path = get_path_str(__builtin_preserve_access_index(&file->f_path));
- syscall_data_t *sys = &p.task_info->syscall_data;
+ struct pt_regs *task_regs = get_current_task_pt_regs();
+
 const char *const *argv = NULL;
 const char *const *envp = NULL;
- switch (sys->id) {
+ switch (get_current_task_syscall_id()) {
 case SYSCALL_EXECVE:
- argv = (const char *const *) sys->args.args[1];
- envp = (const char *const *) sys->args.args[2];
+ argv = (const char *const *) get_syscall_arg2(p.event->task, task_regs, false);
+ envp = (const char *const *) get_syscall_arg3(p.event->task, task_regs, false);
 break;
 case SYSCALL_EXECVEAT:
- argv = (const char *const *) sys->args.args[2];
- envp = (const char *const *) sys->args.args[3];
+ argv = (const char *const *) get_syscall_arg3(p.event->task, task_regs, false);
+ envp = (const char *const *) get_syscall_arg4(p.event->task, task_regs, false);
 break;
 default:
 break;
diff --git a/pkg/events/core.go b/pkg/events/core.go
index 8e8c59ad8509..e8c215777765 100644
--- a/pkg/events/core.go
+++ b/pkg/events/core.go
@@ -11447,7 +11447,6 @@ var CoreEvents = map[ID]Definition{
 dependencies: Dependencies{
 probes: []Probe{
 {handle: probes.SecurityBPRMCheck, required: true},
- {handle: probes.SyscallEnter__Internal, required: true},
 },
 tailCalls: []TailCall{
 {
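Review bot: The rewritten `switch (get_current_task_syscall_id())` silently leaves `argv` and `envp` NULL for any exec that reaches security_bprm_check outside a native execve/execveat syscall — a 32-bit compat syscall number if `get_current_task_syscall_id()` does not already normalize it, or a kernel-initiated exec (usermode helper), whose task pt_regs presumably do not describe a syscall — and `task_regs` itself is handed to `get_syscall_arg2()` and friends without a NULL check. I would add `if (task_regs == NULL) return 0;` (or whatever early-exit value this function uses) right after the new `task_regs` line, and document the fallthrough on the `default:` branch with `// not a native execve/execveat context (compat or kernel-initiated exec): argv/envp stay NULL on purpose`. The register values are user-controlled pointers, and the arrays they reference can be rewritten by another thread after the kernel has already copied them in, so consumers of this event should not treat the argv read here as exactly what the kernel executed — worth a one-line comment, since this was equally true of the old sys_enter snapshot and is easy to forget. The body of trace_security_bprm_check starts before and ends after this hunk.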