Fix memfd execution detection

There was bug, testing the parent of the executed file for the `memfd` prefix, which of course is wrong. We now thest the correct file.
castai · Jul 1, 2024 · 8fb1216 · 8fb1216
1 parent 25a3e44
commit 8fb1216
Show file tree

Hide file tree

Showing 4 changed files with 3 additions and 3 deletions.
diff --git a/pkg/ebpftracer/c/headers/common/filesystem.h b/pkg/ebpftracer/c/headers/common/filesystem.h
@@ -543,7 +543,7 @@ statfunc bool get_exe_upper_layer(struct dentry *dentry, struct super_block *sb)
 
 static __always_inline bool get_exe_from_memfd(struct file *file)
 {
-    const unsigned char *name = BPF_CORE_READ(file, f_path.dentry, d_parent, d_name.name);
+    const unsigned char *name = BPF_CORE_READ(file, f_path.dentry, d_name.name);
     if (!name) {
         bpf_printk("get_exe_from_memfd(): failed to get name");
         return false;

diff --git a/pkg/ebpftracer/tracer_arm64_bpfel.o b/pkg/ebpftracer/tracer_arm64_bpfel.o
diff --git a/pkg/ebpftracer/tracer_test.go b/pkg/ebpftracer/tracer_test.go
@@ -108,9 +108,9 @@ func TestTracer(t *testing.T) {
 
 	policy := &ebpftracer.Policy{
 		Events: []*ebpftracer.EventPolicy{
-			{ID: events.NetFlowBase},
+			// {ID: events.NetFlowBase},
 			//{ID: events.NetPacketTCPBase},
-			//{ID: events.SchedProcessExec},
+			{ID: events.SchedProcessExec},
 			//{ID: events.SecuritySocketConnect},
 			//{ID: events.SockSetState},
 			//{ID: events.NetPacketDNSBase},

diff --git a/pkg/ebpftracer/tracer_x86_bpfel.o b/pkg/ebpftracer/tracer_x86_bpfel.o