BPF sys_execve get file_name?

[Nigelwz]

• Can I know why does the "tail call" about exec hook?
  Because If you only hook exec it also can get the args, e.g: path_name, can I know why tracee need to asign args in sys_enter_init_tail call.
• I captured the screenshot in below, I saw "execve" only add dependency about "sys_enter_tail". If my understanding is correct, the "execv"'s path_name is get from sys_enter_init_tail.

Maybe I miss some cases, thank you for checking the questions.

[yanivagman]

Execve(at) is different than other syscalls in two ways:

1. We can't submit the arguments in sys_exit (like we do for almost all the other syscalls), since a successful exec never returns.
2. It has the argv and envp arguments, which require a different handling on submit

[Nigelwz]

Thank you for your reply.

• Can I know how to get the path_name in "execve"?
  Beause when I run tracee, I can saw "execve" has path_name. But
  In the source code I don't find the "assign arg" method in execve hook.

 TIME(s)        UID    COMM             PID     TID     RET             EVENT                ARGS
176751.746515  1000   zsh              14726   14726   0               execve               pathname: /usr/bin/ls, argv: [ls]
176751.746772  1000   zsh              14726   14726   0               security_bprm_check  pathname: /usr/bin/ls, dev: 8388610, inode: 777
176751.747044  1000   ls               14726   14726  -2               access               pathname: /etc/ld.so.preload, mode: R_OK
176751.747077  1000   ls               14726   14726   0               security_file_open   pathname: /etc/ld.so.cache, flags: O_RDONLY|O_LARGEFILE, dev: 838861a, inode: 533737
...

• I think I got wrong point about "execve hook" in userspace, It ony attach "sys_enter" "sys_enter_init" ..., and add Execve index in "tail_call_map". Is it correct ?

[yanivagman]

Thank you for your reply.

• Can I know how to get the path_name in "execve"?
  Beause when I run tracee, I can saw "execve" has path_name. But
  In the source code I don't find the "assign arg" method in execve hook.

It's simply the first argument of execve, which we obtain through the PT_REGS_PARM1 macro with pt_regs as an argument.

• I think I got wrong point about "execve hook" in userspace, It ony attach "sys_enter" "sys_enter_init" ..., and add Execve index in "tail_call_map". Is it correct ?

Correct

[Nigelwz]

• When I search the "syscall__execve" there are two file locations in the "trace", Can I know which one is used by "trace".

./dist/tracee.bpf/tracee.bpf.c:2936:int syscall__execve(void *ctx)
./dist/tracee.bpf/tracee.bpf.c:2959:int syscall__execveat(void *ctx)
Binary file ./dist/tracee-ebpf matches
./pkg/ebpf/c/tracee.bpf.c:3150:int syscall__execve(void *ctx)
./pkg/ebpf/c/tracee.bpf.c:3179:int syscall__execveat(void *ctx)

• I think I got another wrong point I trace wrong code base. Because when I checked "./pkg/ebpf/c/tracee.bpf.c" with "sys_enter" it doesn't assign args in it, but "./dist/tracee.bpf/tracee.bpf.c" with "sys_enter" which has assigned args in it.

• Because I think if tracee doesn't add "sys__execve" index in "sys_enter_init_tail" the "sys__execve" can't get file_path, like second picture I attached.