From 507372c67d0acb6d1323b8b550b4ce142f850927 Mon Sep 17 00:00:00 2001
From: Nicholas Berlin
Date: Tue, 5 Aug 2025 08:14:33 -0400
Subject: [PATCH 1/2] Resolve path via struct path on exec
---
 GPL/Events/Process/Probe.bpf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/GPL/Events/Process/Probe.bpf.c b/GPL/Events/Process/Probe.bpf.c
index d3b24d27..f34c7df0 100644
--- a/GPL/Events/Process/Probe.bpf.c
+++ b/GPL/Events/Process/Probe.bpf.c
@@ -166,7 +166,7 @@ int BPF_PROG(sched_process_exec,
 // filename
 field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_FILENAME);
- size = read_kernel_str_or_empty_str(field->data, PATH_MAX, binprm->filename);
+ size = ebpf_resolve_path_to_string(field->data, &p, task);
 ebpf_vl_field__set_size(&event->vl_fields, field, size);
 ebpf_ringbuf_write(&ringbuf, event, EVENT_SIZE(event), 0);
From 928e3c83bb22ea73d3d70f09f8299837331b4264 Mon Sep 17 00:00:00 2001
From: Nicholas Berlin
Date: Tue, 5 Aug 2025 08:14:52 -0400
Subject: [PATCH 2/2] Update tests to account for full path resolution
---
 testing/testrunner/ebpf_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/testing/testrunner/ebpf_test.go b/testing/testrunner/ebpf_test.go
index 3cf88362..8bb16f24 100644
--- a/testing/testrunner/ebpf_test.go
+++ b/testing/testrunner/ebpf_test.go
@@ -179,7 +179,7 @@ func ForkExec(t *testing.T, et *Runner) {
 require.Equal(t, execEvent.Creds.CapPermitted, uint64(0x000001ffffffffff))
 require.Equal(t, execEvent.Creds.CapEffective, uint64(0x000001ffffffffff))
- require.Equal(t, execEvent.FileName, "./do_nothing")
+ require.Equal(t, execEvent.FileName, "/do_nothing")
 require.Equal(t, execEvent.Argv[0], "./do_nothing")
 require.Equal(t, execEvent.Env[0], "TEST_ENV_KEY1=TEST_ENV_VAL1")
 require.Equal(t, execEvent.Env[1], "TEST_ENV_KEY2=TEST_ENV_VAL2")
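Review bot: In GPL/Events/Process/Probe.bpf.c the replaced call carried an explicit empty-string fallback in its name (`read_kernel_str_or_empty_str`), and the hunk does not show what `ebpf_resolve_path_to_string` returns when resolution fails or the path does not fit the buffer. Because `size` is passed straight to `ebpf_vl_field__set_size`, it is worth confirming that a failed resolve still produces a well-formed, NUL-terminated (possibly empty) filename field, since consumers that match on this field would otherwise receive an exec event with no usable path. `p` and `task` are declared outside the hunk, so which `struct path` is resolved (presumably that of the executed file) cannot be verified from here. The `// filename` comment should also record the changed meaning of the field, e.g. `// filename: path resolved from the exec'd file's struct path, not the caller-supplied binprm->filename`. The body of sched_process_exec starts and ends outside the hunk.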
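Review bot: The new expectation in testing/testrunner/ebpf_test.go hard-codes `"/do_nothing"`, which only holds while the test binary sits at the root of the filesystem the runner executes in; that assumption is not visible in the hunk and deserves a comment such as `// FileName is the kernel-resolved absolute path; do_nothing lives at / in the test image`. The arguments are also in (actual, expected) order, whereas testify's `require.Equal` takes the expected value first, so a failure message would label the two values the wrong way round; `require.Equal(t, "/do_nothing", execEvent.FileName)` reads correctly, though the neighbouring context lines use the same reversed order. ForkExec's body continues outside the hunk.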