Address review comments

elastic · Mar 20, 2024 · 91cf609 · 91cf609
1 parent e5ae5a0
commit 91cf609
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 10 deletions.
diff --git a/GPL/Events/File/Probe.bpf.c b/GPL/Events/File/Probe.bpf.c
@@ -243,11 +243,6 @@ static void prepare_and_send_file_event(struct file *f,
     struct ebpf_varlen_field *field;
     long size;
 
-    // path
-    field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_PATH);
-    size  = ebpf_resolve_path_to_string(field->data, &p, task);
-    ebpf_vl_field__set_size(&event->vl_fields, field, size);
-
     // symlink_target_path
     field      = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_SYMLINK_TARGET_PATH);
     char *link = BPF_CORE_READ(p.dentry, d_inode, i_link);
@@ -259,6 +254,11 @@ static void prepare_and_send_file_event(struct file *f,
     size  = ebpf_resolve_pids_ss_cgroup_path_to_string(field->data, task);
     ebpf_vl_field__set_size(&event->vl_fields, field, size);
 
+    // path
+    field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_PATH);
+    size  = ebpf_resolve_path_to_string(field->data, &p, task);
+    ebpf_vl_field__set_size(&event->vl_fields, field, size);
+
     // skip event if prefix is specified and file path does not start with it
     if (path_prefix) {
         if ((path_prefix_len > 0) && (size >= path_prefix_len)) {

diff --git a/GPL/Events/Helpers.h b/GPL/Events/Helpers.h
@@ -279,6 +279,7 @@ static bool is_consumer()
 }
 
 // compares first 'len' characters of str1 and str2, returns 1 if equal
+// NOTE: no bounds check, assumes use under eBPF verifier
 static int is_equal_prefix(const char *str1, const char *str2, int len)
 {
     for (int i = 0; i < len; i++) {

diff --git a/GPL/Events/Process/Probe.bpf.c b/GPL/Events/Process/Probe.bpf.c
@@ -79,6 +79,9 @@ int BPF_PROG(sched_process_exec,
              pid_t old_pid,
              const struct linux_binprm *binprm)
 {
+    if (!binprm)
+        goto out;
+
     // Note that we don't ignore the !is_thread_group_leader(task) case here.
     // if a non-thread-group-leader thread performs an execve, it assumes the
     // pid info of the thread group leader, all other threads are terminated,
@@ -98,9 +101,6 @@ int BPF_PROG(sched_process_exec,
     ebpf_cred_info__fill(&event->creds, task);
     ebpf_ctty__fill(&event->ctty, task);
 
-    if (!binprm)
-        return 0;
-
     // set setuid and setgid flags
     struct file *f        = BPF_CORE_READ(binprm, file);
     struct inode *f_inode = BPF_CORE_READ(f, f_inode);
@@ -445,8 +445,8 @@ int tracepoint_syscalls_sys_enter_memfd_create(struct trace_event_raw_sys_enter
     // memfd filename
     field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_FILENAME);
     size  = bpf_probe_read_user_str(field->data, PATH_MAX, ex_args->uname);
-    if (size < 0)
-        return 1;
+    if (size <= 0)
+        goto out;
     ebpf_vl_field__set_size(&event->vl_fields, field, size);
 
     bpf_ringbuf_output(&ringbuf, event, EVENT_SIZE(event), 0);