feat(ebpf): add prev_comm for sched_process_exec

rscampos · Jul 28, 2024 · ce3f1bb · ce3f1bb
1 parent 6762ab7
commit ce3f1bb
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -1405,14 +1405,15 @@ int sched_process_exec_event_submit_tail(struct bpf_raw_tracepoint_args *ctx)
     save_to_submit_buf(&p.event->args_buf, &stdin_type, sizeof(unsigned short), 12);
     save_str_to_buf(&p.event->args_buf, stdin_path, 13);
     save_to_submit_buf(&p.event->args_buf, &invoked_from_kernel, sizeof(int), 14);
+    save_str_to_buf(&p.event->args_buf, (void *) p.task_info->context.comm, 15);
     if (p.config->options & OPT_EXEC_ENV) {
         unsigned long env_start, env_end;
         env_start = get_env_start_from_mm(mm);
         env_end = get_env_end_from_mm(mm);
         int envc = get_envc_from_bprm(bprm);
 
         save_args_str_arr_to_buf(
-            &p.event->args_buf, (void *) env_start, (void *) env_end, envc, 15);
+            &p.event->args_buf, (void *) env_start, (void *) env_end, envc, 16);
     }
 
     events_perf_submit(&p, 0);

diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -11229,6 +11229,7 @@ var CoreEvents = map[ID]Definition{
 			{Type: "umode_t", Name: "stdin_type"},
 			{Type: "char*", Name: "stdin_path"},
 			{Type: "int", Name: "invoked_from_kernel"},
+			{Type: "const char*", Name: "prev_comm"},
 			{Type: "const char**", Name: "env"},
 		},
 	},