ebpf: arm improvements

gustavo-iniguez-goya · gustavo-iniguez-goya · commit 8ec86c638c94 · 2025-04-14T17:43:41.000+02:00
- better process interception on aarch64 and armhf.
 - on armhf getting proc arguments is ignored due to an error, but we
   were not marking the event as INCOMPLETE_ARGS, so we were not reading
   the compete cmdline.
diff --git a/daemon/procmon/ebpf/events.go b/daemon/procmon/ebpf/events.go
@@ -35,13 +35,12 @@ type execEvent struct {
 	UID         uint32
 	PPID        uint32
 	RetCode     uint32
+	Pad         uint16
 	ArgsCount   uint8
 	ArgsPartial uint8
 	Filename    [MaxPathLen]byte
 	Args        [MaxArgs][MaxArgLen]byte
 	Comm        [TaskCommLen]byte
-	Pad1        uint16
-	Pad2        uint32
 }
 
 // Struct that holds the metadata of a connection.
diff --git a/ebpf_prog/common.h b/ebpf_prog/common.h
@@ -74,13 +74,12 @@ struct data_t {
     // Parent PID as in the userspace term (i.e task->real_parent->tgid in kernel)
     u32 ppid;
     u32 ret_code;
+    u16 _pad;
     u8 args_count;
     u8 args_partial;
     char filename[MAX_PATH_LEN];
     char args[MAX_ARGS][MAX_ARG_SIZE];
     char comm[TASK_COMM_LEN];
-    u16 pad1;
-    u32 pad2;
 };
 
 //-----------------------------------------------------------------------------
diff --git a/ebpf_prog/opensnitch-procs.c b/ebpf_prog/opensnitch-procs.c
@@ -111,16 +111,14 @@ int tracepoint__syscalls_sys_enter_execve(struct trace_sys_enter_execve* ctx)
     }
     new_event(data);
     data->type = EVENT_EXEC;
-    // bpf_probe_read_user* helpers were introduced in kernel 5.5
-    // Since the args can be overwritten anyway, maybe we could get them from
-    // mm_struct instead for a wider kernel version support range?
+
+    data->args_count = 0;
+    data->args_partial = INCOMPLETE_ARGS;
     bpf_probe_read_user_str(&data->filename, sizeof(data->filename), (const char *)ctx->filename);
 
 // FIXME: on i386 arch, the following code fails with permission denied.
 #if !defined(__arm__) && !defined(__i386__)
     const char *argp={0};
-    data->args_count = 0;
-    data->args_partial = INCOMPLETE_ARGS;
 
     #pragma unroll
     for (int i = 0; i < MAX_ARGS; i++) {
@@ -157,6 +155,7 @@ int tracepoint__syscalls_sys_enter_execve(struct trace_sys_enter_execve* ctx)
         // -28 ENOSPC (no space left)
         //     -> perf reader buffer too small.
         //     -> also happens after coming back from suspend state.
+        // -11 EAGAIN - ringbuf full?
         // -7 E2BIG (arg list too long) -> too much args?
         // -2 ENOENT (no such file or directory) -> map index not found. on different cpu?
 
@@ -182,11 +181,12 @@ int tracepoint__syscalls_sys_enter_execveat(struct trace_sys_enter_execveat* ctx
     data->type = EVENT_EXECVEAT;
     bpf_probe_read_user_str(&data->filename, sizeof(data->filename), (const char *)ctx->filename);
 
+    data->args_count = 0;
+    data->args_partial = INCOMPLETE_ARGS;
+
 // FIXME: on i386 arch, the following code fails with permission denied.
 #if !defined(__arm__) && !defined(__i386__)
     const char *argp={0};
-    data->args_count = 0;
-    data->args_partial = INCOMPLETE_ARGS;
 
     #pragma unroll
     for (int i = 0; i < MAX_ARGS; i++) {
