From 6fe6c3ed2eaa5b6cce461643e993ddf8a71bae27 Mon Sep 17 00:00:00 2001
From: Dean Sheather
Date: Tue, 16 Apr 2024 07:43:49 +0000
Subject: [PATCH] fixup! Logs cleanup
---
 bpf/handler-bpfeb.o | Bin 73536 -> 73536 bytes
 bpf/handler-bpfel.o | Bin 73536 -> 73536 bytes
 bpf/handler.c | 4 +++-
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/bpf/handler-bpfeb.o b/bpf/handler-bpfeb.o index 1b1c415d3942e069ff0cb7cf1a4f83dca70d211f..423dd61989b0293c303842bba95a197e7f3d90c4 100644 GIT binary patch delta 3124 zcma)-e{2**6vyAp?9ATn7HKIdM8V$Kqpeu`!(c*U4V4hn0BRM58c`ZG5u+y6XzU-z zHKL|TO9V$F{;mq9QN(IB)TEX({s_V1Z>2&pRS~Yy7!uInk3_$-Gh0^^6F1q}`Me)9 z@6Eh-R~YpQqu$`w5w>~gp^*lbe}+h2lcDGl6&%P?Sx}xxRPlZyZ>zyyfpz>j;Cn!} zorwR$pEtfh?_+4s<2#+NTnOzg{3U~DnT5>)ufe3&cyLZt@H6s8zC*W+u3)3O596zP zd~|jGOBYXY4jdM7VCon62QLCE_yMByvjz_X2RO#`3&8NBD4wInw;Gxu&MM6Y(2Uo( z%?u5|jQFI;L1BVO)z)Gx$3XJTXw)z7$+4pTbk7QQLZ4ZUmgv~lQ zE7y+{E@6KReOIXRSL2 zr<`xsiP`F0565>k(oSX%*htEg{Cbd-Y^<3;Qd z8+}WHbC|o+i}YxATA$FPfT+{5UrnM5Cq(^@*Ao{TP=^=jJzp=&N3}R?RdK-VxaBxO zcFO5ZEec$3sb!4O!(HgYRHdmZ7kb2|s#;)%RH7<0dKWr4&sUlegygL!8-)cGTRKGpJ zDd@LYjtk%Kx2$J=cVE;gsYxq{J0(5Wa_o?H0mK`mT_)4^o&U1$vWzi$f;N0`5^_6v z4>SB-by()tlAd*>DT*N&x3YN6u+-VOe~!?_BwV+KjaH8_dcqETut(gj;rayQkU|$@ z+^wODak^W>Zs*|sRKgz1akqwB9J_7|w>fs*81^UZ&4z=HT{nlrj$OBgla_-U1bIDr z+4rmU6W{MV_i4stQ;=0+a$`o8DDga7uEgPu&6s5H&EVVIES0)Ya&d*e^Jwn$Ue+#C zsvfetq{vEA;>5;gIa7&;^lL|}Z$5@~QcAqRnw9tfb05?CXqHxD1kz^dN2|S=&&c3z zscur@0ZgIY#b6G7pb*a|h~X7h-;Bk~-WUJF*jM6xebKQw;+1^8UO6@YhF-Qj4oZoW z*mj{3y;v>|6j4ITXA@%{r!=bCKH>}HUlC+w`PH&QWn?ZRYcgU0d5^;zSq7>aAtHcB z^`T>xbFY|Q@n5OWD&`g(!#Usxj~dUdaCtD!&>WJ>@h5#vv5DQMHy7t$-=@TGQH-!x zo0Pa8adRa$@pd^gi<79AGq8KQ!MOi?PrXcwUY?PmT7hKl$%sBcS}la(S9U%q3Gfc2YM@Exz*qoseWo?BJ=VWr>*Bh&$e7u6W^pX8qPwE=1N!Jjd&m a_mDu6V|TMlcX!NZlk6`DhzN@S delta 3028 zcma)+Yiv|S6vyXrXZBU3wOEN#cGqqnJZvdSLSju9qDjLe6sb^yfd)T_QIe8C><3{> zL~KQ4aWtY4vP5F=QLStf8ZEGiXb@T@pi&-%A_caQ7>$ZmKj?q%%w4Z0CT?=?o!@!Q zIWy;M_K=f3}`#A=)gL_ewb8g55`Ct{Iq-)ds8J3Eu{VGdAvVR zLx+~9zOwm*XTafZ1`OVSe;C1$-q(bL_Glai?qlbGZvi7;y7`Q1-wJ3ljF##Rpc$&P zn`znyGr}(L1Qa@nU{w{~#dr}h)qSh(!wGs-ojkmd{-~yAmr|-)vy+N~*ysh6rPHP@ zj25X^vWw~OnakO-0IkRbj=sx_w%nw*Afy@(MT**H9 zr|r50>%HpMfn|%|wy|bGgI~DUarbs6V{M`sxrstZEFXoCB-UA|Yw@&TeMB7?C@cEh zMw|mFe&LhqyMf#3Wfd5#q&ZcC_s?p@U}X`rcJ;git1a zdOIuHp!GNwq6_?tur_t@Oq6a_!)K!Ltp$*E7#&?fn9FI)#|Z0CrDs#M37jV#F;YH_ 
zumqwp6sRMzZo;Z0zA>v`PuNT~c(x{$oCs;FmA+3{ass%`@@c~E)B1KFPXpUrxYld? zE~9s55Z0jW^^sy%m$iPMK(-@!d)J+{1jpDxntmC2D?JbdkIgfJBL><)mJ5K z2HsW4n6dJ%O4_ikVBD}d6JQojgcUkL` zK2Bh5PtVn3)X7?(9t}iV4F@U+Z^a3bwB@yg@eSz1dsOzqeWn-tjLJ)x{$SWEkd9lu z+lzB9Moll;1i9CXNo(cxqD|24J>84CY7~_3#b(3#UTpEP?nPUGj)vqJ-O)s`v zf!B*2mUS=UHoayJyia%+29w#c=rO`yR=12SNxA)&HeP|B2=Bp2@O?f;8obAFa0=nQ zTHohml*O|?*8O|J$J&3$aw}Z5K9}eDyiW(TX$7@`b{Mw?XpH`HG;z?!SUYnK>oT&c z{L<>w$dbQXH+U8k1S`>KtZ;{X6zw3|4TtU`j-y+>!}1DjfGosLA7gYx+VXn*g(E9r zk0JCNaS|v)WQ`v0`FJ2WiWjaoZ;-Qm9K#wxA8RA6zeJom1dz6j@GK0ky8qinsd>a{ z!hdj}&>HGYCxK%=j)JRvj7kEt42K^e&J)Nq&|ugb$3U}>gV1*w_PRTeHmnLSZ*}KA zIAR3eID{q}_8dYs0dIqltt4;X>a$l@E=TF}N{rUKqZS_eXY7bA){7mndvSNvHjbK6 zi>$R?cGMzv2X~Zkd671&*P}NL-0ou>Nurjm3$kP(7s1u4t-c6pHs-8n^xB$nBKeLAI1U6kEnUq zZsi}Qs@0;g(nmV!0xv1aZ(!T$l6NAUmngD?luaU(VzNSLN%P~UP=84{E{Y!#B{C)w zF;N-g@1X8);EgK7vH~e0f!EZzYthM#`H252{pMVvd<^G+BOKM9JK(azt56@3t?{~A znX9GS)C;-NHA^HPcXNcjd|L8nkvEfk3u_h=<2Z?GF#)@WYP9>Wo2o^Kce0p>$b~3o zQ;a_c2+490*oeKZ!q+`b+==ARq!x&qB!5K}j3wv|RXaAf>HnROppw7Ig1bclzpxp1 r{ItH}>Hk^v!LdXHRZE^`)sl~7u8;jOo345_H-$b)7awRTr6cq&nE(M` 
diff --git a/bpf/handler-bpfel.o b/bpf/handler-bpfel.o index a31c7e33d33c159182b98dfbbb9e204a8282064c..135e9c3a133ee664da8ab9075264f179965fd2c6 100644 GIT binary patch delta 3163 zcma)-e{57m5XX1l-rM`pUaz&JHVWQ5TKWqtcLtMcYN(*50e@6MEdiks6EVi58VLOZ zI3j8qTVioZs6Wv1%Mekh6k?5~oQV(uMNttdrKTv-HZg<*FlbElJMZSXzUR%p=`#KPLR$z&;3-lBo0 zeqsjupGco_OBrlfm}4xFX3HD8F` zN#Yny9h2)+W2XoI$9p+!aK81G^ zeuvDyfs)&gvd23iq31hhH@2*Z#>m|m&YQsTayf3MVZ3VQA1^OZ+1%#MWXl56etf#T z+4LQsC*wW&U*(5oS&wu2b*o^NC2)bl;CC3m)LQfT4{_OUhJJ`A+AYz_x+jsLTyPij zQLyeXx1LF-rdeVHL>?-U`w+Mow@Cak-a2UshxtY5)eLj&%=C1oAFrNm; z9<;<-A6J4~eH;aMFi%C2V-1$*^l=otllgJz3l>?ToB0LsV64zMT2Wjx6IW`neT(U$GLDCTiAPs}-ng1fID<l9}{Xu&?tmU2V(1?9I?{dAd-K8}J1nVVrBhOt-c#Is@$T=E%2!Pl7I zhQX9CQAAwO#367EvwMsqrsUk>bOW4vb$y1+z|l>+;7?%w{Wj>~MZD#h`wZ+G7yRP*Ks9jr`y>{(j z_S&(N*=xrxpFOp6H?!Byz06*_jxaBc2qmmmGy9kMrt_CQx4$Q)or)y18d>Amxms;>Q;Ug%w}W?Wt*!Mvwxu33%P*AP(k2`2kgkSog{=~{(CYG>+vZAYejUGZhg`Dh+(fxjKK$u|Npe*F E4K8j5Y5)KL delta 3161 zcma)-Yiv|S6vyYWclJTI+X|_Tq4X|Y`Vvd)BdMl_MKNi3NR=uzC^q;(jGEL0LO%#w zf?`2TilY$?kP?Ui1gx})jn=Xs)Tp#-6tzIX@(|jD7>tPM7yX~R=i-&b#L0H<{LY*? 
zbLPxB)9hdeRW`#%xquk2;mB}A}xg49+5&MGr%&!9a}=cKY%j{yFVe^ z4V9l2a3`%zeht~JG`r7RTMgOMG`p8@I$2I0LRU#DI~8U`nSf3$25Og056+hZb~E~S z?a1K6nWLURH^+pyofaIu62ba?K+nDJc1D3GfqQ87#M^{lO=5q}(c1D}nkkVZkW#Cl z&GzKRn85FpPL*LY0(oWSWa`Bk;`1Hm)Yit(Z`S_O#=ey_##!js;oFM8 zk8R&j*)5;5#XBIO_6@V=TTVoM>@IX?ZD_bcj@y~&FWctfib9o(ZT@W5EU=r0XUQTv zFuYh!>n-@QAljS!VUsFcsRXW1Sp0p8zq)oiaI93mU`LOYCSOpZljoKoK6&77<}bje z(@s5}sY@v_1|kbphHYk=e6JR4%@Zqd0rPHr zW!la>`S=64nsJu;SLK@AD*vi#nQ6Wn`so1E)wcgj-;SQF$TaC|DfAX*i<-6fa*!{l z!IN9GsK?mnB5*puDR5(eE5IuPY`|^IvYFl#rPCIz&z6?CGgF>YnszYzY1+x0OVfYy{9qXGR$iADmsr6o(%0;iu|=64#Ef(ASHvsKoDFak{B?li;1T9FtdC-`pX6%CGQS0d83RZn zPH5r?xSrWNM%JcIFUu@KLHT)ooYcTnC3Ft&e$Q#q!F(Iue-#RePUa=x1oqe(;4rwG z`8mwT@t*fEZvsbCA(3Uq7WaAy^4WC?en}m{f=N`%Tq38*Kto8>GuPq)52x+iGxIWY zFwAcbi2}r)d?#P0z*jfGrQpf{(^+bnAH@3jGa=E)>{n|`fT>!$nEl-E&asW3-9V)> zh7i*B{$o%KH?D=U5)TuzZ@xajWWMb>{dQ(AOz4{6CfW0zpv@uC%KR85=nd!U$cGV@ z`92ijA6L+aVrIWwYnlB$TABTFT@hd^*EVLqT-yWem1{>pK;_!W?3Zg7vtN!|nf-F? z4(L-k_b~hA+|TTn>lpL$n9xFX*ttJ7+c$pdxn-M_PF*Z%^qIA;lV|i!InU@H*EV3_ z;_Kqu(BK$zx1)5kU3orr(?;3iL`)52s~nwlgwemPZEzAsciBVd%b%KnoruxBvcc$K zjKdh#c%!J%A3)mRggt8?W?Uz>+A&WWy#Yha?w3%05|y%FYoN8u%;YKo9Dq(l^%kZbx|oWCfRbS6LI z6dBh^xlVM10Gv#m*4!mhkTqrGWx@PgZqu(%|nlXVmAcW^=Ue?S8Uxxee?f|kRy%Wr6N0= yJbh{{?sz?2arJ+m`lE@|B%IplZdGISSntJ&%eTs9Z=9YgSIdR(KT;wu$iD&mi~
diff --git a/bpf/handler.c b/bpf/handler.c
index 43a7a4c..f66dd3e 100644
--- a/bpf/handler.c
+++ b/bpf/handler.c
@@ -134,6 +134,8 @@ static void log(const char *fmt, u32 fmt_size, u32 arg0, u32 arg1, u32 arg2) {
 }
 // Copy the fmt string into the log entry.
+ // NOTE: bpf_snprintf is not supported in some of the lower kernel versions
+ // we claim to support, so we have to do it this way.
 ret = bpf_probe_read_kernel_str(&entry->fmt, sizeof(entry->fmt), fmt);
 if (ret < 0) {
 bpf_printk("could not read fmt into log struct: %d", ret);
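Review bot: The added NOTE says `bpf_snprintf` is missing on "some of the lower kernel versions" without naming them, so a maintainer cannot tell when the workaround can be dropped. Upstream added that helper in Linux 5.13, so the comment could read `// NOTE: bpf_snprintf needs Linux 5.13+, newer than the oldest kernel we support, so we copy the raw fmt instead.` (the project's own minimum version is not visible here). Separately, the copy below is bounded by `sizeof(entry->fmt)` and `bpf_probe_read_kernel_str` truncates silently, while `fmt_size` is unused in the visible lines. If it is not checked earlier in `log`, a guard such as `if (fmt_size > sizeof(entry->fmt))` would surface an over-long format instead of emitting a clipped one. The body of `log` starts and ends outside this hunk.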
@@ -245,7 +247,7 @@ s32 enter_execve(struct exec_info *ctx) {
 // Write the filename in addition to argv[0] because the filename contains
 // the full path to the file which could be more useful in some situations.
- ret = bpf_probe_read_user_str(event->filename, sizeof(event->filename), ctx->filename);
+ ret = bpf_probe_read_user_str(&event->filename, sizeof(event->filename), ctx->filename);
 if (ret < 0) {
 LOG1("could not read filename into event struct: %d", ret);
 bpf_ringbuf_discard(event, 0);
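Review bot: The read into `event->filename` rejects only `ret < 0`, so a path longer than the buffer is stored truncated and submitted as if it were complete. `bpf_probe_read_user_str` returns the copied length including the NUL, so `ret == sizeof(event->filename)` marks a name that filled the buffer and may be clipped. For an exec audit event this matters, because a consumer matching on the path cannot tell a short path from the prefix of a longer one. I would record that case after the error branch, for example `if (ret == sizeof(event->filename)) { /* filename filled the buffer: mark event as possibly truncated */ }`, using whatever truncation field the event struct has or gains (the struct is not visible here). `enter_execve` continues outside the hunk.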