Address review

GPL/Events/EbpfEventProto.h

@@ -293,16 +293,30 @@ struct ebpf_process_setgid_event {
     uint32_t new_euid;
 } __attribute__((packed));
 
+// from linux/memfd.h:
+//
+/* flags for memfd_create(2) (unsigned int) */
+#ifndef MFD_CLOEXEC
+#define MFD_CLOEXEC 0x0001U
+#endif
+#ifndef MFD_ALLOW_SEALING
+#define MFD_ALLOW_SEALING 0x0002U
+#endif
+#ifndef MFD_HUGETLB
+#define MFD_HUGETLB 0x0004U
+#endif
+/* not executable and sealed to prevent changing to executable. */
+#ifndef MFD_NOEXEC_SEAL
+#define MFD_NOEXEC_SEAL 0x0008U
+#endif
+/* executable */
+#ifndef MFD_EXEC
+#define MFD_EXEC 0x0010U
+#endif
 struct ebpf_process_memfd_create_event {
     struct ebpf_event_header hdr;
     struct ebpf_pid_info pids;
-    unsigned int flags; // memfd_create flags
-    bool flag_cloexec;
-    bool flag_allow_seal;
-    bool flag_hugetlb;
-    bool flag_noexec_seal;
-    bool flag_exec;
-
+    uint32_t flags; // memfd_create flags
     // Variable length fields: memfd name
     struct ebpf_varlen_fields_start vl_fields;
 } __attribute__((packed));

GPL/Events/Helpers.h

@@ -283,16 +283,25 @@ static bool is_consumer()
     return consumer_pid == pid;
 }
 
+static int strncmp(const char *s1, const char *s2, size_t n)
+{
+
+    if (n == 0)
+        return (0);
+    do {
+        if (*s1 != *s2++)
+            return (*(unsigned char *)s1 - *(unsigned char *)--s2);
+        if (*s1++ == 0)
+            break;
+    } while (--n != 0);
+    return (0);
+}
+
 // compares first 'len' characters of str1 and str2, returns 1 if equal
 // NOTE: no bounds check, assumes use under eBPF verifier
 static int is_equal_prefix(const char *str1, const char *str2, int len)
 {
-    for (int i = 0; i < len; i++) {
-        if (str1[i] != str2[i]) {
-            return 0;
-        }
-    }
-    return 1;
+    return !strncmp(str1, str2, len);
 }
 
 #endif // EBPF_EVENTPROBE_HELPERS_H

GPL/Events/Process/Probe.bpf.c

@@ -281,7 +281,7 @@ int BPF_PROG(module_load, struct module *mod)
     pid_t curr_tgid = BPF_CORE_READ(task, tgid);
 
     // ignore if process is child of init/systemd/whatever
-    if ((1 == curr_tgid) || (2 == curr_tgid) || (1 == ppid) || (2 == ppid))
+    if ((curr_tgid == 1) || (curr_tgid == 2) || (ppid == 1) || (ppid == 2))
         goto out;
 
     // Variable length fields
@@ -373,7 +373,6 @@ int tracepoint_syscalls_sys_enter_shmget(struct trace_event_raw_sys_enter *ctx)
         long shmflg;
     };
     struct shmget_args *ex_args = (struct shmget_args *)ctx;
-
     const struct task_struct *task = (struct task_struct *)bpf_get_current_task();
 
     if (is_kernel_thread(task))
@@ -425,23 +424,7 @@ int tracepoint_syscalls_sys_enter_memfd_create(struct trace_event_raw_sys_enter
 
     event->hdr.type = EBPF_EVENT_PROCESS_MEMFD_CREATE;
     event->hdr.ts   = bpf_ktime_get_ns();
-
-// from linux/memfd.h:
-//
-/* flags for memfd_create(2) (unsigned int) */
-#define MFD_CLOEXEC 0x0001U
-#define MFD_ALLOW_SEALING 0x0002U
-#define MFD_HUGETLB 0x0004U
-/* not executable and sealed to prevent changing to executable. */
-#define MFD_NOEXEC_SEAL 0x0008U
-/* executable */
-#define MFD_EXEC 0x0010U
-    event->flags            = ex_args->flags;
-    event->flag_cloexec     = (event->flags & MFD_CLOEXEC) ? true : false;
-    event->flag_allow_seal  = (event->flags & MFD_ALLOW_SEALING) ? true : false;
-    event->flag_hugetlb     = (event->flags & MFD_HUGETLB) ? true : false;
-    event->flag_noexec_seal = (event->flags & MFD_NOEXEC_SEAL) ? true : false;
-    event->flag_exec        = (event->flags & MFD_EXEC) ? true : false;
+    event->flags    = ex_args->flags;
 
     ebpf_pid_info__fill(&event->pids, task);
 

non-GPL/Events/EventsTrace/EventsTrace.c

@@ -600,15 +600,15 @@ static void out_process_memfd_create(struct ebpf_process_memfd_create_event *evt
 
     out_uint("flags", evt->flags);
     out_comma();
-    out_bool("flag_cloexec", evt->flag_cloexec);
+    out_bool("flag_cloexec", evt->flags & MFD_CLOEXEC);
     out_comma();
-    out_bool("flag_allow_seal", evt->flag_allow_seal);
+    out_bool("flag_allow_seal", evt->flags & MFD_ALLOW_SEALING);
     out_comma();
-    out_bool("flag_hugetlb", evt->flag_hugetlb);
+    out_bool("flag_hugetlb", evt->flags & MFD_HUGETLB);
     out_comma();
-    out_bool("flag_noexec_seal", evt->flag_noexec_seal);
+    out_bool("flag_noexec_seal", evt->flags & MFD_NOEXEC_SEAL);
     out_comma();
-    out_bool("flag_exec", evt->flag_exec);
+    out_bool("flag_exec", evt->flags & MFD_EXEC);
 
     struct ebpf_varlen_field *field;
     FOR_EACH_VARLEN_FIELD(evt->vl_fields, field)