tetragon: Use heap map for pathname instead of stack

Using heap map data for pathname instead of the stack
as suggested in the comment. The probe_read_str will
copy NULL terminated string, so we don't need to
initialize it to zero.

Signed-off-by: Jiri Olsa <[email protected]>

bpf/lib/process.h

@@ -294,7 +294,10 @@ struct bpf_map_def __attribute__((section("maps"), used)) execve_val = {
 };
 
 struct execve_heap {
-	char maxpath[4096];
+	union {
+		char pathname[256];
+		char maxpath[4096];
+	};
 };
 
 struct bpf_map_def __attribute__((section("maps"), used)) execve_heap = {

bpf/process/bpf_execve_event.c

@@ -53,17 +53,12 @@ static inline __attribute__((always_inline)) uint32_t
 event_filename_builder(struct msg_process *curr, __u32 curr_pid, __u32 flags,
 		       __u32 bin, void *filename)
 {
+	struct execve_heap *heap;
 	int64_t size = 0;
+	__u32 zero = 0;
 	uint32_t *value;
 	char *earg;
 
-	/* For now we set pathname on stack with zero initializer because its
-	 * easy. We should push this into a map or do string compare directly
-	 * to make it work for longer pathnames. For now lets get the mechanics
-	 * working with short names.
-	 */
-	char pathname[256] = { 0 };
-
 	/* This is a bit parnoid but was previously having trouble on
 	 * 4.14 kernels tracking offset of curr through filename_builder
 	 * resulting in a a verifier error. We can optimize this a bit
@@ -84,8 +79,12 @@ event_filename_builder(struct msg_process *curr, __u32 curr_pid, __u32 flags,
 	curr->ktime = ktime_get_ns();
 	curr->size = size + offsetof(struct msg_process, args);
 
-	probe_read_str(pathname, 255, filename);
-	value = map_lookup_elem(&names_map, pathname);
+	heap = map_lookup_elem(&execve_heap, &zero);
+	if (!heap)
+		return bin;
+
+	probe_read_str(heap->pathname, 255, filename);
+	value = map_lookup_elem(&names_map, heap->pathname);
 	if (value)
 		return *value;
 	return bin;