Condense is_foo from exec into flags. (#194)

elastic · May 23, 2024 · f13bbbd · f13bbbd
1 parent f8e66ab
commit f13bbbd
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 9 deletions.
diff --git a/GPL/Events/EbpfEventProto.h b/GPL/Events/EbpfEventProto.h
@@ -226,16 +226,18 @@ struct ebpf_process_fork_event {
     struct ebpf_varlen_fields_start vl_fields;
 } __attribute__((packed));
 
+#define EXEC_F_SETUID	(1 << 0)
+#define EXEC_F_SETGID	(1 << 1)
+#define EXEC_F_MEMFD	(1 << 2)
+
 struct ebpf_process_exec_event {
     struct ebpf_event_header hdr;
     struct ebpf_pid_info pids;
     struct ebpf_cred_info creds;
     struct ebpf_tty_dev ctty;
     char comm[TASK_COMM_LEN];
     unsigned int inode_nlink;
-    bool is_setuid;
-    bool is_setgid;
-    bool is_memfd;
+    uint32_t flags;
 
     // Variable length fields: cwd, argv, env, filename, pids_ss_cgroup_path
     struct ebpf_varlen_fields_start vl_fields;

diff --git a/GPL/Events/Process/Probe.bpf.c b/GPL/Events/Process/Probe.bpf.c
@@ -106,8 +106,11 @@ int BPF_PROG(sched_process_exec,
     // set setuid and setgid flags
     struct file *f        = BPF_CORE_READ(binprm, file);
     struct inode *f_inode = BPF_CORE_READ(f, f_inode);
-    event->is_setuid      = (BPF_CORE_READ(f_inode, i_mode) & S_ISUID) ? true : false;
-    event->is_setgid      = (BPF_CORE_READ(f_inode, i_mode) & S_ISGID) ? true : false;
+    event->flags          = 0;
+    if (BPF_CORE_READ(f_inode, i_mode) & S_ISUID)
+	    event->flags |= EXEC_F_SETUID;
+    if (BPF_CORE_READ(f_inode, i_mode) & S_ISGID)
+	    event->flags |= EXEC_F_SETGID;
 
     // set inode link count (0 means anonymous or deleted file)
     event->inode_nlink = BPF_CORE_READ(f_inode, i_nlink);
@@ -122,7 +125,8 @@ int BPF_PROG(sched_process_exec,
         bpf_printk("could not read d_name at %p\n", component.name);
         goto out;
     }
-    event->is_memfd = is_equal_prefix(MEMFD_STRING, buf_filename, sizeof(MEMFD_STRING) - 1);
+    if (is_equal_prefix(MEMFD_STRING, buf_filename, sizeof(MEMFD_STRING) - 1))
+	    event->flags |= EXEC_F_MEMFD;
 
     // Variable length fields
     ebpf_vl_fields__init(&event->vl_fields);

diff --git a/non-GPL/Events/EventsTrace/EventsTrace.c b/non-GPL/Events/EventsTrace/EventsTrace.c
@@ -790,11 +790,11 @@ static void out_process_exec(struct ebpf_process_exec_event *evt)
     out_string("comm", evt->comm);
     out_comma();
 
-    out_bool("is_setuid", evt->is_setuid);
+    out_bool("is_setuid", evt->flags & EXEC_F_SETUID);
     out_comma();
-    out_bool("is_setgid", evt->is_setgid);
+    out_bool("is_setgid", evt->flags & EXEC_F_SETGID);
     out_comma();
-    out_bool("is_memfd", evt->is_memfd);
+    out_bool("is_memfd", evt->flags & EXEC_F_MEMFD);
     out_comma();
     unsigned int nlinks = evt->inode_nlink;
     out_uint("inode_nlinks", nlinks);