fix: filldir64 event

The second parameter (`name`) of filldir64 is currently being interpreted as the `process name`, whereas it should be interpreted as the directory entry name (`dirent`).
aquasecurity · Feb 14, 2025 · b830f86 · b830f86
1 parent 78561c3
commit b830f86
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -1674,8 +1674,8 @@ SEC("kprobe/filldir64")
 int BPF_KPROBE(trace_filldir64)
 {
     // only inode=0 is relevant, simple filter prior to program run
-    unsigned long process_inode_number = (unsigned long) PT_REGS_PARM5(ctx);
-    if (process_inode_number != 0)
+    unsigned long dirent_inode_number = (unsigned long) PT_REGS_PARM5(ctx);
+    if (dirent_inode_number != 0)
         return 0;
 
     program_data_t p = {};
@@ -1685,9 +1685,9 @@ int BPF_KPROBE(trace_filldir64)
     if (!evaluate_scope_filters(&p))
         return 0;
 
-    char *process_name = (char *) PT_REGS_PARM2(ctx);
+    char *dirent_name = (char *) PT_REGS_PARM2(ctx);
 
-    save_str_to_buf(&p.event->args_buf, process_name, 0);
+    save_str_to_buf(&p.event->args_buf, dirent_name, 0);
     return events_perf_submit(&p, 0);
 }
 

diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -11900,7 +11900,7 @@ var CoreEvents = map[ID]Definition{
 		},
 		sets: []string{},
 		fields: []trace.ArgMeta{
-			{Type: "char*", Name: "hidden_process"},
+			{Type: "char*", Name: "hidden_dirent"},
 		},
 	},
 	KernelWrite: {