diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
index af8e4d46f2b..dee90be22bf 100644
--- a/bpf/process/bpf_execve_event.c
+++ b/bpf/process/bpf_execve_event.c
@@ -13,14 +13,22 @@
 #include "policy_filter.h"
+int execve_rate(void *ctx);
+int execve_send(void *ctx);
+
 char _license[] __attribute__((section("license"), used)) = "Dual BSD/GPL";
 struct {
 __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
 __uint(max_entries, 2);
 __uint(key_size, sizeof(__u32));
- __uint(value_size, sizeof(__u32));
-} execve_calls SEC(".maps");
+ __array(values, int(void *));
+} execve_calls SEC(".maps") = {
+ .values = {
+ [0] = (void *)&execve_rate,
+ [1] = (void *)&execve_send,
+ },
+};
 #include "data_event.h"
@@ -273,7 +281,7 @@ event_execve(struct trace_event_raw_sched_process_exec *ctx)
 return 0;
 }
-__attribute__((section("tracepoint/0"), used)) int
+__attribute__((section("tracepoint"), used)) int
 execve_rate(void *ctx)
 {
 struct msg_execve_event *msg;
@@ -318,7 +326,7 @@ void update_mb_bitset(struct binary *bin)
 * is to update the pid execve_map entry to reflect the new execve event that
 * has already been collected, then send it to the perf buffer.
 */
-__attribute__((section("tracepoint/1"), used)) int
+__attribute__((section("tracepoint"), used)) int
 execve_send(void *ctx)
 {
 struct msg_execve_event *event;
diff --git a/pkg/sensors/base/base.go b/pkg/sensors/base/base.go
index 6ae7bef1cb3..b09952adaf2 100644
--- a/pkg/sensors/base/base.go
+++ b/pkg/sensors/base/base.go
@@ -97,9 +97,6 @@ var (
 )
 func setupPrograms() {
- // execve program tail calls details
- Execve.SetTailCall("tracepoint", ExecveTailCallsMap)
-
 // exit program function
 ks, err := ksyms.KernelSymbols()
 if err == nil {
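Review bot: The `(void *)` casts in the `.values` initializer of `execve_calls` throw away the type check that `__array(values, int(void *))` could provide. Both forward declarations are already `int (void *)`, so `[0] = &execve_rate,` and `[1] = &execve_send,` should compile and would catch a later signature change; confirm this against the project's `__array` definition, which is outside the hunk. The literal slot numbers and `max_entries` of 2 are now the only link to the tail-call sites, which are not visible here, so a comment above the map such as `/* slot 0: execve_rate, slot 1: execve_send; must match the tail-call indices */` would help. A tail call into an unpopulated slot falls through instead of failing loudly, so a load-time test that both slots are filled would guard against exec events being dropped without any error.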
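Review bot: With the `/0` and `/1` suffixes removed from the section names, here on `execve_rate` and in the following hunk on `execve_send`, neither definition records which `execve_calls` slot it fills. Presumably both are reached only through the program array and are not attached directly, but nothing at the definitions says so. A one-line comment above `execve_rate`, for example `/* Tail-call target: execve_calls[0]. */`, and a matching sentence in the existing block comment of `execve_send` would keep that visible where the code is read. Both function bodies continue outside their hunks.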