bpf/exec: Move call to read_exe to tail call

In execve events we have 2 tail calls. Now we call read_exe in the first
one. The second seems to be more lightweight. So let's move it there to
improve loading time.

Signed-off-by: Anastasios Papagiannis <[email protected]>

bpf/process/bpf_execve_event.c

@@ -201,14 +201,6 @@ event_execve(struct sched_execve_args *ctx)
 	p->auid = get_auid();
 	p->uid = get_current_uid_gid();
 
-	// Reading the absolute path of the process exe for matchBinaries.
-	// Historically we used the filename, a potentially relative path (maybe to
-	// a symlink) coming from the execve tracepoint. For kernels not supporting
-	// large BPF prog, we still use the filename.
-#ifdef __LARGE_BPF_PROG
-	read_exe(task, &event->exe);
-#endif
-
 	p->size += read_path(ctx, event, filename);
 	p->size += read_args(ctx, event);
 	p->size += read_cwd(ctx, p);
@@ -253,6 +245,14 @@ execve_send(struct sched_execve_args *ctx)
 	if (!event)
 		return 0;
 
+#ifdef __LARGE_BPF_PROG
+	// Reading the absolute path of the process exe for matchBinaries.
+	// Historically we used the filename, a potentially relative path (maybe to
+	// a symlink) coming from the execve tracepoint. For kernels not supporting
+	// large BPF prog, we still use the filename.
+	read_exe((struct task_struct *)get_current_task(), &event->exe);
+#endif
+
 	p = &event->process;
 
 	pid = (get_current_pid_tgid() >> 32);