From c28fc22e9dca7256e6406dfd5bc551aeb8d3de15 Mon Sep 17 00:00:00 2001
From: Joseph Voss
Date: Thu, 22 Apr 2021 09:33:45 -0400
Subject: [PATCH 1/2] Adds env parser to execsnoop sensor
---
 csrc/execsnoop.c | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/csrc/execsnoop.c b/csrc/execsnoop.c
index e08188c..c0f9e42 100644
--- a/csrc/execsnoop.c
+++ b/csrc/execsnoop.c
@@ -21,6 +21,7 @@ struct data_t {
 u32 ppid; // Parent PID as in the userspace term (i.e task->real_parent->tgid in kernel)
 u32 uid;
 char comm[TASK_COMM_LEN];
+ char env[MAX_ARGS][ARGSIZE];
 char argv[MAX_ARGS][ARGSIZE];
 int rc;
 u64 span_us;
@@ -56,9 +57,9 @@ int syscall__execve(struct pt_regs *ctx,
 // We use the get_ppid function as a fallback in those cases. (#1883)
 //data.ppid = task->real_parent->tgid;
 data->ppid = task->real_parent->tgid;
- int max = sizeof(data->argv[0]) - 1;
 const char *argp = NULL;
+ int max = sizeof(data->argv[0]) - 1;
 #pragma unroll
 for (int i = 0; i < MAX_ARGS; i++) {
@@ -68,11 +69,29 @@ int syscall__execve(struct pt_regs *ctx,
 {
 bpf_probe_read(&(data->argv[i]), max, argp);
 } else {
- goto out;
+ goto arg_out;
+ }
+ }
+
+arg_out:;
+
+ // Get max size of what env we can return
+ const char *envp= NULL;
+ int env_max = sizeof(data->env[0]) - 1;
+
+ #pragma unroll
+ for (int i = 0; i < MAX_ARGS; i++) {
+ envp = NULL;
+ bpf_probe_read_str(&envp, sizeof(envp), (void *)&__envp[i]);
+ if (envp)
+ {
+ bpf_probe_read(&(data->env[i]), max, envp);
+ } else {
+ goto env_out;
 }
 }
-out:
+env_out:;
 if (bpf_get_current_comm(&data->comm, sizeof(data->comm)) == 0) {
 data->rc = 0;
From 030a10993560c344110f6bf4be9f673812527c59 Mon Sep 17 00:00:00 2001
From: Joseph Voss
Date: Thu, 22 Apr 2021 11:51:49 -0400
Subject: [PATCH 2/2] Adds execsnoop config
---
 configs/execsnoop.yaml | 43 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 configs/execsnoop.yaml
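Review bot: In the third hunk the env loop copies each string with `max`, the bound computed from `data->argv[0]`, while the `env_max` it just derived from `data->env[0]` is never used; the copy should be `bpf_probe_read(&(data->env[i]), env_max, envp);` so it is bounded by the buffer it actually writes rather than by a coincidentally equal constant. Fetching the pointer itself with `bpf_probe_read_str(&envp, sizeof(envp), (void *)&__envp[i]);` also looks like a copy-paste slip: a string read stops at the first zero byte, so a pointer value with an embedded 0x00 byte would be left truncated in `envp` (which was pre-set to NULL); reading it with `bpf_probe_read(&envp, sizeof(envp), (void *)&__envp[i]);`, as the argv loop above the hunk presumably does, avoids that. Separately, the `env` field added in the first hunk makes the sensor emit raw process environments, which commonly carry credentials and tokens, so a comment on that field such as `// Raw environment strings of the exec'd process; may contain secrets, consumers must treat events as sensitive` would document what downstream sinks now receive. syscall__execve begins and ends outside the hunk.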
diff --git a/configs/execsnoop.yaml b/configs/execsnoop.yaml
new file mode 100644
index 0000000..f2ac50e
--- /dev/null
+++ b/configs/execsnoop.yaml
@@ -0,0 +1,43 @@
+---
+# Variables to set for all program traces
+globals:
+ # Socket to open
+ socketPath: /run/greggd.sock
+ # Format for verbose output
+ verboseFormat: influx
+
+# Hash of all programs to load
+programs:
+ - source: /usr/share/greggd/c/execsnoop.c
+ # Events to bind program to
+ events:
+ - type: kprobe
+ loadFunc: syscall__execve
+ attachTo: __x64_sys_execve
+ - type: kretprobe
+ loadFunc: do_ret_sys_execve
+ attachTo: __x64_sys_execve
+ outputs:
+ - type: BPF_PERF_OUTPUT
+ id: execs
+ format:
+ - name: pid
+ type: u32
+ isTag: true
+ - name: ppid
+ type: u32
+ isTag: true
+ - name: uid
+ type: u32
+ isTag: true
+ - name: comm
+ type: char[16]
+ isTag: true
+ - name: env
+ type: char[12][32]
+ - name: argv
+ type: char[12][32]
+ - name: retval
+ type: int32
+ - name: span_us
+ type: u64
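Review bot: The `type: char[12][32]` entries for `env` and `argv` hard-code what appear to be MAX_ARGS and ARGSIZE from csrc/execsnoop.c, and the field order here must also match the struct exactly (env precedes argv there); if either constant or the order changes, every field after `comm` is decoded at the wrong offset with no error. A comment on those two lines, `# must match MAX_ARGS x ARGSIZE and field order in csrc/execsnoop.c`, would make the coupling visible to whoever edits either file. The `env` output also forwards the full process environment over `socketPath` in `influx` format, so a note that this sink receives unredacted environment strings (which frequently hold credentials) belongs next to the `env` entry or in the globals comment.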