Concept familiarization

Process context

When an eBPF program runs, it’s executed in kernel space, but with access to information about the process that triggered the event.

For example, if bash triggers an event, your eBPF program can query details about that bash process context: its name, process ID, and more.

The kernel defines a large set of helper functions to retrieve this information about the triggering process.

The challenge

We want to extract the name of every program that executes in the system.

To do this, we need to attach our code to an event that fires whenever a program executes. This event is called sched_process_exec.

In the preloaded snippet, you will see a specific “section” definition just above our function:

SEC("tp/sched/sched_process_exec")

This macro tells the eBPF loader to attach the function to that specific tracepoint. Now, whenever a process executes a new program, our code runs too!

Try running the preloaded snippet now. It should log an entry per event.

Getting the program name

The example code works, but it prints a static string. We want the actual program name for every execution.

Since our code has access to information about the new process, we can ask the kernel for the triggering process's name.

We will use bpf_get_current_comm(&buf, size), which writes the current process name (NUL-terminated) into a buffer you provide; size is the size of that buffer.

In C, we can declare a character buffer with:

char buffer[16];

To populate the buffer with the current process name, call the helper function:

bpf_get_current_comm(&buffer, sizeof(buffer));

Then call DEBUG_STR to see the results:

DEBUG_STR("Command", buffer);

Try this now. You’ll see some normal programs like ls, and one that stands out.

Comparing strings

To filter out the unwanted entries, you’ll need to compare strings.

We’ll use bpf_strncmp(s1, s1_sz, s2), which compares up to s1_sz bytes of a variable string s1 against a constant string s2 (s2 must be a string literal).

For example, to check if the buffer contains "ls":

if (bpf_strncmp(buffer, sizeof(buffer), "ls") == 0) {
    // buffer contains "ls"
}

It returns 0 when the strings match.

Your task

Submit the name of the program that stands out, using SUBMIT_STR(buffer).
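The pieces above assembled into one complete tracepoint program, as an added example that is not the challenge's preloaded snippet: the handler reads the comm, keeps quiet for the expected program and reports anything else with bpf_printk (a real libbpf helper, used here in place of the platform's DEBUG_STR/SUBMIT_STR macros). The host stand-ins under #else, the single-entry "ls" allow-list and the function names are assumptions; the stand-in also models the kernel's 15-character comm truncation, which is why the whole buffer size is passed to bpf_strncmp.

```c
/* Added example, not the challenge's code. With clang -O2 -target bpf the
 * #ifdef __bpf__ branch is a real libbpf tracepoint program; the #else
 * branch supplies host stand-ins for the two helpers (an assumption) so the
 * filter can be unit-tested outside the kernel with the same contract. */
#define TASK_COMM_LEN 16                     /* kernel limit: 15 chars + NUL */
#ifdef __bpf__
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#else
#include <string.h>
typedef unsigned int __u32;
#define SEC(name)
#define __always_inline inline __attribute__((always_inline))
static const char *host_comm = "ls";         /* constructed "current" process */
static long bpf_get_current_comm(void *buf, __u32 size)
{
    strncpy((char *)buf, host_comm, size);   /* truncates like the kernel */
    ((char *)buf)[size - 1] = '\0';
    return 0;
}
static long bpf_strncmp(const char *s1, __u32 s1_sz, const char *s2)
{
    return strncmp(s1, s2, s1_sz);           /* exactly what the helper does */
}
#define bpf_printk(fmt, ...) ((void)0)
#endif

/* 1 when comm is a program we expect to see (only "ls" here), else 0.
 * Pass the whole buffer size: the helper stops at the first NUL anyway. */
static __always_inline int is_expected(const char *comm, __u32 sz)
{
    /* The third argument must be a string literal so the verifier can bound it. */
    return bpf_strncmp(comm, sz, "ls") == 0;
}
/* Fills buf the way the handler does and classifies it; host tests call this. */
static int classify_current(char *buf, __u32 sz)
{
    bpf_get_current_comm(buf, sz);
    return is_expected(buf, sz);
}

SEC("tp/sched/sched_process_exec")
int handle_exec(void *ctx)
{
    char comm[TASK_COMM_LEN];
    if (classify_current(comm, sizeof(comm)))
        return 0;                            /* expected program, stay quiet */
    bpf_printk("unexpected exec: %s", comm);
    return 0;
}
char LICENSE[] SEC("license") = "GPL";
```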
