lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251118125802.385503-1-chen.dylane@linux.dev>
Date: Tue, 18 Nov 2025 20:58:01 +0800
From: Tao Chen <chen.dylane@...ux.dev>
To: ast@...nel.org,
	daniel@...earbox.net,
	andrii@...nel.org,
	martin.lau@...ux.dev,
	eddyz87@...il.com,
	song@...nel.org,
	yonghong.song@...ux.dev,
	john.fastabend@...il.com,
	kpsingh@...nel.org,
	sdf@...ichev.me,
	haoluo@...gle.com,
	jolsa@...nel.org
Cc: bpf@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Tao Chen <chen.dylane@...ux.dev>
Subject: [PATCH bpf-next 1/2] bpf: Add bpf_get_task_cmdline kfunc

Add the bpf_get_task_cmdline kfunc. One use case is as follows: In
production environments, there are often short-lived script tasks executed,
and sometimes these tasks may cause stability issues. It is desirable to
detect these script tasks via eBPF. The common approach is to check
the process name, but it can be difficult to distinguish specific
tasks in some cases. Take the shell as an example: some tasks are
started via bash xxx.sh – their process name is bash, but the script
name of the task can be obtained through the cmdline. Additionally,
myabe this is helpful for security auditing purposes.

Signed-off-by: Tao Chen <chen.dylane@...ux.dev>
---
 kernel/bpf/helpers.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 865b0dae38d..7cac17d58d5 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -2685,6 +2685,27 @@ __bpf_kfunc struct task_struct *bpf_task_from_pid(s32 pid)
 	return p;
 }
 
+/*
+ * bpf_get_task_cmdline - Get the cmdline to a buffer
+ *
+ * @task: The task whose cmdline to get.
+ * @buffer: The buffer to save cmdline info.
+ * @len: The length of the buffer.
+ *
+ * Return: the size of the cmdline field copied. Note that the copy does
+ * not guarantee an ending NULL byte. A negative error code on failure.
+ */
+__bpf_kfunc int bpf_get_task_cmdline(struct task_struct *task, char *buffer, size_t len)
+{
+	int ret;
+
+	ret = get_cmdline(task, buffer, len);
+	if (ret < 0)
+		memset(buffer, 0, len);
+
+	return ret;
+}
+
 /**
  * bpf_task_from_vpid - Find a struct task_struct from its vpid by looking it up
  * in the pid namespace of the current task. If a task is returned, it must
@@ -4421,6 +4442,7 @@ BTF_ID_FLAGS(func, bpf_task_get_cgroup1, KF_ACQUIRE | KF_RCU | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_task_from_pid, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_task_from_vpid, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_throw)
+BTF_ID_FLAGS(func, bpf_get_task_cmdline, KF_SLEEPABLE | KF_TRUSTED_ARGS)
 #ifdef CONFIG_BPF_EVENTS
 BTF_ID_FLAGS(func, bpf_send_signal_task, KF_TRUSTED_ARGS)
 #endif
-- 
2.48.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ