Description
Is there an existing issue for this?
- I have searched the existing issues
Is your feature request related to a problem?
In events, we report the path of the binary that started the process. This is typically the current working directory joined with the path passed to execve. Notably, this could include symbolic links; for example, the absolute path could be /bin/busybox but the symlink (and what was executed) could be /bin/ls. In the event, we have been reporting the binary path as executed (e.g. /bin/ls and not /bin/busybox).
In tracing policies, we can match on the binary that started the process. This is always the absolute path of the binary (the same as that retrieved with realpath, so /bin/busybox in this example). When writing policies that match on binaries based on existing events, a user would need to run realpath on any binaries (including those reported in events) and use the resultant absolute paths. This is not obvious.
Describe the feature you would like
Add a field to all events to report the absolute path of the binary. This could be 'binary_absolute' or something else to distinguish it from the existing 'binary'. Keep the existing binary for backwards compatibility and for the value it brings (/bin/ls rather than /bin/busybox).
If users wish, they could filter out this field (or indeed the binary field).
Describe your proposed solution
Either use the binary in the map as used for matching on binaries, or simply run realpath on the binary path and cache the result (the latter is racy, since the path or symlink can change between the exec and the lookup).
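To make the mismatch concrete, here is an added example (my own, not code from the project): it builds a temporary bin/busybox with bin/ls symlinked to it, records an exec of ls the way events currently report it, resolves it the way policies match, and shows that only the resolved path matches a policy. filepath.EvalSymlinks stands in for realpath, and the field name binary_absolute is the one proposed above, not an existing field.

```go
package main

import (
	"os"
	"path/filepath"
)

// ExecEvent carries the path as executed (cwd joined with the execve argument) and the
// resolved path the issue proposes as "binary_absolute" (a suggested name, not an existing field).
type ExecEvent struct {
	Binary, BinaryAbsolute string
}

// NewExecEvent builds both fields: a relative execve path is joined onto the working
// directory, and filepath.EvalSymlinks does what realpath(1) does.
func NewExecEvent(cwd, execPath string) (ExecEvent, error) {
	if !filepath.IsAbs(execPath) {
		execPath = filepath.Join(cwd, execPath)
	}
	abs, err := filepath.EvalSymlinks(execPath)
	return ExecEvent{Binary: execPath, BinaryAbsolute: abs}, err
}

// PolicyMatches compares the way a tracing policy does: on the resolved path only.
func PolicyMatches(policyBinary string, ev ExecEvent) bool {
	return ev.BinaryAbsolute == policyBinary
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Demo builds a constructed layout mirroring the issue (<tmp>/bin/busybox, with <tmp>/bin/ls a
// symlink to it), records an exec of "ls" from <tmp>/bin, and returns the event plus the resolved busybox path.
func Demo() (ExecEvent, string) {
	dir, err := os.MkdirTemp("", "binary-absolute")
	must(err)
	defer os.RemoveAll(dir)
	bin, target := filepath.Join(dir, "bin"), filepath.Join(dir, "bin", "busybox")
	must(os.Mkdir(bin, 0o755))
	must(os.WriteFile(target, []byte("#!/bin/sh\n"), 0o755))
	must(os.Symlink("busybox", filepath.Join(bin, "ls")))
	ev, err := NewExecEvent(bin, "ls")
	must(err)
	targetAbs, err := filepath.EvalSymlinks(target) // the temp dir itself may be a symlink
	must(err)
	return ev, targetAbs
}
```

A policy written from the event's binary field (the ls path) never fires; only the resolved busybox path matches, which is exactly the realpath step a user has to know to perform today.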
Code of Conduct
- I agree to follow this project's Code of Conduct