public inbox for linux-kernel@vger.kernel.org
From: Tao Chen <chen.dylane@linux.dev>
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
	martin.lau@linux.dev, eddyz87@gmail.com, song@kernel.org,
	yonghong.song@linux.dev, john.fastabend@gmail.com,
	kpsingh@kernel.org, sdf@fomichev.me, haoluo@google.com,
	jolsa@kernel.org
Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
	Tao Chen <chen.dylane@linux.dev>
Subject: [PATCH bpf-next 1/2] bpf: Add bpf_get_task_cmdline kfunc
Date: Tue, 18 Nov 2025 20:58:01 +0800
Message-ID: <20251118125802.385503-1-chen.dylane@linux.dev>

Add the bpf_get_task_cmdline kfunc. One use case is as follows: In
production environments, there are often short-lived script tasks executed,
and sometimes these tasks may cause stability issues. It is desirable to
detect these script tasks via eBPF. The common approach is to check
the process name, but it can be difficult to distinguish specific
tasks in some cases. Take the shell as an example: some tasks are
started via bash xxx.sh – their process name is bash, but the script
name of the task can be obtained through the cmdline. Additionally,
maybe this is helpful for security auditing purposes.

Signed-off-by: Tao Chen <chen.dylane@linux.dev>
---
 kernel/bpf/helpers.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 865b0dae38d..7cac17d58d5 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -2685,6 +2685,27 @@ __bpf_kfunc struct task_struct *bpf_task_from_pid(s32 pid)
 	return p;
 }
 
+/*
+ * bpf_get_task_cmdline - Get the cmdline to a buffer
+ *
+ * @task: The task whose cmdline to get.
+ * @buffer: The buffer to save cmdline info.
+ * @len: The length of the buffer.
+ *
+ * Return: the size of the cmdline field copied. Note that the copy does
+ * not guarantee an ending NULL byte. A negative error code on failure.
+ */
+__bpf_kfunc int bpf_get_task_cmdline(struct task_struct *task, char *buffer, size_t len)
+{
+	int ret;
+
+	ret = get_cmdline(task, buffer, len);
+	if (ret < 0)
+		memset(buffer, 0, len);
+
+	return ret;
+}
+
 /**
  * bpf_task_from_vpid - Find a struct task_struct from its vpid by looking it up
  * in the pid namespace of the current task. If a task is returned, it must
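
Review bot: The prototype of bpf_get_task_cmdline takes `char *buffer, size_t len` with no memory-and-size annotation, so nothing in the signature tells the verifier that `len` bounds `buffer`, yet both get_cmdline() and the memset() on the error path write up to `len` bytes into it. Naming the size argument with the `__sz` suffix (for example `size_t buffer__sz`) would let the verifier check that the BPF program really owns that many bytes. Two smaller points: `len` is size_t while the return value is int, so either bound `len` or document the maximum; and the comment opens with `/*` where the neighbouring bpf_task_from_vpid comment uses the kernel-doc `/**`. Since the comment already notes that the copy is not guaranteed to end in a NUL byte, it would help to state that callers must terminate or length-bound the result before treating it as a string.
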
@@ -4421,6 +4442,7 @@ BTF_ID_FLAGS(func, bpf_task_get_cgroup1, KF_ACQUIRE | KF_RCU | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_task_from_pid, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_task_from_vpid, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_throw)
+BTF_ID_FLAGS(func, bpf_get_task_cmdline, KF_SLEEPABLE | KF_TRUSTED_ARGS)
 #ifdef CONFIG_BPF_EVENTS
 BTF_ID_FLAGS(func, bpf_send_signal_task, KF_TRUSTED_ARGS)
 #endif
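
Review bot: The KF_SLEEPABLE flag on the new bpf_get_task_cmdline entry limits the kfunc to sleepable programs, but neither the kfunc comment nor the commit message says so, and the stated use case (catching short-lived script tasks) is often served from non-sleepable hooks. Please document the sleepable requirement in the kfunc comment and say which program types are expected to call it.
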
-- 
2.48.1

