From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-174.mta0.migadu.com (out-174.mta0.migadu.com [91.218.175.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 52B9F20B80D for ; Tue, 18 Nov 2025 12:58:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.174 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763470709; cv=none; b=Qs0D+W0d63kk079+Vj965cRLLZdIhyF2wEeVckZWnI4bUFreopTqugyH3OnpFGG1NnQCP0FimQxdczty94Y4LpG/bNvHHRiRGMjNj4BoHm2+s3rlDsJa/w/MgMa1R2goQvPXBXLXKdjp1ncv8Z2OFLrUD2mCwm0x02uwcDncx4g= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763470709; c=relaxed/simple; bh=1It17VyWxlZt4UP1TPW3kOAhm2nO9vcYweNBkfj4jkI=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type; b=LLGaNq0GtTvkAnsD2GbV8r+yEPUV53dOnxjRS6s22Q4oH/AmIHBuT/KpkhGtP/RXW++mxImwewsPcKaUBntnahefUnP9ouc6v0NzXXLPJz3QpNPOSzK+vuDwumcMPOSw7bQ/EVLDgoiOYVmjOVTm0VztjbcT+D5Na4aWvDnPM/s= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=IQRUfTKQ; arc=none smtp.client-ip=91.218.175.174 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="IQRUfTKQ" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1763470704; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=J0WyGvggr4Md2cOrTzy5GTDtDFxSripvoA8F1jrkQLc=; b=IQRUfTKQX049clQqn5N4KiP37s/o1KBwFMIDwoVQfcJa5qKzODBX1lL114EeV8X59EtnQN vD3Ls5bGqUjSBQzxXUFEHSDzDzS+gY00jhfRRqziqaloHwYML1h3SV2SBkqoMtG1xyKzZO rausHYu5KCeYe27rvL/JGkxxuthbbgQ= From: Tao Chen To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, martin.lau@linux.dev, eddyz87@gmail.com, song@kernel.org, yonghong.song@linux.dev, john.fastabend@gmail.com, kpsingh@kernel.org, sdf@fomichev.me, haoluo@google.com, jolsa@kernel.org Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, Tao Chen Subject: [PATCH bpf-next 1/2] bpf: Add bpf_get_task_cmdline kfunc Date: Tue, 18 Nov 2025 20:58:01 +0800 Message-ID: <20251118125802.385503-1-chen.dylane@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Migadu-Flow: FLOW_OUT Add the bpf_get_task_cmdline kfunc. One use case is as follows: In production environments, there are often short-lived script tasks executed, and sometimes these tasks may cause stability issues. It is desirable to detect these script tasks via eBPF. The common approach is to check the process name, but it can be difficult to distinguish specific tasks in some cases. Take the shell as an example: some tasks are started via bash xxx.sh – their process name is bash, but the script name of the task can be obtained through the cmdline. Additionally, myabe this is helpful for security auditing purposes. Signed-off-by: Tao Chen --- kernel/bpf/helpers.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index 865b0dae38d..7cac17d58d5 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -2685,6 +2685,27 @@ __bpf_kfunc struct task_struct *bpf_task_from_pid(s32 pid) return p; } +/* + * bpf_get_task_cmdline - Get the cmdline to a buffer + * + * @task: The task whose cmdline to get. + * @buffer: The buffer to save cmdline info. + * @len: The length of the buffer. + * + * Return: the size of the cmdline field copied. Note that the copy does + * not guarantee an ending NULL byte. A negative error code on failure. + */ +__bpf_kfunc int bpf_get_task_cmdline(struct task_struct *task, char *buffer, size_t len) +{ + int ret; + + ret = get_cmdline(task, buffer, len); + if (ret < 0) + memset(buffer, 0, len); + + return ret; +} + /** * bpf_task_from_vpid - Find a struct task_struct from its vpid by looking it up * in the pid namespace of the current task. If a task is returned, it must @@ -4421,6 +4442,7 @@ BTF_ID_FLAGS(func, bpf_task_get_cgroup1, KF_ACQUIRE | KF_RCU | KF_RET_NULL) BTF_ID_FLAGS(func, bpf_task_from_pid, KF_ACQUIRE | KF_RET_NULL) BTF_ID_FLAGS(func, bpf_task_from_vpid, KF_ACQUIRE | KF_RET_NULL) BTF_ID_FLAGS(func, bpf_throw) +BTF_ID_FLAGS(func, bpf_get_task_cmdline, KF_SLEEPABLE | KF_TRUSTED_ARGS) #ifdef CONFIG_BPF_EVENTS BTF_ID_FLAGS(func, bpf_send_signal_task, KF_TRUSTED_ARGS) #endif -- 2.48.1