bpf: Add bpf_get_task_cmdline kfunc

Add the bpf_get_task_cmdline kfunc. One use case is as follows: In
production environments, there are often short-lived script tasks executed,
and sometimes these tasks may cause stability issues. It is desirable to
detect these script tasks via eBPF. The common approach is to check
the process name, but it can be difficult to distinguish specific
tasks in some cases. Take the shell as an example: some tasks are
started via bash xxx.sh – their process name is bash, but the script
name of the task can be obtained through the cmdline. Additionally,
myabe this is helpful for security auditing purposes.

Signed-off-by: Tao Chen <[email protected]>

Author: Tao Chen

kernel/bpf/helpers.c

@@ -2688,6 +2688,27 @@ __bpf_kfunc struct task_struct *bpf_task_from_pid(s32 pid)
 	return p;
 }
 
+/*
+ * bpf_get_task_cmdline - Get the cmdline to a buffer
+ *
+ * @task: The task whose cmdline to get.
+ * @buffer: The buffer to save cmdline info.
+ * @len: The length of the buffer.
+ *
+ * Return: the size of the cmdline field copied. Note that the copy does
+ * not guarantee an ending NULL byte. A negative error code on failure.
+ */
+__bpf_kfunc int bpf_get_task_cmdline(struct task_struct *task, char *buffer, size_t len)
+{
+	int ret;
+
+	ret = get_cmdline(task, buffer, len);
+	if (ret < 0)
+		memset(buffer, 0, len);
+
+	return ret;
+}
+
 /**
  * bpf_task_from_vpid - Find a struct task_struct from its vpid by looking it up
  * in the pid namespace of the current task. If a task is returned, it must
@@ -4428,6 +4449,7 @@ BTF_ID_FLAGS(func, bpf_task_get_cgroup1, KF_ACQUIRE | KF_RCU | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_task_from_pid, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_task_from_vpid, KF_ACQUIRE | KF_RET_NULL)
 BTF_ID_FLAGS(func, bpf_throw)
+BTF_ID_FLAGS(func, bpf_get_task_cmdline, KF_SLEEPABLE | KF_TRUSTED_ARGS)
 #ifdef CONFIG_BPF_EVENTS
 BTF_ID_FLAGS(func, bpf_send_signal_task, KF_TRUSTED_ARGS)
 #endif