
in_ebpf: Implement exec trace #11714

Open
cosmo0920 wants to merge 2 commits into master from cosmo0920-implement-exec-trace

Conversation

@cosmo0920
Contributor

@cosmo0920 cosmo0920 commented Apr 15, 2026

This PR implements exec/execve tracing in the in_ebpf plugin.


Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

  • Example configuration file for the change
$ sudo bin/fluent-bit -i ebpf -ptrace=trace_exec -o stdout -v
  • Debug log output from testing the change
Fluent Bit v5.0.3
* Copyright (C) 2015-2026 The Fluent Bit Authors
* Fluent Bit is a CNCF graduated project under the Fluent organization
* https://fluentbit.io

______ _                  _    ______ _ _           _____  _____ 
|  ___| |                | |   | ___ (_) |         |  ___||  _  |
| |_  | |_   _  ___ _ __ | |_  | |_/ /_| |_  __   _|___ \ | |/' |
|  _| | | | | |/ _ \ '_ \| __| | ___ \ | __| \ \ / /   \ \|  /| |
| |   | | |_| |  __/ | | | |_  | |_/ / | |_   \ V //\__/ /\ |_/ /
\_|   |_|\__,_|\___|_| |_|\__| \____/|_|\__|   \_/ \____(_)\___/


[2026/04/15 17:53:25.021] [ info] Configuration:
[2026/04/15 17:53:25.021] [ info]  flush time     | 1.000000 seconds
[2026/04/15 17:53:25.021] [ info]  grace          | 5 seconds
[2026/04/15 17:53:25.021] [ info]  daemon         | 0
[2026/04/15 17:53:25.021] [ info] ___________
[2026/04/15 17:53:25.021] [ info]  inputs:
[2026/04/15 17:53:25.021] [ info]      ebpf
[2026/04/15 17:53:25.021] [ info] ___________
[2026/04/15 17:53:25.021] [ info]  filters:
[2026/04/15 17:53:25.021] [ info] ___________
[2026/04/15 17:53:25.021] [ info]  outputs:
[2026/04/15 17:53:25.021] [ info]      stdout.0
[2026/04/15 17:53:25.021] [ info] ___________
[2026/04/15 17:53:25.021] [ info]  collectors:
[2026/04/15 17:53:25.021] [ info] [fluent bit] version=5.0.3, commit=17fd5bce9b, pid=133991
[2026/04/15 17:53:25.021] [debug] [engine] coroutine stack size: 24576 bytes (24.0K)
[2026/04/15 17:53:25.021] [ info] [storage] ver=1.5.4, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2026/04/15 17:53:25.021] [ info] [simd    ] SSE2
[2026/04/15 17:53:25.021] [ info] [cmetrics] version=2.1.2
[2026/04/15 17:53:25.021] [ info] [ctraces ] version=0.7.1
[2026/04/15 17:53:25.021] [ info] [input:ebpf:ebpf.0] initializing
[2026/04/15 17:53:25.021] [ info] [input:ebpf:ebpf.0] storage_strategy='memory' (memory only)
[2026/04/15 17:53:25.021] [debug] [ebpf:ebpf.0] created event channels: read=21 write=22
[2026/04/15 17:53:25.021] [debug] [input:ebpf:ebpf.0] initializing eBPF input plugin
[2026/04/15 17:53:25.021] [debug] [input:ebpf:ebpf.0] processing trace: trace_exec
[2026/04/15 17:53:25.021] [debug] [input:ebpf:ebpf.0] setting up trace configuration for: trace_exec
[2026/04/15 17:53:25.048] [debug] [input:ebpf:ebpf.0] attaching BPF program for trace: trace_exec
[2026/04/15 17:53:25.050] [debug] [input:ebpf:ebpf.0] registering trace handler for: trace_exec
[2026/04/15 17:53:25.050] [ info] [input:ebpf:ebpf.0] registered trace handler for: trace_exec
[2026/04/15 17:53:25.050] [ info] [input:ebpf:ebpf.0] trace configuration completed for: trace_exec
[2026/04/15 17:53:25.050] [debug] [input:ebpf:ebpf.0] setting up collector with poll interval: 1000 ms
[2026/04/15 17:53:25.050] [ info] [input:ebpf:ebpf.0] eBPF input plugin initialized successfully
[2026/04/15 17:53:25.050] [debug] [stdout:stdout.0] created event channels: read=38 write=39
[2026/04/15 17:53:25.050] [ info] [sp] stream processor started
[2026/04/15 17:53:25.050] [ info] [engine] Shutdown Grace Period=5, Shutdown Input Grace Period=2
[2026/04/15 17:53:25.050] [ info] [output:stdout:stdout.0] worker #0 started
[2026/04/15 17:53:25.343] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/04/15 17:53:25.344] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_exec
[2026/04/15 17:53:25.344] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_exec
[2026/04/15 17:53:26.343] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/04/15 17:53:26.344] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_exec
[2026/04/15 17:53:26.344] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_exec
[2026/04/15 17:53:27.343] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/04/15 17:53:27.343] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_exec
[2026/04/15 17:53:27.344] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_exec
[2026/04/15 17:53:28.344] [debug] [task] created task=0x7202f40781b0 id=0 OK
[2026/04/15 17:53:28.344] [debug] [output:stdout:stdout.0] task_id=0 assigned to thread #0
[2026/04/15 17:53:28.344] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/04/15 17:53:28.344] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_exec
[2026/04/15 17:53:28.344] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_exec
[0] ebpf.0: [[1776243207.343952535, {}], {"event_type"=>"execve", "pid"=>133996, "tid"=>133996, "comm"=>"gnome-shell", "stage"=>"enter", "ppid"=>3265, "filename"=>"/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop", "argv"=>"/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop", "argv1"=>"/usr/bin/sh", "argv2"=>"-c", "argv_last"=>"sh", "argc"=>5, "error_raw"=>0}]
[1] ebpf.0: [[1776243207.344108622, {}], {"event_type"=>"execve", "pid"=>133996, "tid"=>133996, "comm"=>"gio-launch-desk", "stage"=>"exit", "ppid"=>3265, "filename"=>"/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop", "argv"=>"/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop", "argv1"=>"/usr/bin/sh", "argv2"=>"-c", "argv_last"=>"sh", "argc"=>5, "error_raw"=>0}]
[2] ebpf.0: [[1776243207.344143582, {}], {"event_type"=>"execve", "pid"=>133996, "tid"=>133996, "comm"=>"gio-launch-desk", "stage"=>"enter", "ppid"=>3265, "filename"=>"/usr/bin/sh", "argv"=>"/usr/bin/sh", "argv1"=>"-c", "argv2"=>"if [ -n "$*" ]; then exec /usr/bin/emacsclient --alternate-editor= --reuse-frame "$@"; else exec emacsclient --alternate-editor= --create-frame; fi", "argv_last"=>"sh", "argc"=>4, "error_raw"=>0}]
[3] ebpf.0: [[1776243207.344157460, {}], {"event_type"=>"execve", "pid"=>133996, "tid"=>133996, "comm"=>"sh", "stage"=>"exit", "ppid"=>3265, "filename"=>"/usr/bin/sh", "argv"=>"/usr/bin/sh", "argv1"=>"-c", "argv2"=>"if [ -n "$*" ]; then exec /usr/bin/emacsclient --alternate-editor= --reuse-frame "$@"; else exec emacsclient --alternate-editor= --create-frame; fi", "argv_last"=>"sh", "argc"=>4, "error_raw"=>0}]
[4] ebpf.0: [[1776243207.344169073, {}], {"event_type"=>"execve", "pid"=>133996, "tid"=>133996, "comm"=>"sh", "stage"=>"enter", "ppid"=>3265, "filename"=>"/home/cosmo/bin/emacsclient", "argv"=>"emacsclient", "argv1"=>"--alternate-editor=", "argv2"=>"--create-frame", "argv_last"=>"--create-frame", "argc"=>3, "error_raw"=>0}]
[5] ebpf.0: [[1776243207.344180755, {}], {"event_type"=>"execve", "pid"=>133996, "tid"=>133996, "comm"=>"sh", "stage"=>"exit", "ppid"=>3265, "filename"=>"/home/cosmo/bin/emacsclient", "argv"=>"emacsclient", "argv1"=>"--alternate-editor=", "argv2"=>"--create-frame", "argv_last"=>"--create-frame", "argc"=>3, "error_raw"=>2}]
[6] ebpf.0: [[1776243207.344191389, {}], {"event_type"=>"execve", "pid"=>133996, "tid"=>133996, "comm"=>"sh", "stage"=>"enter", "ppid"=>3265, "filename"=>"/usr/local/sbin/emacsclient", "argv"=>"emacsclient", "argv1"=>"--alternate-editor=", "argv2"=>"--create-frame", "argv_last"=>"--create-frame", "argc"=>3, "error_raw"=>0}]
[7] ebpf.0: [[1776243207.344202332, {}], {"event_type"=>"execve", "pid"=>133996, "tid"=>133996, "comm"=>"sh", "stage"=>"exit", "ppid"=>3265, "filename"=>"/usr/local/sbin/emacsclient", "argv"=>"emacsclient", "argv1"=>"--alternate-editor=", "argv2"=>"--create-frame", "argv_last"=>"--create-frame", "argc"=>3, "error_raw"=>2}]
[8] ebpf.0: [[1776243207.344212778, {}], {"event_type"=>"execve", "pid"=>133996, "tid"=>133996, "comm"=>"sh", "stage"=>"enter", "ppid"=>3265, "filename"=>"/usr/local/bin/emacsclient", "argv"=>"emacsclient", "argv1"=>"--alternate-editor=", "argv2"=>"--create-frame", "argv_last"=>"--create-frame", "argc"=>3, "error_raw"=>0}]
[9] ebpf.0: [[1776243207.344223520, {}], {"event_type"=>"execve", "pid"=>133996, "tid"=>133996, "comm"=>"sh", "stage"=>"exit", "ppid"=>3265, "filename"=>"/usr/local/bin/emacsclient", "argv"=>"emacsclient", "argv1"=>"--alternate-editor=", "argv2"=>"--create-frame", "argv_last"=>"--create-frame", "argc"=>3, "error_raw"=>2}]
[10] ebpf.0: [[1776243207.344234093, {}], {"event_type"=>"execve", "pid"=>133996, "tid"=>133996, "comm"=>"sh", "stage"=>"enter", "ppid"=>3265, "filename"=>"/usr/sbin/emacsclient", "argv"=>"emacsclient", "argv1"=>"--alternate-editor=", "argv2"=>"--create-frame", "argv_last"=>"--create-frame", "argc"=>3, "error_raw"=>0}]
[11] ebpf.0: [[1776243207.344244775, {}], {"event_type"=>"execve", "pid"=>133996, "tid"=>133996, "comm"=>"sh", "stage"=>"exit", "ppid"=>3265, "filename"=>"/usr/sbin/emacsclient", "argv"=>"emacsclient", "argv1"=>"--alternate-editor=", "argv2"=>"--create-frame", "argv_last"=>"--create-frame", "argc"=>3, "error_raw"=>2}]
[12] ebpf.0: [[1776243207.344255819, {}], {"event_type"=>"execve", "pid"=>133996, "tid"=>133996, "comm"=>"sh", "stage"=>"enter", "ppid"=>3265, "filename"=>"/usr/bin/emacsclient", "argv"=>"emacsclient", "argv1"=>"--alternate-editor=", "argv2"=>"--create-frame", "argv_last"=>"--create-frame", "argc"=>3, "error_raw"=>0}]
[13] ebpf.0: [[1776243207.344266618, {}], {"event_type"=>"execve", "pid"=>133996, "tid"=>133996, "comm"=>"emacsclient", "stage"=>"exit", "ppid"=>3265, "filename"=>"/usr/bin/emacsclient", "argv"=>"emacsclient", "argv1"=>"--alternate-editor=", "argv2"=>"--create-frame", "argv_last"=>"--create-frame", "argc"=>3, "error_raw"=>0}]
[2026/04/15 17:53:28.344] [debug] [out flush] cb_destroy coro_id=0
[2026/04/15 17:53:28.345] [debug] [task] destroy task=0x7202f40781b0 (task_id=0)
[2026/04/15 17:53:29.344] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/04/15 17:53:29.344] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_exec
[2026/04/15 17:53:29.344] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_exec
^C[2026/04/15 17:53:29] [engine] caught signal (SIGINT)
[2026/04/15 17:53:29.579] [ warn] [engine] service will shutdown in max 5 seconds
[2026/04/15 17:53:29.579] [ info] [engine] pausing all inputs..
[2026/04/15 17:53:29.579] [ info] [input] pausing ebpf.0
[2026/04/15 17:53:29.579] [debug] [input:ebpf:ebpf.0] collector paused
[2026/04/15 17:53:30.344] [ info] [engine] service has stopped (0 pending tasks)
[2026/04/15 17:53:30.344] [ info] [input] pausing ebpf.0
[2026/04/15 17:53:30.344] [debug] [input:ebpf:ebpf.0] collector paused
[2026/04/15 17:53:30.344] [ info] [output:stdout:stdout.0] thread worker #0 stopping...
[2026/04/15 17:53:30.344] [ info] [output:stdout:stdout.0] thread worker #0 stopped
[2026/04/15 17:53:30.430] [ info] [input:ebpf:ebpf.0] eBPF input plugin exited
  • Attached Valgrind output that shows no leaks or memory corruption was found
==134205== 
==134205== HEAP SUMMARY:
==134205==     in use at exit: 0 bytes in 0 blocks
==134205==   total heap usage: 4,327 allocs, 4,327 frees, 19,472,425 bytes allocated
==134205== 
==134205== All heap blocks were freed -- no leaks are possible
==134205== 

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • New Features

    • Added exec syscall tracing to the eBPF plugin, capturing exec events with filename, argv/argc, parent PID (ppid) and raw error codes; exec trace is registered and emitted for processing.
  • Documentation

    • Updated the Trace option help text to include "exec" as an example trace name.
  • Tests

    • Added runtime tests validating exec event encoding/decoding and negative-path handler behavior.
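The debug log above is easiest to read once the enter/exit pairs are correlated: every record is the same tid, the `argv`/`argv1` of the first exit are the `sh -c` command string, the four `error_raw`=2 (ENOENT) exits are the shell walking `$PATH` for `emacsclient`, and `comm` on a successful exit already names the new image. The following C program is an added example, not part of this PR or of Fluent Bit: it embeds a constructed subset of those records as struct literals (the struct layout and field names are assumptions mirroring the keys the handler emits), counts completed and failed execs from the exit stage only, and applies one defensive rule, flagging a shell started with `-c`.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* One decoded trace_exec record. Hypothetical userspace struct carrying the
 * keys the handler emits (stage, pid, ppid, comm, filename, argv, argv1, argc,
 * error_raw); it is not a Fluent Bit or in_ebpf type. */
struct exec_record {
    const char *stage;     /* "enter" or "exit" */
    int pid;
    int ppid;
    const char *comm;      /* task name at the moment the tracepoint fired */
    const char *filename;  /* path handed to execve() */
    const char *argv0;
    const char *argv1;
    int argc;
    int error_raw;         /* 0 on success, otherwise the errno value (2 = ENOENT in the sample) */
};

/* Constructed from the debug log in the PR description: the first enter
 * record plus every exit record, trimmed to the fields used below. */
static const struct exec_record SAMPLE[] = {
    {"enter", 133996, 3265, "gnome-shell",     "/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop",
              "/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop", "/usr/bin/sh", 5, 0},
    {"exit",  133996, 3265, "gio-launch-desk", "/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop",
              "/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop", "/usr/bin/sh", 5, 0},
    {"exit",  133996, 3265, "sh",          "/usr/bin/sh",                 "/usr/bin/sh", "-c",                  4, 0},
    {"exit",  133996, 3265, "sh",          "/home/cosmo/bin/emacsclient", "emacsclient", "--alternate-editor=", 3, 2},
    {"exit",  133996, 3265, "sh",          "/usr/local/sbin/emacsclient", "emacsclient", "--alternate-editor=", 3, 2},
    {"exit",  133996, 3265, "sh",          "/usr/local/bin/emacsclient",  "emacsclient", "--alternate-editor=", 3, 2},
    {"exit",  133996, 3265, "sh",          "/usr/sbin/emacsclient",       "emacsclient", "--alternate-editor=", 3, 2},
    {"exit",  133996, 3265, "emacsclient", "/usr/bin/emacsclient",        "emacsclient", "--alternate-editor=", 3, 0},
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

static const char *basename_of(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Only the exit stage carries the outcome: an enter record is emitted even
 * when the kernel later rejects the path, and on success comm at exit already
 * reflects the new image ("emacsclient" above). */
static int is_completed_exec(const struct exec_record *r)
{
    return strcmp(r->stage, "exit") == 0 && r->error_raw == 0;
}

/* A failed exit leaves the caller running under its old comm ("sh"); the run
 * of ENOENT exits for the same argv0 is the shell probing each $PATH entry. */
static int is_failed_exec(const struct exec_record *r)
{
    return strcmp(r->stage, "exit") == 0 && r->error_raw != 0;
}

/* Detection rule: a shell launched with -c, i.e. an inline command string. */
static int is_shell_dash_c(const struct exec_record *r)
{
    const char *base = basename_of(r->filename);
    int is_shell = strcmp(base, "sh") == 0 || strcmp(base, "bash") == 0 || strcmp(base, "dash") == 0;
    return is_shell && r->argv1 != NULL && strcmp(r->argv1, "-c") == 0;
}

struct exec_summary { int completed; int failed; int shell_dash_c; };

static struct exec_summary summarize(const struct exec_record *recs, size_t n)
{
    struct exec_summary s = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        if (is_completed_exec(&recs[i])) {
            s.completed++;
            if (is_shell_dash_c(&recs[i]))
                s.shell_dash_c++;
        }
        else if (is_failed_exec(&recs[i])) {
            s.failed++;
        }
    }
    return s;
}

static struct exec_summary summarize_sample(void)
{
    return summarize(SAMPLE, SAMPLE_LEN);
}

int main(void)
{
    struct exec_summary s = summarize_sample();
    printf("completed=%d failed=%d shell_dash_c=%d\n", s.completed, s.failed, s.shell_dash_c);
    return 0;
}
```

Counting from the exit stage only is what keeps the enter record from being double-counted; the same rule is why a pipeline consuming this input should key any alerting on `stage`=`exit` and `error_raw`, not on the enter record alone.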

@coderabbitai

coderabbitai bot commented Apr 15, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds an execve eBPF trace: new BPF programs and maps, a userland handler and header to encode exec events, event struct changes, trace registration and tests, plus a minor config help-text update.

Changes

Cohort / File(s) Summary
eBPF program
plugins/in_ebpf/traces/exec/bpf.c
New tracepoint programs for sys_enter_execve and sys_exit_execve, per-tid staging map, per-CPU heap, events map, license, capture of filename/argv/argc/mntns_id, parent pid and error, and event submission.
Trace handler & API
plugins/in_ebpf/traces/exec/handler.c, plugins/in_ebpf/traces/exec/handler.h
New handler implementation and header: encode_exec_event() encodes exec events; trace_exec_handler() validates events and appends encoded logs.
Event definitions
plugins/in_ebpf/traces/includes/common/events.h
struct execve_event: renamed tpid to ppid and added int error_raw.
Trace registry
plugins/in_ebpf/traces/traces.h
Includes generated exec skeleton and handler header, adds DEFINE_GET_BPF_OBJECT(trace_exec), and registers trace_exec with trace_exec_handler.
Config help text
plugins/in_ebpf/in_ebpf.c
Updated Trace option example list to include exec.
Tests & build
tests/runtime/CMakeLists.txt, tests/runtime/in_ebpf_exec_handler.c
Added CMake test target and runtime tests validating exec event encoding/decoding and negative-path handling.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Kernel
  participant BPF as "eBPF: exec/bpf.c"
  participant Maps as "BPF Maps: values/heap/events"
  participant Userspace as "in_ebpf userspace reader"
  participant Handler as "exec handler (handler.c)"
  participant Encoder as "flb_log_event_encoder / flb_input"

  Kernel->>BPF: tracepoint sys_enter_execve(ctx)
  BPF->>Maps: store staged args by tid (filename, argv, argc, mntns_id)
  Kernel->>BPF: tracepoint sys_exit_execve(ctx)
  BPF->>Maps: lookup staged args, build event (ppid, error_raw, comm...), submit to events map
  Maps->>Userspace: userspace reads submitted event
  Userspace->>Handler: trace_exec_handler(data, size)
  Handler->>Encoder: encode_exec_event(ev) -> encoded buffer
  Handler->>Userspace: flb_input_log_append(encoded buffer)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Suggested reviewers

  • edsiper

Poem

"I hopped through kernel traces with glee,
Collected exec tales beneath a tree.
Maps held the carrots, argv the feast,
Handlers wrapped stories, from greatest to least.
A tiny rabbit cheers — exec is released!" 🐇

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title 'in_ebpf: Implement exec trace' directly and clearly describes the main change: adding exec/execve tracing support to the in_ebpf input plugin.
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.



@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: da45240ff6



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@plugins/in_ebpf/in_ebpf.c`:
- Line 265: Update the help text so it advertises the actual registration key
used by trace_setup: replace or augment the "exec" entry with the registered
name "trace_exec" (e.g., "exec (trace_exec)") so users can pass the correct key;
locate the help string near the trace option and ensure it matches the
registration name used when registering trace_exec in the plugin code.

In `@plugins/in_ebpf/traces/exec/bpf.c`:
- Around line 21-26: The struct execve_args currently stores raw user pointers
(args.filename and args.argv) from sys_enter_execve which are later dereferenced
in the exit hook after an exec may have replaced the caller's address space; to
fix this, read and copy the filename and each argv string into kernel-space
buffers on entry (e.g., using bpf_probe_read_str or equivalent) and store those
copied strings in the map value instead of the raw pointers, update the
execve_args/map value layout to include fixed-size char arrays or pointers to
allocated buffers, and adjust all locations that currently reference
args.filename/args.argv (including the exit hook and the areas around lines
68-84 and 131-143) to use the copied strings from the map value rather than
user-space pointers.

In `@plugins/in_ebpf/traces/exec/handler.c`:
- Around line 106-112: The current code returns immediately on
flb_input_log_append failure and leaves the committed data in encoder; update
the failure path in the block around flb_input_log_append (the call using
event_ctx->ins and encoder->output_buffer/encoder->output_length) to call
flb_log_event_encoder_reset(encoder) before returning so the encoder is cleared
on both success and error paths, preventing stale bytes from being re-emitted or
corrupting the next record.

In `@tests/runtime/in_ebpf_exec_handler.c`:
- Around line 86-122: Update the verify_decoded_values function to track and
assert presence of all required exec fields: add boolean seen_pid, seen_ppid,
seen_filename, seen_argc, seen_argv, seen_error_raw (set true when each key is
encountered) and after the loop assert each seen_* is true; also validate argv
contents (compare each argument string and count against
original->details.execve.argc). Additionally add a negative-path unit test for
trace_exec_handler that calls it with an incorrect event_type and a truncated
payload and asserts it fails/returns the expected error, ensuring missing fields
are detected. Use the functions/structures present in the diff
(verify_decoded_values and trace_exec_handler, original->details.execve) to
locate where to add the checks.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 88223759-c29d-4031-ba07-1c24983e7897

📥 Commits

Reviewing files that changed from the base of the PR and between 63ed88e and da45240.

📒 Files selected for processing (8)
  • plugins/in_ebpf/in_ebpf.c
  • plugins/in_ebpf/traces/exec/bpf.c
  • plugins/in_ebpf/traces/exec/handler.c
  • plugins/in_ebpf/traces/exec/handler.h
  • plugins/in_ebpf/traces/includes/common/events.h
  • plugins/in_ebpf/traces/traces.h
  • tests/runtime/CMakeLists.txt
  • tests/runtime/in_ebpf_exec_handler.c
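The bpf.c finding above (staging the raw user-space `filename`/`argv` pointers at `sys_enter_execve` and dereferencing them at `sys_exit_execve`) is worth seeing end to end: a successful exec tears down the caller's old image before the exit tracepoint fires, so a pointer captured at entry no longer refers to the string the process passed in. The program below is an added userspace simulation, not the PR's bpf.c and not a BPF program: `probe_read_str_sim` stands in for the kernel helper `bpf_probe_read_user_str()` (same contract: at most `size-1` bytes copied, always NUL-terminated, return value counts the NUL), the two `staged_*` structs are hypothetical map-value layouts, and `exec_replaces_image` models the old image disappearing by zeroing the caller's buffer.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define STAGED_FILENAME_LEN 32  /* hypothetical fixed buffer; a real map value would be larger */

/* What the review recommends staging at entry: a copy of the string, plus the
 * copied length so the exit hook can tell a truncated path from a full one. */
struct staged_copy {
    uint32_t tid;
    char filename[STAGED_FILENAME_LEN];
    long filename_len;   /* bytes copied incl. NUL; == sizeof filename means truncated */
};

/* What the review flags: only the user-space pointer is staged. */
struct staged_ptr {
    uint32_t tid;
    const char *filename_user;
};

/* Userspace stand-in for bpf_probe_read_user_str(): copies at most size-1
 * bytes, always NUL-terminates, returns the byte count including the NUL.
 * A return equal to size means the source did not fit. */
static long probe_read_str_sim(char *dst, size_t size, const char *src)
{
    size_t i;
    if (size == 0)
        return 0;
    for (i = 0; i < size - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return (long)(i + 1);
}

/* Convenience for checking the helper's contract: copy src into a scratch
 * buffer of at most `size` bytes and return what the helper reports. */
static long probe_sim_len(const char *src, size_t size)
{
    char scratch[64];
    return probe_read_str_sim(scratch, size < sizeof scratch ? size : sizeof scratch, src);
}

static void enter_stage_copy(struct staged_copy *slot, uint32_t tid, const char *user_filename)
{
    slot->tid = tid;
    slot->filename_len = probe_read_str_sim(slot->filename, sizeof slot->filename, user_filename);
}

static void enter_stage_ptr(struct staged_ptr *slot, uint32_t tid, const char *user_filename)
{
    slot->tid = tid;
    slot->filename_user = user_filename;   /* dangling once the exec succeeds */
}

/* Models a successful execve: the old image is gone, so anything still
 * pointing into it is stale. */
static void exec_replaces_image(char *user_mem, size_t len)
{
    memset(user_mem, 0, len);
}

/* Constructed caller-owned string standing in for user memory. */
static char *constructed_user_string(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    if (p == NULL)
        abort();
    strcpy(p, s);
    return p;
}

/* Returns 1 if the value read at exit still equals what was passed at entry. */
static int exit_sees_original_copy(void)
{
    char *user_mem = constructed_user_string("/usr/bin/sh");
    struct staged_copy slot;
    enter_stage_copy(&slot, 133996, user_mem);
    exec_replaces_image(user_mem, strlen("/usr/bin/sh"));
    int ok = strcmp(slot.filename, "/usr/bin/sh") == 0;
    free(user_mem);
    return ok;
}

static int exit_sees_original_ptr(void)
{
    char *user_mem = constructed_user_string("/usr/bin/sh");
    struct staged_ptr slot;
    enter_stage_ptr(&slot, 133996, user_mem);
    exec_replaces_image(user_mem, strlen("/usr/bin/sh"));
    int ok = strcmp(slot.filename_user, "/usr/bin/sh") == 0;   /* reads the torn-down image */
    free(user_mem);
    return ok;
}

/* Truncation is visible to the exit hook through filename_len, so the event
 * can mark a partial path instead of silently emitting a shortened one. */
static int copy_reports_truncation(void)
{
    struct staged_copy slot;
    enter_stage_copy(&slot, 1, "/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop");
    return slot.filename_len == (long)sizeof slot.filename
        && strlen(slot.filename) == STAGED_FILENAME_LEN - 1;
}
```

The copied-length field is the detail to carry over to the real map value: a fixed-size buffer will truncate long paths and argv strings, and an event that records the truncation is far more useful to a consumer than one that quietly reports `/usr/lib/x86_64-linux-gnu/glib-2.0/` as the executed file.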


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@plugins/in_ebpf/traces/exec/handler.c`:
- Around line 82-85: When flb_log_event_encoder_commit_record(log_encoder) fails
in exec/handler.c (and the other trace handlers vfs, tcp, signal, malloc, bind),
roll back the encoder state before returning error to avoid leaving a dirty
encoder; specifically call flb_log_event_encoder_rollback_record(log_encoder)
immediately on any non-success return from flb_log_event_encoder_commit_record()
(mirroring the existing rollback behavior on append/encode failures) and then
return -1.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2cfd281c-eb9f-4bd3-a4a2-5c8883f9473a

📥 Commits

Reviewing files that changed from the base of the PR and between 8d6c3ba and a4e6edb.

📒 Files selected for processing (1)
  • plugins/in_ebpf/traces/exec/handler.c


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/runtime/in_ebpf_exec_handler.c`:
- Around line 114-127: The filename/argv checks can pass on truncated values
because they only compare kv->val.via.str.size bytes; update the checks in the
blocks that handle key_matches(kv->key, "filename") and key_matches(kv->key,
"argv") to first assert kv->val.type == MSGPACK_OBJECT_STR, then assert
kv->val.via.str.size == strlen(original->details.execve.filename) (for
"filename") or == strlen(original->details.execve.argv) (for "argv"), and only
after verifying equal lengths perform the content comparison (memcmp/strncmp)
using kv->val.via.str.size; keep seen_filename and seen_argv handling the same.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ec715826-cd72-4e8b-8474-faf81de49cee

📥 Commits

Reviewing files that changed from the base of the PR and between a4e6edb and 2524dbc.

📒 Files selected for processing (8)
  • plugins/in_ebpf/in_ebpf.c
  • plugins/in_ebpf/traces/exec/bpf.c
  • plugins/in_ebpf/traces/exec/handler.c
  • plugins/in_ebpf/traces/exec/handler.h
  • plugins/in_ebpf/traces/includes/common/events.h
  • plugins/in_ebpf/traces/traces.h
  • tests/runtime/CMakeLists.txt
  • tests/runtime/in_ebpf_exec_handler.c
✅ Files skipped from review due to trivial changes (2)
  • plugins/in_ebpf/in_ebpf.c
  • plugins/in_ebpf/traces/exec/handler.h
🚧 Files skipped from review as they are similar to previous changes (4)
  • plugins/in_ebpf/traces/includes/common/events.h
  • tests/runtime/CMakeLists.txt
  • plugins/in_ebpf/traces/traces.h
  • plugins/in_ebpf/traces/exec/handler.c
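The test finding above (comparing only `kv->val.via.str.size` bytes lets a truncated `filename`/`argv` pass) is a general pitfall with length-prefixed strings such as msgpack's: a bounded compare of `size` bytes is a prefix check, and a zero-length value matches everything. The snippet below is an added example, not code from the PR's test file or from Fluent Bit: `struct field_val` and `VAL_STR`/`VAL_INT` are assumed stand-ins for the msgpack object and its type tag, `weak_match` reproduces the pattern the review describes, and `strict_match` applies the suggested order of checks (type, then length equality, then content).

```c
#include <assert.h>
#include <stdbool.h>
#include <string.h>

/* Stand-in for a decoded msgpack value: a type tag plus a pointer/length pair.
 * Msgpack strings are not NUL-terminated, hence the explicit size. */
enum { VAL_STR = 1, VAL_INT = 2 };   /* hypothetical tags, not msgpack's enum */
struct field_val {
    int type;
    const char *ptr;
    size_t size;
};

static struct field_val raw_val(int type, const char *p, size_t n)
{
    struct field_val v = { type, p, n };
    return v;
}

static struct field_val str_val(const char *p, size_t n)
{
    return raw_val(VAL_STR, p, n);
}

/* The pattern the review flags: comparing `size` bytes only. A value that is
 * a prefix of the expected string, including the empty string, passes. */
static bool weak_match(struct field_val v, const char *expected)
{
    return strncmp(v.ptr, expected, v.size) == 0;
}

/* Corrected check: the value must be a string, its length must equal the
 * expected length, and only then are the bytes compared. */
static bool strict_match(struct field_val v, const char *expected)
{
    size_t want = strlen(expected);
    if (v.type != VAL_STR)
        return false;
    if (v.size != want)
        return false;
    return memcmp(v.ptr, expected, want) == 0;
}

/* Mirrors the suggested verify_decoded_values() shape for one string field:
 * mark the field as seen and report whether it matched exactly. */
static bool check_string_field(struct field_val v, const char *expected, bool *seen)
{
    *seen = true;
    return strict_match(v, expected);
}
```

Applied to the test, the `seen_filename`/`seen_argv` bookkeeping stays as it is; only the comparison changes, so a decoder that dropped the last byte of `/usr/bin/sh` now fails the test instead of passing it.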


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
plugins/in_ebpf/traces/exec/handler.c (1)

21-80: Consider consolidating append+rollback boilerplate.

The repeated ret checks with identical rollback/return branches are easy to drift. A tiny helper/macro would make this safer to maintain.

Refactor sketch
+static inline int append_or_rollback(int rc, struct flb_log_event_encoder *enc)
+{
+    if (rc != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(enc);
+        return -1;
+    }
+    return 0;
+}
+
 int encode_exec_event(struct flb_input_instance *ins,
                       struct flb_log_event_encoder *log_encoder,
                       const struct event *ev)
 {
     int ret;
@@
-    ret = flb_log_event_encoder_append_body_cstring(log_encoder, "ppid");
-    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
-        flb_log_event_encoder_rollback_record(log_encoder);
-        return -1;
-    }
+    ret = append_or_rollback(
+              flb_log_event_encoder_append_body_cstring(log_encoder, "ppid"),
+              log_encoder);
+    if (ret != 0) {
+        return -1;
+    }
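Review bot: the call-site hunk does not shrink the boilerplate it targets. The original five-line block (`ret = flb_log_event_encoder_append_body_cstring(log_encoder, "ppid");` followed by the `if (ret != FLB_EVENT_ENCODER_SUCCESS) { rollback; return -1; }` branch) becomes seven lines, because `if (ret != 0) { return -1; }` is still repeated after every `append_or_rollback(...)` call, so the per-field check can still drift. Either fold the call into the condition, e.g. `if (append_or_rollback(flb_log_event_encoder_append_body_cstring(log_encoder, "ppid"), log_encoder) != 0) { return -1; }`, or use a macro that performs the rollback and the `return -1` from the enclosing function, which is what the `SAFE_ENCODE(call)` alternative named in the prompt text would do.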
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/in_ebpf/traces/exec/handler.c` around lines 21 - 80, The code repeats
the same pattern of calling flb_log_event_encoder_* functions, checking ret,
calling flb_log_event_encoder_rollback_record(log_encoder) and returning -1;
introduce a small helper (static inline function or macro) to encapsulate this
pattern (e.g., SAFE_ENCODE(call) or safe_encode(log_encoder, (call))) and
replace each pair of calls in handler.c (including uses around
encode_common_fields, flb_log_event_encoder_append_body_cstring,
flb_log_event_encoder_append_body_uint32,
flb_log_event_encoder_append_body_int32, etc.) with that helper so the call,
error-check, rollback and return -1 are handled centrally to remove boilerplate
and avoid drift.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@plugins/in_ebpf/traces/exec/handler.c`:
- Around line 21-80: The code repeats the same pattern of calling
flb_log_event_encoder_* functions, checking ret, calling
flb_log_event_encoder_rollback_record(log_encoder) and returning -1; introduce a
small helper (static inline function or macro) to encapsulate this pattern
(e.g., SAFE_ENCODE(call) or safe_encode(log_encoder, (call))) and replace each
pair of calls in handler.c (including uses around encode_common_fields,
flb_log_event_encoder_append_body_cstring,
flb_log_event_encoder_append_body_uint32,
flb_log_event_encoder_append_body_int32, etc.) with that helper so the call,
error-check, rollback and return -1 are handled centrally to remove boilerplate
and avoid drift.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d773a0be-0bb6-4036-9295-b6ab4c25d272

📥 Commits

Reviewing files that changed from the base of the PR and between 2524dbc and dbda20b.

📒 Files selected for processing (1)
  • plugins/in_ebpf/traces/exec/handler.c

Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>