draios / sysdig

Linux system exploration and troubleshooting tool with first class support for containers
http://www.sysdig.com/

Hard limit on buffer size of captured arguments for execve #810

Open markus1189 opened 7 years ago

markus1189 commented 7 years ago

Goal: Make the size of the buffer for execve arguments larger or configurable.

Currently, argument capture for execve calls is limited to the PAGE_SIZE, e.g. 4KiB on my machine.

I have a particular interest in this because our Java processes have the full Java classpath as an argument and it would be great to see the whole argument list.

After seeking contact in the sysdig Slack channel, I got the following explanation from @gianlucaborello (https://sysdig.slack.com/archives/C0VHH7XE3/p1492095904448427):

you are right, the execve parameters are stored in a buffer whose size is equal to the page size, so most likely 4 KB (https://github.com/draios/sysdig/blob/dev/driver/ppm_fillers.c#L1156). -s just affects the I/O buffers for read/write. It should be possible to directly write the execve arguments to the ring buffer and overcome that limit, although it’s a delicate change at this point. Feel free to open an issue or submit a PR, the code shouldn’t actually be complicated

So this issue serves to track the status/progress/ideas on that feature.
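
To find out which running processes would be affected by the limit described in this issue, the following added example (not part of the issue thread or of sysdig's code) compares each process's `/proc/<pid>/cmdline` size with the page size. It assumes the capture buffer stores NUL-terminated arguments back to back and loses everything past the limit; the function names and the sample argv are hypothetical.

```python
import mmap
import os

PAGE_SIZE = mmap.PAGESIZE  # the issue names PAGE_SIZE as the capture limit

# Constructed sample: a Java-style argv whose classpath alone exceeds 4 KiB.
SAMPLE = b"\0".join([b"java", b"-cp", b"/opt/app/lib/a.jar:" * 300, b"Main"]) + b"\0"

def split_args(raw):
    """Split a NUL-separated argv blob (the /proc/<pid>/cmdline layout)."""
    if not raw:
        return []  # kernel threads expose an empty cmdline
    if raw.endswith(b"\0"):
        raw = raw[:-1]
    return raw.split(b"\0")

def capture_report(raw, limit=PAGE_SIZE):
    """Report how much of an argv blob fits in a `limit`-byte buffer.

    Assumption: arguments are stored back to back, each with its NUL
    terminator, and everything past `limit` bytes is lost.
    """
    args = split_args(raw)
    total = sum(len(a) + 1 for a in args)
    used = complete = 0
    for arg in args:
        if used + len(arg) + 1 > limit:
            break
        used += len(arg) + 1
        complete += 1
    truncated = total > limit
    return {"total_bytes": total, "args": len(args), "complete_args": complete,
            "truncated": truncated, "first_cut_arg": complete if truncated else None}

def scan_proc(limit=PAGE_SIZE, proc="/proc"):
    """Yield (pid, report) for live processes whose argv exceeds `limit`.

    /proc shows the current argv memory, which a process may have rewritten
    since execve, so treat the result as an estimate.
    """
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, entry, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:  # process exited or access denied
            continue
        report = capture_report(raw, limit)
        if report["truncated"]:
            yield int(entry), report

if __name__ == "__main__":
    print("sample:", capture_report(SAMPLE, 4096))
    for pid, rep in scan_proc():
        print(pid, rep["total_bytes"], "bytes; first cut at arg", rep["first_cut_arg"])
```

Any argument at or after `first_cut_arg` is one that a page-sized capture would not show in full, which matters when alerting or audit rules match on command-line content.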

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.