latchset · ueno · May 12, 2026 · neverpanic · May 12, 2026 · neverpanic
diff --git a/agent/src/bpf/audit.bpf.c b/agent/src/bpf/audit.bpf.c
@@ -71,6 +71,10 @@ record_new_context (struct pt_regs *ctx, long context, long parent)
 			 context);
   event->parent = parent;
 
+  err = bpf_get_current_comm (event->command, sizeof(event->command));
+  if (err < 0)
+    DEBUG ("unable to get current command: %ld\n", err);
+
   if (BPF_CORE_READ_BITFIELD(build_id, status) & BPF_STACK_BUILD_ID_VALID)
     {
       event->origin_size = bpf_core_field_size (build_id->build_id);

diff --git a/crypto-auditing/src/bpf/audit.h b/crypto-auditing/src/bpf/audit.h
@@ -32,13 +32,15 @@ struct audit_event_header_st
 };
 
 #define MAX_BUILD_ID_SIZE 64
+#define MAX_COMMAND_SIZE 64
 
 struct audit_new_context_event_st
 {
   struct audit_event_header_st header;
   long parent;
   unsigned char origin[MAX_BUILD_ID_SIZE];
   unsigned long int origin_size;
+  char command[MAX_COMMAND_SIZE];
 };
 
 struct audit_data_event_st

diff --git a/crypto-auditing/src/types.rs b/crypto-auditing/src/types.rs
@@ -8,7 +8,7 @@ use serde::{
 use serde_with::{hex::Hex, serde_as};
 use std::cell::RefCell;
 use std::collections::BTreeMap;
-use std::ffi::CStr;
+use std::ffi::{CStr, CString};
 use std::rc::Rc;
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
 use sysinfo::System;
@@ -32,6 +32,13 @@ where
     seq.end()
 }
 
+fn to_string_lossy<S>(source: &CString, serializer: S) -> Result<S::Ok, S::Error>
+where
+    S: Serializer,
+{
+    serializer.serialize_str(&source.to_string_lossy())
+}
+
 #[serde_as]
 #[derive(Debug, Serialize)]
 pub struct Context {
@@ -40,6 +47,8 @@ pub struct Context {
     pub id: ContextId,
     #[serde_as(as = "Hex")]
     pub origin: Vec<u8>,
+    #[serde(serialize_with = "to_string_lossy")]
+    pub command: CString,
     #[serde_as(as = "serde_with::TimestampSecondsWithFrac<f64>")]
     pub start: SystemTime,
     #[serde_as(as = "serde_with::TimestampSecondsWithFrac<f64>")]
@@ -103,10 +112,12 @@ impl ContextTracker {
                 Event::NewContext {
                     parent: parent_context,
                     origin,
+                    command,
                 } => {
                     let context = Rc::new(RefCell::new(Context {
                         id: *group.context(),
                         origin: origin.to_owned(),
+                        command: command.to_owned(),
                         start,
                         end,
                         events: Default::default(),
@@ -132,6 +143,7 @@ impl ContextTracker {
                         let context_obj = Rc::new(RefCell::new(Context {
                             id: *group.context(),
                             origin: Default::default(),
+                            command: Default::default(),
                             start,
                             end,
                             events: Default::default(),
@@ -173,6 +185,8 @@ pub enum Event {
         parent: ContextId,
         #[serde_as(as = "serde_with::Bytes")]
         origin: Vec<u8>,
+        #[serde(default)]
+        command: CString,
     },
     Data {
         key: String,
@@ -305,11 +319,17 @@ impl EventGroup {
                 let origin = unsafe {
                     (&(*raw_new_context).origin)[..(*raw_new_context).origin_size as usize].to_vec()
                 };
+                let command =
+                    unsafe { CStr::from_ptr((&(*raw_new_context).command).as_ptr()).to_owned() };
                 EventGroup {
                     context,
                     start: ktime,
                     end: ktime,
-                    events: vec![Event::NewContext { parent, origin }],
+                    events: vec![Event::NewContext {
+                        parent,
+                        origin,
+                        command,
+                    }],
                 }
             }
             audit_event_type_t::AUDIT_EVENT_DATA => unsafe {

diff --git a/docs/query.schema.json b/docs/query.schema.json
@@ -11,6 +11,7 @@
         "properties": {
           "context": { "type": "string" },
           "origin": { "type": "string" },
+          "command": { "type": "string" },
           "start": { "type": "number" },
           "end": { "type": "number" },
           "events": {

diff --git a/fixtures/logs/since-until/none.json b/fixtures/logs/since-until/none.json
@@ -2,6 +2,7 @@
   {
     "context": "77c5eac18916f65560e4a72c378fa571",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974803.010886,
     "end": 1771974803.010886,
     "events": {
@@ -12,6 +13,7 @@
       {
         "context": "3cb4522554c9b0dc609cb15a60e8066d",
         "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+        "command": "",
         "start": 1771974803.0110753,
         "end": 1771974803.0110753,
         "events": {
@@ -22,6 +24,7 @@
           {
             "context": "a585d1425ae9a1bb716ef919a7077b79",
             "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+            "command": "",
             "start": 1771974803.0110772,
             "end": 1771974803.0110772,
             "events": {
@@ -35,6 +38,7 @@
       {
         "context": "8bea2cd10c263427b8ea8f7a75ab63dc",
         "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+        "command": "",
         "start": 1771974803.0253136,
         "end": 1771974803.0253136,
         "events": {
@@ -45,6 +49,7 @@
           {
             "context": "56cef1e26f5035c51e0df469ac338f5d",
             "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+            "command": "",
             "start": 1771974803.025316,
             "end": 1771974803.025316,
             "events": {
@@ -55,6 +60,7 @@
           {
             "context": "bd1bf0fb3d99d6695865fa2bbef92b34",
             "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+            "command": "",
             "start": 1771974803.0255075,
             "end": 1771974803.0255075,
             "events": {
@@ -67,6 +73,7 @@
       {
         "context": "ba2f7865e4de038b3da670176ac134aa",
         "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+        "command": "",
         "start": 1771974803.0425448,
         "end": 1771974803.0425448,
         "events": {
@@ -78,6 +85,7 @@
       {
         "context": "dcb5668c7981c908da00c4f485aa28fe",
         "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+        "command": "",
         "start": 1771974803.0257778,
         "end": 1771974803.0257778,
         "events": {
@@ -88,6 +96,7 @@
           {
             "context": "0c7af68a3db1a3f26781b44c3b74f372",
             "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+            "command": "",
             "start": 1771974803.025795,
             "end": 1771974803.025795,
             "events": {
@@ -104,6 +113,7 @@
   {
     "context": "ccb9432c9c2c8c203230e6b7d31c0b16",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974863.214706,
     "end": 1771974863.214706,
     "events": {
@@ -114,6 +124,7 @@
       {
         "context": "4496299804038c7e426b63ba21e82767",
         "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+        "command": "",
         "start": 1771974863.2148774,
         "end": 1771974863.2148774,
         "events": {
@@ -124,6 +135,7 @@
           {
             "context": "f4a8575856bd5e71c9cfeb08004b18a8",
             "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+            "command": "",
             "start": 1771974863.2148807,
             "end": 1771974863.2148807,
             "events": {
@@ -137,6 +149,7 @@
       {
         "context": "5d965925626f231276ab4658c070f0bb",
         "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+        "command": "",
         "start": 1771974863.2293024,
         "end": 1771974863.2293024,
         "events": {
@@ -147,6 +160,7 @@
           {
             "context": "5ffa226b4b1b2e03ac33f016c368daf5",
             "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+            "command": "",
             "start": 1771974863.22932,
             "end": 1771974863.22932,
             "events": {
@@ -161,6 +175,7 @@
       {
         "context": "9c3eb879769d1ca094404184669f6d60",
         "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+        "command": "",
         "start": 1771974863.2288046,
         "end": 1771974863.2288046,
         "events": {
@@ -171,6 +186,7 @@
           {
             "context": "464cbb78dccd784c9b70a5592a97c067",
             "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+            "command": "",
             "start": 1771974863.229047,
             "end": 1771974863.229047,
             "events": {
@@ -181,6 +197,7 @@
           {
             "context": "6b12b88a73508c86569afb171fc86fa2",
             "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+            "command": "",
             "start": 1771974863.2288072,
             "end": 1771974863.2288072,
             "events": {
@@ -193,6 +210,7 @@
       {
         "context": "f574d1bf35c80d999cd45243992cbcf3",
         "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+        "command": "",
         "start": 1771974863.2472508,
         "end": 1771974863.2472508,
         "events": {
@@ -206,6 +224,7 @@
   {
     "context": "ba622d5b9877a430162242de965c3a3e",
     "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+    "command": "",
     "start": 1771974923.4500113,
     "end": 1771974923.4500113,
     "events": {
@@ -216,6 +235,7 @@
       {
         "context": "086f6407cbc7d1ab26012b7e939373c4",
         "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+        "command": "",
         "start": 1771974923.4649017,
         "end": 1771974923.4649017,
         "events": {
@@ -226,6 +246,7 @@
           {
             "context": "849055c3278578d687c4b54c828ec440",
             "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+            "command": "",
             "start": 1771974923.4649038,
             "end": 1771974923.4649038,
             "events": {
@@ -236,6 +257,7 @@
           {
             "context": "dbdb8d7e3703cb023b12c41af91cad51",
             "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+            "command": "",
             "start": 1771974923.465125,
             "end": 1771974923.465125,
             "events": {
@@ -248,6 +270,7 @@
       {
         "context": "174de05063ba9b25008b373abab6edc2",
         "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+        "command": "",
         "start": 1771974923.4501987,
         "end": 1771974923.4501987,
         "events": {
@@ -258,6 +281,7 @@
           {
             "context": "ac972e44ea6bcef3b4a63cbe53a80cc9",
             "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+            "command": "",
             "start": 1771974923.4502006,
             "end": 1771974923.4502006,
             "events": {
@@ -271,6 +295,7 @@
       {
         "context": "520f84448e7d46817efd218659951f35",
         "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+        "command": "",
         "start": 1771974923.4855325,
         "end": 1771974923.4855325,
         "events": {
@@ -282,6 +307,7 @@
       {
         "context": "7efbca0e91133d460bbabf918ea3d2d5",
         "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+        "command": "",
         "start": 1771974923.4654472,
         "end": 1771974923.4654472,
         "events": {
@@ -292,6 +318,7 @@
           {
             "context": "631afe9e5424d5b5b2a69e94388704d7",
             "origin": "25afdfb85a5c7626b28a77ac4dce92637f7c842a",
+            "command": "",
             "start": 1771974923.465482,
             "end": 1771974923.465482,
             "events": {