Example eBPF to trace the execve system call.
This example traces tracepoint/sched/sched_process_exec rather than tracepoint/syscalls/sys_enter_execve, because tracing the syscall entry is not reliable (see this for why).
It's built using libbpfgo, a thin Go wrapper around the C libbpf library. libbpf is a git submodule in the repo so it can be built from source and the eBPF loader statically linked against it. The resulting BPF object is embedded in the Go binary, so the target machines don't require any dependencies, and CO-RE allows the same binary to work across kernel versions.
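An added example of the userspace half of such a tracer, not code from this repo: libbpfgo hands each ring-buffer record to Go as a raw byte slice, and the program has to decode it as the C struct the BPF side wrote. The struct layout (`pid`, `ppid`, `uid`, `comm[16]`, `filename[256]`, little-endian) and the `sampleRecord` builder are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Assumed layout of the record the BPF program submits to the ring buffer:
// struct exec_event { u32 pid; u32 ppid; u32 uid; char comm[16]; char filename[256]; }
const (
	commLen     = 16
	filenameLen = 256
	eventSize   = 4 + 4 + 4 + commLen + filenameLen
)

type ExecEvent struct {
	PID, PPID, UID uint32
	Comm, Filename string
}

// cString cuts a fixed-size C buffer at its first NUL byte.
func cString(b []byte) string {
	if i := bytes.IndexByte(b, 0); i >= 0 {
		b = b[:i]
	}
	return string(b)
}

// DecodeExecEvent parses one raw ring-buffer record; a truncated record is
// rejected rather than read past its end.
func DecodeExecEvent(raw []byte) (ExecEvent, error) {
	if len(raw) < eventSize {
		return ExecEvent{}, fmt.Errorf("short record: %d bytes, want %d", len(raw), eventSize)
	}
	le := binary.LittleEndian
	return ExecEvent{
		PID: le.Uint32(raw[0:4]), PPID: le.Uint32(raw[4:8]), UID: le.Uint32(raw[8:12]),
		Comm:     cString(raw[12 : 12+commLen]),
		Filename: cString(raw[12+commLen : eventSize]),
	}, nil
}

// sampleRecord builds a constructed record in the same layout, standing in for
// what the kernel side would emit (comm and filename are NUL-terminated).
func sampleRecord(pid, ppid, uid uint32, comm, filename string) []byte {
	buf := make([]byte, eventSize)
	le := binary.LittleEndian
	le.PutUint32(buf[0:], pid)
	le.PutUint32(buf[4:], ppid)
	le.PutUint32(buf[8:], uid)
	copy(buf[12:12+commLen-1], comm)
	copy(buf[12+commLen:eventSize-1], filename)
	return buf
}

func main() {
	ev, err := DecodeExecEvent(sampleRecord(4242, 1, 1000, "bash", "/usr/bin/id"))
	fmt.Printf("%+v err=%v\n", ev, err)
}
```

In the real program the byte slice comes from the channel passed to libbpfgo's ring-buffer initialisation instead of `sampleRecord`.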
The code to find the full path when a relative path is passed to execve is based on this.
Most of the Makefile is explained here.
$ sudo zypper install git make libelf-devel bpftool clang go1.23
bpftool is installed in /usr/sbin, which must be on PATH:
$ export PATH=$PATH:/usr/sbin
$ make
For installing Go see here.
$ sudo apt install git make libelf-dev bpftool clang
$ make