cilium
diff --git a/‎bpf/lib/process.h‎
Lines changed: 14 additions & 0 deletions b/‎bpf/lib/process.h‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎bpf/process/bpf_execve_event.c‎
Lines changed: 6 additions & 1 deletion b/‎bpf/process/bpf_execve_event.c‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎bpf/process/types/basic.h‎
Lines changed: 18 additions & 2 deletions b/‎bpf/process/types/basic.h‎
Lines changed: 18 additions & 2 deletions
@@ -320,6 +320,19 @@ struct binary {
 	char end_r[STRING_POSTFIX_MAX_LENGTH];
 	// args for the binary
 	char args[MAXARGLENGTH];
+	/**
+	 * filename_length - Length of script path for matchScript support
+	 *
+	 * When matchScript is enabled, this field stores the length of the
+	 * script path found in args[0]. For shebang scripts (e.g., #!/bin/bash),
+	 * this allows matching against the script path (/path/script.sh) instead
+	 * of the interpreter path (/bin/bash).
+	 * 
+	 * Set during execve processing and used by matchScript selectors.
+	 * Value of 0 indicates no script path available.
+	 */
+	__s32 filename_length;
+	__s32 __pad_filename; // padding for uint64 alignment
 	// matchBinary bitset for binary
 	// NB: everything after and including ->mb_bitset will not be zeroed on a new exec. See
 	// binary_reset().
@@ -366,6 +379,7 @@ struct {
 	__type(value, struct binary);
 } tg_binary_heap SEC(".maps");
 
+
 // Parent binaries map is used for saving actual immediate parents
 // for processes to get check them in matchParentBinaries selector.
 // If multiple execs are called in same process without fork, the map
 
@@ -442,9 +442,13 @@ execve_send(struct exec_ctx_struct *ctx __arg_ctx)
 		with_errmetrics(probe_read, curr->bin.args, len, (char *)&event->process + off);
 
 		// there's a null byte between each argv element, so we terminate with
-		// two of them to make it possible to identify the end of the buffer
 		curr->bin.args[len] = 0x00;
 		curr->bin.args[len + 1] = 0x00;
+
+		// Store filename length for matchScript support.
+		// The filename (script path) is already in args as the first element.
+		if (p->size_path > 0 && p->size_path < BINARY_PATH_MAX_LEN)
+			curr->bin.filename_length = p->size_path;
 #else
 		char *filename = (char *)ctx + (_(ctx->__data_loc_filename) & 0xFFFF);
 
@@ -467,3 +471,4 @@ execve_send(struct exec_ctx_struct *ctx __arg_ctx)
 	event_output_metric(ctx, MSG_OP_EXECVE, event, size);
 	return 0;
 }
+
@@ -1849,6 +1849,9 @@ struct match_binaries_sel_opts {
 	__u32 op;
 	__u32 map_id;
 	__u32 mbset_id;
+	// match_script: if true, match against the script path (filename from execve)
+	// instead of the interpreter path (exe_file) for shebang scripts
+	__u32 match_script;
 };
 
 // We need data for:
@@ -1904,7 +1907,20 @@ FUNC_INLINE int match_binaries(__u32 key, struct execve_map_value *current, stru
 		if (selector_options->op == op_filter_none)
 			return 1; // matchBinaries selector is empty <=> match
 
-		if (bin->path_length < 0) {
+		// Select which path to match against based on match_script option.
+		// If match_script is true, use the resolved script path from tg_script_path_map.
+		// This handles both absolute and relative paths (resolved at execve time).
+		// Otherwise use path (exe_file, which is the interpreter for shebang scripts).
+		char *match_path = bin->path;
+		__s32 match_path_length = bin->path_length;
+
+		if (selector_options->match_script) {
+			// Use script path (bin->args) instead of interpreter path (bin->path)
+			match_path = bin->args;
+			match_path_length = bin->filename_length;
+		}
+
+		if (match_path_length < 0) {
 			// something wrong happened when copying the filename to execve_map
 			return 0;
 		}
@@ -1928,7 +1944,7 @@ FUNC_INLINE int match_binaries(__u32 key, struct execve_map_value *current, stru
 			path_map = map_lookup_elem(&tg_mb_paths, &key);
 			if (!path_map)
 				return 0;
-			found_key = map_lookup_elem(path_map, bin->path);
+			found_key = map_lookup_elem(path_map, match_path);
 			break;
 #ifdef __LARGE_BPF_PROG
 		case op_filter_str_prefix: