fix: filldir64 event

[rscampos]

1. Explain what the PR does

6482680 fix: filldir64 event

The second parameter (`name`) of filldir64 is currently being
interpreted as the `process name`, whereas it should be
interpreted as the directory entry name (`dirent name`).

2. Explain how to test it

In order to generate the event hidden_inodes its necessary to trigger filldir64. filldir64 is triggered by getdents64 (library function readdir). Flow: readdir -> getdents64 -> filldir64

% gcc readdir -o readdir.c
% ./readdir /

readdir source code:

Source code

#include <stdio.h>
#include <stdlib.h>
#include <dirent.h>

int main(int argc, char *argv[]) {
    // Check if the directory path is provided
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <directory_path>\n", argv[0]);
        return EXIT_FAILURE;
    }
    // Open the directory
    DIR *dir = opendir(argv[1]);
    if (dir == NULL) {
        perror("opendir");
        return EXIT_FAILURE;
    }
    printf("Contents of directory %s:\n", argv[1]);
    struct dirent *entry;
    while ((entry = readdir(dir)) != NULL) {
        printf("Name: %s", entry->d_name);
        // Additional information
        switch (entry->d_type) {
            case DT_REG:
                printf(" (Regular file)\n");
                break;
            case DT_DIR:
                printf(" (Directory)\n");
                break;
            case DT_LNK:
                printf(" (Symbolic link)\n");
                break;
            default:
                printf(" (Other)\n");
                break;
        }
    }
    // Close the directory
    closedir(dir);
    return EXIT_SUCCESS;
}

sudo ./dist/tracee -s comm=readdir -e hidden_inodes.data.hidden_dirent=tmp
TIME             UID    COMM             PID     TID     RET              EVENT                     ARGS
08:12:55:823956  1000   readdir          2470122 2470122 0                hidden_inodes             hidden_dirent: tmp

3. Other comments

Notes: this C example is a partial PoC because don't trigger the event unless we comment out the lines:

    // only inode=0 is relevant, simple filter prior to program run
    unsigned long dirent_inode_number = (unsigned long) PT_REGS_PARM5(ctx);
    if (dirent_inode_number != 0)
        return 0;

For a fully PoC would be necessary to trigger the event and some how set the inode=0 before calling filldir64. Maybe using a LKM to hook filldir64 and set to 0 before passing to the original function.

[rscampos]

@OriGlassman FYI