IMO this name is too vague. ktrexecveargs() or similar would be better.

Same comment regarding the name - "ARGS" is too vague.

Please group this with the other ktr*() functions further down below main().

Please format this more like other ktrace records. Using english to describe the fields is not very useful, especially without quotes.

At the very least, something like printf("{argv='%s', envp='%s'}\n"). Though, perhaps we want to do something to show whether individual args/envvars contain whitespace?

Missing an entry here for the new record type.

Hello Mark. Please check the new version. Do I still need to run a free() call at the end of the function, right after ktr_submitrequest()?

Is it possible that argvs and/or envv contain whitespace characters?

Please put a newline between variable declarations and the rest of the function. See the style.9 man page for more guidance: https://man.freebsd.org/cgi/man.cgi?style(9)

This can simply be buf[argc] = '\0';, no need to use bcopy().

Similarly, buf[argc + 1 + envc] = '\0'; is a bit simpler.

It's impossible to have buf == NULL here, this check can be removed.

Extra newline here.

You don't need these includes here. Just declare struct image_args in the same place where we already declare struct ktr_io_params.

There should be a space before *. See the style.9 man page I linked above.

Yes. Try tracing a shell, and run something like

$ awk '{ print }' /dev/null

The argv reported by ktrace will look like awk { print } /dev/null, which is a bit confusing.

The ktrace man page needs to be updated as well. We should add a new flag to -t to optionally disable execve tracing, and the documented list of default tracepoints also needs to be updated.

Because of parsing in ktrace.c with the help of exec_args_get_begin_envv and similar, I need the complete definition.

Then imgact.h should be included in kern_ktrace.c, not here. ktrace.h is included by many different C files, and it should avoid bringing in more definitions than necessary.

If req == NULL here, then we need to free buf.

Most of these other functions should use const as well, e.g., in ktrnamei(), but that should be handled in a separate patch.

I just realized that you have no way of distinguishing arguments and environment variables here. I think the structure returned from the kernel should distinguish the two. For example, you could store the offset of the environment variables at the beginning of the ktrace record.

And then you can just call:

ktrdata(KTR_EXECVE_ARGS, args->begin_argv, exec_args_get_begin_envv(args) - args->begin_argv);
ktrdata(KTR_EXECVE_ENVS, exec_args_get_begin_envv(args), args->endp - exec_args_get_begin_envv(args));

straight from the kern_exec.c, without need to import <imgact.h> into ktr_ktrace.c.

New function ktrdata() can also be used to reduce ktrnamei() down to:

ktrdata(KTR_NAMEI, path, strlen(path))

Here is the version I suggest, might be easier to read than a colored diff:

void
ktrdata(int type, const void *data, size_t len)
{
        struct ktr_request *req;
        void *buf;

        if ((req = ktr_getrequest(type)) == NULL)
                return;
        buf = malloc(len, M_KTRACE, M_WAITOK);
        bcopy(data, buf, len);
        req->ktr_header.ktr_len = len;
        req->ktr_buffer = buf;
        ktr_submitrequest(curthread, req);
}

Every meaningful change to a manual page must bump this date.

These two new declarations need a comment, just like all old ones have. See comment above KTR_NAMEI as an example.