fix(userspace/libsinsp): use comm file instead of status to get p…

…roc comm.

Signed-off-by: Federico Di Pierro <[email protected]>

Co-authored-by: <[email protected]>

userspace/libscap/linux/scap_procs.c

@@ -559,21 +559,23 @@ static int32_t scap_proc_add_from_proc(struct scap_linux_platform* linux_platfor
 	//
 	// Gather the command name
 	//
-	snprintf(filename, sizeof(filename), "%sstatus", dir_name);
+	snprintf(filename, sizeof(filename), "%scomm", dir_name);
 
 	f = fopen(filename, "r");
 	if(f == NULL) {
 		return scap_errprintf(error, errno, "can't open %s", filename);
 	} else {
 		ASSERT(sizeof(line) >= SCAP_MAX_PATH_SIZE);
 
-		if(fgets(line, SCAP_MAX_PATH_SIZE, f) == NULL) {
-			fclose(f);
-			return scap_errprintf(error, errno, "can't read from %s", filename);
+		filesize = fread(line, 1, SCAP_MAX_ARGS_SIZE, f);
+		if(filesize > 0) {
+			// In case `comm` is greater than `SCAP_MAX_ARGS_SIZE` it could be
+			// truncated so we put a `/0` at the end manually.
+			line[filesize - 1] = 0;
+			snprintf(tinfo.comm, SCAP_MAX_PATH_SIZE, "%s", line);
+		} else {
+			tinfo.comm[0] = 0;
 		}
-
-		line[SCAP_MAX_PATH_SIZE - 1] = 0;
-		sscanf(line, "Name:%1024s", tinfo.comm);
 		fclose(f);
 	}
 

userspace/libsinsp/sinsp_filtercheck_thread.cpp

@@ -111,7 +111,7 @@ static const filtercheck_field_info sinsp_filter_check_thread_fields[] = {
          "Name",
          "The process name (truncated after 16 characters) generating the event (task->comm). "
          "Truncation is determined by kernel settings and not by Falco. This field is collected "
-         "from the syscalls args or, as a fallback, extracted from /proc/PID/status. The name of "
+         "from the syscalls args or, as a fallback, extracted from /proc/PID/comm. The name of "
          "the process and the name of the executable file on disk (if applicable) can be different "
          "if a process is given a custom name which is often the case for example for java "
          "applications."},