From 1120ca43ae9e3a8cbda23f102fc181c11ece23db Mon Sep 17 00:00:00 2001
From: Federico Di Pierro
Date: Wed, 11 Dec 2024 13:58:07 +0100
Subject: [PATCH] fix(userspace/libsinsp): use `comm` file instead of `status` to get proc comm.
Signed-off-by: Federico Di Pierro
Co-authored-by:
---
 userspace/libscap/linux/scap_procs.c | 16 +++++++++-------
 userspace/libsinsp/sinsp_filtercheck_thread.cpp | 2 +-
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/userspace/libscap/linux/scap_procs.c b/userspace/libscap/linux/scap_procs.c
index d9f28d5075..384184ce22 100644
--- a/userspace/libscap/linux/scap_procs.c
+++ b/userspace/libscap/linux/scap_procs.c
@@ -559,7 +559,7 @@ static int32_t scap_proc_add_from_proc(struct scap_linux_platform* linux_platfor
 //
 // Gather the command name
 //
- snprintf(filename, sizeof(filename), "%sstatus", dir_name);
+ snprintf(filename, sizeof(filename), "%scomm", dir_name);
 f = fopen(filename, "r");
 if(f == NULL) {
@@ -567,13 +567,15 @@ static int32_t scap_proc_add_from_proc(struct scap_linux_platform* linux_platfor
 } else {
 ASSERT(sizeof(line) >= SCAP_MAX_PATH_SIZE);
- if(fgets(line, SCAP_MAX_PATH_SIZE, f) == NULL) {
- fclose(f);
- return scap_errprintf(error, errno, "can't read from %s", filename);
+ filesize = fread(line, 1, SCAP_MAX_ARGS_SIZE, f);
+ if(filesize > 0) {
+ // In case `comm` is greater than `SCAP_MAX_ARGS_SIZE` it could be
+ // truncated so we put a `/0` at the end manually.
+ line[filesize - 1] = 0;
+ snprintf(tinfo.comm, SCAP_MAX_PATH_SIZE, "%s", line);
+ } else {
+ tinfo.comm[0] = 0;
 }
-
- line[SCAP_MAX_PATH_SIZE - 1] = 0;
- sscanf(line, "Name:%1024s", tinfo.comm);
 fclose(f);
 }
diff --git a/userspace/libsinsp/sinsp_filtercheck_thread.cpp b/userspace/libsinsp/sinsp_filtercheck_thread.cpp
index fb1578422e..a634c4361b 100644
--- a/userspace/libsinsp/sinsp_filtercheck_thread.cpp
+++ b/userspace/libsinsp/sinsp_filtercheck_thread.cpp
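Review bot: In the second hunk of `scap_procs.c`, the new `fread` is bounded by `SCAP_MAX_ARGS_SIZE` while the `ASSERT` directly above it only establishes `sizeof(line) >= SCAP_MAX_PATH_SIZE`, so nothing visible in the hunk ties the read length to the buffer that receives it. `/proc/PID/comm` holds a name the observed process can set, and the assert is presumably compiled out of release builds, so the bound is better taken from the buffer itself: `filesize = fread(line, 1, sizeof(line), f);`, and likewise `snprintf(tinfo.comm, sizeof(tinfo.comm), "%s", line);` instead of a constant that has to be kept in step with the field's declaration (assuming both are arrays, as the `sizeof(line)` in the assert suggests for `line`). The declarations of `line`, `filesize` and `tinfo` are outside the hunk, so whether the current constants happen to fit cannot be confirmed from here. A failed or empty read now yields an empty `comm` silently where the removed `fgets` path returned `scap_errprintf`; if that is intentional it deserves a comment, otherwise an `ferror(f)` check. The added comment should also read `\0` rather than `/0`, and say that `line[filesize - 1] = 0` overwrites the last byte read, which is normally the trailing newline.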
@@ -111,7 +111,7 @@ static const filtercheck_field_info sinsp_filter_check_thread_fields[] = {
 "Name",
 "The process name (truncated after 16 characters) generating the event (task->comm). "
 "Truncation is determined by kernel settings and not by Falco. This field is collected "
- "from the syscalls args or, as a fallback, extracted from /proc/PID/status. The name of "
+ "from the syscalls args or, as a fallback, extracted from /proc/PID/comm. The name of "
 "the process and the name of the executable file on disk (if applicable) can be different "
 "if a process is given a custom name which is often the case for example for java "
 "applications."},