Revisions to Getting the executable name in Linux from /proc/ and detect if it's truncated

Make sure the link will keep working.

edited Jan 19, 2021 at 13:26

484k
60
1.2k
1.4k

The only reliable way is via /proc/PID/exe, which will work even if the executable has been removed, or it never existed in the first place (as when executing a file created with memfd_create() via fexecve() or execveat(AT_EMPTY_PATH).

Both /proc/PID/comm and /proc/PID/cmdline can be easily faked by the process itself (the former via prctl(PR_SET_NAME), the latter just by overwriting the argv[] strings).

How does the file comm contains kworker/3:1-xfs-reclaim/sda2 without getting truncated to 15 places (+ \n to be 16)?

That's a kernel thread, not a userland process, and different rules rules apply ;-)

The only reliable way is via /proc/PID/exe, which will work even if the executable has been removed, or it never existed in the first place (as when executing a file created with memfd_create() via fexecve() or execveat(AT_EMPTY_PATH).

Both /proc/PID/comm and /proc/PID/cmdline can be easily faked by the process itself (the former via prctl(PR_SET_NAME), the latter just by overwriting the argv[] strings).

How does the file comm contains kworker/3:1-xfs-reclaim/sda2 without getting truncated to 15 places (+ \n to be 16)?

That's a kernel thread, not a userland process, and different rules apply ;-)

The only reliable way is via /proc/PID/exe, which will work even if the executable has been removed, or it never existed in the first place (as when executing a file created with memfd_create() via fexecve() or execveat(AT_EMPTY_PATH).

Both /proc/PID/comm and /proc/PID/cmdline can be easily faked by the process itself (the former via prctl(PR_SET_NAME), the latter just by overwriting the argv[] strings).

How does the file comm contains kworker/3:1-xfs-reclaim/sda2 without getting truncated to 15 places (+ \n to be 16)?

That's a kernel thread, not a userland process, and different rules apply ;-)

added 71 characters in body

Source Link

edited Jan 19, 2021 at 13:25

user313992

The only reliable way is via /proc/PID/exe, which will work even if the executable has been removed, or it never existed in the first place (as when executing a file created with memfd_create() via fexecve() or execveat(AT_EMPTY_PATH).

Both /proc/PID/comm and /proc/PID/cmdline can be easily faked by the process itself (the former via prctl(PR_SET_NAME), the latter just by overwriting the argv[] strings).

How does the file comm contains kworker/3:1-xfs-reclaim/sda2 without getting truncated to 15 places (+ \n to be 16)?

That's a kernel thread, not a userland process, and different rulesrules apply ;-)

The only reliable way is via /proc/PID/exe, which will work even if the executable has been removed, or it never existed in the first place (as when executing a file created with memfd_create() via fexecve() or execveat(AT_EMPTY_PATH).

Both /proc/PID/comm and /proc/PID/cmdline can be easily faked by the process itself (the former via prctl(PR_SET_NAME), the latter just by overwriting the argv[] strings).

How does the file comm contains kworker/3:1-xfs-reclaim/sda2 without getting truncated to 15 places (+ \n to be 16)?

That's a kernel thread, not a userland process, and different rules apply ;-)

The only reliable way is via /proc/PID/exe, which will work even if the executable has been removed, or it never existed in the first place (as when executing a file created with memfd_create() via fexecve() or execveat(AT_EMPTY_PATH).

Both /proc/PID/comm and /proc/PID/cmdline can be easily faked by the process itself (the former via prctl(PR_SET_NAME), the latter just by overwriting the argv[] strings).

How does the file comm contains kworker/3:1-xfs-reclaim/sda2 without getting truncated to 15 places (+ \n to be 16)?

That's a kernel thread, not a userland process, and different rules apply ;-)

Source Link

answered Jan 19, 2021 at 13:16

user313992

The only reliable way is via /proc/PID/exe, which will work even if the executable has been removed, or it never existed in the first place (as when executing a file created with memfd_create() via fexecve() or execveat(AT_EMPTY_PATH).

Both /proc/PID/comm and /proc/PID/cmdline can be easily faked by the process itself (the former via prctl(PR_SET_NAME), the latter just by overwriting the argv[] strings).

How does the file comm contains kworker/3:1-xfs-reclaim/sda2 without getting truncated to 15 places (+ \n to be 16)?

That's a kernel thread, not a userland process, and different rules apply ;-)

Stack Exchange Network

Return to Answer