Resolve falcosecurity#932, use /proc/1/cmdline for boot/procfs creati…

…on time See falcosecurity#932 for more context Change occurrences of `/proc/1` to `/proc/1/cmdline` in * userspace/libscap/linux/scap_procs.c * userspace/libscap/scap.c Previous: ```c snprintf(proc_dir, sizeof(proc_dir), "%s/proc/1/", scap_get_host_root()); ``` This PR: ```c snprintf(proc_cmdline, sizeof(proc_cmdline), "%s/proc/1/cmdline", scap_get_host_root()); ``` Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com Signed-off-by: Stanley Chan <pocketgamer5000@gmail.com>
happy-dude · Mar 24, 2023 · 65a70bb · 65a70bb
1 parent c8b0d6a
commit 65a70bb
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 11 deletions.
diff --git a/userspace/libscap/linux/scap_procs.c b/userspace/libscap/linux/scap_procs.c
@@ -501,11 +501,11 @@ int32_t scap_proc_fill_cgroups(char* error, int cgroup_version, struct scap_thre
 
 int32_t scap_proc_fill_pidns_start_ts(char* error, struct scap_threadinfo* tinfo, const char* procdirname)
 {
-	char filename[SCAP_MAX_PATH_SIZE];
+	char proc_cmdline_pidns[SCAP_MAX_PATH_SIZE];
 	struct stat targetstat = {0};
 
-	snprintf(filename, sizeof(filename), "%sroot/proc/1", procdirname);
-	if(stat(filename, &targetstat) == 0)
+	snprintf(proc_cmdline_pidns, sizeof(proc_cmdline_pidns), "%sroot/proc/1/cmdline", procdirname);
+	if(stat(proc_cmdline_pidns, &targetstat) == 0)
 	{
 		tinfo->pidns_init_start_ts = targetstat.st_ctim.tv_sec * (uint64_t) 1000000000 + targetstat.st_ctim.tv_nsec;
 		return SCAP_SUCCESS;
@@ -977,9 +977,11 @@ static int32_t scap_proc_add_from_proc(scap_t* handle, uint32_t tid, char* procd
 			 dir_name, handle->m_lasterr);
 	}
 
-	if(stat(dir_name, &dirstat) == 0)
+	char proc_cmdline[SCAP_MAX_PATH_SIZE];
+	snprintf(proc_cmdline, sizeof(proc_cmdline), "%scmdline", dir_name);
+	if(stat(proc_cmdline, &dirstat) == 0)
 	{
-		tinfo->clone_ts = dirstat.st_ctim.tv_sec*1000000000 + dirstat.st_ctim.tv_nsec;
+		tinfo->clone_ts = dirstat.st_ctim.tv_sec * (uint64_t) 1000000000 + dirstat.st_ctim.tv_nsec;
 	}
 
 	// If tid is different from pid, assume this is a thread and that the FDs are shared, and set the

diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
@@ -705,9 +705,9 @@ void scap_deinit(scap_t* handle)
 	{
 		/* The capture should be stopped before
 		 * closing the engine, here we only enforce it.
-	     * Please note that there are some corner cases in which 
+		 * Please note that there are some corner cases in which
 		 * we call `scap_close` before the engine is validated
-		 * so we need to pay attention to NULL pointers in the 
+		 * so we need to pay attention to NULL pointers in the
 		 * following v-table methods.
 		 */
 		handle->m_vtable->stop_capture(handle->m_engine);
@@ -1240,12 +1240,12 @@ int32_t scap_get_boot_time(char* last_err, uint64_t *boot_time)
 	struct timespec tv_now = {0};
 	uint64_t now = 0;
 	uint64_t uptime = 0;
-	char proc_dir[PPM_MAX_PATH_SIZE];
+	char proc_cmdline[PPM_MAX_PATH_SIZE];
 	struct stat targetstat = {0};
 
-	/* More reliable way to get boot time */
-	snprintf(proc_dir, sizeof(proc_dir), "%s/proc/1/", scap_get_host_root());
-	if (stat(proc_dir, &targetstat) == 0)
+	/* More reliable way to get boot time, similar to Docker */
+	snprintf(proc_cmdline, sizeof(proc_cmdline), "%s/proc/1/cmdline", scap_get_host_root());
+	if (stat(proc_cmdline, &targetstat) == 0)
 	{
 		/* This approach is constant between agent re-boots */
 		*boot_time = targetstat.st_ctim.tv_sec * (uint64_t) SECOND_TO_NS + targetstat.st_ctim.tv_nsec;