add support for comm, coredump, and prctl procevents in firemon

RELNOTES

@@ -16,6 +16,7 @@ firejail (0.9.73) baseline; urgency=low
     --netfilter6= --trace=) (#6032 #6109)
   * feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200
     #6228 #6260 #6302 #6305)
+  * feature: add support for comm, coredump, and prctl procevents in firemon
   * modif: Stop forwarding own double-dash to the shell (#5599 #5600)
   * modif: Prevent sandbox name (--name=) and host name (--hostname=)
     from containing only digits (#5578 #5741)

src/firemon/procevent.c

@@ -301,7 +301,9 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 			proc_ev = (struct proc_event *)cn_msg->data;
 			pid_t pid = 0;
 			pid_t child = 0;
+			char *new_comm = NULL;
 			int remove_pid = 0;
+			int nodisplay = 0;
 			switch (proc_ev->what) {
 				case PROC_EVENT_FORK:
 #ifdef DEBUG_PRCTL
@@ -322,6 +324,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 						pids[child].parent = pid;
 					}
 					sprintf(lineptr, " fork");
+					nodisplay = 1;
 					break;
 				case PROC_EVENT_EXEC:
 					pid = proc_ev->event_data.exec.process_tgid;
@@ -363,6 +366,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 						sprintf(lineptr, " uid (%d:%d)",
 							proc_ev->event_data.id.r.ruid,
 							proc_ev->event_data.id.e.euid);
+					nodisplay = 1;
 					break;
 
 				case PROC_EVENT_GID:
@@ -379,6 +383,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 						sprintf(lineptr, " gid (%d:%d)",
 							proc_ev->event_data.id.r.rgid,
 							proc_ev->event_data.id.e.egid);
+					nodisplay = 1;
 					break;
 
 
@@ -391,6 +396,41 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 					sprintf(lineptr, " sid ");
 					break;
 
+				case PROC_EVENT_COREDUMP:
+					pid = proc_ev->event_data.coredump.process_tgid;
+#ifdef DEBUG_PRCTL
+	printf("%s: %d, event coredump, pid %d\n", __FUNCTION__, __LINE__, pid);
+#endif
+					sprintf(lineptr, " coredump ");
+					break;
+
+				case PROC_EVENT_COMM:
+					pid = proc_ev->event_data.comm.process_tgid;
+#ifdef DEBUG_PRCTL
+	printf("%s: %d, event comm, pid %d\n", __FUNCTION__, __LINE__, pid);
+#endif
+					if (proc_ev->event_data.comm.process_pid !=
+					    proc_ev->event_data.comm.process_tgid)
+						continue; // this is a thread, not a process
+
+					if (pids[pid].level == 1 ||
+					    pids[pids[pid].parent].level == 1) {
+						sprintf(lineptr, "\n");
+						continue;
+					}
+					else
+						sprintf(lineptr, " comm  %s", proc_ev->event_data.comm.comm);
+					nodisplay = 1;
+					break;
+
+				case PROC_EVENT_PTRACE:
+					pid = proc_ev->event_data.ptrace.process_tgid;
+#ifdef DEBUG_PRCTL
+	printf("%s: %d, event ptrace, pid %d\n", __FUNCTION__, __LINE__, pid);
+#endif
+					sprintf(lineptr, " ptrace ");
+					break;
+
 				default:
 #ifdef DEBUG_PRCTL
 	printf("%s: %d, event unknown\n", __FUNCTION__, __LINE__);
@@ -449,7 +489,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 				if (!cmd) {
 					cmd = pid_proc_cmdline(pid);
 				}
-				if (cmd == NULL)
+				if (cmd == NULL || nodisplay)
 					sprintf(lineptr, "\n");
 				else {
 					sprintf(lineptr, " %s\n", cmd);
@@ -473,15 +513,12 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
 			}
 
 			// print forked child
-			if (child) {
-				cmd = pid_proc_cmdline(child);
-				if (cmd) {
-					printf("\tchild %u %s\n", child, cmd);
-					free(cmd);
-				}
-				else
-					printf("\tchild %u\n", child);
-			}
+			if (child)
+				printf("\tchild %u\n", child);
+
+			// print new comm
+			if (new_comm)
+				printf("\tnew comm %s\n", new_comm);
 
 			// on uid events the uid is changing
 			if (proc_ev->what == PROC_EVENT_UID) {