Getting the actual executable path of current process context - Linux kernel

花落未央 2021-01-13 23:20

I'm trying to get the actual executable path of a running process through my kernel driver.

I've done the following:

static struct kretprobe do_for         


        
1 answer
  • 2021-01-14 00:01

    It is unclear what you are trying to get, so here is a list of options:

    • execname as it is considered by SystemTap. Simple process->comm should suffice. That is how the comm field is defined in the kernel:

      char comm[TASK_COMM_LEN]; /* executable name excluding path
                                  - access with [gs]et_task_comm (which lock
                                  it with task_lock())
                                  - initialized normally by setup_new_exec */
      

      But if bash is a symlink, then comm should contain the symlink's name, not the real executable name.

    • argv[0], the first element of the command line arguments array as it is seen by the application (and may be altered by it). There is a get_cmdline() function in the kernel, but it seems not to be exported.

    • Basename of the full path. In this case, do not call d_path; just take the d_name field of the dentry:

      /* f_path is an embedded struct path and d_name a struct qstr, so go through .dentry and .name */
      strlcpy(pathname, mm->exe_file->f_path.dentry->d_name.name, PATH_MAX);
      

    But it sounds like an XY problem. Are you trying to get executable names for all forking processes? Why not use SystemTap directly?

    # stap -v -e 'probe scheduler.process_fork { println(execname()); }'
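
To see from user space why the three names the answer distinguishes can disagree, here is an added example (not from the original post and not kernel code): it reads comm, argv[0] and the resolved executable path of a process from /proc, and models the rule the kernel uses to fill comm at exec time. The helper names and the /proc-based approach are this example's own; inside a module the same data comes from task->comm, the (unexported) get_cmdline(), and d_path() on mm->exe_file.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define TASK_COMM_LEN 16  /* mirrors the kernel constant: 15 characters plus NUL */

/* Read up to size-1 bytes of /proc/<pid>/<name> into buf; returns bytes read or -1. */
static ssize_t read_proc(pid_t pid, const char *name, char *buf, size_t size)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, name);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, size - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* task->comm as exported through /proc/<pid>/comm (newline-terminated). */
static int read_comm(pid_t pid, char *buf, size_t size)
{
    if (read_proc(pid, "comm", buf, size) < 0) return -1;
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* argv[0] as the process sees it (and may have rewritten): cmdline is NUL-separated, so buf ends at entry 0. */
static int read_argv0(pid_t pid, char *buf, size_t size)
{
    return read_proc(pid, "cmdline", buf, size) < 0 ? -1 : 0;
}

/* The real path: the kernel resolves /proc/<pid>/exe from mm->exe_file, seeing through symlinks. */
static int read_exe_path(pid_t pid, char *buf, size_t size)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/%d/exe", (int)pid);
    ssize_t n = readlink(link, buf, size - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* What the kernel stores in comm at exec: basename of the exec'd filename (a symlink's own name), cut to 15 bytes. */
static void expected_comm(const char *exec_filename, char *out)
{
    const char *slash = strrchr(exec_filename, '/');
    snprintf(out, TASK_COMM_LEN, "%s", slash ? slash + 1 : exec_filename);
}
```

A process launched through a symlink shows the symlink's basename in comm, whatever the process puts in argv[0], and the link target in the exe path, which is why only the last one identifies the binary reliably.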
    