Merge pull request containers#23557 from deepskyblue86/crun-comm-3

chore(podmansnoop): explain why crun comm is 3
Regis-Caelum · Aug 9, 2024 · dd1d2c1 · dd1d2c1
2 parents d305a34 + ec59508
commit dd1d2c1
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/hack/podmansnoop b/hack/podmansnoop
@@ -125,7 +125,12 @@ def _print_event(cpu, data, size): # callback
 
     comm = e.comm.decode()
     if comm == "3":
-        # For absolutely unknown reasons, 'crun' appears as '3'.
+        # Because of CVE-2019-5736, crun copies itself on a memfd or temp file, add seals,
+        # then goes fexecve. The linux kernel will then set comm as the basename of
+        # /dev/fd/<fdnum>, which happens to be 3 being the first available file descriptor.
+        # runc implementation is slightly different, with multiple processes, and they also
+        # set the process name to make them intelligible (i.e. "runc:[0:PARENT]", "runc:[1:CHILD]")
+        # so it doesn't fall into this case.
         comm = "crun"
 
     if e.isArgv: