Public bug reported:

Hello, the execsnoop-bpfcc field PCOMM is supposed to report the parent
process's COMM field, but I haven't seen it do that on Ubuntu systems.
Here's some outputs of running 'sleep 10' in a shell with a very fancy
PS1 prompt:

20.04 LTS:

$ sudo execsnoop-bpfcc
PCOMM            PID     PPID    RET ARGS
sleep            2367606 127550    0 /usr/bin/sleep 10
tmux             2367716 2367715   0 /usr/bin/tmux list-sessions
grep             2367717 2367715   0 /usr/bin/grep -cv attached
wc               2367720 2367718   0 /usr/bin/wc -l
wc               2367723 2367721   0 /usr/bin/wc -l
acpi             2367732 2367731   0 /usr/bin/acpi --battery
git              2367738 2367737   0 /usr/bin/git rev-parse --is-inside-work-tree
git              2367739 2367737   0 /usr/bin/git symbolic-ref -q HEAD
git              2367742 2367741   0 /usr/bin/git rev-parse --git-dir
git              2367743 2367736   0 /usr/bin/git status --porcelain
grep             2367744 2367736   0 /usr/bin/grep -Eq ^\?\?
git              2367766 2367765   0 /usr/bin/git stash list -n 1
git              2367767 2367766   0 /usr/lib/git-core/git config --bool stash.usebuiltin
git              2367769 2367768   0 /usr/bin/git config --get branch.master.remote
git              2367770 2367736   0 /usr/bin/git config --get branch.master.merge
git              2367772 2367771   0 /usr/bin/git rev-list --count refs/remotes/origin/master..HEAD
git              2367774 2367773   0 /usr/bin/git rev-list --count HEAD..refs/remotes/origin/master
git              2367776 2367775   0 /usr/bin/git diff --shortstat HEAD

$ uname -a
Linux millbarge 5.4.0-59-generic #65-Ubuntu SMP Thu Dec 10 12:01:51 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

18.04 LTS:

$ sudo execsnoop-bpfcc
PCOMM            PID    PPID   RET ARGS
sleep            12535  30858    0 /bin/sleep 10
grep             12810  12808    0 /bin/grep -c [Dd]etach[^)]*)$
screen           12809  12808    0 /usr/bin/screen -ls
grep             12813  12811    0 /bin/grep -cv attached
tmux             12812  12811    0 /usr/bin/tmux list-sessions
wc               12816  12814    0 /usr/bin/wc -l
wc               12819  12817    0 /usr/bin/wc -l
sensors          12823  12822    0 /usr/bin/sensors -u
sed              12824  12822    0 /bin/sed -n s/^ temp[0-9][0-9]*_input: \([0-9]*\)\..*$/\1/p

$ uname -a
Linux wopr 4.15.0-130-generic #134-Ubuntu SMP Tue Jan 5 20:46:26 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

You can see the example output has the parent comm in the PCOMM field:
https://github.com/iovisor/bcc/blob/master/tools/execsnoop_example.txt

I didn't spot any blame output that looked related, didn't spot any
issues that looked related, but I did see a comment from 2017 with the
same incorrect output:
https://github.com/iovisor/bcc/issues/1276#issuecomment-320751768 .

Thanks

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: bpfcc-tools 0.12.0-2
ProcVersionSignature: Ubuntu 5.4.0-59.65-generic 5.4.78
Uname: Linux 5.4.0-59-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu27.16
Architecture: amd64
CasperMD5CheckResult: skip
Date: Fri Feb 5 03:26:41 2021
PackageArchitecture: all
ProcEnviron:
 TERM=rxvt-unicode-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: bpfcc
UpgradeStatus: Upgraded to focal on 2020-01-24 (377 days ago)

** Affects: bpfcc (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug focal

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1914710

Title:
  execsnoop-bpfcc field pcomm reports comm, instead

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bpfcc/+bug/1914710/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
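
A way to check captured execsnoop output for the symptom reported above, added here as an example and not part of the original report or of bcc: it flags rows whose PCOMM equals the name of the exec'd binary and, for live triage, reads the parent's comm from /proc. The function names and the last sample row are constructed, and comm values are assumed to contain no spaces.

```python
import os

TASK_COMM_LEN = 16  # kernel comm holds at most 15 bytes plus the NUL

# Constructed sample: three rows from the 20.04 output above, plus one
# made-up row (last line) showing what a correct PCOMM would look like.
SAMPLE = """\
PCOMM PID PPID RET ARGS
sleep 2367606 127550 0 /usr/bin/sleep 10
git 2367767 2367766 0 /usr/lib/git-core/git config --bool stash.usebuiltin
grep 2367744 2367736 0 /usr/bin/grep -Eq ^\\?\\?
bash 4242 4241 0 /usr/bin/ls -l
"""

def parse_rows(text):
    """Split execsnoop rows into dicts; assumes comm contains no spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or not (parts[1].isdigit() and parts[2].isdigit()):
            continue  # header, blank or truncated line
        rows.append({"pcomm": parts[0], "pid": int(parts[1]),
                     "ppid": int(parts[2]), "ret": int(parts[3]),
                     "args": parts[4]})
    return rows

def pcomm_is_child_comm(row):
    """True when PCOMM equals the comm the exec'd binary itself would get."""
    argv0 = row["args"].split()[0]
    return row["pcomm"] == os.path.basename(argv0)[:TASK_COMM_LEN - 1]

def live_parent_comm(ppid):
    """Current comm of ppid from /proc, or None if it has already exited."""
    try:
        with open(f"/proc/{ppid}/comm") as fh:
            return fh.read().rstrip("\n")
    except OSError:
        return None

def suspect_rows(text):
    """Rows where PCOMM looks like the child's own comm, not the parent's."""
    return [r for r in parse_rows(text) if pcomm_is_child_comm(r)]

if __name__ == "__main__":
    rows, bad = parse_rows(SAMPLE), suspect_rows(SAMPLE)
    print(f"{len(bad)}/{len(rows)} rows have PCOMM equal to the exec'd binary")
    for r in bad:
        print(r["pid"], r["pcomm"], "parent now:", live_parent_comm(r["ppid"]))
```

A match is only indicative: a program that execs a binary of its own name (a shell starting a subshell, for instance) legitimately produces the same PCOMM and binary name.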