From 8b7ea120670525d9ac7f1698ae7482d691e840a4 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Mon, 9 Nov 2020 17:02:22 +0100
Subject: [PATCH] Added check for " (deleted)" suffix in get_program_from_fd()
(#97)
- get rid of this suffix
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
Removed strstr (#102)
---
src/library/process.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/library/process.c b/src/library/process.c
index edd2cca..6406610 100644
--- a/src/library/process.c
+++ b/src/library/process.c
@@ -146,10 +146,24 @@ char *get_program_from_pid(pid_t pid, size_t blen, char *buf)
return buf;
}
+
+ size_t len = 0;
if ((size_t)path_len < blen)
- buf[path_len] = 0;
+ len = path_len;
else
- buf[blen-1] = '\0';
+ len = blen-1;
+
+ buf[len] = '\0';
+ // some binaries can be deleted after execution
+ // then we need to delete the suffix so they are
+ // trusted even after deletion
+
+ // strlen(" deleted") == 10
+ if (buf[len-1] == ')' && len > 10) {
+
+ if (strcmp(&buf[len - 10], " (deleted)") == 0)
+ buf[len - 10] = '\0';
+ }
return buf;
}
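Review bot: The new guard `if (buf[len-1] == ')' && len > 10)` reads `buf[len-1]` before it tests `len`, so if `len` is 0 (a zero-length link target, or a `blen` of 1) the index wraps and the read falls outside `buf`; test the length first, `if (len > 10 && buf[len-1] == ')') {`. The comment above it should read `// strlen(" (deleted)") == 10`, because the string it currently names is only 8 characters long. Since the comment says the stripped path is what stays trusted, a live file whose real name ends in " (deleted)" appears indistinguishable here from an unlinked one. Confirming the unlink before truncating (for example a link count of 0 from `stat()` on the same /proc link) would remove that ambiguity, though how much it matters depends on callers not shown. The function's opening lines are above the hunk, so the earlier handling of `path_len` and `blen` could not be checked.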
--
2.26.2