docs(userspace/libsinsp): more detailed docs about proc filterchecks

[therealbobo]

What type of PR is this?

/kind documentation

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-gvisor

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap-engine-udig

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

This clarifies in the docs the behaviour of some filters of the processes.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

[leogr]

Overall, SGTM, thank you!

Just left a couple of comments

[leogr]

Suggested change

	{PT_CHARBUF, EPF_NONE, PF_NA, "proc.exe", "First Argument", "The first command line argument argv[0] (usually the executable name or a custom one). This field is updated on a procfs scan (in this case the field is read from /proc/<pid>/cmdline) or when a exceve or close syscall occurs (in this case the field is read from the syscall args)."},
	{PT_CHARBUF, EPF_NONE, PF_NA, "proc.exe", "First Argument", "The first command line argument argv[0] which is usually the executable name or a custom string. This field is initially updated through a procfs scan (specifically by reading from /proc/<pid>/cmdline), then through the syscall events stream at runtime (in this case, the field is read from the syscall args)."},

I'd not list the exact syscalls since they can change over time. I'd just mention

• procfs scan (only at starting time, pls this needs to be confirmed)
• syscall events stream (at runtime, without mentioning all the syscalls.

(Pls note, my suggestion is just a proposal, not necessarily the best way to document that field)

[therealbobo]

I really like these suggestions! Also I took a look at the code and the procfs scan is done at starting time only as you said! 😄

[therealbobo]

I took another look and, to be precise, the Procfs scans could also happen in live mode. e.g.:

libs/userspace/libsinsp/parsers.cpp

Line 711 in e54bbb8

evt->m_tinfo = m_inspector->get_thread_ref(evt->m_pevt->tid, query_os, false).get();

Given that I think that the best approach is to be more generic: documenting it in a very precise way could be a problem and lead to inconsistencies for the final user if the behaviour changes.

[loresuso]

same as above for at runtime

[incertum]

re exepath, should we be very clear that this applies only to executables that have an image on disk / on the filesystem? Since we are working on memfd+exec flag ...

[leogr]

Overall, SGTM. However, after a second look, I believe we should be more transparent regarding all those implications that are not self-evident. See my comments below.

[Andreagit97]

/approve

[poiana]

LGTM label has been added.

Git tree hash: f4e5834bb9db1775047bd4582806ee11bccf666d

[incertum]

Thanks a bunch @therealbobo for your help🙏 !

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, incertum, therealbobo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Andreagit97,incertum]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment