From ec59508d4c8d8bfa5cf74bf95e71e27f9a1c2f57 Mon Sep 17 00:00:00 2001
From: Angelo Puglisi
Date: Fri, 9 Aug 2024 10:57:42 +0200
Subject: [PATCH] chore(podmansnoop): explain why crun comm is 3

Signed-off-by: Angelo Puglisi
---
 hack/podmansnoop | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/hack/podmansnoop b/hack/podmansnoop
index a404ccf0e8..343495e59c 100755
--- a/hack/podmansnoop
+++ b/hack/podmansnoop
@@ -125,7 +125,12 @@ def _print_event(cpu, data, size): # callback
     comm = e.comm.decode()
     if comm == "3":
-        # For absolutely unknown reasons, 'crun' appears as '3'.
+        # Because of CVE-2019-5736, crun copies itself on a memfd or temp file, add seals,
+        # then goes fexecve. The linux kernel will then set comm as the basename of
+        # /dev/fd/, which happens to be 3 being the first available file descriptor.
+        # runc implementation is slightly different, with multiple processes, and they also
+        # set the process name to make them intelligible (i.e. "runc:[0:PARENT]", "runc:[1:CHILD]")
+        # so it doesn't fall into this case.
         comm = "crun"
     if e.isArgv:
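Review bot: The new comment leaves the `/dev/fd/` path without the descriptor number and uses `i.e.` where examples are meant, so the explanation of how comm ends up as `3` is harder to follow than it should be; suggest `# /dev/fd/3, which happens to be 3 being the first available file descriptor.` and `(e.g. "runc:[0:PARENT]", "runc:[1:CHILD]")`, plus `adds seals` and `then calls fexecve` for grammar. The comment also makes explicit that `3` is only the first free descriptor at exec time, which means the `comm == "3"` check on the line above is still a heuristic: if crun ever inherited a different set of open descriptors the comm would presumably be another digit and would not be relabelled here. A short note such as `# NOTE: relies on fd 3 being the first free descriptor when crun re-execs; other fd numbers are not matched.` would keep that limitation visible to the next reader rather than implying the mapping is exact. `_print_event` starts and ends outside the hunk.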