failed to link process and package (needs-restarting) #2145

@MaineK00n

What did you do? (required. The issue will be closed when not provided.)

In Redhat, there is a function to link the process obtained by needs-restarting to an installed package.
However, the current implementation does not allow accurate linking to the package.

For example, assume the following needs-restarting output:

[root@localhost ~]# needs-restarting
1 : /usr/lib/systemd/systemd --system --deserialize 39 
577 : /usr/sbin/NetworkManager --no-daemon 
597 : /usr/lib/systemd/systemd-logind 
611 : /usr/bin/dbus-broker-launch --scope system --audit 
613 : dbus-broker --log 4 --controller 9 --machine-id 6562661accbe426982b858d468e267f9 --max-bytes 536870912 --max-fds 4096 --max-matches 131072 --audit 
634 : /sbin/agetty -o -p -- \u --noclear - linux 
786 : /usr/sbin/VBoxService --pidfile /var/run/vboxadd-service.sh 
4069 : sshd: vagrant [priv] 
4073 : /usr/lib/systemd/systemd --user 
4075 : (sd-pam) 
4082 : sshd: vagrant@pts/0  
4083 : -bash

Each line is split by :, and the left side is treated as PID and the right side is treated as Path.
Then, for Path, if it does not start with "/", it will look for the path to the binary being executed.

vuls/scanner/redhatbase.go

Lines 936 to 950 in 8cf43b8

path := ss[1]
if path != "" && !strings.HasPrefix(path, "/") {
    path = strings.Fields(path)[0]
    // [ec2-user@ip-172-31-11-139 ~]$ sudo needs-restarting
    // 2024 : auditd
    // [ec2-user@ip-172-31-11-139 ~]$ type -p auditd
    // /sbin/auditd
    cmd := fmt.Sprintf("LANGUAGE=en_US.UTF-8 which %s", path)
    r := o.exec(cmd, sudo)
    if !r.isSuccess() {
        o.log.Debugf("Failed to exec which %s: %s", path, r)
        continue
    }
    path = strings.TrimSpace(r.Stdout)
}

This implementation might work well for a line like this:

1 : /usr/lib/systemd/systemd --system --deserialize 39 
613 : dbus-broker --log 4 --controller 9 --machine-id 6562661accbe426982b858d468e267f9 --max-bytes 536870912 --max-fds 4096 --max-matches 131072 --audit 

But it won't work for a line like this:

4069 : sshd: vagrant [priv] 
4075 : (sd-pam) 
4083 : -bash

If you want to get the exact path of the binary that is being executed, you should look at the value of /proc/<PID>/exe.
However, since /proc/<PID>/exe points to the actual executable path, it may be different from /proc/<PID>/cmdline.
So in the example below, /proc/<PID>/cmdline points to /usr/sbin/VBoxService, but /proc/786/exe points to /opt/VBoxGuestAdditions-6.1.28/sbin/VBoxService.

// 786 : /usr/sbin/VBoxService --pidfile /var/run/vboxadd-service.sh 

[root@localhost 786]# cat /proc/786/cmdline 
/usr/sbin/VBoxService--pidfile/var/run/vboxadd-service.sh

[root@localhost 786]# readlink /proc/786/exe
/opt/VBoxGuestAdditions-6.1.28/sbin/VBoxService

[root@localhost 786]# which VBoxService
/usr/sbin/VBoxService

[root@localhost 786]# ls -l /usr/sbin/VBoxService
lrwxrwxrwx. 1 root root 47 May 31  2022 /usr/sbin/VBoxService -> /opt/VBoxGuestAdditions-6.1.28/sbin/VBoxService

Now, the obtained path is input into the rpm -qf command in the following part.

vuls/scanner/redhatbase.go

Lines 965 to 966 in 8cf43b8

path := strings.Fields(execCommand)[0]
cmd := `LANGUAGE=en_US.UTF-8 rpm -qf --queryformat "%{NAME}-%{EPOCH}:%{VERSION}-%{RELEASE}\n" ` + path

However, the specifications of /proc/<PID>/exe mentioned above do not match rpm -qf in some cases.
If it is /usr/sbin/arptables, you can get the package with rpm -qf, but if it is the actual path /etc/alternatives/arptables, you cannot get the package with rpm -qf.

[root@localhost sbin]# ls -l /usr/sbin/arptables
lrwxrwxrwx. 1 root root 27 May 31  2022 /usr/sbin/arptables -> /etc/alternatives/arptables
[root@localhost sbin]# rpm -qf /usr/sbin/arptables
iptables-nft-1.8.10-11.el9_5.x86_64
[root@localhost sbin]# rpm -qf /etc/alternatives/arptables
file /etc/alternatives/arptables is not owned by any package
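
The following is an added example, not code from vuls or from the issue author: a sketch of resolving each needs-restarting line to the paths worth passing to rpm -qf, covering the cases the issue lists (`sshd: vagrant [priv]`, `(sd-pam)`, `-bash`, and symlinked binaries). The names `Proc`, `ParseNeedsRestarting` and `CandidatePaths` are hypothetical, and trying the command-line path before the /proc/<PID>/exe target is an assumption, chosen because rpm -qf owns /usr/sbin/arptables but not /etc/alternatives/arptables.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Proc is one "PID : command" line of needs-restarting output (hypothetical type).
type Proc struct{ PID int; Cmd string }

// ParseNeedsRestarting splits each line at the first " : " only, so a command
// such as "sshd: vagrant [priv]" keeps its own colon.
func ParseNeedsRestarting(out string) []Proc {
	var procs []Proc
	for _, line := range strings.Split(out, "\n") {
		pidStr, cmd, ok := strings.Cut(line, " : ")
		pid, err := strconv.Atoi(strings.TrimSpace(pidStr))
		if !ok || err != nil {
			continue // shell prompt, blank line, or other noise
		}
		procs = append(procs, Proc{PID: pid, Cmd: strings.TrimSpace(cmd)})
	}
	return procs
}

// CandidatePaths lists absolute paths to try with rpm -qf, in order: the first
// field of the command when it is absolute, then the /proc/<PID>/exe target.
// readlink is injected so the logic can be exercised without a live /proc.
func CandidatePaths(p Proc, readlink func(string) (string, error)) []string {
	var paths []string
	if f := strings.Fields(p.Cmd); len(f) > 0 && strings.HasPrefix(f[0], "/") {
		paths = append(paths, f[0])
	}
	exe, err := readlink(fmt.Sprintf("/proc/%d/exe", p.PID))
	// Linux appends " (deleted)" when the binary on disk has been replaced.
	exe = strings.TrimSuffix(exe, " (deleted)")
	if err == nil && strings.HasPrefix(exe, "/") && (len(paths) == 0 || paths[0] != exe) {
		paths = append(paths, exe)
	}
	return paths
}

func main() { // two sample lines taken from the issue's needs-restarting output
	for _, p := range ParseNeedsRestarting("786 : /usr/sbin/VBoxService --pidfile /var/run/vboxadd-service.sh \n4083 : -bash\n") {
		fmt.Println(p.PID, CandidatePaths(p, os.Readlink))
	}
}
```

A caller would run rpm -qf on each candidate in turn and keep the first one that a package owns.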
