From 0b06e51ea1d6eec4db969064708e1ba997e14f1d Mon Sep 17 00:00:00 2001
From: Paul Buetow <paul@buetow.org>
Date: Thu, 6 Mar 2025 22:40:41 +0200
Subject: can gather file path from proc fs if unknown

---
 internal/eventloop.go |  4 ++--
 internal/file.go      | 13 +++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/internal/eventloop.go b/internal/eventloop.go
index 634e5d5..b26ae35 100644
--- a/internal/eventloop.go
+++ b/internal/eventloop.go
@@ -100,7 +100,7 @@ func (e *eventLoop) syscallExit(exitEv event, ch chan<- *eventPair) {
 		openEv := ev.enterEv.(*OpenEvent)
 
 		fd := int32(ev.exitEv.(*RetEvent).Ret)
-		file := fdFile{fd, string(openEv.Filename[:])}
+		file := newFdFile(fd, string(openEv.Filename[:]))
 		if fd >= 0 {
 			e.files[fd] = file
 		}
@@ -130,7 +130,7 @@ func (e *eventLoop) syscallExit(exitEv event, ch chan<- *eventPair) {
 				delete(e.files, fd)
 			}
 		} else {
-			ev.file = fdFile{fd, "?"}
+			ev.file = newFdFileWithPid(fd, ev.enterEv.(*FdEvent).Pid)
 		}
 		ev.comm, _ = e.comms[ev.enterEv.GetTid()]
 
diff --git a/internal/file.go b/internal/file.go
index 9230afd..efb570b 100644
--- a/internal/file.go
+++ b/internal/file.go
@@ -1,6 +1,8 @@
 package internal
 
 import (
+	"fmt"
+	"os"
 	"strconv"
 	"strings"
 )
@@ -14,6 +16,17 @@ type fdFile struct {
 	name string
 }
 
+func newFdFile(fd int32, name string) fdFile {
+	return fdFile{fd, name}
+}
+
+func newFdFileWithPid(fd int32, pid uint32) fdFile {
+	if linkName, err := os.Readlink(fmt.Sprintf("/proc/%d/fd/%d", pid, fd)); err == nil {
+		return fdFile{fd, linkName}
+	}
+	return fdFile{fd, "?"}
+}
+
 func (f fdFile) String() string {
 	var sb strings.Builder
 
-- 
cgit v1.2.3