Linux Procfs

October 02, 2019

I love the procfs because it provides an intuitive and easy-to-use interface for interacting with the kernel. In the same way you'd normally use the command line for exploring files, you can control and find out information about currently running processes. All without the need for special-purpose system calls.

A procfs is mounted at /proc by default. If you go into /proc you’ll see something like this:


You'll notice that a lot of the directories are named with just numbers. There is one directory for each process, and its name is that process's ID.

They all have the same layout:


Among these files you can find information such as the performance of the process, where the executable is located, resource limits, or namespace information. There's a lot to explore, but here are some highlights:

- /proc/[pid]/fd

A file descriptor is a process' handle on an open file. This directory contains symbolic links to the file descriptors that the process has open. Most importantly, you can find the file descriptors for the standard streams. One use case for this is using tail to follow logs printed to the standard error of a particular process (tail -f /proc/[pid]/fd/2).

- /proc/[pid]/exe and /proc/[pid]/cmdline

The exe file is a symbolic link to the executable that spawned the process. This could be useful if you have a program that wants to re-execute itself. The cmdline file will tell you what arguments were passed at the command line to run that process.

- /proc/[pid]/stat and /proc/[pid]/status

The stat and status files contain resource usage information about the process. They cover everything from what CPU core the process is running on to how many clock ticks the process has spent running or idle. Any system monitor program such as top would read the stat file every few seconds for CPU and memory share percentages.

- /proc/kallsyms

Here's a really cool one. This contains every symbol (function or variable) in your kernel's code. If you cat it as root, it'll also give you their static memory addresses. This is used for setting kprobes or for use in kernel modules.

- /proc/self

This is a symlink to the currently running process, meaning it resolves to the /proc/[pid] directory of whatever process requests access to it.
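
To show how the per-process files above fit together, here is an added example (not code from the original post) that reads exe, cmdline, status and fd for one process. The function names, the `root` parameter and the sample process are assumptions made for illustration, and the " (deleted)" check on the exe link goes slightly beyond what the post covers.

```python
import os
import tempfile

def read_proc_entry(pid, root="/proc"):
    """Summarise /proc/[pid]: exe link, cmdline, status fields, open fds."""
    base = os.path.join(root, str(pid))
    info = {"pid": int(pid), "exe": None, "exe_deleted": False,
            "cmdline": [], "status": {}, "fds": {}}
    try:
        info["exe"] = os.readlink(os.path.join(base, "exe"))
        # The kernel appends " (deleted)" when the binary was unlinked after exec.
        info["exe_deleted"] = info["exe"].endswith(" (deleted)")
    except OSError:
        pass  # kernel thread, no permission, or the process already exited
    try:
        with open(os.path.join(base, "cmdline"), "rb") as f:
            raw = f.read().rstrip(b"\0")
        # Arguments are NUL-separated, so spaces inside an argument survive.
        info["cmdline"] = [a.decode(errors="replace") for a in raw.split(b"\0")] if raw else []
        with open(os.path.join(base, "status")) as f:
            for line in f:
                key, _, value = line.partition(":")
                info["status"][key] = value.strip()
        fds = os.listdir(os.path.join(base, "fd"))
    except OSError:
        return info  # entries vanish when the process exits mid-read
    for fd in fds:
        try:
            info["fds"][int(fd)] = os.readlink(os.path.join(base, "fd", fd))
        except OSError:
            pass  # descriptor was closed between listdir and readlink
    return info

def make_sample_proc(root, pid=4242):
    """Constructed stand-in for one /proc/[pid] directory (not real data)."""
    base = os.path.join(root, str(pid))
    os.makedirs(os.path.join(base, "fd"))
    os.symlink("/tmp/updater (deleted)", os.path.join(base, "exe"))
    with open(os.path.join(base, "cmdline"), "wb") as f:
        f.write(b"/tmp/updater\0--config\0my file.conf\0")
    with open(os.path.join(base, "status"), "w") as f:
        f.write("Name:\tupdater\nState:\tS (sleeping)\nUid:\t1000\t1000\t1000\t1000\n")
    os.symlink("/dev/null", os.path.join(base, "fd", "0"))
    os.symlink("/var/log/updater.err", os.path.join(base, "fd", "2"))
    return pid

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(read_proc_entry(make_sample_proc(tmp), root=tmp))
```

On a Linux host, `read_proc_entry(os.getpid())` reads the same files from the live procfs.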


The directories and files in /proc don't actually exist on disk. The procfs is the kernel representing the processes on your system as if they were files. Whenever a process requests files in the procfs, the kernel responds with the contents of the theoretical file.

Now if only Apple would enable procfs on macOS…
