lsmtrace
lsmtrace copied to clipboard

lumontec

→

Metadata

Trace deep kernel events through eBPF and lsm hooks

Readme
Issues

lsmtrace

Trace all Linux Security Modules hooks touched by executable.
Have a look at my blog post to find out more.

Requirements

Your kernel must have been compiled with the follwing options:

BPF_SYSCALL
BPF_LSM
DEBUG_INFO
DEBUG_INFO_BTF

Compilation

$ git submodule update --init --recursive    # check out libbpf
$ cd src
$ make

Run

$ sudo ./lsmtrace /usr/bin/ls -a /home  

Attaching hooks, don`t rush..

-> HOOK_CALL: -> cred_getsecid( const struct cred *c, u32 *secid )
-> HOOK_CALL: -> file_permission( struct file *file, int mask )
     file,f_mode = 32797
     file,f_path.dentry,d_flags = 64
     file,f_path.dentry,d_name.name = ls
     file,f_path.dentry,d_inode,i_ino = 3670696
...

About

Trace deep kernel events through eBPF and lsm hooks

security

ebpf

kernel

tracing

linux-security-module

32

Stars

8

Forks

Watchers

Owner

lumontec

← Metadata

32

Stars

8

Forks

Watchers

Owner

lumontec

Metadata

Trace deep kernel events through eBPF and lsm hooks

Back

lsmtrace lsmtrace copied to clipboard

Metadata

lsmtrace

Requirements

Compilation

Run

← Metadata

Owner

Metadata

lsmtrace
lsmtrace copied to clipboard