Building a Custom eBPF Filesystem Watcher to Catch Root Ownership Goofs

A deep dive into building a Linux filesystem watcher. We compare fanotify vs. a powerful eBPF solution to solve in-kernel monitoring challenges.

Let’s dive in. According to the man page, we first need to call fanotify_init with the proper flags; this sets up a kernel-space notification group. LSM hooks provide a more stable and semantically meaningful API for monitoring filesystem events, since they are part of the kernel’s Linux Security Module framework. This little experiment turned out to be a great deep dive into Linux kernel internals, eBPF and the various trade-offs of running kernel-space programs.
