The Proc Connector and Socket Filters

“The proc connector is one of those interesting kernel features
that most people rarely come across, and even more rarely find
documentation on. Likewise the socket filter. This is a shame,
because they’re both really quite useful interfaces that might
serve a variety of purposes if they were better documented.

“The proc connector allows you to receive notification of
process events such as fork and exec calls, as well as changes to a
process’s uid, gid or sid (session id). These are provided through
a socket-based interface by reading instances of struct proc_event
defined in the kernel header.


“The interface is built on the more generic connector API, which
itself is built on the generic netlink API. These interfaces add
some complexity as they are intended to provide bi-directional
communication between the kernel and userspace; the connector API
appears to have been largely forgotten as newer such socket
interfaces simply declare their own first-class socket classes. So
we need the headers for those too.”
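
The layering the excerpt describes (netlink, then connector, then struct proc_event), shown as an added example that is not code from the quoted article: it builds a constructed fork-event datagram and unwraps it layer by layer using the three kernel UAPI headers. The function names and sample PIDs are illustrative assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <linux/netlink.h>    /* struct nlmsghdr, NLMSG_* (generic netlink layer) */
#include <linux/connector.h>  /* struct cn_msg, CN_IDX_PROC (connector layer) */
#include <linux/cn_proc.h>    /* struct proc_event (proc connector payload) */

/* Hypothetical helper: peel nlmsghdr -> cn_msg -> proc_event; -1 if malformed. */
int unwrap_proc_event(const unsigned char *buf, size_t len, struct proc_event *ev)
{
    struct nlmsghdr nl;
    struct cn_msg cn;
    size_t hdrs = NLMSG_HDRLEN + sizeof(cn);
    if (len < hdrs) return -1;                       /* truncated headers */
    memcpy(&nl, buf, sizeof(nl));
    memcpy(&cn, buf + NLMSG_HDRLEN, sizeof(cn));
    if (nl.nlmsg_type != NLMSG_DONE || nl.nlmsg_len > len) return -1;
    if (cn.id.idx != CN_IDX_PROC || cn.id.val != CN_VAL_PROC) return -1;
    if (cn.len < sizeof(*ev) || hdrs + cn.len > nl.nlmsg_len) return -1;
    memcpy(ev, buf + hdrs, sizeof(*ev));             /* copy out, keeps alignment */
    return 0;
}

/* Constructed sample: the bytes a listener would read for one fork event. */
size_t build_sample_fork(unsigned char *buf, int parent, int child)
{
    struct nlmsghdr nl = { .nlmsg_type = NLMSG_DONE };
    struct cn_msg cn = { .id = { CN_IDX_PROC, CN_VAL_PROC } };
    struct proc_event ev;
    memset(&ev, 0, sizeof(ev));
    ev.what = PROC_EVENT_FORK;
    ev.event_data.fork.parent_pid = ev.event_data.fork.parent_tgid = parent;
    ev.event_data.fork.child_pid = ev.event_data.fork.child_tgid = child;
    cn.len = sizeof(ev);
    nl.nlmsg_len = NLMSG_HDRLEN + sizeof(cn) + sizeof(ev);
    memcpy(buf, &nl, sizeof(nl));
    memcpy(buf + NLMSG_HDRLEN, &cn, sizeof(cn));
    memcpy(buf + NLMSG_HDRLEN + sizeof(cn), &ev, sizeof(ev));
    return nl.nlmsg_len;
}

int main(void)
{
    unsigned char buf[256];
    struct proc_event ev;
    size_t n = build_sample_fork(buf, 1000, 1001);   /* constructed PIDs */
    if (unwrap_proc_event(buf, n, &ev) == 0 && ev.what == PROC_EVENT_FORK)
        printf("fork: %d -> %d\n", ev.event_data.fork.parent_tgid, ev.event_data.fork.child_tgid);
    return 0;
}
```

A process-monitoring listener would run the same length and id checks on every datagram it reads before trusting the payload.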
