Skip to content



security_sb_mount - An event capturing the details when a file system is mounted.


The event gets triggered whenever a file system is mounted in the system, which could be a significant action from both a system administration and security perspective.

By hooking into the kernel's security_sb_mount function, this eBPF program captures details such as the device name, the path where the filesystem will be mounted, the type of the file system, and the flags provided for the mount operation.

Monitoring such mount events can provide a deep understanding of system operations and potential anomalies. For example, if an unexpected device or file system gets mounted, it could be indicative of a security breach or system misconfiguration.


  1. dev_name (const char*): The name of the device being mounted.
  2. path (const char*): The destination path in the file system where the device will be mounted.
  3. type (const char*): The type of the file system being mounted (e.g., ext4, nfs, etc.).
  4. flags (unsigned long): The flags that specify the mount options.




Kprobe (using kprobe/security_sb_mount).


To observe and gather data whenever a file system is mounted. The captured details include the device name, mounting path, file system type, and flags. All this information is saved into a buffer and is then submitted to user-space for further analysis or logging.

Example Use Case

By tracking the security_sb_mount event, system administrators can gain insights about what devices or file systems are being mounted, ensuring that only authorized actions are taken and detecting unexpected mounts, which could be a potential sign of malicious activity or system misconfiguration.

To get a more comprehensive view of system operations related to storage, it's beneficial to monitor this event in conjunction with others, like file system unmounting or device initialization events.

Note: This document was generated by OpenAI with a human review process.