FAQ - Frequently Asked Questions
When tracee-ebpf reads information from user programs, it is subject to a race condition: the user program may change the arguments after Tracee has read them but before the kernel uses them.
For example, a program invokes:
execve("/bin/ls", NULL, 0)
Tracee picks that up and reports it; the program then changes the first argument to
/bin/bash, and this is what the kernel actually executes.
To mitigate this, Tracee also provides LSM (Linux Security Module) based events, for example the
bprm_check event. Tracee reports it alongside the regular syscall event, and the two can be cross-referenced: the LSM hook runs inside the kernel after the arguments have been copied in, so its view is the one the kernel acts on.
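The cross-reference described above, as an added example that is not part of the Tracee project: it pairs each execve syscall event with the next LSM check on the same thread and flags pairs whose pathnames differ. The JSON field names (eventName, processId, threadId, args[].name/value), the LSM event name security_bprm_check and the sample lines are assumptions about Tracee's JSON output, constructed for this example.

```python
# Added example (not Tracee's own code): correlate the syscall execve event
# with the LSM bprm_check event for the same thread and flag a mismatch, which
# is the symptom of the argument race described above.
# Field names and event names are assumptions about Tracee's JSON output.
import json

# Constructed sample: thread 4242 shows the race (syscall saw /bin/ls, LSM hook
# saw /bin/bash); thread 4243 is a normal, consistent exec.
SAMPLE_EVENTS = """\
{"eventName":"execve","processId":4242,"threadId":4242,"args":[{"name":"pathname","value":"/bin/ls"}]}
{"eventName":"security_bprm_check","processId":4242,"threadId":4242,"args":[{"name":"pathname","value":"/bin/bash"}]}
{"eventName":"execve","processId":4243,"threadId":4243,"args":[{"name":"pathname","value":"/usr/bin/id"}]}
{"eventName":"security_bprm_check","processId":4243,"threadId":4243,"args":[{"name":"pathname","value":"/usr/bin/id"}]}
"""


def arg_value(event, name):
    """Return the value of the named argument from a Tracee-style event."""
    for arg in event.get("args", []):
        if arg.get("name") == name:
            return arg.get("value")
    return None


def find_exec_mismatches(lines, syscall="execve", lsm="security_bprm_check"):
    """Pair each syscall exec event with the next LSM check on the same thread.

    Returns (tid, syscall_path, lsm_path) for every pair whose pathnames differ.
    The LSM value is the authoritative one: it is what the kernel executed.
    """
    pending = {}      # thread id -> pathname as seen by the syscall event
    mismatches = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        tid = ev["threadId"]
        if ev["eventName"] == syscall:
            pending[tid] = arg_value(ev, "pathname")
        elif ev["eventName"] == lsm and tid in pending:
            seen = pending.pop(tid)
            actual = arg_value(ev, "pathname")
            if seen != actual:
                mismatches.append((tid, seen, actual))
    return mismatches


if __name__ == "__main__":
    for tid, seen, actual in find_exec_mismatches(SAMPLE_EVENTS.splitlines()):
        print(f"tid {tid}: syscall reported {seen!r}, kernel executed {actual!r}")
```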