Show HN: Detecting running processes using AF_ALG
A new tool has been developed to detect processes using AF_ALG sockets, which can help assess the safety of disabling the AF_ALG kernel module. The tool identifies running processes that rely on AF_ALG, such as bluetoothd, to prevent unintended disruptions. It outputs results in JSON format and supports streaming mode for real-time monitoring.
- The tool helps identify processes using AF_ALG sockets to evaluate the impact of disabling the AF_ALG kernel module.
- It can be run via Go or by downloading a precompiled binary from GitHub.
- Output is provided in JSON format, listing process IDs, file descriptors, and associated commands.
- Streaming mode allows continuous monitoring of AF_ALG usage during execution.
- Permission errors may occur if the tool cannot access certain process file descriptors.
Opening excerpt (first ~120 words)
Detect AF_ALG sockets

Recently the https://copy.fail exploit was released; it uses AF_ALG (aead) to achieve arbitrary page write. If you're looking for a way to determine whether it's safe to just turn off the AF_ALG kernel module entirely, this tool will give you a list of processes that currently use AF_ALG that may need to be migrated before doing so.

Running

    sudo go run main.go
    # Or
    go build
    sudo ./detect-running-alg-socket
    # Or
    curl -L https://github.com/NHAS/detect-running-alg-socket/releases/download/v1.0.0/detect-running-alg-socket-linux-amd64 -o detect-running-alg-socket-linux-amd64 && chmod +x detect-running-alg-socket-linux-amd64
    sudo ./detect-running-alg-socket-linux-amd64

Arguments

    Usage of ./detect-running-alg-socket:
      -ignore-permissions-errors
            ignore permission errors
      -stream…
Excerpt limited to ~120 words for fair-use compliance. The full article is at GitHub.
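One way a scanner of this kind can find AF_ALG holders, as an added example that is not the tool's own code (the excerpt does not show its detection method): walk `/proc/<pid>/fd` and read each socket's `system.sockprotoname` extended attribute, which sockfs reports as `ALG` for AF_ALG sockets. `Hit`, `Scan`, `sockProto` and the JSON keys are hypothetical names; PIDs whose descriptors cannot be read are returned separately so a permission error is not mistaken for a clean result.

```go
package main

import (
	"encoding/json"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// Hit is a constructed record shape, not the tool's actual JSON schema.
type Hit struct{ PID, FD, Comm string }

// sockProto reads the sockfs protocol name behind an fd link (this example's method, assumed).
func sockProto(path string) (string, error) {
	buf := make([]byte, 64)
	n, err := syscall.Getxattr(path, "system.sockprotoname", buf)
	if err != nil {
		return "", err
	}
	return strings.TrimRight(string(buf[:n]), "\x00"), nil // kernel includes the trailing NUL
}

// Scan returns AF_ALG socket holders under procRoot and the PIDs it was not allowed to inspect.
func Scan(procRoot string, proto func(string) (string, error)) (hits []Hit, denied []string) {
	fdDirs, _ := filepath.Glob(filepath.Join(procRoot, "[0-9]*", "fd"))
	for _, dir := range fdDirs {
		pid := filepath.Base(filepath.Dir(dir))
		entries, err := os.ReadDir(dir)
		if os.IsPermission(err) {
			denied = append(denied, pid) // a blind spot, not evidence of absence
		}
		for _, e := range entries {
			link := filepath.Join(dir, e.Name())
			if t, _ := os.Readlink(link); !strings.HasPrefix(t, "socket:[") {
				continue // only socket descriptors are of interest
			}
			if name, err := proto(link); err == nil && name == "ALG" {
				comm, _ := os.ReadFile(filepath.Join(procRoot, pid, "comm"))
				hits = append(hits, Hit{pid, e.Name(), strings.TrimSpace(string(comm))})
			}
		}
	}
	return hits, denied
}

func main() {
	hits, denied := Scan("/proc", sockProto)
	json.NewEncoder(os.Stdout).Encode(map[string]any{"af_alg": hits, "permission_denied": denied})
}
```

Run it as root to cover every process; when run unprivileged, treat the `permission_denied` list as processes still to be checked before unloading the module.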