ProcessWatch is a Linux kernel module that exposes process information through a /proc interface. It allows users to monitor running processes and apply filters dynamically by writing to the proc file.
The module creates `/proc/procwatch`, which:
- lists active processes from kernel space
- supports runtime filtering via writes to `/proc/procwatch`
When you run:

```sh
cat /proc/procwatch
```

the module iterates over `task_struct` and prints the following process details:
- PID
- Process name
- UID / loginuid
You can write filter criteria into the proc file:

```sh
echo "name=bash" > /proc/procwatch
```

or

```sh
echo "pid=6969" > /proc/procwatch
```

The next read will only show matching processes. To drop the filter again:

```sh
echo "clear" > /proc/procwatch
```

| Filter Type | Example Input | Description |
|---|---|---|
| Name | `name=bash` | Match process name |
| PID | `pid=6969` | Filter by process ID |
| UID | `uid=6969` | Filter by user ID |
| Clear | `clear` | Remove all filters |
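The write handler that parses these filter commands, and the per-task check the read handler applies while walking the task list, are the two pieces of a module like this that are worth seeing in code. What follows is an added example written for this page, not ProcessWatch's own source: plain userspace C that models what a `.proc_write` handler does once `copy_from_user()` has landed the caller's bytes in a kernel buffer, plus the match test run against each task's pid, uid and comm. The kernel-only calls (`copy_from_user`, `kstrtol`, `for_each_process` under `rcu_read_lock`, `seq_printf`) are left out so it compiles and runs anywhere; the names `pw_apply_command`, `pw_matches`, `g_filter`, `CMD_MAX` and the sample task table are assumptions made here. Anyone allowed to write the proc entry reaches this code path, so it is the module's attack surface: the copy must be bounded by the kernel buffer rather than by the caller-supplied count, the input must be NUL-terminated and parsed strictly (`echo` appends a newline, and `69x9` is not a pid), and a new filter should be committed only after it validates, so a bad write leaves the previous filter in place.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Filter state kept between a write to /proc/procwatch and the next read.
 * All identifiers here are assumptions for this example, not the project's. */
enum filter_kind { FILTER_NONE, FILTER_NAME, FILTER_PID, FILTER_UID };

#define COMM_LEN 16  /* TASK_COMM_LEN: a comm is at most 15 chars + NUL */
#define CMD_MAX  64  /* cap on a single write; longer input is rejected */

struct pw_filter { enum filter_kind kind; char name[COMM_LEN]; long pid; long uid; };
struct pw_filter g_filter = { .kind = FILTER_NONE };

/* Strict non-negative decimal parse in the spirit of kstrtol: the whole
 * string must be digits, so "69x9", "-1" or "" are rejected, not truncated. */
static bool parse_long(const char *s, long *out)
{
    char *end;
    if (!isdigit((unsigned char)*s)) return false;
    errno = 0;
    *out = strtol(s, &end, 10);
    return errno == 0 && *end == '\0';
}

/* The .proc_write logic once copy_from_user() has placed `count` bytes of
 * user data in `ubuf`.  Returns 0 or -EINVAL like a real write handler, and
 * on error leaves the active filter untouched: a bad write never half-applies. */
int pw_apply_command(const char *ubuf, size_t count)
{
    char buf[CMD_MAX + 1];
    struct pw_filter nf = { .kind = FILTER_NONE };
    char *eq; long v;

    if (count == 0 || count > CMD_MAX)   /* caller picks count; buffer is fixed */
        return -EINVAL;
    memcpy(buf, ubuf, count);
    buf[count] = '\0';                   /* user data is not NUL-terminated */
    if (buf[count - 1] == '\n')          /* echo appends exactly one newline */
        buf[--count] = '\0';
    if (strlen(buf) != count)            /* embedded NUL would truncate silently */
        return -EINVAL;
    if (strcmp(buf, "clear") == 0) { g_filter = nf; return 0; }

    eq = strchr(buf, '=');
    if (eq == NULL || eq[1] == '\0')
        return -EINVAL;
    *eq = '\0';
    const char *key = buf, *val = eq + 1;
    if (strcmp(key, "name") == 0) {
        if (strlen(val) >= COMM_LEN)     /* longer than any comm: can never match */
            return -EINVAL;
        nf.kind = FILTER_NAME; strcpy(nf.name, val);
    } else if (strcmp(key, "pid") == 0) {
        if (!parse_long(val, &v) || v > INT_MAX)
            return -EINVAL;
        nf.kind = FILTER_PID; nf.pid = v;
    } else if (strcmp(key, "uid") == 0) {
        if (!parse_long(val, &v) || (unsigned long)v > UINT_MAX)
            return -EINVAL;
        nf.kind = FILTER_UID; nf.uid = v;
    } else {
        return -EINVAL;                  /* unknown key */
    }
    g_filter = nf;                       /* commit only once fully validated */
    return 0;
}

/* Per-task check the read handler runs while walking the task list; pid,
 * uid and comm are what the module would take from each task_struct. */
bool pw_matches(long pid, long uid, const char *comm)
{
    switch (g_filter.kind) {
    case FILTER_NAME: return strcmp(g_filter.name, comm) == 0;
    case FILTER_PID:  return g_filter.pid == pid;
    case FILTER_UID:  return g_filter.uid == uid;
    default:          return true;       /* FILTER_NONE: list everything */
    }
}

int main(void)
{
    /* Constructed sample tasks standing in for the real task list. */
    struct { long pid, uid; const char *comm; } tasks[] = {
        { 1, 0, "systemd" }, { 812, 0, "sshd" }, { 6969, 1000, "bash" }, { 7010, 1000, "bash" } };
    const char *cmds[] = { "name=bash\n", "pid=6969\n", "uid=0\n", "pid=69x9\n", "clear\n" };

    for (size_t c = 0; c < sizeof cmds / sizeof cmds[0]; c++) {
        int rc = pw_apply_command(cmds[c], strlen(cmds[c]));
        printf("write %-10.*s -> %s\n", (int)strlen(cmds[c]) - 1, cmds[c], rc ? "rejected" : "ok");
        for (size_t i = 0; i < sizeof tasks / sizeof tasks[0]; i++)
            if (pw_matches(tasks[i].pid, tasks[i].uid, tasks[i].comm))
                printf("  %5ld %-8s uid=%ld\n", tasks[i].pid, tasks[i].comm, tasks[i].uid);
    }
    return 0;
}
```

Build with `cc -Wall -Wextra -o procwatch_filter procwatch_filter.c` and run it: each line of `cmds` plays the role of one `echo ... > /proc/procwatch`, and the tasks printed under it are what the following `cat` would list. Note that the rejected `pid=69x9` write leaves the earlier `pid=6969` filter in force, which is the behaviour the commit-after-validate pattern buys you. In the real module the uid passed to `pw_matches` would come from `from_kuid(&init_user_ns, task_uid(task))`; whether the filter should compare against that or against the loginuid the module also prints is a choice the page does not settle, so the example assumes the real UID.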
Mostly just to:
- mess with `/proc`
- understand how user <-> kernel interaction works
- get comfortable poking around `task_struct`
- and generally to stop treating kernel code like black magic
