--- [8] Loaded eBPF programs/links (bpftool) ---
Loaded eBPF programs: 22
WARNING: lsm eBPF programs loaded by unknown process (expected systemd / AppArmor / SELinux).
Unknown loaders: python3(556)
Python3 is used to load my VPN daemon. According to HTOP.
muzqs
June 25, 2026, 7:36am
22
Thanks for debugging, really helpful.
The python3(556) warning is almost certainly ProtonVPN β its Linux daemon is Python-based and legitimately loads lsm eBPF hooks for the network killswitch. False positive on archcanaryβs end.
Fixed in the latest commit β it now checks if the loaderβs binary is a pacman-owned package and downgrades to INFO if so, instead of warning.
git pull
./install.sh --system
1 Like
Proton VPN is exactly what it is.
--- [8] Loaded eBPF programs/links (bpftool) ---
Loaded eBPF programs: 26
INFO: lsm eBPF programs loaded by non-systemd process (pacman-owned binary).
Loaders: python3(556) (python)
Perf attachments (kprobe/tracepoint): none.
Net attachments (XDP/TC): none.
Check summary
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Package list (2016 pkgs) β
clean
pacman.log history β
clean
Systemd persistence β
clean
eBPF rootkit traces β
clean
npm cache β
clean
bun cache β
clean
yarn cache β
clean
pnpm cache β
clean
PKGBUILD obfuscation scan β
clean
eBPF programs (bpftool) β
clean
ld.so.preload injection β
clean
XDG autostart + shell RCs β
clean
Kernel modules (DKMS) β
clean
Lynis hardening β
clean
Package integrity β
clean
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
============================================================
RESULT: CLEAN - No indicators found.
============================================================
1 Like