Attack wave on AUR packages!

--- [8] Loaded eBPF programs/links (bpftool) ---
  Loaded eBPF programs: 22
  WARNING: lsm eBPF programs loaded by unknown process (expected systemd / AppArmor / SELinux).
  Unknown loaders: python3(556)



Python3 is used to load my VPN daemon. According to HTOP.

Thanks for debugging, really helpful.

The python3(556) warning is almost certainly ProtonVPN — its Linux daemon is Python-based and legitimately loads lsm eBPF hooks for the network killswitch. False positive on archcanary’s end.

Fixed in the latest commit — it now checks if the loader’s binary is a pacman-owned package and downgrades to INFO if so, instead of warning.

  git pull
  ./install.sh --system
1 Like
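
One way to implement the ownership check described in the reply above, as an added example (not archcanary's own code). It goes one step further than the reply describes: when the loader is an interpreter such as `python3`, whose binary is packaged regardless of what it runs, it also checks the script named on the command line. `classify_loader`, `owned` and `PROC_ROOT` are hypothetical names; `pacman -Qo` and `/proc/<pid>/exe` are the real interfaces it relies on.

```shell
#!/bin/sh
# Added example (not archcanary's code): classify the process that loaded an
# eBPF program by whether pacman owns what it is actually running.
PROC_ROOT=${PROC_ROOT:-/proc}   # assumption: overridable so a constructed tree can be used

# owned PATH: succeeds when some installed package owns PATH (pacman -Qo).
owned() { pacman -Qo "$1" >/dev/null 2>&1; }

# classify_loader PID: prints "INFO <reason>" or "WARN <reason>".
classify_loader() {
    pid=$1
    exe=$(readlink "$PROC_ROOT/$pid/exe" 2>/dev/null) || { echo "WARN exe-unreadable"; return 0; }
    case $exe in
        *" (deleted)") echo "WARN exe-deleted"; return 0 ;;   # binary unlinked after start
    esac
    owned "$exe" || { echo "WARN exe-unowned $exe"; return 0; }
    case ${exe##*/} in
        python*|perl*|ruby*|node|bash|dash|sh|zsh)
            # A packaged interpreter proves nothing about the script it runs,
            # so take the first non-option argument and check that file too.
            script=$(tr '\0' '\n' < "$PROC_ROOT/$pid/cmdline" | sed 1d | grep -v '^-' | head -n 1)
            case $script in
                /*) owned "$script" || { echo "WARN script-unowned $script"; return 0; } ;;
                *)  echo "WARN script-unresolved"; return 0 ;;   # -c, -m, relative path
            esac
            echo "INFO owned-interpreter-and-script $script" ;;
        *)  echo "INFO owned-binary $exe" ;;
    esac
}

# Usage: sh classify.sh 556 1234   (the PIDs printed next to each loader)
for p in "$@"; do
    printf '%s\t%s\n' "$p" "$(classify_loader "$p")"
done
```

Run it as root so `/proc/<pid>/exe` is readable for other users' processes. A `WARN script-unresolved` result means the command line could not be tied to a file on disk and needs a manual look.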

Proton VPN is exactly what it is.

--- [8] Loaded eBPF programs/links (bpftool) ---
  Loaded eBPF programs: 26
  INFO: lsm eBPF programs loaded by non-systemd process (pacman-owned binary).
  Loaders: python3(556) (python)
  Perf attachments (kprobe/tracepoint): none.
  Net attachments (XDP/TC): none.

 Check summary
 ───────────────────────────────────────────────────────
 Package list (2016 pkgs)             ✅  clean
 pacman.log history                   ✅  clean
 Systemd persistence                  ✅  clean
 eBPF rootkit traces                  ✅  clean
 npm cache                            ✅  clean
 bun cache                            ✅  clean
 yarn cache                           ✅  clean
 pnpm cache                           ✅  clean
 PKGBUILD obfuscation scan            ✅  clean
 eBPF programs (bpftool)              ✅  clean
 ld.so.preload injection              ✅  clean
 XDG autostart + shell RCs            ✅  clean
 Kernel modules (DKMS)                ✅  clean
 Lynis hardening                      ✅  clean
 Package integrity                    ✅  clean
 ───────────────────────────────────────────────────────
============================================================
 RESULT: CLEAN - No indicators found.
============================================================

1 Like