| CPC G06F 16/164 (2019.01) [G06F 16/137 (2019.01); G06F 16/1734 (2019.01)] | 14 Claims |
|
1. A method comprising:
identifying, by a user space monitoring application executing in a user space of an operating system, a target application file associated with a target application process executing in the user space of the operating system, wherein the target application process is associated with a first mount namespace in a kernel space of the operating system that is currently inaccessible by the user space monitoring application;
determining that a first process of the operating system switched from a second mount namespace to the first mount namespace;
updating a mapping to add an entry that associates the first process with the first mount namespace and remove an entry associating the first process with the second mount namespace; and
in response to the first mount namespace being inaccessible by the user space monitoring application:
accessing, by the user space monitoring application, the updated mapping between the first mount namespace and the first process executing in the user space of the operating system, wherein the accessing further comprises retrieving the updated mapping from a shared memory that is shared between the user space of the operating system and the kernel space of the operating system;
switching, by a processing device, the user space monitoring application to the first mount namespace based on a process identifier (PID) in the updated mapping that corresponds to the first process; and
accessing, by the user space monitoring application, the target application file in the first mount namespace; and
generating a file hash of contents of the target application file.
|