Version: v0.52.0

trace_init_module

The trace_init_module gadget emits events when processes invoke the init_module() or finit_module() syscalls to load kernel modules.

Syscalls traced:

init_module(module_image, len, param_values) - loads a module from a memory buffer
finit_module(fd, param_values, flags) - loads a module from a file descriptor

This gadget captures:

For init_module: module size (len) and parameters (param_values)
For finit_module: file descriptor (fd), resolved filepath, flags, and parameters (param_values)

Note: The module_image parameter from init_module is intentionally not captured.

Requirements

Minimum Kernel Version : 5.4

Getting started

Running the gadget:

kubectl gadget
ig

$ kubectl gadget run ghcr.io/inspektor-gadget/gadget/trace_init_module:v0.52.0 [flags]

$ sudo ig run ghcr.io/inspektor-gadget/gadget/trace_init_module:v0.52.0 [flags]

Flags

`--pid`

Show only events generated by processes with this pid

Default value: ""

`--uid`

Show only events generated by processes with this uid

Default value: ""

Example output

$ sudo ig run trace_init_module:v0.52.0
RUNTIME.CONTAINERNAME COMM  PID   TID   LEN  PARAM_VALUES
...                  insmod 1234  1234  4096 foo=bar

Requirements​

Getting started​

Flags​

--pid​

--uid​

Example output​