Can Linux kprobes get disabled temporarily by the kernel?


I am monitoring illegal task namespace changes using kprobes on wake_up_new_task(), do_exit(), begin_new_exec(), unshare() and setns().

For a few systemd services like timedated or upowerd, the kprobes are not always called, and namespace changes are missed, resulting in false detections.

One scenario was if kprobes were being attached while services were starting, which I addressed with an all_probes_attached flag in a BPF map. But I still get false detections.

Can kprobes get disabled temporarily during suspend/resume, hibernate or live kernel patches? Can I detect this from BPF or usermode?


There are 0 answers
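One usermode check for the "can I detect this?" part of the question, added here as an example and not code from the poster: parse the kernel's kprobes debugfs listing and report any of the expected probes that are absent, `[DISABLED]` or `[GONE]`, or everything if the global `kprobes/enabled` switch is off. The debugfs paths, the lenient line format, the `ksys_unshare`/`__x64_sys_setns` symbol names for the unshare/setns hooks and the sample listing are all assumptions or constructed data.

```python
"""Check from usermode that the kprobes a BPF monitor depends on are
registered and active, by parsing /sys/kernel/debug/kprobes/list."""
import re
from typing import Dict, Set

# Assumed debugfs interface (needs root and a mounted debugfs).
KPROBE_LIST = "/sys/kernel/debug/kprobes/list"
KPROBE_ENABLED = "/sys/kernel/debug/kprobes/enabled"   # "1" = kprobes globally on

# Symbols the monitor hooks; the last two are assumed names for unshare/setns.
WANTED = {"wake_up_new_task", "do_exit", "begin_new_exec",
          "ksys_unshare", "__x64_sys_setns"}

# Lenient match: "<addr>  <k|r>  <symbol>+0x<off>  [module]<[FLAG]...>"
LINE_RE = re.compile(r"^[0-9a-f]+\s+[kr]\s+(?P<sym>[^\s+]+)\+0x[0-9a-f]+(?P<rest>.*)$")


def parse_kprobe_list(text: str) -> Dict[str, Set[str]]:
    """Map each probed symbol to its flag set, e.g. {'FTRACE', 'DISABLED'}."""
    probes: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flags = set(re.findall(r"\[([A-Z]+)\]", m.group("rest")))
            probes.setdefault(m.group("sym"), set()).update(flags)
    return probes


def missing_or_inactive(probes: Dict[str, Set[str]], wanted: Set[str],
                        globally_enabled: bool = True) -> Set[str]:
    """Symbols whose probe cannot fire: not listed, disabled or gone.
    With the global switch off, no kprobe fires, so every symbol is reported."""
    if not globally_enabled:
        return set(wanted)
    return {s for s in wanted
            if s not in probes or probes[s] & {"DISABLED", "GONE"}}


def check_live(wanted: Set[str] = WANTED) -> Set[str]:
    """Read the real debugfs files (root required) and report gaps."""
    with open(KPROBE_ENABLED) as f:
        enabled = f.read().strip() == "1"
    with open(KPROBE_LIST) as f:
        return missing_or_inactive(parse_kprobe_list(f.read()), wanted, enabled)


# Constructed sample listing: do_exit disabled, the setns hook missing.
SAMPLE = """\
ffffffff8a0c2f50  k  wake_up_new_task+0x0   [FTRACE]
ffffffff8a0a1e20  k  do_exit+0x0   [DISABLED][FTRACE]
ffffffff8a3b4c10  k  begin_new_exec+0x0   [FTRACE]
ffffffff8a0d5a30  k  ksys_unshare+0x0   [FTRACE]
"""
```

Polling this after resume or a live-patch event, and treating a non-empty result as a monitoring gap rather than as a namespace violation, keeps such windows from turning into false detections.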