Inspecting
The kernel exposes several read-only surfaces for inspecting live KACS state — /proc/<pid>/token, /sys/kernel/security/kacs/self, /sys/kernel/security/kacs/sessions, and the KACS_IOC_QUERY ioctl on token fds. This page is the map for what each surface gives you and the access rules for reading them.
Concept: A token's contents are read via KACS_IOC_QUERY on a token fd. Token fds come from kacs_open_self_token, /proc/<pid>/token, /sys/kernel/security/kacs/self, and a few other paths. Each query is a numbered class returning structured data. This page covers the query mechanism, the catalog of classes, and the two-call pattern for variable-length data.
Concept: Active logon sessions are exposed at /sys/kernel/security/kacs/sessions as a text listing. Each token references its session via auth_id, so finding the session associated with a process means querying its primary token's auth_id and looking up that ID in the listing. This page covers the listing format, the lookup pattern, and how to track session lifecycle.
Concept: A process's inspectable state spans its token (covered separately), its PSB (PIP fields and mitigation flags), and its process SD. Inspection of another process requires PROCESS_QUERY_INFORMATION on the target plus PIP dominance. This page covers the surfaces and the rules.