Owl: klogd architecture Initialization as root Open /proc/kmsg and /dev/log, retain the open fd's Open /dev/kmem and System.map, read relevant data, close them Chroot to /var/empty Drop to user klogd Normal operation as user klogd, in the chrooted environment Read from the /proc/kmsg fd, format the message, and write it to the /dev/log fd