> On a streamlined kernel config I've been toying with > disabling /dev/ksyms but will probably leave it enabled. I've > read theo saying in the archive, something like netstat should be > updated to use the vmstat mechanisms
What I said is that first (a) kernel-support to give netstat what it wants, and then (b) netstat code itself to use this information should be written... it should probably use a sysctl interface, yes, like vmstat and other programs do. As you know, the code is a mess. Even if it is cleaned up, it still retains a nasty problem. Today the kvm-snooping parts of netstat have a non-atomic view of the network stack since it is "kernel memory snooping". (most kvm-programs always have been broken in that respect; that is the 2nd reason why we have fewer end fewer kvm snoopers). If this is going to be fixed, it would be a nice idea to try to make it have an atomic view. That is difficult since the parts that remain look at so much stuff. > but the nestat code is horrible > to work on. It is. There's only a few parts of netstat that need rewrite, but they are the nastiest parts. We have already done the easy parts. In some kvm-capable programs it remains desirable to still be able to use them against crash dumps. netstat is probably one of those programs. We've managed to write "conditional" code for most of the traditional programs so that this is possible; in other cases we dropped that functionality since it does not help with kernel deugging. In the case of netstat it might be easier to first forget about backwards compat for crash dumps and simply write new sysctl code.. then once that is done re-add backwards compat back later. It is probably going to be easier. > Does netstat just use it for speed reasons or for normal user access to > the info too and what else breaks. Go read it a bit more. It is following datastructure pointers throughout the kernel to build a view, which it then displays in some way. > Does disabling it make an attackers job slightly more difficult at all? These programs are all bad. They are a setgid kmem userland programs racing against the kernel's live pointer manipulation. netstat is one of the last kvm users for a reason -- kvm readers are bad! All the others have been fixed.
