> On a streamlined kernel config I've been toying with
> disabling /dev/ksyms but will probably leave it enabled. I've
> read theo saying in the archive, something like netstat should be
> updated to use the vmstat mechanisms

What I said is that first (a) kernel-support to give netstat what it
wants, and then (b) netstat code itself to use this information should
be written...  it should probably use a sysctl interface, yes, like
vmstat and other programs do.

As you know, the code is a mess.  Even if it is cleaned up, it still
retains a nasty problem.  Today the kvm-snooping parts of netstat have
a non-atomic view of the network stack since it is "kernel memory
snooping".  (most kvm-programs always have been broken in that
respect; that is the 2nd reason why we have fewer and fewer kvm
snoopers).  If this is going to be fixed, it would be a nice idea to
try to make it have an atomic view.  That is difficult since the parts
that remain look at so much stuff.

> but the netstat code is horrible
> to work on.

It is.

There's only a few parts of netstat that need rewrite, but they are
the nastiest parts.  We have already done the easy parts.

In some kvm-capable programs it remains desirable to still be able to
use them against crash dumps.  netstat is probably one of those programs.
We've managed to write "conditional" code for most of the traditional programs
so that this is possible; in other cases we dropped that functionality since it
does not help with kernel debugging.

In the case of netstat it might be easier to first forget about
backwards compat for crash dumps and simply write new sysctl
code... then once that is done re-add backwards compat back later.
It is probably going to be easier.

> Does netstat just use it for speed reasons or for normal user access to
> the info too and what else breaks.

Go read it a bit more.  It is following datastructure pointers
throughout the kernel to build a view, which it then displays in some
way.

> Does disabling it make an attackers job slightly more difficult at all?

These programs are all bad.  They are setgid kmem userland programs
racing against the kernel's live pointer manipulation.  netstat is one
of the last kvm users for a reason -- kvm readers are bad!  All the others
have been fixed.
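To make the race described above concrete, here is a small constructed model in C (an added example, not code from this thread or from OpenBSD's netstat): a kvm-style reader copies records out of a "kernel" list one at a time and follows the pointers it copied, while a sysctl-style reader receives an array the kernel assembles itself. The list layout, the magic field, the staged close after the first read and the poisoning of the dead record are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of a kernel connection table: a linked list of PCB-like
 * records, the kind of structure netstat follows pointer by pointer via kvm. */
#define PCB_MAGIC 0x50434201u
struct pcb { uint32_t magic; uint16_t lport; struct pcb *next; };
static struct pcb k_pcbs[3], *k_head;   /* "kernel memory" (assumed layout) */
static int k_reads;                     /* counts kvm reads to stage the race */
static void kernel_init(void) {
    const uint16_t ports[] = { 22, 443, 80 };   /* constructed sample ports */
    for (int i = 0; i < 3; i++)
        k_pcbs[i] = (struct pcb){ PCB_MAGIC, ports[i], i < 2 ? &k_pcbs[i + 1] : NULL };
    k_head = k_pcbs; k_reads = 0;
}

/* Kernel side: a connection closes; its record is unlinked and goes stale.
 * Poisoning the magic stands in for the freed memory being reused. */
static void kernel_close(uint16_t lport) {
    for (struct pcb **pp = &k_head; *pp; pp = &(*pp)->next)
        if ((*pp)->lport == lport) {
            struct pcb *dead = *pp; *pp = dead->next;
            dead->magic = 0xdeadbeef; dead->next = NULL; return;
        }
}

/* kvm-style reader: copies one record at a time and follows the next pointer
 * from its private copy while the kernel keeps running. The close is
 * triggered deterministically after the first read so the race reproduces. */
static void kvm_read(void *dst, const void *kaddr, size_t len) {
    memcpy(dst, kaddr, len);
    if (++k_reads == 1) kernel_close(443);
}
static int kvm_walk(uint16_t *out, int max, int *stale) {
    struct pcb cur; int n = 0; *stale = 0;
    for (const struct pcb *p = k_head; p && n < max; p = cur.next) {
        kvm_read(&cur, p, sizeof cur);
        if (cur.magic != PCB_MAGIC) { *stale = 1; break; } /* dead pointer */
        out[n++] = cur.lport;
    }
    return n;
}

/* sysctl-style reader: the kernel walks its own list with modification
 * excluded and copies out a finished array, so userland never holds a
 * pointer into live kernel memory and the view is consistent. */
static int sysctl_snapshot(uint16_t *out, int max) {
    int n = 0;      /* kernel side; the real kernel would hold its lock here */
    for (const struct pcb *p = k_head; p && n < max; p = p->next) out[n++] = p->lport;
    return n;       /* copyout(9) of the whole array at once */
}
```

Running `kvm_walk` after `kernel_init` returns only the first record and flags a stale one, while `sysctl_snapshot` always returns the list as the kernel currently has it.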
