> reading kernel memory directly God I hope not

epcoa · on Feb 3, 2024

https://man.freebsd.org/cgi/man.cgi?query=kvm&sektion=3&n=1

The aforementioned tools use these interfaces.

Emphasis on most of the sundry information for the live kernel now comes from sysctl, I note the (root only) mem/kmem interface for completeness and rare utilities (eg btsockstat) use it.

Going way back, this is how it all used to work, the more structured interfaces were a 90s thing. https://github.com/v7unix/v7unix/blob/master/v7/usr/src/cmd/... Even early Linux used kmem for ps. Not ideal https://cdn.kernel.org/pub/linux/kernel/Historic/old-version... Also why the package is still called procps, for a while it coexisted with kmem-ps.

adrian_b · on Feb 3, 2024

I do not know what the previous poster was talking about, but, while unrestricted access to kernel memory is of course unacceptable, a perfectly secure and useful means for the kernel to provide information to a user process is to map a page as read-only in the user address space, from where the user process could get the information without the overhead of a system call.

For information of general interest such a special kernel page could be mapped as read-only in the address space of all user processes.

Much of the information that is provided in the special file systems /proc and /sys could have been provided in some appropriate data structures in such read-only shared memory, for a faster access, by avoiding the overhead of file system calls and of file text parsing.