From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 18 Nov 2016 09:56:52 +0100
From: jmfriedt
To: linux-kernel@vger.kernel.org
Subject: why is the sys_close symbol exported ?
Message-ID: <20161118095652.11933ecf@labo>
Organization: FEMTO-ST

Following the various rootkit and system call redirection developments,
the current way of identifying the location of the system call table
seems to be brute force scanning the memory for the location of one of
the system calls. This is only possible from a module if the symbol is
exported: I see that only one system call symbol is still exported, that
is sys_close.

Removing this symbol export would hinder one of the ways of finding the
system call table: I have not been able to find the reason for exporting
this particular symbol (while sys_open for example is not exported).
Can anyone justify why that is?

Thank you, Jean-Michel

--
JM Friedt, FEMTO-ST Time & Frequency/SENSeOR, 26 rue de l'Epitaphe,
25000 Besancon, France