About Kernel symbols

As explained in the prerequisites doc, Tracee needs the kernel symbol table for some operations.

A Linux kernel might lack the /proc/kallsyms file due to:

Kernel Configuration: If compiled without CONFIG_KALLSYMS, the kernel won't have this file. This option enables the kernel symbol table, used mainly for debugging.

Security Protocols: Some systems might hide kernel symbols to prevent potential exploits. The /proc/kallsyms file could appear incomplete or even empty to non-root users. The CONFIG_KALLSYMS_ALL option ensures all symbols are visible.

The Linux kernel also offers a setting, /proc/sys/kernel/kptr_restrict, to control kernel symbol visibility:

  • 0: No restrictions.
  • 1: Hide from non-privileged users.
  • 2: Hide from all users.
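
To tell these cases apart on a host, the following added example (not part of Tracee; the function names are illustrative) classifies the symbol file and reports the kptr_restrict level. The "masked" state is an assumption of this example, based on the kernel printing all-zero addresses to a restricted reader.

```shell
#!/bin/sh
# Added example, not Tracee code. Function names are illustrative.

# kallsyms_state [FILE] -> missing | empty | masked | ok
# "masked": entries exist but every address is zeros (restricted reader).
kallsyms_state() {
    ksyms=${1:-/proc/kallsyms}
    [ -r "$ksyms" ] || { echo missing; return 0; }
    # /proc files report size 0, so count entries instead of testing size.
    awk 'NF >= 3 { total++; if ($1 !~ /^0+$/) real++ }
         END { print (!total ? "empty" : (!real ? "masked" : "ok")) }' "$ksyms"
}

# kptr_meaning LEVEL -> description of a kptr_restrict value, as listed above
kptr_meaning() {
    case "$1" in
        0) echo "no restrictions" ;;
        1) echo "hidden from non-privileged users" ;;
        2) echo "hidden from all users" ;;
        *) echo "unknown" ;;
    esac
}

# diagnose [KALLSYMS_FILE] [KPTR_RESTRICT_FILE] -> one-line verdict
diagnose() {
    ksyms=${1:-/proc/kallsyms}
    kptr=${2:-/proc/sys/kernel/kptr_restrict}
    state=$(kallsyms_state "$ksyms")
    level=unknown
    [ -r "$kptr" ] && level=$(cat "$kptr")
    case "$state" in
        missing)
            echo "missing: no readable symbol file; kernel may lack CONFIG_KALLSYMS" ;;
        ok)
            echo "ok: symbol addresses readable (kptr_restrict=$level)" ;;
        *)
            echo "$state: symbol addresses hidden from this user (kptr_restrict=$level: $(kptr_meaning "$level"))" ;;
    esac
}

# With no arguments this inspects the live host.
diagnose "$@"
```

Run it as the same user that runs Tracee, since the result depends on the reader's privileges.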