How to check if a kernel taint flag is present in Linux

Introduction

In this lab, you will learn how to check the taint status of the Linux kernel. We will explore how to determine if the kernel is running in a potentially unsupported or modified state by examining the /proc/sys/kernel/tainted file.

Following the initial check, you will learn how to verify the specific reasons for any kernel taint by inspecting the kernel message buffer using the dmesg command. Finally, you will explore how to inspect kernel symbols using /proc/kallsyms, which can be helpful in understanding the kernel's state and loaded modules.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL linux(("Linux")) -.-> linux/BasicFileOperationsGroup(["Basic File Operations"]) linux(("Linux")) -.-> linux/TextProcessingGroup(["Text Processing"]) linux/BasicFileOperationsGroup -.-> linux/cat("File Concatenating") linux/TextProcessingGroup -.-> linux/grep("Pattern Searching") subgraph Lab Skills linux/cat -.-> lab-558725{{"How to check if a kernel taint flag is present in Linux"}} linux/grep -.-> lab-558725{{"How to check if a kernel taint flag is present in Linux"}} end

Check taint status with cat /proc/sys/kernel/tainted

In this step, we'll learn how to check the "taint" status of the Linux kernel. The kernel can become "tainted" if non-GPL (General Public License) modules are loaded or if certain events occur that might indicate a problem or a non-standard configuration. Checking the taint status is a quick way to see if your kernel is running in a potentially unsupported or modified state.

We can check the kernel's taint status by reading the contents of a special file in the /proc filesystem. The /proc filesystem is a virtual filesystem that provides information about processes and other system information.

Open your terminal if it's not already open. You can do this by clicking the Xfce Terminal icon on the left side of the desktop.

Now, use the cat command to display the content of the /proc/sys/kernel/tainted file. The cat command is used to concatenate and display file content.

Type the following command and press Enter:

cat /proc/sys/kernel/tainted

The output will be a single number.

A value of 0 means the kernel is not tainted.
Any non-zero value indicates that the kernel is tainted. The specific number is a bitmask where each bit represents a different reason for the taint.

For example, if the output was 1, it would indicate that a proprietary module was loaded. If it was 4, it might indicate a kernel warning occurred.

In our LabEx environment, the kernel should not be tainted initially, so you should see 0. This is a good sign, indicating a clean kernel state.

Understanding the taint status is important for debugging kernel issues or ensuring you are running a standard kernel configuration.

Click Continue to proceed to the next step.

Verify taint details in dmesg

In the previous step, we checked the kernel's taint status using /proc/sys/kernel/tainted. While that file gives us a numerical code indicating if the kernel is tainted, it doesn't tell us why it's tainted. For more detailed information about kernel messages, including reasons for tainting, we can use the dmesg command.

The dmesg command is used to examine the kernel ring buffer. This buffer stores messages from the kernel, including device driver information, errors, and warnings. When the kernel becomes tainted, a message is usually logged in the ring buffer explaining the reason.

Open your terminal if it's not already open.

Now, type the following command and press Enter:

dmesg

This command will output a potentially large amount of text, showing all the kernel messages since the system started.

To find specific information related to tainting, we can combine dmesg with the grep command. grep is a powerful tool for searching text patterns. We'll search for lines containing the word "taint".

Type the following command and press Enter:

dmesg | grep taint

The | symbol is called a pipe. It takes the output of the command on the left (dmesg) and sends it as input to the command on the right (grep). So, this command first gets all the kernel messages and then filters them to show only the lines that contain the word "taint".

If your kernel is not tainted (as expected in this environment), this command might not produce any output. This is normal and indicates that no taint events have been logged.

If the kernel were tainted, you would see lines similar to this (the exact message depends on the reason for tainting):

[  ... ] kernel: Linux version ... (tainted: G)
[  ... ] kernel: Disabling lock debugging due to kernel taint

The (tainted: G) part indicates the kernel is tainted, and the letter G specifically means a proprietary module was loaded. Other letters indicate different taint reasons (e.g., P for proprietary module, F for forced module loading, R for restricted license module, etc.).

Using dmesg | grep taint is a crucial step in diagnosing kernel issues when /proc/sys/kernel/tainted shows a non-zero value.

Click Continue to move on.

Inspect kernel symbols with cat /proc/kallsyms

In this step, we will explore another important file in the /proc filesystem: /proc/kallsyms. This file contains the addresses and names of all kernel symbols (functions and variables) that are not explicitly marked as static. It's a crucial tool for kernel debugging and understanding the internal workings of the kernel.

The /proc/kallsyms file lists each kernel symbol with its memory address, type, and name. The format of each line is typically:

<address> <type> <symbol_name>

<address>: The memory address where the symbol is located.
<type>: A single character indicating the type of symbol (e.g., t or T for text/code, d or D for data, b or B for BSS, r or R for read-only data, w or W for weak symbol, U for undefined symbol). Lowercase indicates a local symbol, uppercase indicates a global symbol.
<symbol_name>: The name of the kernel function or variable.

Open your terminal if it's not already open.

Now, let's view the contents of /proc/kallsyms using the cat command. Be aware that this file is very large, so the output will scroll quickly.

Type the following command and press Enter:

cat /proc/kallsyms

You will see a long list of lines, each representing a kernel symbol.

...
ffffffff... T sys_read
ffffffff... T sys_write
ffffffff... D jiffies
...

To make this output more manageable and find specific symbols, we can again use grep. For example, let's search for symbols related to "schedule", which is a core kernel function for managing processes.

Type the following command and press Enter:

cat /proc/kallsyms | grep schedule

This will filter the output to show only lines containing the word "schedule".

ffffffff... T schedule
ffffffff... T schedule_timeout
ffffffff... T schedule_hrtimeout_range
...

This filtered output is much easier to read and allows you to find the addresses and types of specific kernel functions or variables you might be interested in.

Exploring /proc/kallsyms provides valuable insight into the kernel's structure and available functions. It's a fundamental resource for anyone doing kernel development or advanced debugging.

You have now learned how to check the kernel's taint status and inspect kernel symbols using the /proc filesystem and basic Linux commands.

Click Continue to complete this lab.

Summary

In this lab, we learned how to check the taint status of the Linux kernel. We started by using the cat /proc/sys/kernel/tainted command to quickly determine if the kernel is tainted, understanding that a value of 0 indicates a clean state and any non-zero value signifies a tainted kernel with the specific number representing a bitmask of the reasons.

We then proceeded to verify the details of any taint by examining the kernel message buffer using dmesg. This allows us to see specific messages related to the events that caused the kernel to become tainted, providing more context than the numerical code alone. Finally, we explored how to inspect kernel symbols using cat /proc/kallsyms, which can be useful for advanced debugging and understanding the kernel's internal state, although this step was not fully detailed in the provided content.