[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <nycvar.YEU.7.76.2211211716270.27249@gjva.wvxbf.pm>
Date: Mon, 21 Nov 2022 17:16:47 +0100 (CET)
From: Jiri Kosina <jikos@...nel.org>
To: KP Singh <kpsingh@...nel.org>
cc: Steven Rostedt <rostedt@...dmis.org>, Chris Mason <clm@...a.com>,
Mark Rutland <mark.rutland@....com>,
Alexei Starovoitov <alexei.starovoitov@...il.com>,
Florent Revest <revest@...omium.org>,
bpf <bpf@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Brendan Jackman <jackmanb@...gle.com>, markowsky@...gle.com,
Masami Hiramatsu <mhiramat@...nel.org>,
Xu Kuohai <xukuohai@...wei.com>,
LKML <linux-kernel@...r.kernel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Christoph Hellwig <hch@...radead.org>,
Peter Zijlstra <peterz@...radead.org>
Subject: Re: [RFC 0/1] BPF tracing for arm64 using fprobe
On Mon, 21 Nov 2022, KP Singh wrote:
> > Looking at the Kconfigs, I see
> >
> > CONFIG_FUNCTION_ERROR_INJECTION is set when
> > CONFIG_HAVE_FUNCTION_ERROR_INJECTION is set, and when CONFIG_KPROBES is set.
> >
> > And ALLOW_ERROR_INJECTION() is set when CONFIG_FUNCTION_ERROR_INJECTION is.
> >
> > There's no way to turn it off on x86 except by disabling kprobes!
> >
> > WTF!
> >
> > I don't want a kernel that can add error injection just because kprobes is
> > enabled. There's two kinds of kprobes. One that is for visibility only (for
> > tracing) and one that can be used for functional changes. I want the
> > visibility without the ability to change the kernel. The visibility portion
> > is very useful for security, where as the modifying one can be used to
> > circumvent security.
>
> I am not sure how they can circumvent security since this needs root /
> root equivalent permissions. Fault injection is actually a very useful
> debugging tool.
There are environments where root is untrusted (e.g. secure boot), and
there is a whole mechanism in kernel for dealing with that (all the
CONFIG_LOCKDOWN_LSM handling). Seems like error injection should be wired
up into lockdown handling at minimum.
--
Jiri Kosina
SUSE Labs
Powered by blists - more mailing lists