From: Sasha Levin <sashal@kernel.org>
To: Song Liu <song@kernel.org>
Cc: linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kselftest@vger.kernel.org, bpf@vger.kernel.org,
live-patching@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Jonathan Corbet <corbet@lwn.net>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
Joshua Peisach <jpeisach@ubuntu.com>,
Florian Weimer <fw@deneb.enyo.de>,
Breno Leitao <leitao@debian.org>,
Anthony Iliopoulos <ailiop@suse.com>,
Michal Hocko <mhocko@suse.com>, Jiri Olsa <jolsa@kernel.org>
Subject: Re: [PATCH v3] killswitch: add per-function short-circuit mitigation primitive
Date: Mon, 18 May 2026 09:33:02 -0400 [thread overview]
Message-ID: <agsVDqdALBoHEHlv@laps> (raw)
In-Reply-To: <CAPhsuW4x8shWon8Moi5VgCq2n4E2EzaaauZ2HHpy42Rp1Y-J-g@mail.gmail.com>
On Sun, May 17, 2026 at 11:37:36PM -0700, Song Liu wrote:
>On Sun, May 17, 2026 at 6:49 AM Sasha Levin <sashal@kernel.org> wrote:
>> * fail_function (CONFIG_FUNCTION_ERROR_INJECTION) is disabled in
>> most production kernels. Even where enabled, it only works on
>> functions pre-annotated with ALLOW_ERROR_INJECTION() in source -
>> no help for a freshly-disclosed CVE. The debugfs UI is blocked by
>> lockdown=integrity and the override is probabilistic.
>>
>> * BPF override (bpf_override_return) honors the same
>> ALLOW_ERROR_INJECTION() whitelist, and BPF itself is off in many
>> production kernels. Even where on, the operator interface is
>> "load a verified BPF program," not a one-line write.
>
>If it is OK for killswitch to attach to any kernel functions, do we still
>need ALLOW_ERROR_INJECTION() for fail_function and BPF
>override? Shall we instead also allow fail_function and BPF override
>to attach to any kernel functions?
I don't think so. ALLOW_ERROR_INJECTION is not a security mechanism, it's an
integrity/safety mechanism for both bpf and fault injection.
It protects against a "developer or CI script doing legitimate fault injection
accidentally panics the box" scenario, not an "attacker gets in" one.
--
Thanks,
Sasha
next prev parent reply other threads:[~2026-05-18 13:33 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-08 19:57 [PATCH v2] killswitch: add per-function short-circuit mitigation primitive Sasha Levin
2026-05-09 12:02 ` Florian Weimer
2026-05-09 12:34 ` Sasha Levin
2026-05-11 10:33 ` Anthony Iliopoulos
2026-05-11 11:15 ` Sasha Levin
2026-05-11 17:23 ` Anthony Iliopoulos
2026-05-11 20:12 ` Sasha Levin
2026-05-11 13:14 ` Breno Leitao
2026-05-11 13:41 ` Sasha Levin
2026-05-11 14:59 ` Breno Leitao
2026-05-17 13:48 ` [PATCH v3] " Sasha Levin
2026-05-17 14:17 ` sashiko-bot
2026-05-17 19:19 ` Brandon Taylor
2026-05-18 5:23 ` Greg Kroah-Hartman
2026-05-18 6:37 ` Song Liu
2026-05-18 13:33 ` Sasha Levin [this message]
2026-05-18 23:59 ` Song Liu
2026-05-19 0:22 ` Sasha Levin
2026-05-19 12:13 ` Daniel Borkmann
2026-05-19 19:57 ` Sasha Levin
2026-05-19 22:00 ` Song Liu
2026-05-21 14:38 ` Sasha Levin
2026-05-21 18:02 ` Song Liu
2026-05-21 9:11 ` Daniel Borkmann
2026-05-21 15:31 ` Sasha Levin
2026-05-21 18:16 ` Song Liu
2026-05-23 13:41 ` Sasha Levin
2026-05-26 13:10 ` Daniel Borkmann
2026-05-26 14:29 ` Sasha Levin
2026-06-04 21:18 ` Justin Suess
2026-05-18 23:52 ` Song Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=agsVDqdALBoHEHlv@laps \
--to=sashal@kernel.org \
--cc=ailiop@suse.com \
--cc=akpm@linux-foundation.org \
--cc=bpf@vger.kernel.org \
--cc=corbet@lwn.net \
--cc=fw@deneb.enyo.de \
--cc=gregkh@linuxfoundation.org \
--cc=jolsa@kernel.org \
--cc=jpeisach@ubuntu.com \
--cc=leitao@debian.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=live-patching@vger.kernel.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=mhocko@suse.com \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.