From: Sasha Levin <sashal@kernel.org>
To: Song Liu <song@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>,
linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kselftest@vger.kernel.org, bpf@vger.kernel.org,
live-patching@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Jonathan Corbet <corbet@lwn.net>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
Joshua Peisach <jpeisach@ubuntu.com>,
Florian Weimer <fw@deneb.enyo.de>,
Breno Leitao <leitao@debian.org>,
Anthony Iliopoulos <ailiop@suse.com>,
Michal Hocko <mhocko@suse.com>, Jiri Olsa <jolsa@kernel.org>,
John Fastabend <john.fastabend@gmail.com>,
Christian Brauner <brauner@kernel.org>,
KP Singh <kpsingh@kernel.org>
Subject: Re: [PATCH v3] killswitch: add per-function short-circuit mitigation primitive
Date: Sat, 23 May 2026 09:41:18 -0400 [thread overview]
Message-ID: <ahGufsGqmLZZQL4M@laps> (raw)
In-Reply-To: <CAPhsuW7sbt5B+ZeGW8O2JMJ0ELPU-vhZFNvbB+0Q8XhZg6pKYw@mail.gmail.com>
On Thu, May 21, 2026 at 11:16:46AM -0700, Song Liu wrote:
>On Thu, May 21, 2026 at 8:31 AM Sasha Levin <sashal@kernel.org> wrote:
>>
>> On Thu, May 21, 2026 at 11:11:16AM +0200, Daniel Borkmann wrote:
>> >On 5/19/26 9:57 PM, Sasha Levin wrote:
>> >>Sure, this would also work. How do you see this happening? Can we let a certain
>> >>user/pid/etc disable the allowlist if they choose to?
>> >
>> >I don't think we should, given then we're back to square one where root
>> >or some other user would be able to just override/bypass an LSM.
>>
>> killswitch already disables itself when lockdown is active. We can easily
>> disable it too when one of the LSMs that cares about this is active.
>>
>> >[...]
>> >>How do you see this working with the allowlist?
>> >
>> >We should look at the underlying areas where most of the CVE-like fixes
>> >took place (these days should be more easily doable given Claude and friends)
>> >and based on that either extend ALLOW_ERROR_INJECTION() or (better) create
>> >new hooks which BPF LSM can consume where you can then have a policy to reject
>> >requests and tighten the attack surface. For example, the AF_ALG stuff you
>>
>> So we could grow the LSM tentacles deeper into the kernel, and we can see where
>> current CVEs are happening, which I suspect is the darker corners of the kernel
>> (old unmaintained, rarely used code), but this definitely won't stay the case,
>> right? Newer and better LLMs will discover issues elsewhere, and once the low
>> hanging fruits are picked off of the current target subsystems, researchers
>> will move elsewhere. We will be dooming ourselves to an endless cat and mouse
>> game where we go add LSM hooks after some big security issue goes public.
>
>Do we really need to add new LSM hooks for recent CVEs?
>
>The LSM hooks are designed to cover all the user-kernel interfaces. Then
>with properly designed policies, we should have coverage for potential CVEs.
>Existing LSM hooks may not be perfect, but we can improve the hooks,
>potentially with the help of smart LLMs, so that these hooks can cover
>future security issues. In some cases, we will need new policies, but I don't
>think new hooks will be needed for most of these CVEs.
Running a quick LLM evaluation on the last ~70 severe CVEs, it seems that about
40% is doable with the current hooks.
--
Thanks,
Sasha
next prev parent reply other threads:[~2026-05-23 13:41 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-08 19:57 [PATCH v2] killswitch: add per-function short-circuit mitigation primitive Sasha Levin
2026-05-09 12:02 ` Florian Weimer
2026-05-09 12:34 ` Sasha Levin
2026-05-11 10:33 ` Anthony Iliopoulos
2026-05-11 11:15 ` Sasha Levin
2026-05-11 17:23 ` Anthony Iliopoulos
2026-05-11 20:12 ` Sasha Levin
2026-05-11 13:14 ` Breno Leitao
2026-05-11 13:41 ` Sasha Levin
2026-05-11 14:59 ` Breno Leitao
2026-05-17 13:48 ` [PATCH v3] " Sasha Levin
2026-05-17 14:17 ` sashiko-bot
2026-05-17 19:19 ` Brandon Taylor
2026-05-18 5:23 ` Greg Kroah-Hartman
2026-05-18 6:37 ` Song Liu
2026-05-18 13:33 ` Sasha Levin
2026-05-18 23:59 ` Song Liu
2026-05-19 0:22 ` Sasha Levin
2026-05-19 12:13 ` Daniel Borkmann
2026-05-19 19:57 ` Sasha Levin
2026-05-19 22:00 ` Song Liu
2026-05-21 14:38 ` Sasha Levin
2026-05-21 18:02 ` Song Liu
2026-05-21 9:11 ` Daniel Borkmann
2026-05-21 15:31 ` Sasha Levin
2026-05-21 18:16 ` Song Liu
2026-05-23 13:41 ` Sasha Levin [this message]
2026-05-26 13:10 ` Daniel Borkmann
2026-05-26 14:29 ` Sasha Levin
2026-06-04 21:18 ` Justin Suess
2026-05-18 23:52 ` Song Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ahGufsGqmLZZQL4M@laps \
--to=sashal@kernel.org \
--cc=ailiop@suse.com \
--cc=akpm@linux-foundation.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=corbet@lwn.net \
--cc=daniel@iogearbox.net \
--cc=fw@deneb.enyo.de \
--cc=gregkh@linuxfoundation.org \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=jpeisach@ubuntu.com \
--cc=kpsingh@kernel.org \
--cc=leitao@debian.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=live-patching@vger.kernel.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=mhocko@suse.com \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.