From: Sasha Levin <sashal@kernel.org>
To: Paul Moore <paul@paul-moore.com>
Cc: Song Liu <song@kernel.org>,
corbet@lwn.net, akpm@linux-foundation.org,
skhan@linuxfoundation.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
gregkh@linuxfoundation.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH] killswitch: add per-function short-circuit mitigation primitive
Date: Mon, 18 May 2026 20:31:19 -0400 [thread overview]
Message-ID: <aguvV8QCxK28ZHct@laps> (raw)
In-Reply-To: <CAHC9VhS1DJNs9gDB6gD9WKhL08giSVajBskZ+=mY0AWRCAsw7Q@mail.gmail.com>
On Mon, May 18, 2026 at 05:29:32PM -0400, Paul Moore wrote:
>From my perspective there are two different issues here: should
>killswitch be a LSM, and should killswitch leverage kprobes to be able
>to "kill" security related symbols. After all, are we okay with
>killswitch killing capable() and friends?
killswitch doesn't do it on it's own. It may be instructed by root to do that,
at which point that is root's problem.
>In my opinion, making killswitch an LSM is more of a procedural item
>that deals with how we view a capability like killswitch. I
>personally view killswitch as somewhat similar to Lockdown, which is
>why I made the suggestion.
Maybe I'm not all that familiar with LSMs, but we would need to be able to stop
"random" code paths from executing, and I don't think we can create LSM hooks
at that granularity, no?
>The use of kprobes, while an interesting idea, presents problems as
>allowing any kernel symbol to be killed introduces the potential for
>security regressions. As a reminder, some LSMs, as well as other
>kernel subsystems, have mechanisms in place to restrict root and/or
>enforce one-way configuration locks; while many people equate "root"
>with full control, in many cases today that is not strictly correct.
killswitch "complies" with lockdown. Is there a different scenario which we
should be blocking?
>Yes, kprobes have been around for some time, this is not a new
>problem, but killswitch makes it far more convenient and accessible to
>do dangerous things with kprobes. If killswitch makes it past the RFC
>stage without any significant changes to its kill mechanism, we may
>need to start considering more liberal usage of NOKPROBE_SYMBOL()
>which I think would be an unfortunate casualty.
Why? If I don't really mind the security impact, I want to be able to have a
killswitch-like interface on my systems. If an attacker is in my systems,
killswitch is the least of my concerns I think.
If you are security concious, just don't enable CONFIG_KILLSWITCH?
--
Thanks,
Sasha
next prev parent reply other threads:[~2026-05-19 0:31 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260507070547.2268452-1-sashal@kernel.org>
2026-05-15 3:48 ` [PATCH] killswitch: add per-function short-circuit mitigation primitive Paul Moore
2026-05-18 6:31 ` Song Liu
2026-05-18 21:29 ` Paul Moore
2026-05-18 23:22 ` Song Liu
2026-05-18 23:57 ` Paul Moore
2026-05-19 0:01 ` Song Liu
2026-05-19 2:55 ` Paul Moore
2026-05-19 0:21 ` Sasha Levin
2026-05-19 0:31 ` Sasha Levin [this message]
2026-05-19 3:08 ` Paul Moore
2026-05-19 20:00 ` Sasha Levin
2026-05-19 20:50 ` Paul Moore
2026-05-19 5:29 ` Song Liu
2026-05-19 20:33 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aguvV8QCxK28ZHct@laps \
--to=sashal@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=corbet@lwn.net \
--cc=gregkh@linuxfoundation.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=skhan@linuxfoundation.org \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox