From: Sasha Levin <sashal@kernel.org>
To: Song Liu <song@kernel.org>
Cc: linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kselftest@vger.kernel.org, bpf@vger.kernel.org,
live-patching@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Jonathan Corbet <corbet@lwn.net>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
Joshua Peisach <jpeisach@ubuntu.com>,
Florian Weimer <fw@deneb.enyo.de>,
Breno Leitao <leitao@debian.org>,
Anthony Iliopoulos <ailiop@suse.com>,
Michal Hocko <mhocko@suse.com>, Jiri Olsa <jolsa@kernel.org>
Subject: Re: [PATCH v3] killswitch: add per-function short-circuit mitigation primitive
Date: Mon, 18 May 2026 09:33:02 -0400 [thread overview]
Message-ID: <agsVDqdALBoHEHlv@laps> (raw)
In-Reply-To: <CAPhsuW4x8shWon8Moi5VgCq2n4E2EzaaauZ2HHpy42Rp1Y-J-g@mail.gmail.com>
On Sun, May 17, 2026 at 11:37:36PM -0700, Song Liu wrote:
>On Sun, May 17, 2026 at 6:49 AM Sasha Levin <sashal@kernel.org> wrote:
>> * fail_function (CONFIG_FUNCTION_ERROR_INJECTION) is disabled in
>> most production kernels. Even where enabled, it only works on
>> functions pre-annotated with ALLOW_ERROR_INJECTION() in source -
>> no help for a freshly-disclosed CVE. The debugfs UI is blocked by
>> lockdown=integrity and the override is probabilistic.
>>
>> * BPF override (bpf_override_return) honors the same
>> ALLOW_ERROR_INJECTION() whitelist, and BPF itself is off in many
>> production kernels. Even where on, the operator interface is
>> "load a verified BPF program," not a one-line write.
>
>If it is OK for killswitch to attach to any kernel functions, do we still
>need ALLOW_ERROR_INJECTION() for fail_function and BPF
>override? Shall we instead also allow fail_function and BPF override
>to attach to any kernel functions?
I don't think so. ALLOW_ERROR_INJECTION is not a security mechanism, it's an
integrity/safety mechanism for both bpf and fault injection.
It protects against a "developer or CI script doing legitimate fault injection
accidentally panics the box" scenario, not an "attacker gets in" one.
--
Thanks,
Sasha
next prev parent reply other threads:[~2026-05-18 13:33 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260508195749.1885522-1-sashal@kernel.org>
2026-05-17 13:48 ` [PATCH v3] killswitch: add per-function short-circuit mitigation primitive Sasha Levin
2026-05-17 19:19 ` Brandon Taylor
2026-05-18 5:23 ` Greg Kroah-Hartman
2026-05-18 6:37 ` Song Liu
2026-05-18 13:33 ` Sasha Levin [this message]
2026-05-18 23:59 ` Song Liu
2026-05-19 0:22 ` Sasha Levin
2026-05-18 23:52 ` Song Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=agsVDqdALBoHEHlv@laps \
--to=sashal@kernel.org \
--cc=ailiop@suse.com \
--cc=akpm@linux-foundation.org \
--cc=bpf@vger.kernel.org \
--cc=corbet@lwn.net \
--cc=fw@deneb.enyo.de \
--cc=gregkh@linuxfoundation.org \
--cc=jolsa@kernel.org \
--cc=jpeisach@ubuntu.com \
--cc=leitao@debian.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=live-patching@vger.kernel.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=mhocko@suse.com \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox