From: Sasha Levin <sashal@kernel.org>
To: Song Liu <song@kernel.org>
Cc: linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kselftest@vger.kernel.org, bpf@vger.kernel.org,
live-patching@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Jonathan Corbet <corbet@lwn.net>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
Joshua Peisach <jpeisach@ubuntu.com>,
Florian Weimer <fw@deneb.enyo.de>,
Breno Leitao <leitao@debian.org>,
Anthony Iliopoulos <ailiop@suse.com>,
Michal Hocko <mhocko@suse.com>, Jiri Olsa <jolsa@kernel.org>
Subject: Re: [PATCH v3] killswitch: add per-function short-circuit mitigation primitive
Date: Mon, 18 May 2026 20:22:46 -0400 [thread overview]
Message-ID: <agutVsxfG2bg0lnz@laps> (raw)
In-Reply-To: <CAPhsuW44UX663Au=WwHz8MVwnQgLkjxOqpJSCKxNiv3=RpZvqw@mail.gmail.com>
On Mon, May 18, 2026 at 04:59:08PM -0700, Song Liu wrote:
>On Mon, May 18, 2026 at 6:33 AM Sasha Levin <sashal@kernel.org> wrote:
>>
>> On Sun, May 17, 2026 at 11:37:36PM -0700, Song Liu wrote:
>> >On Sun, May 17, 2026 at 6:49 AM Sasha Levin <sashal@kernel.org> wrote:
>> >> * fail_function (CONFIG_FUNCTION_ERROR_INJECTION) is disabled in
>> >> most production kernels. Even where enabled, it only works on
>> >> functions pre-annotated with ALLOW_ERROR_INJECTION() in source -
>> >> no help for a freshly-disclosed CVE. The debugfs UI is blocked by
>> >> lockdown=integrity and the override is probabilistic.
>> >>
>> >> * BPF override (bpf_override_return) honors the same
>> >> ALLOW_ERROR_INJECTION() whitelist, and BPF itself is off in many
>> >> production kernels. Even where on, the operator interface is
>> >> "load a verified BPF program," not a one-line write.
>> >
>> >If it is OK for killswitch to attach to any kernel functions, do we still
>> >need ALLOW_ERROR_INJECTION() for fail_function and BPF
>> >override? Shall we instead also allow fail_function and BPF override
>> >to attach to any kernel functions?
>>
>> I don't think so. ALLOW_ERROR_INJECTION is not a security mechanism, it's an
>> integrity/safety mechanism for both bpf and fault injection.
>>
>> It protects against a "developer or CI script doing legitimate fault injection
>> accidentally panics the box" scenario, not an "attacker gets in" one.
>
>There really isn't a clear boundary between "security mechanism" and
>"non-security mechanism". As we are making killswitch available
>everywhere under root, users will soon learn to use it to do fault injection,
>and potentially much more scary things. (Think about agents with sudo
>access).
Wouldn't the same argument apply to /dev/mem? If you enable that, and you give
whatever tool/agent/etc access to the interface, you're bound to have a really
bad time unless you know what you're doing?
root can already load a killswitch equivalent module, right? there's nothing
really new with killswitch.
--
Thanks,
Sasha
next prev parent reply other threads:[~2026-05-19 0:22 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260508195749.1885522-1-sashal@kernel.org>
2026-05-17 13:48 ` [PATCH v3] killswitch: add per-function short-circuit mitigation primitive Sasha Levin
2026-05-17 19:19 ` Brandon Taylor
2026-05-18 5:23 ` Greg Kroah-Hartman
2026-05-18 6:37 ` Song Liu
2026-05-18 13:33 ` Sasha Levin
2026-05-18 23:59 ` Song Liu
2026-05-19 0:22 ` Sasha Levin [this message]
2026-05-18 23:52 ` Song Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=agutVsxfG2bg0lnz@laps \
--to=sashal@kernel.org \
--cc=ailiop@suse.com \
--cc=akpm@linux-foundation.org \
--cc=bpf@vger.kernel.org \
--cc=corbet@lwn.net \
--cc=fw@deneb.enyo.de \
--cc=gregkh@linuxfoundation.org \
--cc=jolsa@kernel.org \
--cc=jpeisach@ubuntu.com \
--cc=leitao@debian.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=live-patching@vger.kernel.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=mhocko@suse.com \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox