From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Borislav Petkov <bp@alien8.de>,
Steven Rostedt <rostedt@goodmis.org>,
LKML <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Peter Zijlstra <peterz@infradead.org>,
Kees Cook <keescook@chromium.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
KP Singh <kpsingh@kernel.org>, Chris Mason <clm@meta.com>,
Mark Rutland <mark.rutland@arm.com>,
Florent Revest <revest@chromium.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Christoph Hellwig <hch@infradead.org>
Subject: Re: [PATCH] error-injection: Add prompt for function error injection
Date: Tue, 22 Nov 2022 09:09:23 +0900 [thread overview]
Message-ID: <20221122090923.9d7de73221be99c8ede30379@kernel.org> (raw)
In-Reply-To: <CAADnVQLJFnu6gARdZ7ckgxeGaSv70jHBiQo+W=zDKO0-ELFGcQ@mail.gmail.com>
On Mon, 21 Nov 2022 15:36:08 -0800
Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote:
> On Mon, Nov 21, 2022 at 11:32 AM Borislav Petkov <bp@alien8.de> wrote:
> >
> > On Mon, Nov 21, 2022 at 10:44:03AM -0500, Steven Rostedt wrote:
> > > From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
> > >
> > > The config to be able to inject error codes into any function annotated
> > > with ALLOW_ERROR_INJECTION() is enabled when CONFIG_FUNCTION_ERROR_INJECTION
> > > is enabled. But unfortunately, this is always enabled on x86 when KPROBES
> > > is enabled, and there's no way to turn it off.
> > >
> > > As kprobes is useful for observability of the kernel, it is useful to have
> > > it enabled in production environments. But error injection should be
> > > avoided. Add a prompt to the config to allow it to be disabled even when
> > > kprobes is enabled, and get rid of the "def_bool y".
> > >
> > > This is a kernel debug feature (it's in Kconfig.debug), and should have
> > > never been something enabled by default.
> > >
> > > Cc: stable@vger.kernel.org
> > > Fixes: 540adea3809f6 ("error-injection: Separate error-injection from kprobe")
> > > Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
> > > ---
> > > lib/Kconfig.debug | 8 +++++++-
> > > 1 file changed, 7 insertions(+), 1 deletion(-)
> >
> > As stated on another thread, debugging production kernels where folks
> > have been injecting errors into functions is not something anyone would
> > like to and have to do. Especially if from looking at system dumps, it
> > is not even clear what has been injected and why, rendering the system
> > unstable and the issue probably unreproducible.
> >
> > Acked-by: Borislav Petkov <bp@suse.de>
>
> The commit log is bogus and the lack of understanding what
> bpf and error injection hooks are used for expressed
> in this thread is quite sad.
> Disabling error injection makes the system _less_ secure.
Why? I thought this was only used for testing. Or, are you
using this for changing the kernel behavior in production
environment?
For example, the commit 540adea3809f6 ("error-injection: Separate
error-injection from kprobe") specifies that some btrfs functions
to whitelist, which is I thought only for the testing btrfs.
Now it seems more functions related to syscalls registered to
the whitelist. (I didn't notice that...) If it is intended to
filter syscalls, I recommend you to use secomp instead of this.
> But giving people an option to reduce security is a decision
> that every distro and data center has to make on their own.
This function-level override should be used carefully just for
testing linux kernel code. For forcibly filtering some functionality,
it should use LSM or have another facility based on jump label.
(yeah, if it is for security, why can you use LSM?)
Thank you,
--
Masami Hiramatsu (Google) <mhiramat@kernel.org>
next prev parent reply other threads:[~2022-11-22 0:09 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-21 15:44 [PATCH] error-injection: Add prompt for function error injection Steven Rostedt
2022-11-21 19:32 ` Borislav Petkov
2022-11-21 23:36 ` Alexei Starovoitov
2022-11-22 0:09 ` Masami Hiramatsu [this message]
2022-11-22 0:24 ` Steven Rostedt
2022-11-22 0:40 ` Steven Rostedt
2022-11-22 10:39 ` Borislav Petkov
2022-11-22 17:42 ` Chris Mason
2022-11-22 18:16 ` Borislav Petkov
2022-11-22 18:29 ` Steven Rostedt
2022-11-22 19:51 ` Chris Mason
2022-11-30 22:37 ` Andrew Morton
2022-12-01 16:58 ` Alexei Starovoitov
2022-12-01 17:39 ` Benjamin Tissoires
2022-12-01 21:12 ` Andrew Morton
2022-12-01 21:13 ` Linus Torvalds
2022-12-02 0:46 ` Jiri Kosina
2022-12-02 0:57 ` Linus Torvalds
2022-12-02 1:03 ` Jiri Kosina
2022-12-02 1:32 ` Steven Rostedt
2022-12-02 1:41 ` Alexei Starovoitov
2022-12-02 15:56 ` Theodore Ts'o
2022-12-02 21:27 ` Alexei Starovoitov
2022-12-02 23:17 ` Steven Rostedt
2022-12-03 0:55 ` Alexei Starovoitov
2022-12-04 22:50 ` Masami Hiramatsu
2022-12-06 2:05 ` Alexei Starovoitov
2022-12-02 14:55 ` Benjamin Tissoires
2022-12-02 19:30 ` Alexei Starovoitov
2022-12-05 17:01 ` Benjamin Tissoires
2022-12-01 14:41 ` Masami Hiramatsu
2022-12-01 16:37 ` [RFC PATCH] panic: Add new taint flag for fault injection Masami Hiramatsu (Google)
2022-12-01 16:39 ` Kees Cook
2022-12-01 16:48 ` Steven Rostedt
2022-12-01 16:53 ` Kees Cook
2022-12-01 19:14 ` Steven Rostedt
2022-12-01 21:00 ` Chris Mason
2022-12-01 21:18 ` Linus Torvalds
2022-12-02 6:17 ` Christoph Hellwig
2022-12-01 21:25 ` Steven Rostedt
2022-12-01 21:29 ` Steven Rostedt
2022-12-02 0:46 ` Masami Hiramatsu
2022-12-01 16:40 ` Steven Rostedt
2022-11-21 22:24 ` [PATCH] error-injection: Add prompt for function error injection Masami Hiramatsu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221122090923.9d7de73221be99c8ede30379@kernel.org \
--to=mhiramat@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=alexei.starovoitov@gmail.com \
--cc=bp@alien8.de \
--cc=clm@meta.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=peterz@infradead.org \
--cc=revest@chromium.org \
--cc=rostedt@goodmis.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox