Re: [RFC 0/1] BPF tracing for arm64 using fprobe
From: Jiri Kosina
Date: Mon Nov 21 2022 - 11:17:16 EST
On Mon, 21 Nov 2022, KP Singh wrote:
> > Looking at the Kconfigs, I see
> >
> > CONFIG_FUNCTION_ERROR_INJECTION is set when
> > CONFIG_HAVE_FUNCTION_ERROR_INJECTION is set, and when CONFIG_KPROBES is set.
> >
> > And ALLOW_ERROR_INJECTION() is set when CONFIG_FUNCTION_ERROR_INJECTION is.
> >
> > There's no way to turn it off on x86 except by disabling kprobes!
> >
> > WTF!
> >
> > I don't want a kernel that can add error injection just because kprobes is
> > enabled. There's two kinds of kprobes. One that is for visibility only (for
> > tracing) and one that can be used for functional changes. I want the
> > visibility without the ability to change the kernel. The visibility portion
> > is very useful for security, where as the modifying one can be used to
> > circumvent security.
>
> I am not sure how they can circumvent security since this needs root /
> root equivalent permissions. Fault injection is actually a very useful
> debugging tool.
There are environments where root is untrusted (e.g. secure boot), and
there is a whole mechanism in kernel for dealing with that (all the
CONFIG_LOCKDOWN_LSM handling). Seems like error injection should be wired
up into lockdown handling at minimum.
--
Jiri Kosina
SUSE Labs