Re: [RFC 0/1] BPF tracing for arm64 using fprobe

[Jiri Kosina]

On Mon, 21 Nov 2022, KP Singh wrote:

> > Looking at the Kconfigs, I see
> >
> > CONFIG_FUNCTION_ERROR_INJECTION is set when
> > CONFIG_HAVE_FUNCTION_ERROR_INJECTION is set, and when CONFIG_KPROBES is set.
> >
> > And ALLOW_ERROR_INJECTION() is set when CONFIG_FUNCTION_ERROR_INJECTION is.
> >
> > There's no way to turn it off on x86 except by disabling kprobes!
> >
> > WTF!
> >
> > I don't want a kernel that can add error injection just because kprobes is
> > enabled. There's two kinds of kprobes. One that is for visibility only (for
> > tracing) and one that can be used for functional changes. I want the
> > visibility without the ability to change the kernel. The visibility portion
> > is very useful for security, where as the modifying one can be used to
> > circumvent security.
> 
> I am not sure how they can circumvent security since this needs root /
> root equivalent permissions. Fault injection is actually a very useful
> debugging tool.

There are environments where root is untrusted (e.g. secure boot), and 
there is a whole mechanism in kernel for dealing with that (all the 
CONFIG_LOCKDOWN_LSM handling). Seems like error injection should be wired 
up into lockdown handling at minimum.

-- 
Jiri Kosina
SUSE Labs