On Sat, May 09, 2026 at 08:34:11AM -0400, Sasha Levin wrote:
> On Sat, May 09, 2026 at 02:02:24PM +0200, Florian Weimer wrote:
> > * Sasha Levin:
> >
> > > When a kernel (security) issue goes public, fleets stay exposed until a
> > > patched kernel is built, distributed, and rebooted into.
> > >
> > > For many such issues the simplest mitigation is to stop calling the buggy
> > > function. Killswitch provides that. An admin writes:
> > >
> > >   echo "engage af_alg_sendmsg -1" \
> > >     > /sys/kernel/security/killswitch/control
> > >
> > > After this, af_alg_sendmsg() returns -EPERM on every call without
> > > running its body. The mitigation takes effect immediately, and is dropped
> > > on the next reboot -- by which point a patched kernel is hopefully in place.
> >
> > Do you expect this to be safe to enable in kernel lockdown mode (i.e.,
> > with typical Secure Boot configurations in distributions)?
>
> Yes: under lockdown, killswitch has to be configured on the cmdline. Runtime
> engage is gated on the new LOCKDOWN_KILLSWITCH reason.
Basically this proposal allows for any function to be overridden on a
production kernel as long as no lockdown level is enabled, which is quite
dangerous.

Assuming this is acceptable (which I am not sure it should be), then this is
equivalent to the existing error injection code that we already have in the
kernel (CONFIG_FAIL_FUNCTION) minus the explicit whitelisting on a per
function basis required to permit injection.

Given that this achieves the exact same result, then why don't we consider
simply removing the whitelisting restriction from fail_function altogether
and use that instead? The only thing missing then would be the boot param
parsing and setup. This way we'll be removing a few hundred lines of code
instead of adding more duplication, while enabling the same functionality.

[As a bonus, this would also make the existing framework more practical to
use for testing arbitrary function failures. I have been carrying a debug
only patch to that effect for a while, which basically just shorts the
whitelisting check when CONFIG_FUNCTION_ERROR_INJECTION_ALLOW_ALL=y.]

Regards,
Anthony
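For comparison with the one-line killswitch write quoted above, the following is an added example (not code from the thread, the killswitch patch, or the kernel tree) of the steps an administrator goes through to make one function return an error with the in-tree fail_function interface that Anthony points to. The file layout under debugfs (`error_injection/list`, `fail_function/inject`, `fail_function/<symbol>/retval`, and the probability/interval/times/space/task-filter knobs) is the documented one; the debugfs root is taken as an argument so the functions can be exercised against a constructed directory tree, and the default of `/sys/kernel/debug` plus the `af_alg_sendmsg` symbol used in the usage line are assumptions (on a real kernel the symbol is only usable if it carries an `ALLOW_ERROR_INJECTION()` annotation, which is exactly the allow-list gate the thread is debating).

```shell
#!/bin/sh
# Added example: configure CONFIG_FAIL_FUNCTION to fail one kernel function
# unconditionally, checking the error-injection allow-list first.
# Requires root, debugfs mounted, and CONFIG_FAIL_FUNCTION=y on a real system.

# fail_function_engage SYMBOL ERRNO [DEBUGFS_ROOT]
#   0 -> injection configured
#   1 -> SYMBOL is not on the allow-list (or not an errno-returning function)
#   2 -> interface missing or a write failed
fail_function_engage() {
    sym=$1
    errno=$2
    root=${3:-/sys/kernel/debug}    # assumed default mount point
    list="$root/error_injection/list"
    ff="$root/fail_function"

    # The allow-list is the set of functions annotated with
    # ALLOW_ERROR_INJECTION(); each line reads "<symbol>\t<type>".
    [ -r "$list" ] || { echo "no error_injection list under $root" >&2; return 2; }
    itype=$(awk -v s="$sym" '$1 == s { print $2; exit }' "$list")
    if [ -z "$itype" ]; then
        echo "$sym is not error-injectable (absent from $list)" >&2
        return 1
    fi
    # Only ERRNO / ERRNO_NULL functions can have an errno forced as retval.
    case $itype in
        ERRNO|ERRNO_NULL) ;;
        *) echo "$sym has injection type $itype, not an errno return" >&2; return 1 ;;
    esac

    # Register the function; the kernel then creates $ff/$sym/retval.
    echo "$sym" > "$ff/inject" || return 2
    # retval is written in hex, as the kernel fault-injection docs show.
    printf '%#x\n' "$errno" > "$ff/$sym/retval" || return 2
    # Fire on every call, from every task, with no decay.
    echo N   > "$ff/task-filter"
    echo 100 > "$ff/probability"
    echo 0   > "$ff/interval"
    echo -1  > "$ff/times"
    echo 0   > "$ff/space"
    return 0
}

# fail_function_release SYMBOL [DEBUGFS_ROOT]
# Undo the injection (a "!" prefix on the inject file removes the probe),
# which is the manual counterpart of the killswitch being dropped at reboot.
fail_function_release() {
    sym=$1
    root=${2:-/sys/kernel/debug}
    echo "!$sym" > "$root/fail_function/inject"
}

# Usage on a live system (assumed symbol; -EPERM is -1):
#   fail_function_engage af_alg_sendmsg -1
#   fail_function_release af_alg_sendmsg
```

Note that the allow-list check is advisory here: the kernel itself rejects a write of an unlisted symbol to `inject`, which is the restriction Anthony proposes lifting. Reading `error_injection/list` first simply gives a clear diagnostic instead of a bare write error.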

