On 5/19/26 9:57 PM, Sasha Levin wrote:
On Tue, May 19, 2026 at 02:13:26PM +0200, Daniel Borkmann wrote:
On 5/19/26 1:59 AM, Song Liu wrote:
On Mon, May 18, 2026 at 6:33 AM Sasha Levin <[email protected]> wrote:
On Sun, May 17, 2026 at 11:37:36PM -0700, Song Liu wrote:
On Sun, May 17, 2026 at 6:49 AM Sasha Levin <[email protected]> wrote:
* fail_function (CONFIG_FUNCTION_ERROR_INJECTION) is disabled in
most production kernels. Even where enabled, it only works on
functions pre-annotated with ALLOW_ERROR_INJECTION() in source -
no help for a freshly-disclosed CVE. The debugfs UI is blocked by
lockdown=integrity and the override is probabilistic.
* BPF override (bpf_override_return) honors the same
ALLOW_ERROR_INJECTION() whitelist, and BPF itself is off in many
production kernels. Even where on, the operator interface is
"load a verified BPF program," not a one-line write.
If it is OK for killswitch to attach to any kernel functions, do we still
need ALLOW_ERROR_INJECTION() for fail_function and BPF
override? Shall we instead also allow fail_function and BPF override
to attach to any kernel functions?
I don't think so. ALLOW_ERROR_INJECTION is not a security mechanism, it's an
integrity/safety mechanism for both bpf and fault injection.
It protects against a "developer or CI script doing legitimate fault injection
accidentally panics the box" scenario, not an "attacker gets in" one.
There really isn't a clear boundary between "security mechanism" and
"non-security mechanism". As we are making killswitch available
everywhere under root, users will soon learn to use it to do fault injection,
and potentially much more scary things. (Think about agents with sudo
access).
Fully agree with Song here that there is no clear boundary, and that the
killswitch could lead to arbitrary, hard to debug breakage if applied to
the wrong function.. introducing worse bugs than the one being mitigated
or even /short-circuit LSM enforcement/ (engage security_file_open 0,
engage cap_capable 0, engage apparmor_* etc).
This is similar to livepatch, right? Do we need guardrails there too?
Or do we just trust root to do the right thing for it's systems without needing
to be it's babysitter?
[See Song's reply.]
The ALLOW_ERROR_INJECTION() provides a curated white-list where you may
return with an error without causing more severe damage (assuming the
error handling code is right). The right thing would be to more widely
apply ALLOW_ERROR_INJECTION() or to figure out a better way to safely
enable the latter without explicit function annotation.
Sure, this would also work. How do you see this happening? Can we let a certain
user/pid/etc disable the allowlist if they choose to?
I don't think we should, given then we're back to square one where root
or some other user would be able to just override/bypass an LSM.
[...]
How do you see this working with the allowlist?
We should look at the underlying areas where most of the CVE-like fixes
took place (these days should be more easily doable given Claude and friends)
and based on that either extend ALLOW_ERROR_INJECTION() or (better) create
new hooks which BPF LSM can consume where you can then have a policy to reject
requests and tighten the attack surface. For example, the AF_ALG stuff you
can already easily cover today ...
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#define AF_ALG 38
#define EPERM 1
char _license[] SEC("license") = "Dual BSD/GPL";
SEC("lsm/socket_create")
int BPF_PROG(block_af_alg, int family, int type, int protocol, int kern)
{
if (family == AF_ALG)
return -EPERM;
return 0;
}
... the problem is that distros enable and pull in all sort of crap which
then non-root could pull in via request_module() as an example; similarly
for netlink we want to have a BPF LSM policy to parse into netlink requests
and then reject based on certain attribute matching (both on our todo list)
which would have helped in case of exotic tc cls/act/qdisc modules to prevent
them to be pulled from userns. I bet there are a ton more examples once we
look further into the data.
Thanks,
Daniel
