On Wed, Feb 18, 2026 at 10:52:04AM -0500, Steven Rostedt wrote:
> Honestly, if you are worried about this, just run LOCKDOWN on tracing, and
> prevent *ALL* kprobes. Because yes, there's a 1000 ways to get this
> information once you have kprobes enabled and have root access. This patch
> is hurting legitimate debugging of running systems more than it is limiting
> rootkits from hacking the kernel.

Yeah, I agree. If kprobes is available, there is a lot of harm an attacker can already do. If a bright line between root/ring-0 is desired, a system needs to be configured to be using lockdown or similar things to turn off the interfaces that let root write to kernel state.

-- 
Kees Cook
