On Thu, 19 Feb 2026 10:45:02 -0800 Kees Cook <[email protected]> wrote:
> On Wed, Feb 18, 2026 at 10:52:04AM -0500, Steven Rostedt wrote: > > Honesty, if you are worried about this, just run LOCKDOWN on tracing, and > > prevent *ALL* kprobes. Because yes, there's a 1000 ways to get this > > information once you have kprobes enabled and have root access. This patch > > is hurting legitimate debugging of running systems more than it is limiting > > rootkits from hacking the kernel. > > Yeah, I agree. If kprobes is available, there is a lot of harm an > attacker can already do. If a bright line between root/ring-0 is > desired, a system needs to be configured to be using lockdown or similar > things to turn off the interfaces that let root write to kernel state. Agreed. The blacklist (or blocklist) of kprobes is designed for preventing nesting software breakpoint handling, not for security. Thank you, -- Masami Hiramatsu (Google) <[email protected]>
