On Fri, Feb 20, 2026 at 11:45:40AM +0900, Masami Hiramatsu wrote: > On Thu, 19 Feb 2026 10:45:02 -0800 > Kees Cook <[email protected]> wrote: > > > On Wed, Feb 18, 2026 at 10:52:04AM -0500, Steven Rostedt wrote: > > > Honesty, if you are worried about this, just run LOCKDOWN on tracing, and > > > prevent *ALL* kprobes. Because yes, there's a 1000 ways to get this > > > information once you have kprobes enabled and have root access. This patch > > > is hurting legitimate debugging of running systems more than it is > > > limiting > > > rootkits from hacking the kernel. > > > > Yeah, I agree. If kprobes is available, there is a lot of harm an > > attacker can already do. If a bright line between root/ring-0 is > > desired, a system needs to be configured to be using lockdown or similar > > things to turn off the interfaces that let root write to kernel state. > > Agreed. The blacklist (or blocklist) of kprobes is designed for preventing > nesting software breakpoint handling, not for security.
It still can be useful. As mention in the other thread, we just need to make it clear. I.e. add something like "noprobe_for_security". And if we really, really care it could be conditional on a config option.
