On Mon, Jun 24, 2019 at 1:09 PM Andy Lutomirski <luto@xxxxxxxxxx> wrote: > I'm confused. I understand why we're restricting bpf_probe_read(). > Why are we restricting bpf_probe_write_user() and bpf_trace_printk(), > though? Hmm. I think the thinking here was around exfiltration mechanisms, but if the read is blocked then that seems less likely. This seems to trace back to http://kernsec.org/pipermail/linux-security-module-archive/2017-October/003545.html - Joey, do you know the reasoning here?
