On Mon, 21 Nov 2022, KP Singh wrote: > > Looking at the Kconfigs, I see > > > > CONFIG_FUNCTION_ERROR_INJECTION is set when > > CONFIG_HAVE_FUNCTION_ERROR_INJECTION is set, and when CONFIG_KPROBES is set. > > > > And ALLOW_ERROR_INJECTION() is set when CONFIG_FUNCTION_ERROR_INJECTION is. > > > > There's no way to turn it off on x86 except by disabling kprobes! > > > > WTF! > > > > I don't want a kernel that can add error injection just because kprobes is > > enabled. There's two kinds of kprobes. One that is for visibility only (for > > tracing) and one that can be used for functional changes. I want the > > visibility without the ability to change the kernel. The visibility portion > > is very useful for security, where as the modifying one can be used to > > circumvent security. > > I am not sure how they can circumvent security since this needs root / > root equivalent permissions. Fault injection is actually a very useful > debugging tool. There are environments where root is untrusted (e.g. secure boot), and there is a whole mechanism in kernel for dealing with that (all the CONFIG_LOCKDOWN_LSM handling). Seems like error injection should be wired up into lockdown handling at minimum. -- Jiri Kosina SUSE Labs
