Re: do we need CONFIG_UPROBES=y in our kernels?

On Mon, Feb 12, 2024 at 11:16 AM Marius Schwarz <fedoradev@xxxxxxxxxxxx> wrote:
> In a German developer blog article, the topic was raised that with
> uprobes enabled, userland apps can i.e. circumvent TLS security (and
> other protections) by telling the kernel to probe the function calls
> with the uprobes API.
> As this enables i.e. the hosting system of a VM or container to track
> activity inside the container, trust is lost i.e. from customer to
> hoster. To be fair, you need to be root on the host to do this, but as
> it "wasn't possible before", and it is "now" (out in a greater public),
> it tends to create trust issues, just for being there*.
>
> As this only works with uprobes enabled and has no use case besides a
> developer debugging apps, the question is:
>
> Do we need this for all others out there enabled by default?

Both systemtap and bpftrace can use uprobes.  Those capabilities have
been important from time to time in my job.  That does not mean that
my ability to do my job should outweigh security concerns, of course,
but I think some effort should be made to find out if use of uprobes
via systemtap and bpftrace is common amongst Fedora users.
-- 
Jerry James
http://www.jamezone.org/