On Thu, 2024-05-09 at 10:30 +0200, Jiri Olsa wrote: > > Per the earlier discussion, this cannot be reached unless uretprobes are in > > use, > > which cannot happen without something with privileges taking an action. But > > are > > uretprobes ever used for monitoring applications where security is > > important? Or > > is it strictly a debug-time thing? > > sorry, I don't have that level of detail, but we do have customers > that use uprobes in general or want to use it and complain about > the speed > > there are several tools in bcc [1] that use uretprobes in scripts, > like: > memleak, sslsniff, trace, bashreadline, gethostlatency, argdist, > funclatency Is it possible to have shadow stack only use the non-syscall solution? It seems it exposes a more limited compatibility in that it only allows writing the specific trampoline address. (IIRC) Then shadow stack users could still use uretprobes, but just not the new optimized solution. There are already operations that are slower with shadow stack, like longjmp(), so this could be ok maybe.
