[ Added Masami too. Start of thread is here: http://lkml.kernel.org/r/20190215174712.372898450@xxxxxxxxxxx ] On Mon, 18 Feb 2019 10:23:44 -0800 Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote: > So it would be good to not just say "user or kernel", but actually say > what *kind* of kernel access it expects. Note, kprobes are a different kind of beast. I've used kprobes to probe userspace information as well as kernel. Heck, I could see someone even using kprobes to probe IO memory to check if a device is doing what they expect it's doing. Basically, a kprobe is mostly used for debugging what's happening in a live kernel, to read any address. But for those that are more security minded, perhaps we could add "layers" via CONFIG or /sys files that prevent kprobes from doing certain kinds of probes? -- Steve