Re: [PATCH v3] killswitch: add per-function short-circuit mitigation primitive

Next message: Jens Remus: "[PATCH v16 11/20] unwind_user/sframe: Show file name in debug output"
Previous message: Simon Horman: "Re: [PATCH net] l2tp: use list_del_rcu in l2tp_session_unhash"
In reply to: Song Liu: "Re: [PATCH v3] killswitch: add per-function short-circuit mitigation primitive"
Next in thread: Song Liu: "Re: [PATCH v3] killswitch: add per-function short-circuit mitigation primitive"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sasha Levin

Date: Thu May 21 2026 - 11:52:09 EST

On Tue, May 19, 2026 at 03:00:15PM -0700, Song Liu wrote:

On Tue, May 19, 2026 at 12:57 PM Sasha Levin <sashal@xxxxxxxxxx> wrote:
[...]

>Fully agree with Song here that there is no clear boundary, and that the
>killswitch could lead to arbitrary, hard to debug breakage if applied to
>the wrong function.. introducing worse bugs than the one being mitigated
>or even /short-circuit LSM enforcement/ (engage security_file_open 0,
>engage cap_capable 0, engage apparmor_* etc).

This is similar to livepatch, right? Do we need guardrails there too?

livepatch has the same guardrails as other kernel modules:
CONFIG_MODULE_SIG, CONFIG_MODULE_SIG_FORCE, etc.

Which the user can choose to enable or disable. Livepatches will work just fine
with CONFIG_MODULE_SIG=n, right?

With the whitelist approach, the user has no choice but to accept it.

Would it make sense to allow disabling the whitelist via a kernel config or
some runtime flag?

--
Thanks,
Sasha