On Sun, May 17, 2026 at 6:49 AM Sasha Levin <[email protected]> wrote: > > When a kernel (security) issue goes public, fleets stay exposed until a > patched > kernel is built, distributed, and rebooted into. > > For many such issues the simplest mitigation is to stop calling the buggy > function. Killswitch provides that. An admin writes: > > echo "engage af_alg_sendmsg -1" \ > > /sys/kernel/security/killswitch/control > > After this, af_alg_sendmsg() returns -EPERM on every call without > running its body. The mitigation takes effect immediately, and is dropped on > the next reboot -- by which point a patched kernel is hopefully in place. > > A lot of recent kernel issues sit in code paths most installs only have > enabled > to support a relative minority of users: AF_ALG, ksmbd, nf_tables, vsock, > ax25, > and friends. > > For most users, the cost of "this socket family stops working for the day" is > much smaller than the cost of running a known vulnerable kernel until the fix > lands. > > Why not an existing facility: > > * livepatch needs a built, signed, per-kernel-version module per CVE. > Under Secure Boot the operator can't sign their own, so they wait > for the vendor, and only a minority of vendors actually ship > livepatches. Killswitch covers the days before that module shows > up. > > * fail_function (CONFIG_FUNCTION_ERROR_INJECTION) is disabled in > most production kernels. Even where enabled, it only works on > functions pre-annotated with ALLOW_ERROR_INJECTION() in source - > no help for a freshly-disclosed CVE. The debugfs UI is blocked by > lockdown=integrity and the override is probabilistic. > > * BPF override (bpf_override_return) honors the same > ALLOW_ERROR_INJECTION() whitelist, and BPF itself is off in many > production kernels. Even where on, the operator interface is > "load a verified BPF program," not a one-line write.
If it is OK for killswitch to attach to any kernel functions, do we still need ALLOW_ERROR_INJECTION() for fail_function and BPF override? Shall we instead also allow fail_function and BPF override to attach to any kernel functions? Thanks, Song
