Re: [QUESTION] Kprobes as a module?

From: valdis . kletnieks
Date: Tue May 15 2012 - 15:52:17 EST

On Tue, 15 May 2012 17:24:11 +0900, Namhyung Kim said:
> Probably a dumb question :).
> What prevents the kprobes from being built as a module? We want to use
> the kprobes on our systems, but some guys worried about potential
> security problems. So it'd be great if we can enable/load kprobes as
> needed and then disable/unload after using it. Is it a possible senario?

Any troublemaker who has the ability to set a kprobe would probably also
have theability to just re-load the module before setting the kprobe (unless
you go to a *lot* of trouble to compartmentalize the root user).

So it's not clear there's a security benefit from making it a module. If anything,
it makes it *worse* because you can then surprise a sysadmin who *thought*
they were running a KPROBES=n kernel by loading a module and turning it on...

Attachment: pgp00000.pgp
Description: PGP signature