Re: [PATCH RESEND] kprobes: Blacklist risky functions from being probed

From: Peter Zijlstra

Date: Thu Dec 04 2025 - 09:50:29 EST


On Thu, Dec 04, 2025 at 11:41:41AM -0300, ellyndra wrote:
> From: Elly I Esparza <ellyesparza8@xxxxxxxxx>
>
> Blacklist 'x64_sys_call()' from being kprobed to prevent syscall hooking
> techniques that overwrite the content of a 'case' block inside the main
> syscall dispatch switch statement.
>
> Also blacklist 'kallsyms_lookup_name()' to prevent a potential bypass
> of the blacklist, since this function can be used to discover and target
> arbitrary kernel symbols.
>
> Add a Kconfig option under security/ to enable or disable this feature.
>
> Signed-off-by: Elly I Esparza <ellyesparza8@xxxxxxxxx>
> ---

I'd be okay doing this unconditionally. Pretty much everything else
until that point lives in noinstr which is already excluded from probes.
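A practitioner reviewing this patch will want a way to confirm, on a running kernel, whether the two symbols the commit message names are actually rejected by the kprobe blacklist. The following shell snippet is an added example and is not part of the thread or of the patch; it assumes debugfs is mounted at /sys/kernel/debug and readable (normally root only), that the kernel exports the blacklist at /sys/kernel/debug/kprobes/blacklist in the usual "0x<start>-0x<end>\t<symbol>" line format, and it falls back to a constructed sample file (fake addresses, labelled as such) so it can also run offline, modelling a kernel in which kallsyms_lookup_name is blacklisted but x64_sys_call is not.

```shell
#!/bin/sh
# Added example, not from the patch or the thread: check whether a symbol is in
# the kernel's kprobe blacklist. A blacklisted symbol cannot have a kprobe
# registered on it, which is what the patch under discussion relies on.

# Return 0 if SYMBOL appears in the blacklist FILE (default: the real debugfs
# file), 1 if it does not, 2 if the file cannot be read.
# Each blacklist line looks like: 0x<start>-0x<end><TAB><symbol>
kprobe_blacklist_has() {
    sym="$1"
    file="${2:-/sys/kernel/debug/kprobes/blacklist}"
    [ -r "$file" ] || { echo "cannot read $file (debugfs mounted? root?)" >&2; return 2; }
    # Default awk field splitting puts the symbol name in $2.
    awk -v s="$sym" '$2 == s { found = 1 } END { exit found ? 0 : 1 }' "$file"
}

# Constructed sample blacklist for offline runs: the addresses are fake, and
# only kallsyms_lookup_name is listed, i.e. a kernel without the patch applied.
SAMPLE_BLACKLIST=$(mktemp)
printf '0x%s-0x%s\t%s\n' ffffffff81000000 ffffffff81000100 kallsyms_lookup_name > "$SAMPLE_BLACKLIST"

# Use the real debugfs file when it is readable, otherwise the constructed sample.
BLACKLIST=/sys/kernel/debug/kprobes/blacklist
[ -r "$BLACKLIST" ] || BLACKLIST="$SAMPLE_BLACKLIST"

for sym in x64_sys_call kallsyms_lookup_name; do
    if kprobe_blacklist_has "$sym" "$BLACKLIST"; then
        echo "$sym: blacklisted (kprobe registration would be rejected)"
    else
        echo "$sym: not in blacklist (a kprobe could be placed here)"
    fi
done
```

Run it as root on a kernel with CONFIG_KPROBES to see the live result; on a kernel with this patch applied both symbols should report as blacklisted, and on an unpatched kernel x64_sys_call typically does not (Peter's point about noinstr applies to the entry code before that dispatch function, not to x64_sys_call itself).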