Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp4461843rwb;
        Mon, 21 Nov 2022 07:53:43 -0800 (PST)
X-Google-Smtp-Source: AA0mqf7hma1mx8/Ae5RNEJHW3tf01uiQc+ShO9JNUF4giGjoTB6/ujgZwZThUvDxwhGxRoya9AWk
X-Received: by 2002:a17:90a:4147:b0:214:2214:869e with SMTP id m7-20020a17090a414700b002142214869emr27909763pjg.76.1669046023473;
        Mon, 21 Nov 2022 07:53:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1669046023; cv=none;
        d=google.com; s=arc-20160816;
        b=pzDZ25wjn6Rt7255beiGeCJ1W5uUtxW6nlHmz7oUjPdYiwcUATg7Y0wzUdYhTGzH45
         ZdTlrw5Xg+ARon1jjfAXKszPqlwOGtw3BqfxS3a3ZqBkCPjdWFs2ILlXeo62/cnve0wI
         gO8RNweM2DDtAs7BbWuK1l7q79aNEb9MiziD0D5hnxZDtGP/f2dLpBeV1Ou4oVtt/ih5
         phSW9QXVwxypF0mCibOWiWbga+PWlWxzVFTItLAX8+E7P4dAmYbjUUfr6hIc0Ct4J9u2
         O5ZOUAzIhxEZS+tBYkiuseBFu4b5BTG+oh8gWr8QwYImGs7GvdrqN7T5AEevWraCNhzn
         Z5/g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=6jUJetri9oaHtQAi0FaEBbw4oTjv6RH1wAXYYuoldoI=;
        b=y9IMdHEt3iFZFt0Zp7BEDZAEr28FizWSciY+0+r8gxhNWsVUP89FaEqtCkT3G65n71
         QH56Kp2+JOjg8oF/58ZJ39B10oIcsZA+hO+Dhw+5PnAv2bqEAdCtLnZQFWOv36Os5znH
         z6iW2XTczT/OhmcG8pFdbOTYuArWfFO/IzWh0VknMsUl53HtN5HqdLhyk7AMrv0MnRf7
         Q1E9f0g2W5E5joyI1Y2/U1ZIGLVTuejfuCqNjijb7O5oY+9PmFpigupHfm9yDkcAk6FQ
         d76AiaDDJBLbmNoznPB9xasK0gg/ofvQ4on7KNwDrvaWjkY4u2MwfC1C9Cw+9QOxd1ZW
         5ygw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=cLN2HXPq;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id z6-20020a17090acb0600b002008d0b0838si10214016pjt.178.2022.11.21.07.53.32;
        Mon, 21 Nov 2022 07:53:43 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=cLN2HXPq;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230468AbiKUPbv (ORCPT <rfc822;2bno13@gmail.com> + 91 others);
        Mon, 21 Nov 2022 10:31:51 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57090 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232391AbiKUPb2 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 21 Nov 2022 10:31:28 -0500
Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AE3AABA59B
        for <linux-kernel@vger.kernel.org>; Mon, 21 Nov 2022 07:30:10 -0800 (PST)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 5EE46B810A8
        for <linux-kernel@vger.kernel.org>; Mon, 21 Nov 2022 15:30:09 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 247F0C4347C
        for <linux-kernel@vger.kernel.org>; Mon, 21 Nov 2022 15:30:08 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1669044608;
        bh=aFTolxzt0R2H3SpbdBNTNqc5USoDLvTFgxXSFnvJ4ts=;
        h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
        b=cLN2HXPqBvynej0YnscnFIDytdgN6QcOf1rw3DvzdDg+afZGJENgxIcHdq+j4nHS0
         3vBxF7NqUyZ7PFCcKzEW88y2zqga3L21rQS1Ox3a5Rq4CdUtzQHgR/YUFlkXrI2jF2
         V1/F/qALui/Dfszu2aPViNJVu7shr3O1ECNK4/Ipe5wiXVXRndtRZ/DgJROdvBMa/L
         2Tr926igsLYuzQ7GrsX2GU7nwdPqkO6khu5K5ZFsh1mYbfOH1a00lYjJ5fD09G05+e
         9ab/vg3eOlZCUwH7+kn60/1aR0cM8L7zFC75GHFqLyPd7uSk8XdkwcxAGce8CRXWqG
         OMZZSDD83GucA==
Received: by mail-lf1-f41.google.com with SMTP id a29so19318526lfj.9
        for <linux-kernel@vger.kernel.org>; Mon, 21 Nov 2022 07:30:08 -0800 (PST)
X-Gm-Message-State: ANoB5pkYjIxoeaOGKmjizx2oMPeSXYsLGxXBknAKJnBwIH71tmI4zzEg
        YlaEP2FqF5wz/IDGNAndIpH607AQFZeh+ZqpOlcsKA==
X-Received: by 2002:a19:5049:0:b0:4b4:661a:1ce1 with SMTP id
 z9-20020a195049000000b004b4661a1ce1mr3765485lfj.136.1669044606050; Mon, 21
 Nov 2022 07:30:06 -0800 (PST)
MIME-Version: 1.0
References: <20221108220651.24492-1-revest@chromium.org> <CAADnVQ+BWpzqOV8dGCR=A3dR3u60CkBkqSXEQHe2kVqFzsgnHw@mail.gmail.com>
 <20221117121617.4e1529d3@gandalf.local.home> <d24cded7-87b1-89f5-fc2a-5346669f6d57@meta.com>
 <20221117174030.0170cd36@gandalf.local.home> <Y3e0KtnQrudxiZbz@FVFF77S0Q05N.cambridge.arm.com>
 <20221118114519.2711d890@gandalf.local.home> <43d5d1f5-c01d-c0db-b421-386331c2b8c1@meta.com>
 <20221118130608.5ba89bd8@gandalf.local.home> <2ab2b854-723a-5f15-8c18-0b5730d1b535@meta.com>
 <CACYkzJ613nhXViBpDuGWeEWzjfSJjbB1=KNpYtNDC6Xn7yizbw@mail.gmail.com> <20221121101537.674f5aca@gandalf.local.home>
In-Reply-To: <20221121101537.674f5aca@gandalf.local.home>
From:   KP Singh <kpsingh@kernel.org>
Date:   Mon, 21 Nov 2022 16:29:54 +0100
X-Gmail-Original-Message-ID: <CACYkzJ6n-9rH7hCeFVtFYFQ9+6MOuQ+J6LwR4PJ6zUN7w3zQhA@mail.gmail.com>
Message-ID: <CACYkzJ6n-9rH7hCeFVtFYFQ9+6MOuQ+J6LwR4PJ6zUN7w3zQhA@mail.gmail.com>
Subject: Re: [RFC 0/1] BPF tracing for arm64 using fprobe
To:     Steven Rostedt <rostedt@goodmis.org>
Cc:     Chris Mason <clm@meta.com>, Mark Rutland <mark.rutland@arm.com>,
        Alexei Starovoitov <alexei.starovoitov@gmail.com>,
        Florent Revest <revest@chromium.org>,
        bpf <bpf@vger.kernel.org>, Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Andrii Nakryiko <andrii@kernel.org>,
        Brendan Jackman <jackmanb@google.com>, markowsky@google.com,
        Masami Hiramatsu <mhiramat@kernel.org>,
        Xu Kuohai <xukuohai@huawei.com>,
        LKML <linux-kernel@vger.kernel.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Christoph Hellwig <hch@infradead.org>,
        Peter Zijlstra <peterz@infradead.org>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Nov 21, 2022 at 4:15 PM Steven Rostedt <rostedt@goodmis.org> wrote:
>
> On Mon, 21 Nov 2022 14:47:10 +0100
> KP Singh <kpsingh@kernel.org> wrote:
>
> > This annotation already exists, i.e. ALLOW_ERROR_INJECTION
> >
> > Users, with CONFIG_FUNCTION_ERROR_INJECTION, can already modify return
> > values of kernel functions using kprobes and the failure injection
> > framework [1] for functions annotated with ALLOW_ERROR_INJECTION.
> >
> > BPF just provides another way to do the same thing with "modify
> > return" programs and this also respects the error injection list [2]
> > and users can *only* attach these programs to the functions annotated
> > with ALLOW_ERROR_INJECTION.
>
> WAIT!
>
> Looking at the Kconfigs, I see
>
> CONFIG_FUNCTION_ERROR_INJECTION is set when
> CONFIG_HAVE_FUNCTION_ERROR_INJECTION is set, and when CONFIG_KPROBES is set.
>
> And ALLOW_ERROR_INJECTION() is set when CONFIG_FUNCTION_ERROR_INJECTION is.
>
> There's no way to turn it off on x86 except by disabling kprobes!
>
> WTF!
>
> I don't want a kernel that can add error injection just because kprobes is
> enabled. There's two kinds of kprobes. One that is for visibility only (for
> tracing) and one that can be used for functional changes. I want the
> visibility without the ability to change the kernel. The visibility portion
> is very useful for security, where as the modifying one can be used to
> circumvent security.

I am not sure how they can circumvent security since this needs root /
root equivalent permissions. Fault injection is actually a very useful
debugging tool.

>
> As kprobes are set in most production environments, so is error injection.
> Do we really want error injection enabled on production environments?
> I don't.
>
> I think we need this patch ASAP!
>
> -- Steve
>
> diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
> index c3c0b077ade3..9ee72d8860c3 100644
> --- a/lib/Kconfig.debug
> +++ b/lib/Kconfig.debug
> @@ -1874,8 +1874,14 @@ config NETDEV_NOTIFIER_ERROR_INJECT
>           If unsure, say N.
>
>  config FUNCTION_ERROR_INJECTION
> -       def_bool y
> +       bool "Fault-injections of functions"
>         depends on HAVE_FUNCTION_ERROR_INJECTION && KPROBES
> +       help
> +         Add fault injections into various functions that are annotated with
> +         ALLOW_ERROR_INJECTION() in the kernel. BPF may also modify the return
> +         value of theses functions. This is useful to test error paths of code.
> +
> +         If unsure, say N
>
>  config FAULT_INJECTION
>         bool "Fault-injection framework"