Super cool. Also, love reading high quality linux patches. I think many, myself previously included, are afraid to even read the kernel source as one thinks it must be super complex. Of course some parts really are. However, the code is honestly of such high quality. I also highly value that feeling of realizing something once thought 'arcane' was actually only made by other humans, and it is legal to go read it and learn from it.
Clever! I know some will say it's like closing the barn door after the horse left, but having this in place to mitigate future vulnerabilities will be handy.
I may be wrong, but on a correctly-configured system, one would have to have root access to act nefariously. Since this is intended to prevent exploitation of vulnerabilities that enable privilege escalation, it feels like a net win.
IIRC canonical makes patches for official ubuntu kernels but acts like a Chinese restaurant (closed kitchen, orders come in through a small hatch behind the counter)
Super cool. Also, love reading high quality linux patches. I think many, myself previously included, are afraid to even read the kernel source as one thinks it must be super complex. Of course some parts really are. However, the code is honestly of such high quality. I also highly value that feeling of realizing something once thought 'arcane' was actually only made by other humans, and it is legal to go read it and learn from it.
Clever! I know some will say it's like closing the barn door after the horse left, but having this in place to mitigate future vulnerabilities will be handy.
ok, but what kind of nefarious use case will it enable if it is accessible to malfeasance.
I may be wrong, but on a correctly-configured system, one would have to have root access to act nefariously. Since this is intended to prevent exploitation of vulnerabilities that enable privilege escalation, it feels like a net win.
I guess it could disable the killswitch
besides that.
Better tooling for kpatch would be nice tho
IIRC canonical makes patches for official ubuntu kernels but acts like a Chinese restaurant (closed kitchen, orders come in through a small hatch behind the counter)
If I'm a malicious actor that gets root, can I killswitch the killswitch?
you're on the other side of the secure door already
killswitch is to prevent you from gaining root
Once you’ve got root, you don’t need to exploit compromised code to do whatever you want.