Super cool. Also, love reading high quality linux patches. I think many, myself previously included, are afraid to even read the kernel source as one thinks it must be super complex. Of course some parts really are. However, the code is honestly of such high quality. I also highly value that feeling of realizing something once thought 'arcane' was actually only made by other humans, and it is legal to go read it and learn from it.
by PeterWhittaker
1 subcomments
Clever! I know some will say it's like closing the barn door after the horse left, but having this in place to mitigate future vulnerabilities will be handy.
by Phelinofist
1 subcomments
Could something like this also be done via BPF?
by DoctorOetker
0 subcomment
this sounds simple, but not running a function doesn't on its own mean safe behavior, if the caller code wasn't written keeping in mind this novel potential refusal as an outcome
still i believe this is the right direction
by frumiousirc
3 subcomments
If I'm a malicious actor that gets root, can I killswitch the killswitch?
by tosti
0 subcomment
Better tooling for kpatch would be nice tho
IIRC canonical makes patches for official ubuntu kernels but acts like a Chinese restaurant (closed kitchen, orders come in through a small hatch behind the counter)
by xuhu
0 subcomment
Is there any library that does this safely for user-mode and is currently used in production ?
Hacker News