[go: up one dir, main page]
|
|
Log in / Subscribe / Register

Auditing io_uring

Auditing io_uring

Posted Jun 4, 2021 1:58 UTC (Fri) by dancol (guest, #142293)
Parent article: Auditing io_uring

Runtime code patching *is* the answer here, sorry. Static keys work fine. What *exactly* is the security concern behind runtime code patching to enable audit rules?

It seems to me like the opposition there is just more "it sounds scary, so no way" FUD-based superstition. Runtime code patching works fine and has worked fine for many years. I can't think of a single good reason that the audit subsystem is too precious for it.

to post comments

Auditing io_uring

Posted Jun 4, 2021 13:35 UTC (Fri) by Paf (subscriber, #91811) [Link]

A very good variation was suggested above:

Patch *out* auditing at runtime, if not having it compiled in gives certification people the willies. (Now if we’re opposed to that, we have to ask ourselves why... and if the security certification people aren’t being so crazy after all.)

Auditing io_uring

Posted Jun 4, 2021 15:59 UTC (Fri) by Nahor (subscriber, #51583) [Link] (4 responses)

My bikeshed guess is that they don't want the attacker to be able to disable the audit. Patching out would not solve that problem.

Auditing io_uring

Posted Jun 4, 2021 19:03 UTC (Fri) by zlynx (guest, #2285) [Link] (3 responses)

What do they imagine would stop the attacker from loading a module of their own to patch out the audit code?

Auditing io_uring

Posted Jun 4, 2021 20:05 UTC (Fri) by Nahor (subscriber, #51583) [Link] (2 responses)

I was thinking that with patching out disallowed, the kernel could be made read-only by the bootloader, but I guess people who care about auditing could still make the kernel RO anyway, while other keep the kernel RW and can patch out the auditing code.

Auditing io_uring

Posted Jun 4, 2021 20:46 UTC (Fri) by zlynx (guest, #2285) [Link] (1 responses)

I am not sure about all other hardware but on x86 I am fairly sure that the only way to make kernel memory truly read-only is with a hypervisor enforcing it. Otherwise anything running at the kernel level can set it read-write again.

This is what Windows does with the Core Isolation setting, which uses Hyper-V to protect the kernel and selected drivers even from other driver code.

So I suppose that if you have a boot loader which can set up and configure a virtual machine to load the kernel into then you could have a read-only kernel image.

Auditing io_uring

Posted Jun 4, 2021 20:54 UTC (Fri) by Nahor (subscriber, #51583) [Link]

An article about making x86 trustworthy was just mentioned yesterday in the LWN weekly edition (https://mjg59.dreamwidth.org/57199.html).

But I'm guessing the issue of audit an io_uring is not specific to x86 anyway.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds