LOCK_DOWN_FORCE_INTEGRITY_FOR_FUZZING?
Tetsuo Handa
penguin-kernel at I-love.SAKURA.ne.jp
Sat Mar 18 06:31:59 UTC 2023
On 2023/03/14 19:02, Dmitry Vyukov wrote:
> At least for us it is OK if it can be enabled only via kernel config
> (no cmd line) and named accordingly
> (TEST_ONLY_DONT_ENABLE_IN_PRODUCTION).
3 years ago, there were several discussions on whether we can use build-time (i.e.
kernel config) options. There was a strong suggestion to use boot-time (i.e. kernel
command line) options for switching because Linux 5.6+ can handle very long kernel
command line using a boot-config file.
https://lkml.kernel.org/r/CAHk-=wiVQUo_RJAaivHU5MFdznNOX4GKgJH1xrFc83e9oLnuvQ@mail.gmail.com
But I think that the reality remains that build-time options are better.
Since I think that syzbot/syzkaller got enough awareness and past record, maybe
it is time to retry persuading Linus about the use of build-time options for fuzzing.
More information about the Linux-security-module-archive
mailing list