[PATCH] killswitch: add per-function short-circuit mitigation primitive
Song Liu
song at kernel.org
Mon May 18 06:31:45 UTC 2026
On Thu, May 14, 2026 at 8:48 PM Paul Moore <paul at paul-moore.com> wrote:
>
> On Thu, May 7, 2026 at 3:05 AM Sasha Levin <sashal at kernel.org> wrote:
> >
> > When a (security) issue goes public, fleets stay exposed until a patched kernel
> > is built, distributed, and rebooted into.
> >
> > For many such issues the simplest mitigation is to stop calling the buggy
> > function. Killswitch provides that. An admin writes:
> >
> >   echo "engage af_alg_sendmsg -1" \
> >       > /sys/kernel/security/killswitch/control
> >
> > After this, af_alg_sendmsg() returns -EPERM on every call without
> > running its body. The mitigation takes effect immediately, and is dropped on
> > the next reboot.
> >
> > A lot of recent kernel issues sit in code paths most installs only have enabled
> > to support a relative minority of users: AF_ALG, ksmbd, nf_tables, vsock, ax25,
> > and friends.
> >
> > For most users, the cost of "this socket family stops working for the day" is
> > much smaller than the cost of running a known vulnerable kernel until the fix
> > lands.
> >
> > Assisted-by: Claude:claude-opus-4-7
> > Signed-off-by: Sasha Levin <sashal at kernel.org>
> > ---
> > Documentation/admin-guide/index.rst | 1 +
> > Documentation/admin-guide/killswitch.rst | 159 ++++
> > Documentation/admin-guide/tainted-kernels.rst | 8 +
> > MAINTAINERS | 11 +
> > include/linux/killswitch.h | 19 +
> > include/linux/panic.h | 3 +-
> > init/Kconfig | 2 +
> > kernel/Kconfig.killswitch | 31 +
> > kernel/Makefile | 1 +
> > kernel/killswitch.c | 798 ++++++++++++++++++
> > kernel/panic.c | 1 +
> > lib/Kconfig.debug | 13 +
> > lib/Makefile | 1 +
> > lib/test_killswitch.c | 85 ++
> > tools/testing/selftests/Makefile | 1 +
> > tools/testing/selftests/killswitch/.gitignore | 1 +
> > tools/testing/selftests/killswitch/Makefile | 8 +
> > .../selftests/killswitch/cve_31431_test.c | 162 ++++
> > .../selftests/killswitch/killswitch_test.sh | 147 ++++
> > 19 files changed, 1451 insertions(+), 1 deletion(-)
> > create mode 100644 Documentation/admin-guide/killswitch.rst
> > create mode 100644 include/linux/killswitch.h
> > create mode 100644 kernel/Kconfig.killswitch
> > create mode 100644 kernel/killswitch.c
> > create mode 100644 lib/test_killswitch.c
> > create mode 100644 tools/testing/selftests/killswitch/.gitignore
> > create mode 100644 tools/testing/selftests/killswitch/Makefile
> > create mode 100644 tools/testing/selftests/killswitch/cve_31431_test.c
> > create mode 100755 tools/testing/selftests/killswitch/killswitch_test.sh
>
> If we made Lockdown an LSM, we should probably also make killswitch an LSM.

I don't think killswitch can stack with other LSMs. In fact, killswitch
can be used to bypass other LSMs, for example:

  echo engage security_file_open 0 > /sys/kernel/security/killswitch/control

will bypass all hooks on security_file_open.

Thanks,
Song

> For the LSM crowd who might be seeing this for the first time, the
> original thread can be found on lore via the link below:
> https://lore.kernel.org/all/20260507070547.2268452-1-sashal@kernel.org
>
> --
> paul-moore.com
>
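
The concern raised in the reply above, as a pre-flight check. This is an added example, not part of the patch or of this message: it vets requests in the `engage <function> <retval>` form quoted in the thread before they are written to the control file, and flags targets with the `security_` prefix used by LSM hook entry points such as security_file_open. The function name `vet_killswitch_line`, its return codes and the sample requests are constructed for illustration.

```shell
#!/bin/sh
# Added example: vet killswitch requests before they are written to
# /sys/kernel/security/killswitch/control.
# Assumption: requests have the form "engage <function> <retval>", as in the
# two commands quoted in the thread; no other verbs are modelled.
#
# Return codes (constructed for this example):
#   0 ok   1 malformed   2 LSM hook forced to 0   3 LSM hook forced to other value
vet_killswitch_line() {
    set -f            # no globbing while word-splitting untrusted input
    set -- $1
    set +f
    if [ "$#" -ne 3 ] || [ "$1" != "engage" ]; then
        echo "malformed: expected 'engage <function> <retval>'"; return 1
    fi
    fn=$2 rv=$3
    case $fn in       # must be a plain C identifier
        [!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "malformed: bad function name"; return 1 ;;
    esac
    case $rv in       # must be an optionally negative decimal integer
        -|*[!0-9-]*|?*-*) echo "malformed: bad return value"; return 1 ;;
    esac
    case $fn in
        security_*)   # prefix used by LSM hook entry points
            if [ "$rv" -eq 0 ]; then
                echo "reject: $fn forced to 0 skips every LSM on this hook"
                return 2
            fi
            echo "review: $fn forced to $rv overrides every LSM on this hook"
            return 3 ;;
    esac
    echo "ok: $fn -> $rv"
}

# Constructed requests; the first two are the commands quoted in the thread.
while IFS= read -r req; do
    vet_killswitch_line "$req" || true
done <<'EOF'
engage af_alg_sendmsg -1
engage security_file_open 0
engage security_file_open -13
engage af_alg_sendmsg; reboot 0
EOF
```
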