[Kernel-packages] [Bug 1964941] Re: Adding bpf to CONFIG_LSM in 5.13 kernels

Cameron Walker Tue, 26 Apr 2022 11:30:56 -0700

I also noticed this issue with the latest Ubuntu 22.04 amd64 release
image (ami-09d56f8956ab235b3). It does not have "bpf" in CONFIG_LSM.


root@xxxx:/home/ubuntu# uname -a
Linux xxxx 5.15.0-1004-aws #6-Ubuntu SMP Thu Mar 31 09:44:20 UTC 2022 x86_64 
x86_64 x86_64 GNU/Linux
root@xxxx:/home/ubuntu#

root@xxxx:/home/ubuntu# grep LSM /boot/config-$(uname -r)
CONFIG_BPF_LSM=y
CONFIG_IIO_ST_LSM6DSX=m
CONFIG_IIO_ST_LSM6DSX_I2C=m
CONFIG_IIO_ST_LSM6DSX_SPI=m
CONFIG_IIO_ST_LSM6DSX_I3C=m
CONFIG_IIO_ST_LSM9DS0=m
CONFIG_IIO_ST_LSM9DS0_I2C=m
CONFIG_IIO_ST_LSM9DS0_SPI=m
CONFIG_LSM_MMAP_MIN_ADDR=0
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_IMA_LSM_RULES=y
CONFIG_LSM="landlock,lockdown,yama,integrity,apparmor"
root@xxxx:/home/ubuntu#


Update: I thought this was an immutable kernel config option, but I found the 
corresponding kernel boot flag.

./Documentation/admin-guide/kernel-parameters.txt

        lsm=lsm1,...,lsmN
                        [SECURITY] Choose order of LSM initialization. This
                        overrides CONFIG_LSM, and the "security=" parameter.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1964941

Title:
   Adding bpf to CONFIG_LSM in 5.13 kernels

Status in linux package in Ubuntu:
  Incomplete

Bug description:
  Linux kernel since 5.7 allows to write eBPF programs which can be
  attached to LSM hooks. More details here:

  https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html

  There are already projects trying to leverage that

  systemd with the restrict-fs feature
  
https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c

  https://github.com/linux-lock/bpflock

  https://github.com/lockc-project/lockc

  However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM.
  That was already done in:

  Arch Linux

  https://github.com/archlinux/svntogit-
  packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963

  Fedora

  
https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34&id=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291

  openSUSE

  https://github.com/openSUSE/kernel-
  source/commit/c2c25b18721866d6211054f542987036ed6e0a50

  Could we please enable BPF LSM in Ubuntu kernels as well? Without that
  change, users trying to play with the mentioned projects have to edit
  their /etc/default/grub to add bpf LSM.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1964941/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1964941] Re: Adding bpf to CONFIG_LSM in 5.13 kernels

Reply via email to