Adding bpf to CONFIG_LSM in 5.13 kernels

Bug #1964941 reported by Michal Rostecki
This bug affects 4 people
Affects: linux (Ubuntu); Status: Triaged; Importance: Medium; Assigned to: Unassigned

Bug Description

The Linux kernel since 5.7 allows writing eBPF programs which can be attached to LSM hooks. More details here:

https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html

There are already projects trying to leverage that:

systemd with the restrict-fs feature
https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c

https://github.com/linux-lock/bpflock

https://github.com/lockc-project/lockc

However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM.
That was already done in:

Arch Linux

https://github.com/archlinux/svntogit-packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963

Fedora

https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34&id=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291

openSUSE

https://github.com/openSUSE/kernel-source/commit/c2c25b18721866d6211054f542987036ed6e0a50

Could we please enable BPF LSM in Ubuntu kernels as well? Without that change, users trying to play with the mentioned projects have to edit their /etc/default/grub to add the bpf LSM.

Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1964941

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
Cameron Walker (cameron-walker-f5) wrote (last edit):

I also noticed this issue with the latest Ubuntu 22.04 amd64 release image (ami-09d56f8956ab235b3). It does not have "bpf" in CONFIG_LSM.

root@xxxx:/home/ubuntu# uname -a
Linux xxxx 5.15.0-1004-aws #6-Ubuntu SMP Thu Mar 31 09:44:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
root@xxxx:/home/ubuntu#

root@xxxx:/home/ubuntu# grep LSM /boot/config-$(uname -r)
CONFIG_BPF_LSM=y
CONFIG_IIO_ST_LSM6DSX=m
CONFIG_IIO_ST_LSM6DSX_I2C=m
CONFIG_IIO_ST_LSM6DSX_SPI=m
CONFIG_IIO_ST_LSM6DSX_I3C=m
CONFIG_IIO_ST_LSM9DS0=m
CONFIG_IIO_ST_LSM9DS0_I2C=m
CONFIG_IIO_ST_LSM9DS0_SPI=m
CONFIG_LSM_MMAP_MIN_ADDR=0
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_IMA_LSM_RULES=y
CONFIG_LSM="landlock,lockdown,yama,integrity,apparmor"
root@xxxx:/home/ubuntu#

Update: I thought this was an immutable kernel config option, but I found the corresponding kernel boot flag.

./Documentation/admin-guide/kernel-parameters.txt

        lsm=lsm1,...,lsmN
                        [SECURITY] Choose order of LSM initialization. This
                        overrides CONFIG_LSM, and the "security=" parameter.
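The check and the lsm= override this comment describes, as an added example that is not from the bug report or from any of the listed projects; the --live flag and the paths inspected under main are assumptions of the example:

```shell
#!/bin/sh
# Added example, not code from the bug report: check whether "bpf" is in the
# CONFIG_LSM of a kernel config file and, if not, build the lsm= boot parameter
# that overrides CONFIG_LSM (kernel-parameters.txt, quoted above). The --live
# flag and the paths under main are assumptions of this example.

# Print the CONFIG_LSM value of config file $1 without its quotes.
config_lsm_list() {
    sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' "$1"
}

# Succeed if comma-separated list $1 contains LSM $2 as a whole name
# (so "lock" does not match "lockdown").
lsm_enabled() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print list $1 with LSM $2 appended; the existing order is kept so the
# distribution's other LSMs (apparmor on Ubuntu) still initialize as before.
lsm_with() {
    if lsm_enabled "$1" "$2"; then printf '%s\n' "$1"; else printf '%s,%s\n' "$1" "$2"; fi
}

# Print the lsm= parameter needed for config $1, or nothing if bpf is already
# listed. lsm= cannot add an LSM the kernel was not built with, so
# CONFIG_BPF_LSM=y is required (the Ubuntu config quoted above has it).
lsm_boot_param() {
    grep -qx 'CONFIG_BPF_LSM=y' "$1" ||
        { echo "CONFIG_BPF_LSM not set in $1; lsm= cannot enable bpf" >&2; return 2; }
    list=$(config_lsm_list "$1")
    lsm_enabled "$list" bpf || printf 'lsm=%s\n' "$(lsm_with "$list" bpf)"
}

# Live check of the running kernel, like the comment above. Prints advice only;
# it does not edit /etc/default/grub.
main() {
    cfg="/boot/config-$(uname -r)"
    # securityfs lists what the booted kernel actually enabled, including any
    # lsm= override already on the command line.
    [ -r /sys/kernel/security/lsm ] && echo "active LSMs: $(cat /sys/kernel/security/lsm)"
    param=$(lsm_boot_param "$cfg") || return $?
    if [ -z "$param" ]; then echo "bpf already in CONFIG_LSM of $cfg"; return 0; fi
    echo "add '$param' to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub, then run update-grub"
}

if [ "${1:-}" = "--live" ]; then main; fi
```

Run it with --live on the affected AWS kernel to get the lsm= line to add; after update-grub and a reboot, /sys/kernel/security/lsm should list bpf.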

Revision history for this message
Launchpad Janitor (janitor) wrote:

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired
Changed in linux (Ubuntu):
status: Expired → Triaged
importance: Undecided → Medium