Ubuntu
linux package

Adding bpf to CONFIG_LSM in linux kernel

Jammy (22.04)
Bug #2054810

Bug #2054810 reported by roblabla on 2024-02-23

18

This bug affects 5 people

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Triaged	Medium	Joseph Salisbury
	Jammy	Triaged	Medium	Joseph Salisbury
	Mantic	Triaged	Medium	Joseph Salisbury
	Noble	Triaged	Medium	Joseph Salisbury

Bug Description

Linux kernel since 5.7 allows to write eBPF programs which can be attached to LSM hooks. More details here:

https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html

There are already projects trying to leverage that

systemd with the restrict-fs feature
https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c

https://github.com/linux-lock/bpflock

https://github.com/lockc-project/lockc

However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM.
That was already done in:

Arch Linux

https://github.com/archlinux/svntogit-packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963

Fedora

https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34&id=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291

openSUSE

https://github.com/openSUSE/kernel-source/commit/c2c25b18721866d6211054f542987036ed6e0a50

Debian

https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/config/config?ref_type=heads#L7713

RedHat

https://access.redhat.com/labs/rhcb/RHEL-8.9/kernel-4.18.0-513.18.1.el8/source/blob/redhat/configs/generic/CONFIG_LSM

Could we please enable BPF LSM in Ubuntu kernels as well? Without that change, users trying to play with the mentioned projects have to edit their /etc/default/grub to add bpf LSM.

See original description

Revision history for this message

roblabla (roblabla) wrote on 2024-02-23:

#1

(This is reposting 1964941 which appears to have expired)

roblabla (roblabla) on 2024-02-27

description:

updated

Revision history for this message

Eric Sheridan (esheri3) wrote on 2024-04-08:

#2

Can Ubuntu please consider addressing this as a part of the upcoming 24 LTS release? The ability to leverage LSM based BPF programs on Ubuntu out-of-the-box (ie. without having to update grub and rebooting) opens the door to a growing ecosystem of security tooling. There are major computing environments for which the community cannot control things like Grub settings - such as the Ubuntu images used by Microsoft (via GitHub Actions, Azure Pipelines), GitLab (via Jobs), AWS (via vanilla EC2 instances), etc.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2024-04-08:

#3

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status:	New → Confirmed

Joseph Salisbury (jsalisbury) on 2024-04-17

Changed in linux (Ubuntu):
importance:	Undecided → Medium
assignee:	nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Mantic):
status:	New → Triaged
Changed in linux (Ubuntu Jammy):
status:	New → Triaged
Changed in linux (Ubuntu Noble):
status:	Confirmed → Triaged
Changed in linux (Ubuntu Mantic):
importance:	Undecided → Medium
Changed in linux (Ubuntu Jammy):
importance:	Undecided → Medium
Changed in linux (Ubuntu Mantic):
assignee:	nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Jammy):
assignee:	nobody → Joseph Salisbury (jsalisbury)

Revision history for this message

Eric Sheridan (esheri3) wrote on 2024-04-18:

#4

Joseph - thanks for looking into this. Please let me know if I can be of assistance. I'd be happy to test out the corresponding changes on my end. Just let me know - thank you!!

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2024-04-18:

#5

Thanks, Eric! I'm going to build some test kernels and will post them shortly.

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #1964941

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.