| 2024-02-23 12:22:34 |
roblabla |
bug |
|
|
added bug |
| 2024-02-27 10:00:23 |
roblabla |
description |
Linux kernel since 5.7 allows to write eBPF programs which can be attached to LSM hooks. More details here:
https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html
There are already projects trying to leverage that
systemd with the restrict-fs feature
https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c
https://github.com/linux-lock/bpflock
https://github.com/lockc-project/lockc
However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM.
That was already done in:
Arch Linux
https://github.com/archlinux/svntogit-packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963
Fedora
https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34&id=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291
openSUSE
https://github.com/openSUSE/kernel-source/commit/c2c25b18721866d6211054f542987036ed6e0a50
Could we please enable BPF LSM in Ubuntu kernels as well? Without that change, users trying to play with the mentioned projects have to edit their /etc/default/grub to add bpf LSM. |
Linux kernel since 5.7 allows to write eBPF programs which can be attached to LSM hooks. More details here:
https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html
There are already projects trying to leverage that
systemd with the restrict-fs feature
https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c
https://github.com/linux-lock/bpflock
https://github.com/lockc-project/lockc
However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM.
That was already done in:
Arch Linux
https://github.com/archlinux/svntogit-packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963
Fedora
https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34&id=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291
openSUSE
https://github.com/openSUSE/kernel-source/commit/c2c25b18721866d6211054f542987036ed6e0a50
Debian
https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/config/config?ref_type=heads#L7713
RedHat
https://access.redhat.com/labs/rhcb/RHEL-8.9/kernel-4.18.0-513.18.1.el8/source/blob/redhat/configs/generic/CONFIG_LSM
Could we please enable BPF LSM in Ubuntu kernels as well? Without that change, users trying to play with the mentioned projects have to edit their /etc/default/grub to add bpf LSM. |
|
| 2024-04-08 23:48:18 |
Launchpad Janitor |
linux (Ubuntu): status |
New |
Confirmed |
|
| 2024-04-17 20:05:20 |
Joseph Salisbury |
linux (Ubuntu): importance |
Undecided |
Medium |
|
| 2024-04-17 20:05:29 |
Joseph Salisbury |
linux (Ubuntu): assignee |
|
Joseph Salisbury (jsalisbury) |
|
| 2024-04-17 20:05:53 |
Joseph Salisbury |
nominated for series |
|
Ubuntu Mantic |
|
| 2024-04-17 20:05:53 |
Joseph Salisbury |
bug task added |
|
linux (Ubuntu Mantic) |
|
| 2024-04-17 20:05:53 |
Joseph Salisbury |
nominated for series |
|
Ubuntu Jammy |
|
| 2024-04-17 20:05:53 |
Joseph Salisbury |
bug task added |
|
linux (Ubuntu Jammy) |
|
| 2024-04-17 20:05:53 |
Joseph Salisbury |
nominated for series |
|
Ubuntu Noble |
|
| 2024-04-17 20:05:53 |
Joseph Salisbury |
bug task added |
|
linux (Ubuntu Noble) |
|
| 2024-04-17 20:05:59 |
Joseph Salisbury |
linux (Ubuntu Mantic): status |
New |
Triaged |
|
| 2024-04-17 20:06:02 |
Joseph Salisbury |
linux (Ubuntu Jammy): status |
New |
Triaged |
|
| 2024-04-17 20:06:05 |
Joseph Salisbury |
linux (Ubuntu Noble): status |
Confirmed |
Triaged |
|
| 2024-04-17 20:06:08 |
Joseph Salisbury |
linux (Ubuntu Mantic): importance |
Undecided |
Medium |
|
| 2024-04-17 20:06:10 |
Joseph Salisbury |
linux (Ubuntu Jammy): importance |
Undecided |
Medium |
|
| 2024-04-17 20:06:13 |
Joseph Salisbury |
linux (Ubuntu Mantic): assignee |
|
Joseph Salisbury (jsalisbury) |
|
| 2024-04-17 20:06:15 |
Joseph Salisbury |
linux (Ubuntu Jammy): assignee |
|
Joseph Salisbury (jsalisbury) |
|
