On Fri, Feb 18, 2022 at 4:27 PM Roberto Sassu via devel <devel@lists.fedoraproject.org> wrote: > > Hi everyone > > I have very exciting news to share. > > Given the difficulty to have the DIGLIM kernel patches > accepted, I checked if I could achieve the same goals > with an eBPF program. > > I focused only on the functionality side, it is probably > required some support from the kernel to have the > same security guarantees of an LSM integrated in the > kernel. > > But, at least for the functionality part, I would say that > thanks to the very extensive support from eBPF, I managed > to almost match what I provided with the kernel patches > (at least for appraisal, not for measurement). > > This is the repo with the code: > > https://github.com/robertosassu/diglim-ebpf > > and the Copr project with binary packages: > > https://copr.fedorainfracloud.org/coprs/robertosassu/DIGLIM-eBPF/ > > Unfortunately, due to a feature introduced only recently > (allow sleepable programs to use the inode map), it will > work only with Fedora 36. Probably, commit 0fe4b381a59e > ("bpf: Allow bpf_local_storage to be used by sleepable programs) > applied to the kernel 5.16 would be sufficient to use > DIGLIM eBPF also in Fedora 35. > > Unlike the previous version of DIGLIM, this one does not > have any dependency (I just had to add rpmplugin.h in > the rpm-devel package). > > It can be configured with two simple commands (please > do it in a testing VM): > > # dnf copr enable robertosassu/DIGLIM-eBPF > # diglim_setup.sh install --default > > After reboot, the kernel will refuse to execute anything > that is not in a package. Updating a package or installing > new ones is supported, DIGLIM eBPF takes care of loading > the new reference values. > > Adding custom software is also possible, as shown with the > following commands: > > # ./script.sh > -bash: ./script.sh: /bin/bash: bad interpreter: Operation not permitted > # compact_gen -d /etc/digest_lists -i script.sh > # diglim_user_client -o add -p /etc/digest_lists/0-file_list-compact-script.sh > Digest list command successful > # ./script.sh > Hello world! > > I know it is too late for Fedora 36, but I hope you could > consider this version for Fedora 37. In the meantime, I will > work on the security guarantees (signature verification of > the digest lists, avoid unplugging of the LSM). > > Any comment or suggestion is very appreciated! > > Thanks > > Roberto
I seem to remember discussions about eBPF programs having certain limitations (related to kernel Lockdown patches and Secure Boot). Has this changed? Is running eBPF programs in stock Fedora (with Secure Boot enabled) possible now? Fabio _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
