[Kernel-packages] [Bug 2054810] Re: Adding bpf to CONFIG_LSM in linux kernel
Thanks, Eric! I'm going to build some test kernels and will post them shortly.

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2054810

Title:
  Adding bpf to CONFIG_LSM in linux kernel

Status in linux package in Ubuntu:
  Triaged
Status in linux source package in Jammy:
  Triaged
Status in linux source package in Mantic:
  Triaged
Status in linux source package in Noble:
  Triaged

Bug description:
  Linux kernel since 5.7 allows to write eBPF programs which can be attached to LSM hooks. More details here:

  https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html

  There are already projects trying to leverage that

  systemd with the restrict-fs feature
  https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c

  https://github.com/linux-lock/bpflock

  https://github.com/lockc-project/lockc

  However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM. That was already done in:

  Arch Linux
  https://github.com/archlinux/svntogit-packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963

  Fedora
  https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291

  openSUSE
  https://github.com/openSUSE/kernel-source/commit/c2c25b18721866d6211054f542987036ed6e0a50

  Debian
  https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/config/config?ref_type=heads#L7713

  RedHat
  https://access.redhat.com/labs/rhcb/RHEL-8.9/kernel-4.18.0-513.18.1.el8/source/blob/redhat/configs/generic/CONFIG_LSM

  Could we please enable BPF LSM in Ubuntu kernels as well? Without that change, users trying to play with the mentioned projects have to edit their /etc/default/grub to add bpf LSM.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2054810/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
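
The state the bug description reports (BPF LSM usable only once bpf is added to the boot-time LSM list) can be checked from a shell. The script below is an added example, not part of the bug report or of any project it links to; it assumes the kernel config is readable at /boot/config-$(uname -r), that CONFIG_BPF_LSM is the build option for the BPF LSM, and that the lsm= kernel parameter is what gets added in /etc/default/grub. All function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report. On a real host pass
# /boot/config-$(uname -r) and the contents of /sys/kernel/security/lsm.

# config_value FILE KEY: print KEY's value from a kernel config, quotes removed.
config_value() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# lsm_list_has LIST NAME: succeed if NAME is an entry of the comma-separated LIST.
lsm_list_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# bpf_lsm_state CONFIG_FILE ACTIVE_LSMS: classify the kernel as
#   active            bpf is in the running LSM list
#   needs-boot-param  BPF LSM is compiled in but not in the active list
#   not-built         CONFIG_BPF_LSM is not enabled in this kernel
bpf_lsm_state() {
    if lsm_list_has "$2" bpf; then
        echo active
    elif [ "$(config_value "$1" CONFIG_BPF_LSM)" = "y" ]; then
        echo needs-boot-param
    else
        echo not-built
    fi
}

# suggested_lsm_param CONFIG_FILE: print the lsm= boot parameter that keeps the
# build-time CONFIG_LSM order and appends bpf, without duplicating it.
suggested_lsm_param() {
    default_lsms=$(config_value "$1" CONFIG_LSM)
    if lsm_list_has "$default_lsms" bpf; then
        echo "lsm=$default_lsms"
    else
        echo "lsm=${default_lsms:+$default_lsms,}bpf"
    fi
}

# Query the live system only when invoked with "--live".
if [ "${1:-}" = "--live" ]; then
    cfg="/boot/config-$(uname -r)"
    active=$(cat /sys/kernel/security/lsm)
    echo "state: $(bpf_lsm_state "$cfg" "$active")"
    echo "boot parameter: $(suggested_lsm_param "$cfg")"
fi
```

A "needs-boot-param" result is the case the report describes: the printed lsm= value is what would have to be appended to the kernel command line in /etc/default/grub until bpf is part of CONFIG_LSM.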
[Kernel-packages] [Bug 2054810] Re: Adding bpf to CONFIG_LSM in linux kernel
Joseph - thanks for looking into this. Please let me know if I can be of assistance. I'd be happy to test out the corresponding changes on my end. Just let me know - thank you!!
[Kernel-packages] [Bug 2054810] Re: Adding bpf to CONFIG_LSM in linux kernel
** Changed in: linux (Ubuntu) Importance: Undecided => Medium
** Changed in: linux (Ubuntu) Assignee: (unassigned) => Joseph Salisbury (jsalisbury)
** Also affects: linux (Ubuntu Mantic) Importance: Undecided Status: New
** Also affects: linux (Ubuntu Jammy) Importance: Undecided Status: New
** Also affects: linux (Ubuntu Noble) Importance: Medium Assignee: Joseph Salisbury (jsalisbury) Status: Confirmed
** Changed in: linux (Ubuntu Mantic) Status: New => Triaged
** Changed in: linux (Ubuntu Jammy) Status: New => Triaged
** Changed in: linux (Ubuntu Noble) Status: Confirmed => Triaged
** Changed in: linux (Ubuntu Mantic) Importance: Undecided => Medium
** Changed in: linux (Ubuntu Jammy) Importance: Undecided => Medium
** Changed in: linux (Ubuntu Mantic) Assignee: (unassigned) => Joseph Salisbury (jsalisbury)
** Changed in: linux (Ubuntu Jammy) Assignee: (unassigned) => Joseph Salisbury (jsalisbury)
[Kernel-packages] [Bug 2054810] Re: Adding bpf to CONFIG_LSM in linux kernel
Can Ubuntu please consider addressing this as a part of the upcoming 24 LTS release? The ability to leverage LSM based BPF programs on Ubuntu out-of-the-box (ie. without having to update grub and rebooting) opens the door to a growing ecosystem of security tooling. There are major computing environments for which the community cannot control things like Grub settings - such as the Ubuntu images used by Microsoft (via GitHub Actions, Azure Pipelines), GitLab (via Jobs), AWS (via vanilla EC2 instances), etc.
[Kernel-packages] [Bug 2054810] Re: Adding bpf to CONFIG_LSM in linux kernel
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: linux (Ubuntu) Status: New => Confirmed
[Kernel-packages] [Bug 2054810] Re: Adding bpf to CONFIG_LSM in linux kernel
** Description changed: Linux kernel since 5.7 allows to write eBPF programs which can be attached to LSM hooks. More details here: https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html There are already projects trying to leverage that systemd with the restrict-fs feature https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c https://github.com/linux-lock/bpflock https://github.com/lockc-project/lockc However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM. That was already done in: Arch Linux https://github.com/archlinux/svntogit- packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963 Fedora https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291 openSUSE https://github.com/openSUSE/kernel- source/commit/c2c25b18721866d6211054f542987036ed6e0a50 + Debian + + https://salsa.debian.org/kernel- + team/linux/-/blob/master/debian/config/config?ref_type=heads#L7713 + + RedHat + + https://access.redhat.com/labs/rhcb/RHEL-8.9/kernel-4.18.0-513.18.1.el8/source/blob/redhat/configs/generic/CONFIG_LSM + Could we please enable BPF LSM in Ubuntu kernels as well? Without that change, users trying to play with the mentioned projects have to edit their /etc/default/grub to add bpf LSM.
[Kernel-packages] [Bug 2054810] Re: Adding bpf to CONFIG_LSM in linux kernel
(This is reposting 1964941 which appears to have expired)