Thanks! I had also filed a feature request on Debian:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983329

I will keep everyone posted once I make some progress on the static
call work so that the LSM can be truly zero overhead and we can also add
it back to CONFIG_LSM.

** Bug watch added: Debian Bug tracker #983329
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983329

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1905975

Title:
  kernel: Enable CONFIG_BPF_LSM on Ubuntu

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Groovy:
  Confirmed
Status in linux source package in Hirsute:
  Confirmed

Bug description:
  == Impact ==

  Enabling CONFIG_BPF_LSM in the KConfig of Ubuntu Kernels, allowing
  users to use BPF LSM programs.

  == Background ==

  The BPF LSM was merged into the Linux kernel 5.7

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=641cd7b06c911c5935c34f24850ea18690649917

  https://outflux.net/blog/archives/2020/09/21/security-things-in-linux-v5-7

  It allows users to implement MAC and Audit Policies using BPF
  programs. As a follow-up from the interest generated by the LSM on
  BPF/Linux conferences and on request from users, we’d like to request
  the enabling of CONFIG_BPF_LSM on Ubuntu starting with H.

  The LSM won't be added to the list of active LSMs by default (in
  CONFIG_LSM or lsm= on the boot parameters) yet, as it adds an indirect
  function call overhead by registering an empty LSM hook for all hooks.
  However enabling it in the kernel config will support users who wish
  to use BPF LSM programs without needing to replace their kernel image.

  The LSM can be made "active" by default when our work on getting rid
  of this overhead is merged in the kernel:

  https://lore.kernel.org/bpf/20200820164753.3256899-1-jackm...@chromium.org

  == Regression Potential ==

  None. The LSM is not active by default, so it does not have any
  performance or functional regression.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1905975/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
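The bug description above distinguishes two states: CONFIG_BPF_LSM built into the kernel image, and "bpf" actually present in the active LSM list (CONFIG_LSM or lsm= on the kernel command line). The script below is an added example, not part of the Launchpad bug or of the kernel patches it references; it checks both states and prints the lsm= parameter that would activate the BPF LSM without replacing the kernel image. The function names are my own; /boot/config-$(uname -r) and /sys/kernel/security/lsm are the standard locations on Ubuntu, but the script takes them as parameters so it can be run against constructed inputs as well.

```shell
#!/bin/sh
# Added example (not from the bug report): find out whether a kernel has
# CONFIG_BPF_LSM compiled in and whether the "bpf" LSM is active, and
# derive the lsm= boot parameter that appends it to the current stack.

# bpf_lsm_built_in CONFIG_FILE
# Returns 0 when the kernel config contains CONFIG_BPF_LSM=y.
# A kernel with "# CONFIG_BPF_LSM is not set" cannot be fixed with lsm=;
# it needs a new kernel image, which is what the bug asks Ubuntu to ship.
bpf_lsm_built_in() {
    grep -qx 'CONFIG_BPF_LSM=y' "$1"
}

# config_lsm_default CONFIG_FILE
# Prints the build-time default LSM list (the CONFIG_LSM string), or
# nothing if the config does not set it.
config_lsm_default() {
    sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' "$1"
}

# bpf_lsm_active LSM_LIST
# LSM_LIST is a comma-separated LSM list, e.g. the content of
# /sys/kernel/security/lsm. Returns 0 when "bpf" is one of the entries.
bpf_lsm_active() {
    case ",$1," in
        *,bpf,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# lsm_cmdline_with_bpf LSM_LIST
# Prints the lsm= kernel parameter that keeps the current LSM stack and
# appends bpf to it (idempotent when bpf is already present).
lsm_cmdline_with_bpf() {
    if bpf_lsm_active "$1"; then
        printf 'lsm=%s\n' "$1"
    else
        printf 'lsm=%s,bpf\n' "$1"
    fi
}

# report CONFIG_FILE LSM_FILE
# Prints a one-line verdict for the given kernel config and active-LSM file.
report() {
    config="$1"
    lsm_file="$2"
    if ! bpf_lsm_built_in "$config"; then
        echo "CONFIG_BPF_LSM not built in: a kernel image with CONFIG_BPF_LSM=y is required"
        return 1
    fi
    active=$(cat "$lsm_file")
    if bpf_lsm_active "$active"; then
        echo "bpf LSM active: $active"
        return 0
    fi
    echo "CONFIG_BPF_LSM built in but inactive (active: $active)"
    echo "build-time default CONFIG_LSM: $(config_lsm_default "$config")"
    echo "add to the kernel command line: $(lsm_cmdline_with_bpf "$active")"
    return 2
}

# Run against the live system when the usual files are readable.
live_config="/boot/config-$(uname -r)"
live_lsm="/sys/kernel/security/lsm"
if [ -r "$live_config" ] && [ -r "$live_lsm" ]; then
    report "$live_config" "$live_lsm"
fi
```

On a system where the report shows the built-in-but-inactive case, the printed lsm= value goes into GRUB_CMDLINE_LINUX (followed by update-grub and a reboot); the bug's point is that this step needs no kernel rebuild once CONFIG_BPF_LSM=y ships.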