[Kernel-packages] [Bug 2036281] Re: activate bpf LSM by default

2024-01-16 Thread Launchpad Bug Tracker
[Expired for linux (Ubuntu) because there has been no activity for 60
days.]

** Changed in: linux (Ubuntu)
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2036281

Title:
  activate bpf LSM by default

Status in linux package in Ubuntu:
  Expired

Bug description:
  in Fedora/RHEL if I want to see if the bpf LSM is active/available in
  the kernel I can go here:

  [root@virtualrocky]# cat /sys/kernel/security/lsm
  lockdown,capability,yama,selinux,bpf[root@virtualrocky]#

  but if I do the same thing in Ubuntu 22.0.4 bpf is NOT there:

  root@virtual-ubuntu2204:/# cat /sys/kernel/security/lsm
  lockdown,capability,landlock,yama,apparmorroot@virtual-ubuntu2204:/#

  Please add bpf LSM to the CONFIG_LSM

  See discourse for background info

  https://discourse.ubuntu.com/t/ask-us-anything-about-ubuntu-kernels/27664/127?u=why2jjj

  root@virtual-ubuntu2204:/opt/# cat /proc/version_signature 
  Ubuntu 5.15.0-82.91-generic 5.15.111

  THANK YOU!
  --- 
  ProblemType: Bug
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  AudioDevicesInUse:
   USERPID ACCESS COMMAND
   /dev/snd/controlC0:  jfreyensee   2526 F pulseaudio
  CRDA: N/A
  CasperMD5CheckResult: pass
  CloudArchitecture: x86_64
  CloudID: none
  CloudName: none
  CloudPlatform: none
  CloudSubPlatform: config
  CurrentDesktop: ubuntu:GNOME
  DistroRelease: Ubuntu 22.04
  InstallationDate: Installed on 2023-08-29 (17 days ago)
  InstallationMedia: Ubuntu-Server 22.04.3 LTS "Jammy Jellyfish" - Release amd64 (20230810)
  MachineType: Parallels Software International Inc. Parallels Virtual Platform
  NonfreeKernelModules: prl_fs_freeze prl_fs prl_eth prl_tg
  Package: linux (not installed)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcFB: 0 virtio_gpudrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.15.0-82-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro
  ProcVersionSignature: Ubuntu 5.15.0-82.91-generic 5.15.111
  PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No PulseAudio daemon running, or not running as session daemon.
  RebootRequiredPkgs: Error: path contained symlinks.
  RelatedPackageVersions:
   linux-restricted-modules-5.15.0-82-generic N/A
   linux-backports-modules-5.15.0-82-generic  N/A
   linux-firmware 20220329.git681281e4-0ubuntu3.18
  RfKill:
   
  Tags:  jammy uec-images
  Uname: Linux 5.15.0-82-generic x86_64
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: N/A
  _MarkForUpload: True
  dmi.bios.date: 07/03/2023
  dmi.bios.release: 18.3
  dmi.bios.vendor: Parallels Software International Inc.
  dmi.bios.version: 18.3.2 (53621)
  dmi.board.name: Parallels Virtual Platform
  dmi.board.vendor: Parallels Software International Inc.
  dmi.board.version: None
  dmi.chassis.type: 2
  dmi.chassis.vendor: Parallels Software International Inc.
  dmi.ec.firmware.release: 18.3
  dmi.modalias: dmi:bvnParallelsSoftwareInternationalInc.:bvr18.3.2(53621):bd07/03/2023:br18.3:efr18.3:svnParallelsSoftwareInternationalInc.:pnParallelsVirtualPlatform:pvrNone:rvnParallelsSoftwareInternationalInc.:rnParallelsVirtualPlatform:rvrNone:cvnParallelsSoftwareInternationalInc.:ct2:cvr:skuUndefined:
  dmi.product.family: Parallels VM
  dmi.product.name: Parallels Virtual Platform
  dmi.product.sku: Undefined
  dmi.product.version: None
  dmi.sys.vendor: Parallels Software International Inc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2036281/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 2036281] Re: activate bpf LSM by default

2023-11-17 Thread Rahul Jadhav
Folks, a big +1 for enabling bpf LSM by default in the bootconfig.

We are maintainers of KubeArmor (kubearmor.io) and we see that BPF LSM
can go a long way in securing the k8s/containers/VM environments. Not
having BPF LSM by default is a hindrance in the security of these
systems. While we have not formally performance benchmarked BPF LSM, we
enable it for our users using a script (which is a pain) ... None of our
users have complained of the performance issue after enabling bpf-lsm.



Re: [Kernel-packages] [Bug 2036281] Re: activate bpf LSM by default

2023-10-13 Thread why2jjj
Quick Google search comes up with:

https://falco.org/docs/event-sources/kernel/
https://medium.com/@lumontec/some-freshness-with-linux-security-modules-and-ebpf-676ac363a135
https://blog.aquasec.com/linux-security-with-tracee-and-ebpf
https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/
https://kubearmor.io

It's the generic hypothetical solutions that drive innovation to sw
engineering.

On Tue, Sep 26, 2023 at 6:30 PM Thadeu Lima de Souza Cascardo <
2036...@bugs.launchpad.net> wrote:

> > BPF LSM is the only major LSM that has a potential platform available
> for targeting generic sw security solutions and generic performance sw
> solutions between multiple distros.
>
> So no specific software solution in mind? Only generic hypothetical
> solutions?

[Kernel-packages] [Bug 2036281] Re: activate bpf LSM by default

2023-09-29 Thread why2jjj
Quick Google search comes up with:

https://falco.org/docs/event-sources/kernel/
https://medium.com/@lumontec/some-freshness-with-linux-security-modules-and-ebpf-676ac363a135
https://blog.aquasec.com/linux-security-with-tracee-and-ebpf
https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/
https://kubearmor.io

It's the generic hypothetical solutions that drive innovation to sw
engineering.



[Kernel-packages] [Bug 2036281] Re: activate bpf LSM by default

2023-09-26 Thread Thadeu Lima de Souza Cascardo
> BPF LSM is the only major LSM that has a potential platform available
> for targeting generic sw security solutions and generic performance sw
> solutions between multiple distros.

So no specific software solution in mind? Only generic hypothetical
solutions?



[Kernel-packages] [Bug 2036281] Re: activate bpf LSM by default

2023-09-20 Thread why2jjj
> Adding BPF LSM by default will cause memory and CPU impact to all
> users

Is there a paper study out there that shows the memory and CPU impact
for all users when turning on BPF LSM to active? That would be
interesting considering that RHEL solutions have the BPF LSM active by
default so I assume that in their observations, memory and CPU impact
for users is negligible.

How did Landlock get chosen to be an active configured LSM by default?
What was the compelling reason there? I can't imagine the memory/CPU
impact for Landlock is that much less than BPF LSM. Landlock is a newer
LSM vs BPF LSM so, if anything that will impact the user because
Landlock is a newer LSM, so it has more potential bugs.

My compelling reasoning would be promoting easier adaptability of BPF
solutions, in industry, as well as testing (BPF is always active like
Landlock, apparmor, etc). BPF LSM is the only major LSM that has a
potential platform available for targeting generic sw security solutions
and generic performance sw solutions between multiple distros.



[Kernel-packages] [Bug 2036281] Re: activate bpf LSM by default

2023-09-19 Thread Thadeu Lima de Souza Cascardo
Adding BPF LSM by default will cause memory and CPU impact to all users.
Right now, it is possible to add this by changing the kernel boot
command line parameters.

What is the justification to change the default? Another distro enabling
it does not justify it. And one unknown software using it does not
justify it. For this latter case, there is the command line option for
the unknown number of users of that software.

If there is a compelling reason to add it as a default, it will be
evaluated, but I don't see that compelling reason now. Would you be able
to share why you want the default to be changed?

Thank you.
Cascardo.
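
The check from the bug description combined with the boot-parameter route mentioned in the message above, as an added example that is not part of the original thread. It relies on the `lsm=` kernel parameter replacing the built-in CONFIG_LSM order, which is why the currently active list is kept and `bpf` is appended; the function names and the sample kernel config text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the bug thread: report whether the BPF LSM is
# active and, if it is only built in, which lsm= boot parameter activates it
# without dropping the LSMs that are already running.

# normalize_lsm_list LIST
# Strip whitespace. /sys/kernel/security/lsm has no trailing newline, which is
# why the shell prompt is glued to the output in the bug description.
normalize_lsm_list() {
    printf '%s' "$1" | tr -d '[:space:]'
}

# lsm_active LIST NAME
# Succeed only if NAME is an exact entry of the comma-separated LIST
# (a substring match would wrongly accept names that merely contain "bpf").
lsm_active() {
    list=$(normalize_lsm_list "$1")
    case ",$list," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# bpf_lsm_built_in CONFIG_TEXT
# Succeed if the kernel config text contains the line CONFIG_BPF_LSM=y.
bpf_lsm_built_in() {
    printf '%s\n' "$1" | grep -qx 'CONFIG_BPF_LSM=y'
}

# lsm_param_with_bpf LIST
# Print the lsm= value: the current list unchanged, with bpf appended if absent.
# A bare "lsm=bpf" would deactivate AppArmor, Landlock and Yama on next boot.
lsm_param_with_bpf() {
    list=$(normalize_lsm_list "$1")
    [ -n "$list" ] || return 1
    if lsm_active "$list" bpf; then
        printf 'lsm=%s' "$list"
    else
        printf 'lsm=%s,bpf' "$list"
    fi
}

# bpf_lsm_status LIST CONFIG_TEXT
# Print one of: active / inactive: boot with lsm=... / unavailable / unknown.
bpf_lsm_status() {
    if [ -z "$(normalize_lsm_list "$1")" ]; then
        printf 'unknown: LSM list is empty or unreadable'
    elif lsm_active "$1" bpf; then
        printf 'active'
    elif bpf_lsm_built_in "$2"; then
        printf 'inactive: boot with %s' "$(lsm_param_with_bpf "$1")"
    else
        printf 'unavailable: kernel built without CONFIG_BPF_LSM'
    fi
}

# The two LSM lists are the outputs shown in the bug description.
# SAMPLE_CONFIG is constructed; it is not the config of any kernel in the thread.
ROCKY_LSM='lockdown,capability,yama,selinux,bpf'
UBUNTU_LSM='lockdown,capability,landlock,yama,apparmor'
SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_BPF_LSM=y'

printf 'rocky:  %s\n' "$(bpf_lsm_status "$ROCKY_LSM" "$SAMPLE_CONFIG")"
printf 'ubuntu: %s\n' "$(bpf_lsm_status "$UBUNTU_LSM" "$SAMPLE_CONFIG")"

# On a live Ubuntu host (paths assumed to be readable by the caller):
#   bpf_lsm_status "$(cat /sys/kernel/security/lsm)" \
#                  "$(cat "/boot/config-$(uname -r)")"
```

The printed `lsm=` value goes on the kernel command line and takes effect only after a reboot; re-reading `/sys/kernel/security/lsm` afterwards confirms that `bpf` is listed.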



[Kernel-packages] [Bug 2036281] Re: activate bpf LSM by default

2023-09-19 Thread Dimitri John Ledkov
> That is at least one less uncomfortable conversation a sw company has
> with a potential customer why their server needs to be rebooted for the
> company’s SW solution to use a Linux driver.

What software is it? From which company? Is it proprietary or open
source? Can we try and see if it works on Ubuntu?

** Changed in: linux (Ubuntu)
   Status: Confirmed => Incomplete



[Kernel-packages] [Bug 2036281] Re: activate bpf LSM by default

2023-09-15 Thread why2jjj
apport information

** Changed in: linux (Ubuntu)
   Status: Incomplete => Confirmed

** Tags added: apport-collected jammy uec-images

** Description changed:

  in Fedora/RHEL if I want to see if the bpf LSM is active/available in
  the kernel I can go here:
  
  [root@virtualrocky]# cat /sys/kernel/security/lsm
  lockdown,capability,yama,selinux,bpf[root@virtualrocky]#
  
  but if I do the same thing in Ubuntu 22.0.4 bpf is NOT there:
  
  root@virtual-ubuntu2204:/# cat /sys/kernel/security/lsm
  lockdown,capability,landlock,yama,apparmorroot@virtual-ubuntu2204:/#
  
  Please add bpf LSM to the CONFIG_LSM
  
  See discourse for background info
  
  https://discourse.ubuntu.com/t/ask-us-anything-about-ubuntu-
  kernels/27664/127?u=why2jjj
  
  root@virtual-ubuntu2204:/opt/# cat /proc/version_signature 
  Ubuntu 5.15.0-82.91-generic 5.15.111
  
  THANK YOU!
+ --- 
+ ProblemType: Bug
+ ApportVersion: 2.20.11-0ubuntu82.5
+ Architecture: amd64
+ AudioDevicesInUse:
+  USERPID ACCESS COMMAND
+  /dev/snd/controlC0:  jfreyensee   2526 F pulseaudio
+ CRDA: N/A
+ CasperMD5CheckResult: pass
+ CloudArchitecture: x86_64
+ CloudID: none
+ CloudName: none
+ CloudPlatform: none
+ CloudSubPlatform: config
+ CurrentDesktop: ubuntu:GNOME
+ DistroRelease: Ubuntu 22.04
+ InstallationDate: Installed on 2023-08-29 (17 days ago)
+ InstallationMedia: Ubuntu-Server 22.04.3 LTS "Jammy Jellyfish" - Release 
amd64 (20230810)
+ MachineType: Parallels Software International Inc. Parallels Virtual Platform
+ NonfreeKernelModules: prl_fs_freeze prl_fs prl_eth prl_tg
+ Package: linux (not installed)
+ ProcEnviron:
+  TERM=xterm-256color
+  PATH=(custom, no user)
+  LANG=en_US.UTF-8
+  SHELL=/bin/bash
+ ProcFB: 0 virtio_gpudrmfb
+ ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.15.0-82-generic 
root=/dev/mapper/ubuntu--vg-ubuntu--lv ro
+ ProcVersionSignature: Ubuntu 5.15.0-82.91-generic 5.15.111
+ PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No 
PulseAudio daemon running, or not running as session daemon.
+ RebootRequiredPkgs: Error: path contained symlinks.
+ RelatedPackageVersions:
+  linux-restricted-modules-5.15.0-82-generic N/A
+  linux-backports-modules-5.15.0-82-generic  N/A
+  linux-firmware 20220329.git681281e4-0ubuntu3.18
+ RfKill:
+  
+ Tags:  jammy uec-images
+ Uname: Linux 5.15.0-82-generic x86_64
+ UpgradeStatus: No upgrade log present (probably fresh install)
+ UserGroups: N/A
+ _MarkForUpload: True
+ dmi.bios.date: 07/03/2023
+ dmi.bios.release: 18.3
+ dmi.bios.vendor: Parallels Software International Inc.
+ dmi.bios.version: 18.3.2 (53621)
+ dmi.board.name: Parallels Virtual Platform
+ dmi.board.vendor: Parallels Software International Inc.
+ dmi.board.version: None
+ dmi.chassis.type: 2
+ dmi.chassis.vendor: Parallels Software International Inc.
+ dmi.ec.firmware.release: 18.3
+ dmi.modalias: 
dmi:bvnParallelsSoftwareInternationalInc.:bvr18.3.2(53621):bd07/03/2023:br18.3:efr18.3:svnParallelsSoftwareInternationalInc.:pnParallelsVirtualPlatform:pvrNone:rvnParallelsSoftwareInternationalInc.:rnParallelsVirtualPlatform:rvrNone:cvnParallelsSoftwareInternationalInc.:ct2:cvr:skuUndefined:
+ dmi.product.family: Parallels VM
+ dmi.product.name: Parallels Virtual Platform
+ dmi.product.sku: Undefined
+ dmi.product.version: None
+ dmi.sys.vendor: Parallels Software International Inc.

** Attachment added: "AlsaInfo.txt"
   
https://bugs.launchpad.net/bugs/2036281/+attachment/5701369/+files/AlsaInfo.txt
