APPLIED[U]: [PATCH][G/H] UBUNTU: [Config] Enable CONFIG_BPF_LSM

KP Singh kpsingh at kernel.org
Fri Jan 22 21:22:17 UTC 2021


On Fri, Jan 22, 2021 at 8:31 PM Kelsey Skunberg
<kelsey.skunberg at canonical.com> wrote:
>
> On 2021-01-22 10:14:25 , Stefan Bader wrote:
> > On 15.12.20 10:03, Andrea Righi wrote:
> > > On Mon, Nov 30, 2020 at 11:14:03PM +0000, KP Singh wrote:
> > >> From: KP Singh <kpsingh at google.com>
> > >>
> > >> Buglink: https://bugs.launchpad.net/bugs/1905975
> > >>
> > >> [Impact]
> > >>
> > >> Allows users to implement MAC and Audit Policies using BPF programs.
> > >>
> > >> The LSM won't be added to the list of active LSMs by default (in
> > >> CONFIG_LSM or lsm= on the boot parameters) yet, as it adds an indirect
> > >> function call overhead by registering an empty callback for all hooks.
> > >>
> > >> The LSM can be made "active" by default when the upstream effort [1] of
> > >> getting rid of this overhead is merged in the mainline kernel.
> > >>
> > >> [Regression Potential]
> > >>
> > >> Since the LSM is not active by default, it does not cause any
> > >> functional or performance regression.
> > >>
> > >> [1]: https://lore.kernel.org/bpf/20200820164753.3256899-1-jackmanb@chromium.org
> > >>
> > >> Signed-off-by: KP Singh <kpsingh at google.com>
> > >> ---
> > >
> > > Applied to unstable. Thanks.

Thanks!

> >
> > I don't think we yet had a Hirsute kernel generally available that had this
> > turned on. Though I know I should be able to trust Kees, I still would like to
> > be cautious with Groovy and wait until there was a chance to have this exposed in

CONFIG_BPF_LSM alone does nothing unless it's enabled using CONFIG_LSM or
lsm= kernel command line. But, I guess we could do it after we have a kernel
that uses it on Hirsute.

> > Hirsute to a slightly bigger group.
> >
> > -Stefan
>
> Should this be treated as a NACK for Groovy on this patch for now?

If this is the case, should I resubmit this for Groovy after a while?

- KP

>
> -Kelsey
>
> > >
> > > -Andrea
> > >
> >
> >
>
>
>
>
> > --
> > kernel-team mailing list
> > kernel-team at lists.ubuntu.com
> > https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
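
The distinction drawn in this thread, between building with CONFIG_BPF_LSM and listing the LSM in CONFIG_LSM or lsm=, can be checked with a short script. This is an added example, not code from the thread or from the Ubuntu kernel tree; the function names and the sample config and command-line strings are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify the BPF LSM as not-built, built-inactive or active
# from the text of a kernel config and a boot command line.

# Print the LSM list that takes effect. An lsm= boot parameter replaces the
# built-in CONFIG_LSM list; if lsm= appears more than once, the last one wins.
effective_lsm_list() {
    config_text=$1; cmdline=$2
    lsm_arg=$(printf '%s\n' "$cmdline" | tr ' ' '\n' | grep '^lsm=' | tail -n 1)
    if [ -n "$lsm_arg" ]; then
        printf '%s\n' "${lsm_arg#lsm=}"
    else
        printf '%s\n' "$config_text" |
            sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' | tail -n 1
    fi
}

# Print the state of the BPF LSM for the given config text and command line.
bpf_lsm_state() {
    config_text=$1; cmdline=$2
    # Without CONFIG_BPF_LSM=y the LSM is not in the kernel image at all,
    # so naming "bpf" in CONFIG_LSM or lsm= cannot enable it.
    if ! printf '%s\n' "$config_text" | grep -qx 'CONFIG_BPF_LSM=y'; then
        echo not-built
        return
    fi
    # Match "bpf" only as a whole comma-separated element of the list.
    case ",$(effective_lsm_list "$config_text" "$cmdline")," in
        *,bpf,*) echo active ;;
        *)       echo built-inactive ;;
    esac
}

# Constructed sample inputs (not taken from a real system).
SAMPLE_CONFIG='CONFIG_BPF_LSM=y
CONFIG_LSM="lockdown,yama,integrity,apparmor"'

# Built but not listed anywhere: the case the patch description calls not active.
bpf_lsm_state "$SAMPLE_CONFIG" 'BOOT_IMAGE=/vmlinuz ro quiet'
# Opted in at boot time by listing bpf in lsm=.
bpf_lsm_state "$SAMPLE_CONFIG" 'ro lsm=lockdown,yama,integrity,apparmor,bpf'
```

On a running system the two inputs would be the contents of /boot/config-$(uname -r) and /proc/cmdline, and /sys/kernel/security/lsm lists the LSMs the kernel actually initialized.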


