linux-kernel: enable BPF_LSM #144227
Artturin merged 1 commit into NixOS:staging from akshatagarwl:bpf-lsm
Conversation
jonringer left a comment:
Since this change causes over 500 rebuilds, do you mind targeting the staging branch?
# finding the common merge base will avoid pinging all CODEOWNERs
common=$(git merge-base origin/master origin/staging)
git rebase --onto=$common HEAD~1 # or however many commits you want to pull
git push .. ... --force
Then change the base branch in the GitHub PR from master -> staging.
See https://nixos.org/nixpkgs/manual/#submitting-changes-staging-branch for more details on staging branch
What's the supporting use case for this? It seems unlikely that a mainstream user would need to use this.
Enables instrumentation of the security hooks with BPF programs for implementing dynamic MAC and Audit Policies. The BPF LSM was merged into Linux kernel 5.7.

This has already been enabled in Fedora (version 33 onwards), Ubuntu (Hirsute Hippo), Flatcar Linux and Arch Linux. Distros like Ubuntu don't enable bpf in CONFIG_LSM by default to avoid any performance penalty, so similarly this commit enables CONFIG_BPF_LSM but doesn't add bpf to the default list in CONFIG_LSM; users willing to use this feature can boot with the lsm=...bpf parameter on the kernel.

References:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=641cd7b06c911c5935c34f24850ea18690649917
https://outflux.net/blog/archives/2020/09/21/security-things-in-linux-v5-7/
https://lwn.net/Articles/813057/
flatcar/Flatcar#343
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1905975
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983329
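The comment above splits the feature into two switches: the kernel must be built with CONFIG_BPF_LSM, and "bpf" must appear in the active LSM list (CONFIG_LSM or the lsm= boot parameter) before any BPF LSM program can attach. The script below is an added example, not code from this PR or from nixpkgs; it reads the two real kernel interfaces for those switches (/sys/kernel/security/lsm for the active list, /proc/config.gz or /boot/config-$(uname -r) for the build config) and falls back to constructed sample values when they are not readable, so it runs anywhere. The one caveat a practitioner wants is that lsm= replaces the CONFIG_LSM list rather than extending it, so the script builds the new parameter by appending bpf to whatever is already active instead of suggesting a bare lsm=bpf, which would drop yama, apparmor and the rest.

```shell
#!/bin/sh
# Added example (not from the nixpkgs PR): check whether the running kernel was
# built with CONFIG_BPF_LSM and whether the "bpf" LSM is actually active, and
# print the lsm= boot parameter needed to turn it on.

# Return 0 if "bpf" appears in a comma-separated LSM list such as the contents
# of /sys/kernel/security/lsm (delimited match, so "bpfoo" does not count).
lsm_has_bpf() {
    case ",$1," in
        *,bpf,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the list with "bpf" appended if it is missing. lsm= overrides CONFIG_LSM
# instead of adding to it, so the existing LSMs have to be carried over.
lsm_append_bpf() {
    if lsm_has_bpf "$1"; then
        printf '%s\n' "$1"
    elif [ -z "$1" ]; then
        printf 'bpf\n'
    else
        printf '%s,bpf\n' "$1"
    fi
}

# Return 0 if kernel config text contains an enabled CONFIG_BPF_LSM.
kconfig_has_bpf_lsm() {
    printf '%s\n' "$1" | grep -q '^CONFIG_BPF_LSM=y$'
}

# Active LSM list from securityfs; constructed sample when it is not readable.
active_lsm_list() {
    if [ -r /sys/kernel/security/lsm ]; then
        cat /sys/kernel/security/lsm
    else
        printf 'capability,lockdown,yama,integrity,apparmor'   # constructed sample
    fi
}

# Kernel build config; constructed sample when neither source is readable.
kernel_config_text() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        printf 'CONFIG_BPF_LSM=y\nCONFIG_LSM="landlock,lockdown,yama,integrity,apparmor"\n'   # constructed sample
    fi
}

report_bpf_lsm() {
    lsms=$(active_lsm_list)
    config=$(kernel_config_text)
    if kconfig_has_bpf_lsm "$config"; then
        echo "CONFIG_BPF_LSM=y: kernel can run BPF LSM programs"
    else
        echo "CONFIG_BPF_LSM not set: BPF LSM programs cannot be attached"
    fi
    if lsm_has_bpf "$lsms"; then
        echo "bpf is active in the LSM list: $lsms"
    else
        echo "bpf is not active (current list: $lsms)"
        echo "boot with: lsm=$(lsm_append_bpf "$lsms")"
    fi
}

report_bpf_lsm
```

On NixOS the printed parameter goes into boot.kernelParams; on any distro the same value goes on the kernel command line. The bpf LSM is not exclusive, so it coexists with apparmor or selinux, and the capability LSM is always initialised first regardless of the order given.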
Sorry, I didn't look at this before
@jonringer I've added some more details in the commit message. Can you check that out?
I can see how this could be used for container security policies, but I have not seen any mainstream container runtimes using it yet (I guess because it's still quite fresh?). Since we don't enable any LSM in NixOS by default, this probably does not have any effect for mainstream users (except slightly higher disk space for the kernel module), and then it only seems to be used as an LSM when enabled during boot.
You're right. It's still very new and there have been some research projects that use this (e.g. https://github.com/willfindlay/bpfcontain-rs/), but no mainstream container runtimes use it yet.
Don't see an issue, even with LSM users like us. This shouldn't affect anything that already exists imo.
jonringer left a comment:
I don't have a strong opinion
Enables instrumentation of the security hooks with BPF programs for
implementing dynamic MAC and Audit Policies.