linux-kernel: enable BPF_LSM #144227

Merged
Artturin merged 1 commit into NixOS:staging from akshatagarwl:bpf-lsm
Nov 18, 2021

Conversation

@akshatagarwl
Member

Enables instrumentation of the security hooks with BPF programs for
implementing dynamic MAC and Audit Policies.

Motivation for this change
Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • 21.11 Release Notes (or backporting 21.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@github-actions github-actions bot added the 6.topic: kernel The Linux kernel label Nov 2, 2021
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 1001-2500 This PR causes many rebuilds on Linux and should target the staging branches. labels Nov 2, 2021
@akshatagarwl akshatagarwl requested a review from alyssais November 8, 2021 05:55
Contributor

@jonringer jonringer left a comment

since this change causes over 500 rebuilds, do you mind targeting the staging branch

# finding the common merge base will avoid pinging all CODEOWNERs
common=$(git merge-base origin/master origin/staging)
git rebase --onto=$common HEAD~1 # or however many commits you want to pull
git push .. ... --force

then change the base branch in the github PR from master -> staging

See https://nixos.org/nixpkgs/manual/#submitting-changes-staging-branch for more details on staging branch

@jonringer
Contributor

What's the supporting use case for this? It seems unlikely that a mainstream user would need to use this.

Enables instrumentation of the security hooks with BPF programs for
implementing dynamic MAC and Audit Policies.

The BPF LSM was merged into the Linux kernel in 5.7.

This has already been enabled in Fedora (version 33 onwards), Ubuntu
(Hirsute Hippo), Flatcar Linux, and Arch Linux.

Distros like Ubuntu don't enable bpf in CONFIG_LSM by default to avoid
any performance penalty; similarly, this commit enables CONFIG_BPF_LSM
but doesn't add bpf to the default list in CONFIG_LSM. Users willing to
use this feature could boot with the lsm=...bpf kernel parameter.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=641cd7b06c911c5935c34f24850ea18690649917
https://outflux.net/blog/archives/2020/09/21/security-things-in-linux-v5-7/
https://lwn.net/Articles/813057/
flatcar/Flatcar#343
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1905975
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983329
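The commit message above makes a distinction that is easy to miss in practice: CONFIG_BPF_LSM=y only builds the BPF LSM in, and the hook instrumentation is inert until "bpf" is also in the active LSM list (via CONFIG_LSM or the lsm= boot parameter; on NixOS the latter is set through boot.kernelParams). The following POSIX sh script is an added example, not part of the PR or of nixpkgs, that tells the two states apart. It parses the active LSM list the kernel exposes at /sys/kernel/security/lsm (comma-separated) and the build config at /proc/config.gz (present only when CONFIG_IKCONFIG_PROC is set), and it ships with constructed sample inputs so the logic can be exercised without root or a real kernel; the exact value of lsm= on a given system is left as the commit message leaves it.

```shell
#!/bin/sh
# Added example (not from the PR): distinguish "BPF LSM built in" from
# "BPF LSM active" on a running kernel.
#
# /sys/kernel/security/lsm  -> comma-separated list of *active* LSMs
# /proc/config.gz           -> build config, only if CONFIG_IKCONFIG_PROC=y

# lsm_active LIST NAME -> exit 0 if NAME is an exact entry in the comma list
lsm_active() {
    list=$1
    name=$2
    case ",$list," in
        *",$name,"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# config_has_bpf_lsm CONFIGTEXT -> exit 0 if CONFIG_BPF_LSM=y is a whole line
config_has_bpf_lsm() {
    printf '%s\n' "$1" | grep -qx 'CONFIG_BPF_LSM=y'
}

# lsm_status CONFIGTEXT ACTIVE_LIST -> prints one of:
#   missing          (not built in at all)
#   built-in-only    (CONFIG_BPF_LSM=y but bpf not in the active list)
#   built-in+active  (built in and enabled at boot)
# With an empty CONFIGTEXT (no /proc/config.gz) it can only report
# active / inactive from the live list.
lsm_status() {
    cfg=$1
    active=$2
    if [ -z "$cfg" ]; then
        if lsm_active "$active" bpf; then echo active; else echo inactive; fi
        return 0
    fi
    if ! config_has_bpf_lsm "$cfg"; then
        echo missing
    elif lsm_active "$active" bpf; then
        echo built-in+active
    else
        echo built-in-only
    fi
}

# Constructed sample data standing in for the two kernel files.
# CONFIG_LSM below mirrors the PR's approach: bpf built in, not in the default list.
SAMPLE_CONFIG='CONFIG_BPF=y
CONFIG_BPF_LSM=y
CONFIG_LSM="yama,apparmor"'
SAMPLE_ACTIVE_NO_BPF='capability,yama,apparmor'
SAMPLE_ACTIVE_BPF='capability,yama,apparmor,bpf'

# Live check against the running kernel; run with --live.
check_running_kernel() {
    if [ ! -r /sys/kernel/security/lsm ]; then
        echo "cannot read /sys/kernel/security/lsm (securityfs not mounted?)"
        return 1
    fi
    active=$(cat /sys/kernel/security/lsm)
    cfg=''
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz)
    fi
    echo "active LSMs: $active"
    echo "bpf lsm: $(lsm_status "$cfg" "$active")"
}

if [ "${1:-}" = "--live" ]; then
    check_running_kernel
    exit $?
fi
```

A "built-in-only" result is the expected state on a kernel built from this PR without a matching lsm= parameter; "built-in+active" is what an operator deploying BPF-based MAC or audit policies should confirm before trusting them to enforce anything.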
@dasJ dasJ removed their request for review November 9, 2021 11:03
@akshatagarwl
Member Author

finding the common merge base will avoid pinging all CODEOWNERs

Sorry, I didn't look at this before

What's the supporting use case for this? It seems unlikely that a mainstream user would need to use this.

@jonringer I've added some more details in the commit message. Can you check that out?

@Mic92
Member

Mic92 commented Nov 11, 2021

What's the supporting use case for this? It seems unlikely that a mainstream user would need to use this.

I can see how this could be used for container security policies, but I have not seen any mainstream container runtimes using it yet (I guess because it's still quite fresh?). Since we don't enable any LSM in NixOS by default, this probably does not have any effect for mainstream users (except slightly higher disk space for the kernel module), and then it seems to be only used as an LSM when enabled during boot.

@akshatagarwl
Member Author

I can see how this could be used for container security policies, but I have not seen any mainstream container runtimes using it yet (I guess because it's still quite fresh?)

You're right. It's still very new, and there have been some research projects that use this (e.g. https://github.com/willfindlay/bpfcontain-rs/), but no mainstream container runtimes use it yet.

Member

@Mic92 Mic92 left a comment

I am fine with having this.
@dasJ @ajs124 Thoughts?

@dasJ
Member

dasJ commented Nov 14, 2021

Don't see an issue, even with LSM users like us. This shouldn't affect anything that already exists, imo.

Contributor

@jonringer jonringer left a comment

I don't have a strong opinion

@Artturin Artturin merged commit f57a2a6 into NixOS:staging Nov 18, 2021
@akshatagarwl akshatagarwl deleted the bpf-lsm branch November 18, 2021 06:18