[PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down

Matthew Garrett mjg59 at google.com
Thu Mar 28 20:08:39 UTC 2019

On Thu, Mar 28, 2019 at 12:23 PM James Morris <jmorris at namei.org> wrote:
> On Thu, 28 Mar 2019, Matthew Garrett wrote:
> > On Wed, Mar 27, 2019 at 8:15 PM James Morris <jmorris at namei.org> wrote:
> > > OTOH, this seems like a combination of mechanism and policy. The 3 modes
> > > are a help here, but I wonder if they may be too coarse grained still,
> > > e.g. if someone wants to allow a specific mechanism according to their own
> > > threat model and mitigations.
> >
> > In general the interfaces blocked by these patches could also be
> > blocked with an LSM, and I'd guess that people with more fine-grained
> > requirements would probably take that approach.
> So... I have to ask, why not use LSM for this in the first place?
> Either with an existing module or perhaps a lockdown LSM?

Some of it isn't really achievable that way - for instance, enforcing
module or kexec signatures. We have other mechanisms that can be used
to enable that which could be done at the more fine-grained level, but
a design goal was to make it possible to automatically enable a full
set of integrity protections under specified circumstances.

More information about the Linux-security-module-archive mailing list