[PATCH bpf-next v9 0/8] MAC and Audit policy using eBPF (KRSI)

KP Singh kpsingh at chromium.org
Wed Apr 29 12:34:57 UTC 2020 

Thanks for reporting this! Can you share your Kconfig please?


On Wed, Apr 29, 2020 at 2:31 PM Mikko Ylinen
<mikko.ylinen at linux.intel.com> wrote:
>
> Hi,
>
> On 29/03/2020 02:43, KP Singh wrote:
> > # How does it work?
> >
> > The patchset introduces a new eBPF (https://docs.cilium.io/en/v1.6/bpf/)
> > program type BPF_PROG_TYPE_LSM which can only be attached to LSM hooks.
> > Loading and attachment of BPF programs requires CAP_SYS_ADMIN.
> >
> > The new LSM registers nop functions (bpf_lsm_<hook_name>) as LSM hook
> > callbacks. Their purpose is to provide a definite point where BPF
> > programs can be attached as BPF_TRAMP_MODIFY_RETURN trampoline programs
> > for hooks that return an int, and BPF_TRAMP_FEXIT trampoline programs
> > for void LSM hooks.
>
> I have two systems (a NUC and a qemu VM) that fail to boot if I enable
> the BPF LSM without enabling SELinux first. Anything I might be missing
> or are you able to trigger it too?
>
> For instance, the following additional cmdline args: "lsm.debug=1
> lsm="capability,apparmor,bpf" results in:
>
> [    1.251889] Call Trace:
> [    1.252344]  dump_stack+0x57/0x7a
> [    1.252951]  panic+0xe6/0x2a4
> [    1.253497]  ? printk+0x43/0x45
> [    1.254075]  mount_block_root+0x30c/0x31b
> [    1.254798]  mount_root+0x78/0x7b
> [    1.255417]  prepare_namespace+0x13a/0x16b
> [    1.256168]  kernel_init_freeable+0x210/0x222
> [    1.257021]  ? rest_init+0xa5/0xa5
> [    1.257639]  kernel_init+0x9/0xfb
> [    1.258074]  ret_from_fork+0x35/0x40
> [    1.258885] Kernel Offset: 0x11000000 from 0xffffffff81000000
> (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
> [    1.264046] ---[ end Kernel panic - not syncing: VFS: Unable to mount
> root fs on unknown-block(253,3)
>
> Taking out "bpf" or adding "selinux" before it boots OK. I've tried
> with both 5.7-rc2 and -rc3.
>
> LSM logs:
>
> [    0.267219] LSM: Security Framework initializing
> [    0.267844] LSM: first ordering: capability (enabled)
> [    0.267870] LSM: cmdline ignored: capability
> [    0.268869] LSM: cmdline ordering: apparmor (enabled)
> [    0.269508] LSM: cmdline ordering: bpf (enabled)
> [    0.269869] LSM: cmdline disabled: selinux
> [    0.270377] LSM: cmdline disabled: integrity
> [    0.270869] LSM: exclusive chosen: apparmor
> [    0.271869] LSM: cred blob size     = 8
> [    0.272354] LSM: file blob size     = 24
> [    0.272869] LSM: inode blob size    = 0
> [    0.273362] LSM: ipc blob size      = 0
> [    0.273869] LSM: msg_msg blob size  = 0
> [    0.274352] LSM: task blob size     = 32
> [    0.274873] LSM: initializing capability
> [    0.275381] LSM: initializing apparmor
> [    0.275880] AppArmor: AppArmor initialized
> [    0.276437] LSM: initializing bpf
> [    0.276871] LSM support for eBPF active
>
> -- Regards, Mikko

More information about the Linux-security-module-archive mailing list