[PATCH] bpf: lsm: Disable or enable BPF LSM at boot time

KP Singh kpsingh at chromium.org
Mon Jul 6 20:30:49 UTC 2020


On Mon, Jul 6, 2020 at 10:06 PM Lorenzo Fontana <fontanalorenz at gmail.com> wrote:
>
> On Mon, Jul 06, 2020 at 08:59:13PM +0200, KP Singh wrote:
> > On Mon, Jul 6, 2020 at 8:51 PM Daniel Borkmann <daniel at iogearbox.net> wrote:
> > >
> > > On 7/6/20 6:57 PM, Lorenzo Fontana wrote:
> > > > This option adds a kernel parameter 'bpf_lsm',
> > > > which allows the BPF LSM to be disabled at boot.
> > > > The purpose of this option is to allow a single kernel
> > > > image to be distributed with the BPF LSM built in,
> > > > but not necessarily enabled.
> > > >
> > > > Signed-off-by: Lorenzo Fontana <fontanalorenz at gmail.com>
> > >
> > > Well, this explains what the patch is doing but not *why* you need it exactly.
> > > Please explain your concrete use-case for this patch.
> >
> > Also, this patch is not really needed as it can already be done with the current
> > kernel parameters.
> >
> > LSMs can be enabled on the command line
> > with the lsm= parameter. So you can just pass lsm="selinux,capabilities" etc
> > and not pass "bpf" and it will disable the BPF_LSM.
> >
> > - KP
> >
> > >
> > > Thanks,
> > > Daniel
>
> Hi,
> Thanks Daniel and KP for looking into this, I really appreciate it!
>
> The *why* I need it is because I need to ship the kernel with BPF LSM
> disabled at boot time.
>
> The use case is exactly the same as the one described by KP, however
> for a personal preference I prefer to pass specifically bpf_lsm=1 or
> bpf_lsm=0 - It's easier to change programmatically in my scripts
> with a simple sprintf("bpf_lsm=%d", value). I do the same
> with "selinux=1" and "selinux=0" in my systems.
> From what I can see by reading the code and testing, the two ways
> bot act on 'lsm_info.enabled' defined in 'lsm_hooks.h'.
> So it's not just  a personal preference, I just want the same set
> of options available to me as I do with selinux.

The "selinux=" option existed before the "lsm=" parameter was added and it
now exists only for backward compatibility. I added Paul and Stephen to Cc
who might have more information about this.

- KP

>
> Thanks a lot,
> Lore



More information about the Linux-security-module-archive mailing list