[PATCH bpf-next v10 5/5] bpf: Only enable BPF LSM hooks when an LSM program is attached

Kees Cook keescook at chromium.org
Wed May 8 02:35:49 UTC 2024


On Tue, May 07, 2024 at 09:45:09PM -0400, Paul Moore wrote:
> I don't want individual LSMs manipulating the LSM hook state directly;
> they go through the LSM layer to register their hooks, they should go
> through the LSM layer to unregister or enable/disable their hooks.
> I'm going to be pretty inflexible on this point.

No other LSMs unregister or disable hooks. :) Let's drop patch 5; 1-4
stand alone.

> Honestly, I see this more as a problem in the BPF LSM design (although
> one might argue it's an implementation issue?), just as I saw the
> SELinux runtime disable as a problem.  If you're upset with the
> runtime hook disable, and you should be, fix the BPF LSM, don't force
> more bad architecture on the LSM layer.

We'll have to come back to this later. It's a separate (but closely
related) issue.

-- 
Kees Cook
