[PATCH bpf-next v10 5/5] bpf: Only enable BPF LSM hooks when an LSM program is attached
Kees Cook
keescook at chromium.org
Wed May 8 02:35:49 UTC 2024
On Tue, May 07, 2024 at 09:45:09PM -0400, Paul Moore wrote:
> I don't want individual LSMs manipulating the LSM hook state directly;
> they go through the LSM layer to register their hooks, they should go
> through the LSM layer to unregister or enable/disable their hooks.
> I'm going to be pretty inflexible on this point.
No other LSMs unregister or disable hooks. :) Let's drop patch 5; 1-4
stand alone.
> Honestly, I see this more as a problem in the BPF LSM design (although
> one might argue it's an implementation issue?), just as I saw the
> SELinux runtime disable as a problem. If you're upset with the
> runtime hook disable, and you should be, fix the BPF LSM, don't force
> more bad architecture on the LSM layer.
We'll have to come back to this later. It's a separate (but closely
related) issue.
--
Kees Cook
More information about the Linux-security-module-archive
mailing list