[bug report] [regression?] bpf lsm breaks /proc/*/attr/current with security= on commandline
Paul Moore
paul at paul-moore.com
Wed Sep 24 21:24:28 UTC 2025
On Sat, Sep 13, 2025 at 1:01 PM Filip Hejsek <filip.hejsek at gmail.com> wrote:
>
> Hello,
>
> TLDR: because of bpf lsm, putting security=selinux on commandline
> results in /proc/*/attr/current returning errors.
>
> When the legacy security= commandline option is used, the specified lsm
> is added to the end of the lsm list. For example, security=apparmor
> results in the following order of security modules:
>
> capability,landlock,lockdown,yama,bpf,apparmor
>
> In particular, the bpf lsm will be ordered before the chosen major lsm.
>
> This causes reads and writes of /proc/*/attr/current to fail, because
> the bpf hook overrides the apparmor/selinux hook.

What kernel are you using? Things appear to work correctly on my kernel that is tracking upstream (Fedora Rawhide + some unrelated bits):
% uname -a
Linux dev-rawhide-1.lan 6.17.0-0.rc7.250923gd1ab3.57.1.secnext.fc44.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Sep 23 10:07:14 EDT 2025 x86_64 GNU/Linux
% cat /proc/cmdline
BOOT_IMAGE=(hd0,gpt4)/boot/vmlinuz-6.17.0-0.rc7.250923gd1ab3.57.1.secnext.fc44.x86_64 root=UUID=285029fa-4431-45e9-af1b-298ab0caf16a ro console=ttyS0 mitigations=off security=selinux
% cat /sys/kernel/security/lsm; echo ""
lockdown,capability,yama,selinux,bpf,landlock,ipe,ima,evm
% id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
% cat /proc/self/attr/current; echo ""
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
I even ran it against the LSM initialization rework that has been proposed, but has not yet been accepted/merged, and that worked the same as above.

Is this a distro kernel with a lot of "special" patches which aren't present upstream?
--
paul-moore.com
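A small diagnostic, added here as an example and not part of either message in the thread, that reproduces the check the two mails perform by hand: it reads the active LSM list from /sys/kernel/security/lsm, finds the major LSM named by security= on /proc/cmdline, reports whether "bpf" is ordered before that major LSM (the ordering the report blames), and then attempts the /proc/self/attr/current read that the report says fails. The function names (lsm_position, lsm_order_status, lsm_live_check) are my own; the sysfs/procfs paths are the ones shown in the thread. The pure-string functions can be exercised offline on a pasted list, as in the usage line at the end.

```shell
#!/bin/sh
# Added diagnostic for the LSM ordering discussed in the thread (example
# code, not from the kernel tree or the mailing-list posts).

# Print the 1-based position of name $2 within the comma-separated LSM
# list $1 (the format of /sys/kernel/security/lsm); print 0 and return 1
# if the name is absent.
lsm_position() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v name="$2" '
        $0 == name { print NR; found = 1; exit }
        END { if (!found) { print 0; exit 1 } }'
}

# Classify the ordering of the "bpf" LSM relative to the chosen major LSM.
# Prints one of: ok, bpf-before-major, missing.  Returns 0 only for "ok".
lsm_order_status() {
    list=$1
    major=$2
    mpos=$(lsm_position "$list" "$major") || { echo missing; return 2; }
    # A list with no bpf LSM cannot exhibit the reported problem.
    bpos=$(lsm_position "$list" bpf) || { echo ok; return 0; }
    if [ "$bpos" -lt "$mpos" ]; then
        echo bpf-before-major
        return 1
    fi
    echo ok
    return 0
}

# Live check on the running kernel: needs securityfs mounted at
# /sys/kernel/security.  Reports the active list, the ordering verdict for
# the security= module (last occurrence wins if repeated), and whether
# /proc/self/attr/current is readable.  Returns 1 if that read fails.
lsm_live_check() {
    if [ ! -r /sys/kernel/security/lsm ]; then
        echo "securityfs not available; cannot read the active LSM list"
        return 2
    fi
    list=$(cat /sys/kernel/security/lsm)
    major=$(tr ' ' '\n' < /proc/cmdline | sed -n 's/^security=//p' | tail -n 1)
    echo "active LSMs: $list"
    if [ -z "$major" ]; then
        echo "no security= option on the kernel command line"
    else
        verdict=$(lsm_order_status "$list" "$major")
        echo "ordering of bpf relative to major LSM ($major): $verdict"
    fi
    if cat /proc/self/attr/current >/dev/null 2>&1; then
        echo "/proc/self/attr/current: readable"
        return 0
    fi
    echo "/proc/self/attr/current: read failed"
    return 1
}

# Usage: run with --live on the machine under test, or call
# lsm_order_status with a pasted list, e.g. the one from the bug report:
#   lsm_order_status "capability,landlock,lockdown,yama,bpf,apparmor" apparmor
if [ "${1:-}" = "--live" ]; then
    lsm_live_check
fi
```

On the list quoted in the report, lsm_order_status prints bpf-before-major; on the list from the Rawhide kernel above it prints ok, which matches the two observed outcomes and gives a quick way to tell which ordering a given kernel booted with before digging into distro patches.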