[Kernel-packages] [Bug 2054810] Re: Adding bpf to CONFIG_LSM in linux kernel
Hi Brian / Magali - makes sense re: not supporting Ubuntu Mantic given its EOL. What about the LTS distros, such as those used by cloud providers per my recent messages? Any progress on or anything we can do to help with getting ",bpf" added to "CONFIG_LSM"? -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2054810 Title: Adding bpf to CONFIG_LSM in linux kernel Status in linux package in Ubuntu: Triaged Status in linux source package in Jammy: Triaged Status in linux source package in Mantic: Won't Fix Status in linux source package in Noble: Triaged Bug description: Linux kernel since 5.7 allows to write eBPF programs which can be attached to LSM hooks. More details here: https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html There are already projects trying to leverage that systemd with the restrict-fs feature https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c https://github.com/linux-lock/bpflock https://github.com/lockc-project/lockc However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM. That was already done in: Arch Linux https://github.com/archlinux/svntogit- packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963 Fedora https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34&id=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291 openSUSE https://github.com/openSUSE/kernel- source/commit/c2c25b18721866d6211054f542987036ed6e0a50 Debian https://salsa.debian.org/kernel- team/linux/-/blob/master/debian/config/config?ref_type=heads#L7713 RedHat https://access.redhat.com/labs/rhcb/RHEL-8.9/kernel-4.18.0-513.18.1.el8/source/blob/redhat/configs/generic/CONFIG_LSM Could we please enable BPF LSM in Ubuntu kernels as well? Without that change, users trying to play with the mentioned projects have to edit their /etc/default/grub to add bpf LSM. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2054810/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2054810] Re: Adding bpf to CONFIG_LSM in linux kernel
Thanks, Eric! I'm going to build some test kernels and will post them shortly. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2054810 Title: Adding bpf to CONFIG_LSM in linux kernel Status in linux package in Ubuntu: Triaged Status in linux source package in Jammy: Triaged Status in linux source package in Mantic: Triaged Status in linux source package in Noble: Triaged Bug description: Linux kernel since 5.7 allows to write eBPF programs which can be attached to LSM hooks. More details here: https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html There are already projects trying to leverage that systemd with the restrict-fs feature https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c https://github.com/linux-lock/bpflock https://github.com/lockc-project/lockc However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM. That was already done in: Arch Linux https://github.com/archlinux/svntogit- packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963 Fedora https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34&id=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291 openSUSE https://github.com/openSUSE/kernel- source/commit/c2c25b18721866d6211054f542987036ed6e0a50 Debian https://salsa.debian.org/kernel- team/linux/-/blob/master/debian/config/config?ref_type=heads#L7713 RedHat https://access.redhat.com/labs/rhcb/RHEL-8.9/kernel-4.18.0-513.18.1.el8/source/blob/redhat/configs/generic/CONFIG_LSM Could we please enable BPF LSM in Ubuntu kernels as well? Without that change, users trying to play with the mentioned projects have to edit their /etc/default/grub to add bpf LSM. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2054810/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2054810] Re: Adding bpf to CONFIG_LSM in linux kernel
Joseph - thanks for looking into this. Please let me know if I can be of assistance. I'd be happy to test out the corresponding changes on my end. Just let me know - thank you!! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2054810 Title: Adding bpf to CONFIG_LSM in linux kernel Status in linux package in Ubuntu: Triaged Status in linux source package in Jammy: Triaged Status in linux source package in Mantic: Triaged Status in linux source package in Noble: Triaged Bug description: Linux kernel since 5.7 allows to write eBPF programs which can be attached to LSM hooks. More details here: https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html There are already projects trying to leverage that systemd with the restrict-fs feature https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c https://github.com/linux-lock/bpflock https://github.com/lockc-project/lockc However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM. That was already done in: Arch Linux https://github.com/archlinux/svntogit- packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963 Fedora https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34&id=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291 openSUSE https://github.com/openSUSE/kernel- source/commit/c2c25b18721866d6211054f542987036ed6e0a50 Debian https://salsa.debian.org/kernel- team/linux/-/blob/master/debian/config/config?ref_type=heads#L7713 RedHat https://access.redhat.com/labs/rhcb/RHEL-8.9/kernel-4.18.0-513.18.1.el8/source/blob/redhat/configs/generic/CONFIG_LSM Could we please enable BPF LSM in Ubuntu kernels as well? Without that change, users trying to play with the mentioned projects have to edit their /etc/default/grub to add bpf LSM. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2054810/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2054810] Re: Adding bpf to CONFIG_LSM in linux kernel
** Changed in: linux (Ubuntu) Importance: Undecided => Medium ** Changed in: linux (Ubuntu) Assignee: (unassigned) => Joseph Salisbury (jsalisbury) ** Also affects: linux (Ubuntu Mantic) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Noble) Importance: Medium Assignee: Joseph Salisbury (jsalisbury) Status: Confirmed ** Changed in: linux (Ubuntu Mantic) Status: New => Triaged ** Changed in: linux (Ubuntu Jammy) Status: New => Triaged ** Changed in: linux (Ubuntu Noble) Status: Confirmed => Triaged ** Changed in: linux (Ubuntu Mantic) Importance: Undecided => Medium ** Changed in: linux (Ubuntu Jammy) Importance: Undecided => Medium ** Changed in: linux (Ubuntu Mantic) Assignee: (unassigned) => Joseph Salisbury (jsalisbury) ** Changed in: linux (Ubuntu Jammy) Assignee: (unassigned) => Joseph Salisbury (jsalisbury) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2054810 Title: Adding bpf to CONFIG_LSM in linux kernel Status in linux package in Ubuntu: Triaged Status in linux source package in Jammy: Triaged Status in linux source package in Mantic: Triaged Status in linux source package in Noble: Triaged Bug description: Linux kernel since 5.7 allows to write eBPF programs which can be attached to LSM hooks. More details here: https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html There are already projects trying to leverage that systemd with the restrict-fs feature https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c https://github.com/linux-lock/bpflock https://github.com/lockc-project/lockc However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM. That was already done in: Arch Linux https://github.com/archlinux/svntogit- packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963 Fedora https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34&id=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291 openSUSE https://github.com/openSUSE/kernel- source/commit/c2c25b18721866d6211054f542987036ed6e0a50 Debian https://salsa.debian.org/kernel- team/linux/-/blob/master/debian/config/config?ref_type=heads#L7713 RedHat https://access.redhat.com/labs/rhcb/RHEL-8.9/kernel-4.18.0-513.18.1.el8/source/blob/redhat/configs/generic/CONFIG_LSM Could we please enable BPF LSM in Ubuntu kernels as well? Without that change, users trying to play with the mentioned projects have to edit their /etc/default/grub to add bpf LSM. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2054810/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2054810] Re: Adding bpf to CONFIG_LSM in linux kernel
Can Ubuntu please consider addressing this as a part of the upcoming 24 LTS release? The ability to leverage LSM based BPF programs on Ubuntu out-of-the-box (ie. without having to update grub and rebooting) opens the door to a growing ecosystem of security tooling. There are major computing environments for which the community cannot control things like Grub settings - such as the Ubuntu images used by Microsoft (via GitHub Actions, Azure Pipelines), GitLab (via Jobs), AWS (via vanilla EC2 instances), etc. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2054810 Title: Adding bpf to CONFIG_LSM in linux kernel Status in linux package in Ubuntu: Confirmed Bug description: Linux kernel since 5.7 allows to write eBPF programs which can be attached to LSM hooks. More details here: https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html There are already projects trying to leverage that systemd with the restrict-fs feature https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c https://github.com/linux-lock/bpflock https://github.com/lockc-project/lockc However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM. That was already done in: Arch Linux https://github.com/archlinux/svntogit- packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963 Fedora https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34&id=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291 openSUSE https://github.com/openSUSE/kernel- source/commit/c2c25b18721866d6211054f542987036ed6e0a50 Debian https://salsa.debian.org/kernel- team/linux/-/blob/master/debian/config/config?ref_type=heads#L7713 RedHat https://access.redhat.com/labs/rhcb/RHEL-8.9/kernel-4.18.0-513.18.1.el8/source/blob/redhat/configs/generic/CONFIG_LSM Could we please enable BPF LSM in Ubuntu kernels as well? Without that change, users trying to play with the mentioned projects have to edit their /etc/default/grub to add bpf LSM. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2054810/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2054810] Re: Adding bpf to CONFIG_LSM in linux kernel
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: linux (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2054810 Title: Adding bpf to CONFIG_LSM in linux kernel Status in linux package in Ubuntu: Confirmed Bug description: Linux kernel since 5.7 allows to write eBPF programs which can be attached to LSM hooks. More details here: https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html There are already projects trying to leverage that systemd with the restrict-fs feature https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c https://github.com/linux-lock/bpflock https://github.com/lockc-project/lockc However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM. That was already done in: Arch Linux https://github.com/archlinux/svntogit- packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963 Fedora https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34&id=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291 openSUSE https://github.com/openSUSE/kernel- source/commit/c2c25b18721866d6211054f542987036ed6e0a50 Debian https://salsa.debian.org/kernel- team/linux/-/blob/master/debian/config/config?ref_type=heads#L7713 RedHat https://access.redhat.com/labs/rhcb/RHEL-8.9/kernel-4.18.0-513.18.1.el8/source/blob/redhat/configs/generic/CONFIG_LSM Could we please enable BPF LSM in Ubuntu kernels as well? Without that change, users trying to play with the mentioned projects have to edit their /etc/default/grub to add bpf LSM. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2054810/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2054810] Re: Adding bpf to CONFIG_LSM in linux kernel
** Description changed: Linux kernel since 5.7 allows to write eBPF programs which can be attached to LSM hooks. More details here: https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html There are already projects trying to leverage that systemd with the restrict-fs feature https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c https://github.com/linux-lock/bpflock https://github.com/lockc-project/lockc However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM. That was already done in: Arch Linux https://github.com/archlinux/svntogit- packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963 Fedora https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34&id=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291 openSUSE https://github.com/openSUSE/kernel- source/commit/c2c25b18721866d6211054f542987036ed6e0a50 + Debian + + https://salsa.debian.org/kernel- + team/linux/-/blob/master/debian/config/config?ref_type=heads#L7713 + + RedHat + + https://access.redhat.com/labs/rhcb/RHEL-8.9/kernel-4.18.0-513.18.1.el8/source/blob/redhat/configs/generic/CONFIG_LSM + Could we please enable BPF LSM in Ubuntu kernels as well? Without that change, users trying to play with the mentioned projects have to edit their /etc/default/grub to add bpf LSM. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2054810 Title: Adding bpf to CONFIG_LSM in linux kernel Status in linux package in Ubuntu: New Bug description: Linux kernel since 5.7 allows to write eBPF programs which can be attached to LSM hooks. More details here: https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html There are already projects trying to leverage that systemd with the restrict-fs feature https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c https://github.com/linux-lock/bpflock https://github.com/lockc-project/lockc However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM. That was already done in: Arch Linux https://github.com/archlinux/svntogit- packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963 Fedora https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34&id=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291 openSUSE https://github.com/openSUSE/kernel- source/commit/c2c25b18721866d6211054f542987036ed6e0a50 Debian https://salsa.debian.org/kernel- team/linux/-/blob/master/debian/config/config?ref_type=heads#L7713 RedHat https://access.redhat.com/labs/rhcb/RHEL-8.9/kernel-4.18.0-513.18.1.el8/source/blob/redhat/configs/generic/CONFIG_LSM Could we please enable BPF LSM in Ubuntu kernels as well? Without that change, users trying to play with the mentioned projects have to edit their /etc/default/grub to add bpf LSM. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2054810/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2054810] Re: Adding bpf to CONFIG_LSM in linux kernel
(This is reposting 1964941 which appears to have expired) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2054810 Title: Adding bpf to CONFIG_LSM in linux kernel Status in linux package in Ubuntu: New Bug description: Linux kernel since 5.7 allows to write eBPF programs which can be attached to LSM hooks. More details here: https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html There are already projects trying to leverage that systemd with the restrict-fs feature https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c https://github.com/linux-lock/bpflock https://github.com/lockc-project/lockc However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM. That was already done in: Arch Linux https://github.com/archlinux/svntogit- packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963 Fedora https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34&id=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291 openSUSE https://github.com/openSUSE/kernel- source/commit/c2c25b18721866d6211054f542987036ed6e0a50 Could we please enable BPF LSM in Ubuntu kernels as well? Without that change, users trying to play with the mentioned projects have to edit their /etc/default/grub to add bpf LSM. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2054810/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp