Hello, adding some context here as to why LSM hooks are important. LSM
hooks are used by different runtime security tools like Tetragon
(https://tetragon.io/docs/concepts/tracing-policy/hooks/#lsm-bpf) and
Tracee (https://aquasecurity.github.io/tracee/dev/docs/install/lsm-support/).
This was mainly driven by publications of techniques that allowed
bypassing those tools. The most recent publication uses io_uring
(https://www.armosec.io/blog/io_uring-rootkit-bypasses-linux-security/),
and a previous publication showed that TOCTOU races are capable of
bypassing system call tracing like kprobes
(https://i.blackhat.com/USA-22/Wednesday/US-22-Guo-Trace-me-if-you-can.pdf).
Thus, LSM hooks allow for robust runtime security monitoring. Enabling
this by default on Ubuntu allows such hooks to be adapted and leveraged
more widely in security tooling. And as per @esheri3's message (#2), to
be used in 3rd-party-operated infrastructure.
If there is anything that needs to be done, I'd be happy to support that
effort.
--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2054810
Title:
Adding bpf to CONFIG_LSM in linux kernel
Status in linux package in Ubuntu:
Triaged
Status in linux source package in Jammy:
Triaged
Status in linux source package in Mantic:
Won't Fix
Status in linux source package in Noble:
Triaged
Bug description:
The Linux kernel since 5.7 allows writing eBPF programs that can be
attached to LSM hooks. More details here:
https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html
There are already projects trying to leverage that:
systemd with the restrict-fs feature
https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c
https://github.com/linux-lock/bpflock
https://github.com/lockc-project/lockc
However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM.
That was already done in:
Arch Linux
https://github.com/archlinux/svntogit-packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963
Fedora
https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34&id=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291
openSUSE
https://github.com/openSUSE/kernel-source/commit/c2c25b18721866d6211054f542987036ed6e0a50
Debian
https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/config/config?ref_type=heads#L7713
RedHat
https://access.redhat.com/labs/rhcb/RHEL-8.9/kernel-4.18.0-513.18.1.el8/source/blob/redhat/configs/generic/CONFIG_LSM
Could we please enable BPF LSM in Ubuntu kernels as well? Without that
change, users trying to play with the mentioned projects have to edit
their /etc/default/grub to add bpf LSM.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2054810/+subscriptions
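An added example, not part of the bug report or of any of the projects it links: a small POSIX shell script that checks whether the "bpf" LSM is active on the running kernel and, if not, builds the "lsm=" kernel command-line value a user would have to put into /etc/default/grub as described above. It assumes the active LSM list is readable from /sys/kernel/security/lsm (securityfs mounted) and that the kernel was built with CONFIG_BPF_LSM; the sample list strings in the comments are constructed. It appends "bpf" to the existing list rather than replacing it, because "lsm=" overrides the whole ordered list and dropping an entry such as apparmor would silently disable that LSM.

```shell
#!/bin/sh
# Added example (not from the bug report): detect the bpf LSM and build the
# matching "lsm=" boot parameter. Assumes securityfs at /sys/kernel/security.
set -eu

# Return 0 if "bpf" is one comma-separated entry of the LSM list in $1.
# Constructed input "lockdown,yama,apparmor,bpf" -> 0, "lockdown,bpfx" -> 1.
lsm_has_bpf() {
    case ",$1," in
        *,bpf,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the list in $1 with "bpf" appended, unless it is already present.
# Existing entries are kept so that "lsm=" does not disable other LSMs.
lsm_with_bpf() {
    if lsm_has_bpf "$1"; then
        printf '%s\n' "$1"
    elif [ -z "$1" ]; then
        printf '%s\n' "bpf"
    else
        printf '%s\n' "$1,bpf"
    fi
}

# Build the kernel command-line fragment enabling the given list plus bpf.
lsm_cmdline() {
    printf 'lsm=%s\n' "$(lsm_with_bpf "$1")"
}

# Read the active LSM list from the running kernel; empty if unavailable.
active_lsms() {
    if [ -r /sys/kernel/security/lsm ]; then
        cat /sys/kernel/security/lsm
    else
        printf ''
    fi
}

main() {
    cur=$(active_lsms)
    printf 'active LSMs: %s\n' "${cur:-<unknown>}"
    if lsm_has_bpf "$cur"; then
        echo "bpf LSM is active; BPF LSM programs can attach to hooks"
    else
        echo "bpf LSM is not active; boot with: $(lsm_cmdline "$cur")"
        echo "(add it to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub, then run update-grub)"
    fi
}

main "$@"
```

Run it as a normal user on the affected host; the check is read-only and the printed "lsm=" value is the only thing that needs to go into /etc/default/grub.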