Re: [PATCH] bpf: lsm: Disable or enable BPF LSM at boot time

[Lorenzo Fontana <fontanalorenz@gmail.com>]

On Mon, Jul 06, 2020 at 08:59:13PM +0200, KP Singh wrote:
> On Mon, Jul 6, 2020 at 8:51 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
> >
> > On 7/6/20 6:57 PM, Lorenzo Fontana wrote:
> > > This option adds a kernel parameter 'bpf_lsm',
> > > which allows the BPF LSM to be disabled at boot.
> > > The purpose of this option is to allow a single kernel
> > > image to be distributed with the BPF LSM built in,
> > > but not necessarily enabled.
> > >
> > > Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
> >
> > Well, this explains what the patch is doing but not *why* you need it exactly.
> > Please explain your concrete use-case for this patch.
> 
> Also, this patch is not really needed as it can already be done with the current
> kernel parameters.
> 
> LSMs can be enabled on the command line
> with the lsm= parameter. So you can just pass lsm="selinux,capabilities" etc
> and not pass "bpf" and it will disable the BPF_LSM.
> 
> - KP
> 
> >
> > Thanks,
> > Daniel

Hi,
Thanks Daniel and KP for looking into this, I really appreciate it!

The *why* I need it is because I need to ship the kernel with BPF LSM
disabled at boot time.

The use case is exactly the same as the one described by KP, however
for a personal preference I prefer to pass specifically bpf_lsm=1 or
bpf_lsm=0 - It's easier to change programmatically in my scripts
with a simple sprintf("bpf_lsm=%d", value). I do the same
with "selinux=1" and "selinux=0" in my systems.
From what I can see by reading the code and testing, the two ways
bot act on 'lsm_info.enabled' defined in 'lsm_hooks.h'.
So it's not just  a personal preference, I just want the same set
of options available to me as I do with selinux.

Thanks a lot,
Lore