From: Lorenzo Fontana <fontanalorenz@gmail.com>
To: KP Singh <kpsingh@chromium.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>,
open list <linux-kernel@vger.kernel.org>,
bpf <bpf@vger.kernel.org>,
Linux Security Module list
<linux-security-module@vger.kernel.org>,
Jonathan Corbet <corbet@lwn.net>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Alexei Starovoitov <ast@kernel.org>,
Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
Yonghong Song <yhs@fb.com>, Andrii Nakryiko <andriin@fb.com>,
John Fastabend <john.fastabend@gmail.com>
Subject: Re: [PATCH] bpf: lsm: Disable or enable BPF LSM at boot time
Date: Mon, 6 Jul 2020 22:06:40 +0200 [thread overview]
Message-ID: <20200706200640.GA234619@gallifrey> (raw)
In-Reply-To: <CACYkzJ78HOP8SZ3jU0DnH0b4f8580AuP4fdG5K3xgaHa8VYaZw@mail.gmail.com>
On Mon, Jul 06, 2020 at 08:59:13PM +0200, KP Singh wrote:
> On Mon, Jul 6, 2020 at 8:51 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
> >
> > On 7/6/20 6:57 PM, Lorenzo Fontana wrote:
> > > This option adds a kernel parameter 'bpf_lsm',
> > > which allows the BPF LSM to be disabled at boot.
> > > The purpose of this option is to allow a single kernel
> > > image to be distributed with the BPF LSM built in,
> > > but not necessarily enabled.
> > >
> > > Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>
> >
> > Well, this explains what the patch is doing but not *why* you need it exactly.
> > Please explain your concrete use-case for this patch.
>
> Also, this patch is not really needed as it can already be done with the current
> kernel parameters.
>
> LSMs can be enabled on the command line
> with the lsm= parameter. So you can just pass lsm="selinux,capabilities" etc
> and not pass "bpf" and it will disable the BPF_LSM.
>
> - KP
>
> >
> > Thanks,
> > Daniel
Hi,
Thanks Daniel and KP for looking into this, I really appreciate it!
The *why* I need it is because I need to ship the kernel with BPF LSM
disabled at boot time.
The use case is exactly the same as the one described by KP, however
for a personal preference I prefer to pass specifically bpf_lsm=1 or
bpf_lsm=0 - It's easier to change programmatically in my scripts
with a simple sprintf("bpf_lsm=%d", value). I do the same
with "selinux=1" and "selinux=0" in my systems.
From what I can see by reading the code and testing, the two ways
bot act on 'lsm_info.enabled' defined in 'lsm_hooks.h'.
So it's not just a personal preference, I just want the same set
of options available to me as I do with selinux.
Thanks a lot,
Lore
next prev parent reply other threads:[~2020-07-06 20:06 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-06 16:57 [PATCH] bpf: lsm: Disable or enable BPF LSM at boot time Lorenzo Fontana
2020-07-06 18:51 ` Daniel Borkmann
2020-07-06 18:59 ` KP Singh
2020-07-06 20:06 ` Lorenzo Fontana [this message]
2020-07-06 20:30 ` KP Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200706200640.GA234619@gallifrey \
--to=fontanalorenz@gmail.com \
--cc=andriin@fb.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=corbet@lwn.net \
--cc=daniel@iogearbox.net \
--cc=jmorris@namei.org \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kpsingh@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=songliubraving@fb.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).