Message ID | 20201130231403.2737154-1-kpsingh@chromium.org
---|---
State | New
Series | [G/H] UBUNTU: [Config] Enable CONFIG_BPF_LSM
Hi!

On Mon, Nov 30, 2020 at 11:14:03PM +0000, KP Singh wrote:
> From: KP Singh <kpsingh@google.com>
>
> Buglink: https://bugs.launchpad.net/bugs/1905975
>
> [Impact]
>
> Allows users to implement MAC and Audit Policies using BPF programs.
>
> The LSM won't be added to the list of active LSMs by default (in
> CONFIG_LSM or lsm= on the boot parameters) yet, as it adds an indirect
> function call overhead by registering an empty callback for all hooks.
>
> The LSM can be made "active" by default when the upstream effort [1] of
> getting rid of this overhead is merged in the mainline kernel.
>
> [Regression Potential]
>
> Since the LSM is not active by default, it does not cause any
> functional or performance regression.
>
> [1]: https://lore.kernel.org/bpf/20200820164753.3256899-1-jackmanb@chromium.org
>
> Signed-off-by: KP Singh <kpsingh@google.com>

FWIW, this looks good to me. I'd love to be able to play with the BPF LSM
on Ubuntu. :)

Adding this CONFIG results in no change in performance unless the user
explicitly turns it on at boot (i.e. they really know what they're doing),
and when enabled is exposed only to root users.

Can this get added to Hirsute, please? (And if that goes well, it'd be nice
to get it in Groovy too, but that's not critical.)

-Kees

> ---
> debian.master/config/config.common.ubuntu | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
> index c20145760f29..39f5fffcc641 100644
> --- a/debian.master/config/config.common.ubuntu
> +++ b/debian.master/config/config.common.ubuntu
> @@ -1216,7 +1216,7 @@ CONFIG_BPF_JIT=y
> CONFIG_BPF_JIT_ALWAYS_ON=y
> CONFIG_BPF_JIT_DEFAULT_ON=y
> CONFIG_BPF_KPROBE_OVERRIDE=y
> -# CONFIG_BPF_LSM is not set
> +CONFIG_BPF_LSM=y
> CONFIG_BPF_STREAM_PARSER=y
> CONFIG_BPF_SYSCALL=y
> CONFIG_BPQETHER=m
> --
> 2.29.2.454.gaff20da3a2-goog
>
On Mon, Nov 30, 2020 at 11:14:03PM +0000, KP Singh wrote:
> From: KP Singh <kpsingh@google.com>
>
> Buglink: https://bugs.launchpad.net/bugs/1905975
>
> [Impact]
>
> Allows users to implement MAC and Audit Policies using BPF programs.
>
> The LSM won't be added to the list of active LSMs by default (in
> CONFIG_LSM or lsm= on the boot parameters) yet, as it adds an indirect
> function call overhead by registering an empty callback for all hooks.
>
> The LSM can be made "active" by default when the upstream effort [1] of
> getting rid of this overhead is merged in the mainline kernel.
>
> [Regression Potential]
>
> Since the LSM is not active by default, it does not cause any
> functional or performance regression.
>
> [1]: https://lore.kernel.org/bpf/20200820164753.3256899-1-jackmanb@chromium.org

I think it'd be interesting to have this feature. Moreover it doesn't add
any extra overhead if not explicitly enabled, therefore:

Acked-by: Andrea Righi <andrea.righi@canonical.com>
On Mon, Nov 30, 2020 at 11:14:03PM +0000, KP Singh wrote:
> From: KP Singh <kpsingh@google.com>
>
> Buglink: https://bugs.launchpad.net/bugs/1905975
>
> [Impact]
>
> Allows users to implement MAC and Audit Policies using BPF programs.
>
> The LSM won't be added to the list of active LSMs by default (in
> CONFIG_LSM or lsm= on the boot parameters) yet, as it adds an indirect
> function call overhead by registering an empty callback for all hooks.
>
> The LSM can be made "active" by default when the upstream effort [1] of
> getting rid of this overhead is merged in the mainline kernel.
>
> [Regression Potential]
>
> Since the LSM is not active by default, it does not cause any
> functional or performance regression.
>
> [1]: https://lore.kernel.org/bpf/20200820164753.3256899-1-jackmanb@chromium.org
>
> Signed-off-by: KP Singh <kpsingh@google.com>
> ---

Applied to unstable. Thanks.

-Andrea
On 2020-11-30 23:14:03 , KP Singh wrote:
> From: KP Singh <kpsingh@google.com>
>
> Buglink: https://bugs.launchpad.net/bugs/1905975
>
> [Impact]
>
> Allows users to implement MAC and Audit Policies using BPF programs.
>
> The LSM won't be added to the list of active LSMs by default (in
> CONFIG_LSM or lsm= on the boot parameters) yet, as it adds an indirect
> function call overhead by registering an empty callback for all hooks.
>
> The LSM can be made "active" by default when the upstream effort [1] of
> getting rid of this overhead is merged in the mainline kernel.
>
> [Regression Potential]
>
> Since the LSM is not active by default, it does not cause any
> functional or performance regression.
>
> [1]: https://lore.kernel.org/bpf/20200820164753.3256899-1-jackmanb@chromium.org
>
> Signed-off-by: KP Singh <kpsingh@google.com>

Acked-by: Khalid Elmously <khalid.elmously@canonical.com>

> ---
> debian.master/config/config.common.ubuntu | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
> index c20145760f29..39f5fffcc641 100644
> --- a/debian.master/config/config.common.ubuntu
> +++ b/debian.master/config/config.common.ubuntu
> @@ -1216,7 +1216,7 @@ CONFIG_BPF_JIT=y
> CONFIG_BPF_JIT_ALWAYS_ON=y
> CONFIG_BPF_JIT_DEFAULT_ON=y
> CONFIG_BPF_KPROBE_OVERRIDE=y
> -# CONFIG_BPF_LSM is not set
> +CONFIG_BPF_LSM=y
> CONFIG_BPF_STREAM_PARSER=y
> CONFIG_BPF_SYSCALL=y
> CONFIG_BPQETHER=m
> --
> 2.29.2.454.gaff20da3a2-goog
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
On 15.12.20 10:03, Andrea Righi wrote:
> On Mon, Nov 30, 2020 at 11:14:03PM +0000, KP Singh wrote:
>> From: KP Singh <kpsingh@google.com>
>>
>> Buglink: https://bugs.launchpad.net/bugs/1905975
>>
>> [Impact]
>>
>> Allows users to implement MAC and Audit Policies using BPF programs.
>>
>> The LSM won't be added to the list of active LSMs by default (in
>> CONFIG_LSM or lsm= on the boot parameters) yet, as it adds an indirect
>> function call overhead by registering an empty callback for all hooks.
>>
>> The LSM can be made "active" by default when the upstream effort [1] of
>> getting rid of this overhead is merged in the mainline kernel.
>>
>> [Regression Potential]
>>
>> Since the LSM is not active by default, it does not cause any
>> functional or performance regression.
>>
>> [1]: https://lore.kernel.org/bpf/20200820164753.3256899-1-jackmanb@chromium.org
>>
>> Signed-off-by: KP Singh <kpsingh@google.com>
>> ---
>
> Applied to unstable. Thanks.

I don't think we yet had a Hirsute kernel generally available that had this
turned on. Though I know I should be able to trust Kees, I still would like to
be cautious with Groovy and wait until there was a chance to have this exposed in
Hirsute to a slightly bigger group.

-Stefan

>
> -Andrea
>
On 2021-01-22 10:14:25 , Stefan Bader wrote:
> On 15.12.20 10:03, Andrea Righi wrote:
> > On Mon, Nov 30, 2020 at 11:14:03PM +0000, KP Singh wrote:
> >> From: KP Singh <kpsingh@google.com>
> >>
> >> Buglink: https://bugs.launchpad.net/bugs/1905975
> >>
> >> [Impact]
> >>
> >> Allows users to implement MAC and Audit Policies using BPF programs.
> >>
> >> The LSM won't be added to the list of active LSMs by default (in
> >> CONFIG_LSM or lsm= on the boot parameters) yet, as it adds an indirect
> >> function call overhead by registering an empty callback for all hooks.
> >>
> >> The LSM can be made "active" by default when the upstream effort [1] of
> >> getting rid of this overhead is merged in the mainline kernel.
> >>
> >> [Regression Potential]
> >>
> >> Since the LSM is not active by default, it does not cause any
> >> functional or performance regression.
> >>
> >> [1]: https://lore.kernel.org/bpf/20200820164753.3256899-1-jackmanb@chromium.org
> >>
> >> Signed-off-by: KP Singh <kpsingh@google.com>
> >> ---
> >
> > Applied to unstable. Thanks.
>
> I don't think we yet had a Hirsute kernel generally available that had this
> turned on. Though I know I should be able to trust Kees, I still would like to
> be cautious with Groovy and wait until there was a chance to have this exposed in
> Hirsute to a slightly bigger group.
>
> -Stefan

Should this be treated as a NACK for Groovy on this patch for now?

-Kelsey

> >
> > -Andrea
> >
On Fri, Jan 22, 2021 at 8:31 PM Kelsey Skunberg
<kelsey.skunberg@canonical.com> wrote:
>
> On 2021-01-22 10:14:25 , Stefan Bader wrote:
> > On 15.12.20 10:03, Andrea Righi wrote:
> > > On Mon, Nov 30, 2020 at 11:14:03PM +0000, KP Singh wrote:
> > >> From: KP Singh <kpsingh@google.com>
> > >>
> > >> Buglink: https://bugs.launchpad.net/bugs/1905975
> > >>
> > >> [Impact]
> > >>
> > >> Allows users to implement MAC and Audit Policies using BPF programs.
> > >>
> > >> The LSM won't be added to the list of active LSMs by default (in
> > >> CONFIG_LSM or lsm= on the boot parameters) yet, as it adds an indirect
> > >> function call overhead by registering an empty callback for all hooks.
> > >>
> > >> The LSM can be made "active" by default when the upstream effort [1] of
> > >> getting rid of this overhead is merged in the mainline kernel.
> > >>
> > >> [Regression Potential]
> > >>
> > >> Since the LSM is not active by default, it does not cause any
> > >> functional or performance regression.
> > >>
> > >> [1]: https://lore.kernel.org/bpf/20200820164753.3256899-1-jackmanb@chromium.org
> > >>
> > >> Signed-off-by: KP Singh <kpsingh@google.com>
> > >> ---
> > >
> > > Applied to unstable. Thanks.

Thanks!

> >
> > I don't think we yet had a Hirsute kernel generally available that had this
> > turned on. Though I know I should be able to trust Kees, I still would like to
> > be cautious with Groovy and wait until there was a chance to have this exposed in

CONFIG_BPF_LSM alone does nothing unless it's enabled using CONFIG_LSM or
the lsm= kernel command line. But, I guess we could do it after we have a
kernel that uses it on Hirsute.

> > Hirsute to a slightly bigger group.
> >
> > -Stefan
>
> Should this be treated as a NACK for Groovy on this patch for now?

If this is the case should I resubmit this for Groovy after a while?

- KP

>
> -Kelsey
>
> > >
> > > -Andrea
> > >
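The distinction KP Singh draws above (CONFIG_BPF_LSM compiled in versus the LSM actually enabled through CONFIG_LSM or lsm=) can be checked on a running kernel. The script below is an added example, not code from this thread or from the Ubuntu kernel tree; it assumes the build config is readable at /boot/config-$(uname -r) and the active list at /sys/kernel/security/lsm, and exercises itself against constructed sample files.

```shell
#!/bin/sh
# Added example: classify a kernel's BPF LSM state from its build config and
# the comma-separated active-LSM list the kernel exposes in securityfs.
# Inputs are file paths so the same function runs against constructed samples
# and against /boot/config-$(uname -r) plus /sys/kernel/security/lsm.

# bpf_lsm_state CONFIG_FILE LSM_FILE
#   prints exactly one of: not-built | built-inactive | active
bpf_lsm_state() {
    config="$1"
    lsmlist="$2"
    # CONFIG_BPF_LSM=y only means the hooks are compiled in (this patch's change).
    if ! grep -qx 'CONFIG_BPF_LSM=y' "$config"; then
        echo not-built
        return 0
    fi
    # The LSM is active only if "bpf" is in the list that CONFIG_LSM or the
    # lsm= boot parameter produced; otherwise it is built but does nothing.
    if tr ',' '\n' < "$lsmlist" | grep -qx 'bpf'; then
        echo active
    else
        echo built-inactive
    fi
}

# Constructed sample inputs (not real Ubuntu configs) covering the cases
# the thread discusses: not built, built but inactive, and active.
tmp="$(mktemp -d)"
printf 'CONFIG_BPF_SYSCALL=y\n# CONFIG_BPF_LSM is not set\n' > "$tmp/config-off"
printf 'CONFIG_BPF_SYSCALL=y\nCONFIG_BPF_LSM=y\n' > "$tmp/config-built"
printf 'lockdown,capability,yama,apparmor\n' > "$tmp/lsm-default"
printf 'lockdown,capability,yama,apparmor,bpf\n' > "$tmp/lsm-bpf"

for cfg in config-off config-built; do
    for lsm in lsm-default lsm-bpf; do
        printf '%s + %s -> %s\n' "$cfg" "$lsm" \
            "$(bpf_lsm_state "$tmp/$cfg" "$tmp/$lsm")"
    done
done

# Live system:  bpf_lsm_state /boot/config-"$(uname -r)" /sys/kernel/security/lsm
```

On a stock kernel carrying only this patch the live check is expected to report built-inactive, which is the "no regression" condition the description relies on.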
On 22.01.21 20:31, Kelsey Skunberg wrote:
> On 2021-01-22 10:14:25 , Stefan Bader wrote:
>> On 15.12.20 10:03, Andrea Righi wrote:
>>> On Mon, Nov 30, 2020 at 11:14:03PM +0000, KP Singh wrote:
>>>> From: KP Singh <kpsingh@google.com>
>>>>
>>>> Buglink: https://bugs.launchpad.net/bugs/1905975
>>>>
>>>> [Impact]
>>>>
>>>> Allows users to implement MAC and Audit Policies using BPF programs.
>>>>
>>>> The LSM won't be added to the list of active LSMs by default (in
>>>> CONFIG_LSM or lsm= on the boot parameters) yet, as it adds an indirect
>>>> function call overhead by registering an empty callback for all hooks.
>>>>
>>>> The LSM can be made "active" by default when the upstream effort [1] of
>>>> getting rid of this overhead is merged in the mainline kernel.
>>>>
>>>> [Regression Potential]
>>>>
>>>> Since the LSM is not active by default, it does not cause any
>>>> functional or performance regression.
>>>>
>>>> [1]: https://lore.kernel.org/bpf/20200820164753.3256899-1-jackmanb@chromium.org
>>>>
>>>> Signed-off-by: KP Singh <kpsingh@google.com>
>>>> ---
>>>
>>> Applied to unstable. Thanks.
>>
>> I don't think we yet had a Hirsute kernel generally available that had this
>> turned on. Though I know I should be able to trust Kees, I still would like to
>> be cautious with Groovy and wait until there was a chance to have this exposed in
>> Hirsute to a slightly bigger group.
>>
>> -Stefan
>
> Should this be treated as a NACK for Groovy on this patch for now?

No, I would just leave it as pending. And once we have a bit of settling time
in hirsute we can add the second ack and pull it in.

-Stefan

>
> -Kelsey
>
>>>
>>> -Andrea
>>>
Applied to Groovy master-next. Included the annotations changes, too.

Thank you!

-Kelsey

On 2020-11-30 23:14:03 , KP Singh wrote:
> From: KP Singh <kpsingh@google.com>
>
> Buglink: https://bugs.launchpad.net/bugs/1905975
>
> [Impact]
>
> Allows users to implement MAC and Audit Policies using BPF programs.
>
> The LSM won't be added to the list of active LSMs by default (in
> CONFIG_LSM or lsm= on the boot parameters) yet, as it adds an indirect
> function call overhead by registering an empty callback for all hooks.
>
> The LSM can be made "active" by default when the upstream effort [1] of
> getting rid of this overhead is merged in the mainline kernel.
>
> [Regression Potential]
>
> Since the LSM is not active by default, it does not cause any
> functional or performance regression.
>
> [1]: https://lore.kernel.org/bpf/20200820164753.3256899-1-jackmanb@chromium.org
>
> Signed-off-by: KP Singh <kpsingh@google.com>
> ---
> debian.master/config/config.common.ubuntu | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
> index c20145760f29..39f5fffcc641 100644
> --- a/debian.master/config/config.common.ubuntu
> +++ b/debian.master/config/config.common.ubuntu
> @@ -1216,7 +1216,7 @@ CONFIG_BPF_JIT=y
> CONFIG_BPF_JIT_ALWAYS_ON=y
> CONFIG_BPF_JIT_DEFAULT_ON=y
> CONFIG_BPF_KPROBE_OVERRIDE=y
> -# CONFIG_BPF_LSM is not set
> +CONFIG_BPF_LSM=y
> CONFIG_BPF_STREAM_PARSER=y
> CONFIG_BPF_SYSCALL=y
> CONFIG_BPQETHER=m
> --
> 2.29.2.454.gaff20da3a2-goog
>
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index c20145760f29..39f5fffcc641 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -1216,7 +1216,7 @@ CONFIG_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
CONFIG_BPF_KPROBE_OVERRIDE=y
-# CONFIG_BPF_LSM is not set
+CONFIG_BPF_LSM=y
CONFIG_BPF_STREAM_PARSER=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPQETHER=m
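Review bot: the hunk flips only CONFIG_BPF_LSM in config.common.ubuntu and carries no matching change to the Ubuntu config annotations, which the closing reply confirms had to be added separately when the patch was applied to Groovy; the submission should include that annotations update so the config check does not flag the new option. Separately, the description's "no functional or performance regression" claim depends on CONFIG_LSM continuing to omit bpf, and that line is outside this hunk's context, so it is worth stating in the commit message that CONFIG_LSM is left unchanged and that enabling the LSM remains an explicit lsm= (or CONFIG_LSM) choice.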