View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001289 | channel: kernel/el8 | --kernel--request-for-enhancement-- | public | 2022-11-28 18:42 | 2022-12-14 13:19 |
Reporter | YJesus | Assigned To | burakkucat | ||
Priority | high | Severity | feature | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Platform | All | OS | All | OS Version | All |
Summary | 0001289: Kernel compiled without BPF LSM | ||||
Description | Major (all?) RedHat Distros Kernels have LSM like: CONFIG_LSM="lockdown,yama,integrity,selinux,bpf" But Elrepo Kernels: CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor" | ||||
Steps To Reproduce | grep -i lsm /boot/config-`uname -r` | ||||
Additional Information | I think BPF LSM should be added | ||||
Tags | No tags attached. | ||||
|
Assuming this is for el8, I moved the "Project" from elrepo/el7 to kernel/el8. |
|
Yes, but I think that CentOS 7 doesn't have BPF LSM due to lack of kernel support (3x doesn't have this feature) so if you could add in the new 5x / 6x kernels that should be nice. |
|
Acknowledging your request, which will be enacted in phases.

With the recent release of updated kernel-ml package sets for el7 [1], el8 [2] and el9 [3] the first phase has been completed as follows --

RHEL7 (x86_64):

```
$ grep 'LSM' /boot/config-3.10.0-1160.80.1.el7.x86_64 | grep '^CONFIG_'
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_IMA_LSM_RULES=y
$
```

kernel-ml for el7 (x86_64):

```
$ grep 'LSM' config-6.0.11-x86_64 | grep '^CONFIG_'
CONFIG_BPF_LSM=y
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_IMA_LSM_RULES=y
CONFIG_LSM="yama,integrity,selinux,bpf"
$
```

RHEL8 (x86_64):

```
$ grep 'LSM' /boot/config-4.18.0-425.3.1.el8.x86_64 | grep '^CONFIG_'
CONFIG_BPF_LSM=y
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_IMA_LSM_RULES=y
CONFIG_LSM="yama,integrity,selinux,bpf"
$
```

kernel-ml for el8 (x86_64):

```
$ grep 'LSM' config-6.0.11-x86_64 | grep '^CONFIG_'
CONFIG_BPF_LSM=y
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_IMA_LSM_RULES=y
CONFIG_LSM="yama,integrity,selinux,bpf"
$
```

RHEL9 (aarch64):

```
$ grep 'LSM' /boot/config-5.14.0-162.6.1.el9_1.aarch64 | grep '^CONFIG_'
CONFIG_BPF_LSM=y
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_IMA_LSM_RULES=y
CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
$
```

kernel-ml for el9 (aarch64):

```
$ grep 'LSM' config-6.0.11-aarch64 | grep '^CONFIG_'
CONFIG_BPF_LSM=y
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_IMA_LSM_RULES=y
CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
$
```

RHEL9 (x86_64):

```
$ grep 'LSM' /boot/config-5.14.0-162.6.1.el9_1.x86_64 | grep '^CONFIG_'
CONFIG_BPF_LSM=y
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_IMA_LSM_RULES=y
CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
$
```

kernel-ml for el9 (x86_64):

```
$ grep 'LSM' config-6.0.11-x86_64 | grep '^CONFIG_'
CONFIG_BPF_LSM=y
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_IMA_LSM_RULES=y
CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
$
```

Assuming that there are no problems reported with these latest kernel-ml package sets, then phase two will be to modify the CONFIG_LSM string (for el7 and el8) to match that for el9. Pictorially --

```
CONFIG_LSM="yama,integrity,selinux,bpf"
===>
CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
```

Phases three and four will be the corresponding adjustments to the configuration files for the kernel-lt package sets (for el7 and el8).

[1] https://lists.elrepo.org/pipermail/elrepo/2022-December/006289.html
[2] https://lists.elrepo.org/pipermail/elrepo/2022-December/006290.html
[3] https://lists.elrepo.org/pipermail/elrepo/2022-December/006291.html
|
With the recent release of the updated kernel-ml package sets for el7 [1], el8 [2] and el9 [3] the second phase has been completed as follows --

kernel-ml for el7 (x86_64):

```
$ grep 'LSM' config-6.0.12-x86_64 | grep '^CONFIG_'
CONFIG_BPF_LSM=y
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_IMA_LSM_RULES=y
CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
$
```

kernel-ml for el8 (x86_64):

```
$ grep 'LSM' config-6.0.12-x86_64 | grep '^CONFIG_'
CONFIG_BPF_LSM=y
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_IMA_LSM_RULES=y
CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
$
```

kernel-ml for el9 (aarch64):

```
$ grep 'LSM' config-6.0.12-aarch64 | grep '^CONFIG_'
CONFIG_BPF_LSM=y
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_IMA_LSM_RULES=y
CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
$
```

kernel-ml for el9 (x86_64):

```
$ grep 'LSM' config-6.0.12-x86_64 | grep '^CONFIG_'
CONFIG_BPF_LSM=y
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_IMA_LSM_RULES=y
CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
$
```

Likewise the recent release of the updated kernel-lt package sets for el7 [4] and el8 [5] completes the third phase as follows --

kernel-lt for el7 (x86_64):

```
$ grep 'LSM' config-5.4.226-x86_64 | grep '^CONFIG_'
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_IMA_LSM_RULES=y
CONFIG_LSM="yama,integrity,selinux,bpf"
$
```

kernel-lt for el8 (x86_64):

```
$ grep 'LSM' config-5.4.226-x86_64 | grep '^CONFIG_'
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_IMA_LSM_RULES=y
CONFIG_LSM="yama,integrity,selinux,bpf"
$
```

All being well, the next update to the kernel-lt package sets will enact the fourth and final phase. Namely --

```
CONFIG_LSM="yama,integrity,selinux,bpf"
===>
CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
```

[1] https://lists.elrepo.org/pipermail/elrepo/2022-December/006293.html
[2] https://lists.elrepo.org/pipermail/elrepo/2022-December/006295.html
[3] https://lists.elrepo.org/pipermail/elrepo/2022-December/006296.html
[4] https://lists.elrepo.org/pipermail/elrepo/2022-December/006292.html
[5] https://lists.elrepo.org/pipermail/elrepo/2022-December/006294.html
|
The recent release of updated kernel-lt package sets for el7 [1] and el8 [2] completes the fourth and final phase as follows --

kernel-lt for el7 (x86_64):

```
$ grep 'LSM' config-5.4.227-x86_64 | grep '^CONFIG_'
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_IMA_LSM_RULES=y
CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
$
```

kernel-lt for el8 (x86_64):

```
$ grep 'LSM' config-5.4.227-x86_64 | grep '^CONFIG_'
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_IMA_LSM_RULES=y
CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
$
```

Now closing this request as "resolved/fixed".

[1] https://lists.elrepo.org/pipermail/elrepo/2022-December/006300.html
[2] https://lists.elrepo.org/pipermail/elrepo/2022-December/006301.html
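
The greps in the notes above report two separate settings: `CONFIG_BPF_LSM=y` (the BPF LSM is compiled in) and the `CONFIG_LSM` string (which built-in LSMs are enabled at boot, and in what order). The following is an added example, not part of the original thread or of ELRepo's tooling: it audits a config file for both settings and reports a `bpf` entry in `CONFIG_LSM` without `CONFIG_BPF_LSM=y` (the shape of the kernel-lt 5.4 output) as its own status. The function names, exit codes and sample files are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit a kernel config (and, optionally, the running kernel)
# for BPF LSM. Function names and exit codes are this example's own.

# lsm_audit FILE -> prints a one-line summary; exit status:
#   0 built and listed   1 built, not in CONFIG_LSM
#   2 listed, not built  3 neither   4 unreadable file
lsm_audit() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 4; }
    # CONFIG_LSM is a quoted, comma-separated, ordered list of LSM names.
    order=$(sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' "$cfg")
    built=no; listed=no
    if grep -q '^CONFIG_BPF_LSM=y$' "$cfg"; then built=yes; fi
    case ",$order," in *,bpf,*) listed=yes ;; esac
    echo "order=$order built=$built listed=$listed"
    case "$built/$listed" in
        yes/yes) return 0 ;;
        yes/no)  return 1 ;;
        no/yes)  return 2 ;;
        *)       return 3 ;;
    esac
}

# lsm_active NAME [FILE] -> 0 if NAME is in the list of LSMs active since boot.
# FILE defaults to securityfs; an lsm= boot parameter can override CONFIG_LSM.
lsm_active() {
    list=$(cat "${2:-/sys/kernel/security/lsm}" 2>/dev/null) || return 2
    case ",$list," in *,"$1",*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample inputs, modelled on the grep output quoted in the thread.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/ml" <<'EOF'
CONFIG_BPF_LSM=y
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
EOF
cat > "$sample_dir/lt" <<'EOF'
CONFIG_LSM_MMAP_MIN_ADDR=65535
CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"
EOF
for f in ml lt; do
    lsm_audit "$sample_dir/$f" || echo "  -> status $? for $f"
done
```

On an installed system, run `lsm_audit /boot/config-$(uname -r)` and then `lsm_active bpf` to compare the build-time setting with what the running kernel actually enabled.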
Date Modified | Username | Field | Change |
---|---|---|---|
2022-11-28 18:42 | YJesus | New Issue | |
2022-11-28 18:45 | toracat | Assigned To | => burakkucat |
2022-11-28 18:45 | toracat | Status | new => assigned |
2022-11-28 18:51 | toracat | Project | channel: elrepo/el7 => channel: kernel/el8 |
2022-11-28 18:52 | toracat | Note Added: 0008783 | |
2022-11-28 19:02 | YJesus | Note Added: 0008784 | |
2022-11-29 11:06 | burakkucat | Description Updated | |
2022-12-03 13:55 | burakkucat | Status | assigned => acknowledged |
2022-12-03 13:55 | burakkucat | Note Added: 0008815 | |
2022-12-08 17:05 | burakkucat | Note Edited: 0008815 | |
2022-12-08 17:09 | burakkucat | Note Added: 0008832 | |
2022-12-08 17:13 | burakkucat | Note Edited: 0008815 | |
2022-12-09 13:02 | burakkucat | Note Edited: 0008832 | |
2022-12-14 13:19 | burakkucat | Status | acknowledged => resolved |
2022-12-14 13:19 | burakkucat | Resolution | open => fixed |
2022-12-14 13:19 | burakkucat | Note Added: 0008836 |