[Bug 1205603] New: bpf lsm enabled but not included in LSM list
https://bugzilla.suse.com/show_bug.cgi?id=1205603

Bug ID: 1205603
Summary: bpf lsm enabled but not included in LSM list
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-bugs@opensuse.org
Reporter: mrueckert@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

During my system upgrades I noticed the following message:

```systemd[1]: bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported```

but we have:

```CONFIG_BPF_LSM=y```

I asked Franck Bui what it checks for. It checks for the string "bpf" in this list:

```
cat /sys/kernel/security/lsm
lockdown,capability,apparmor
```

It seems ```CONFIG_LSM="integrity,apparmor"``` needs an update.

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205603
https://bugzilla.suse.com/show_bug.cgi?id=1205603#c1

--- Comment #1 from Jeff Mahoney <jeffm@suse.com> ---
The default value for this in the upstream kernel when apparmor is the default LSM:

landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf

https://bugzilla.suse.com/show_bug.cgi?id=1205603

Franck Bui <fbui@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fbui@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1205603
https://bugzilla.suse.com/show_bug.cgi?id=1205603#c2

Takashi Iwai <tiwai@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tiwai@suse.com

--- Comment #2 from Takashi Iwai <tiwai@suse.com> ---
bpf was removed from the list explicitly, at commit 0a20128a486536db31e484f5848e239f8acd0fba:

    Revert "config: Enable BPF LSM" (bsc#1197746)

    This reverts commit c2c25b18721866d6211054f542987036ed6e0a50.

    This config change was reported to break boot if SELinux is enabled.
    Revert until we have a fix.

https://bugzilla.suse.com/show_bug.cgi?id=1205603
https://bugzilla.suse.com/show_bug.cgi?id=1205603#c3

--- Comment #3 from Marcus Rückert <mrueckert@suse.com> ---
well there was more removed than just bpf :)

https://bugzilla.suse.com/show_bug.cgi?id=1205603
https://bugzilla.suse.com/show_bug.cgi?id=1205603#c4

--- Comment #4 from Takashi Iwai <tiwai@suse.com> ---
Not really, others haven't been added from the beginning in our config.
OTOH, bpf was added once but removed later due to a regression.

https://bugzilla.suse.com/show_bug.cgi?id=1205603
https://bugzilla.suse.com/show_bug.cgi?id=1205603#c5

Alexander Bergmann <abergmann@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |abergmann@suse.com

--- Comment #5 from Alexander Bergmann <abergmann@suse.com> ---
I've come across the problem that YAMA is not initialized during boot. There is also no /proc/sys/kernel/yama directory because of this.

It looks like yama is also missing inside the CONFIG_LSM variable.

Compared to Ubuntu, where the access to the ptrace_scope switch is possible, the SUSE configuration is also missing 'Landlock support' and 'kernel lockdown'.

CONFIG_LSM="landlock,lockdown,yama,integrity,apparmor"

https://bugzilla.suse.com/show_bug.cgi?id=1205603

Pavel Dostál <pdostal@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pdostal@suse.com
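
Added example, not part of the bug thread and not SUSE or systemd code: the mismatch reported in the description and in comment #5 (an LSM built into the kernel but absent from `/sys/kernel/security/lsm`) can be checked with a small shell function. The function name, the symbol table and the sample input are constructed for illustration; `CONFIG_SECURITY_YAMA=y` in the sample is an assumption, since the thread does not quote that line.

```shell
#!/bin/sh
# Kconfig symbol -> name used in the LSM list (upstream kernel symbol names).
LSM_SYMBOLS='CONFIG_BPF_LSM=bpf
CONFIG_SECURITY_YAMA=yama
CONFIG_SECURITY_LANDLOCK=landlock
CONFIG_SECURITY_LOCKDOWN_LSM=lockdown
CONFIG_SECURITY_LOADPIN=loadpin
CONFIG_SECURITY_SAFESETID=safesetid
CONFIG_SECURITY_APPARMOR=apparmor
CONFIG_SECURITY_SELINUX=selinux
CONFIG_SECURITY_SMACK=smack
CONFIG_SECURITY_TOMOYO=tomoyo'

# inactive_lsms CONFIG_TEXT ACTIVE_LIST   (hypothetical helper name)
# Prints, space separated, every LSM built with =y that is not in ACTIVE_LIST.
inactive_lsms() {
    config_text=$1
    active=",$2,"        # wrap in commas so "bpf" cannot match a longer name
    missing=
    for pair in $LSM_SYMBOLS; do
        symbol=${pair%%=*}
        name=${pair#*=}
        # Skip LSMs that are not compiled in; -x matches the whole line only.
        printf '%s\n' "$config_text" | grep -qx "${symbol}=y" || continue
        case $active in
            *",$name,"*) ;;                              # initialized at boot
            *) missing="${missing:+$missing }$name" ;;   # built but inactive
        esac
    done
    printf '%s\n' "$missing"
}

# Constructed sample input: CONFIG_BPF_LSM, CONFIG_LSM and the active list are
# the values quoted in the thread; the other config lines are assumptions.
SAMPLE_CONFIG='CONFIG_BPF_LSM=y
CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
# CONFIG_SECURITY_SMACK is not set
CONFIG_LSM="integrity,apparmor"'
SAMPLE_ACTIVE='lockdown,capability,apparmor'

inactive_lsms "$SAMPLE_CONFIG" "$SAMPLE_ACTIVE"
```

On a live system, pass the text of the running kernel's config file and the contents of `/sys/kernel/security/lsm` as the two arguments. The kernel's `lsm=` boot parameter overrides `CONFIG_LSM`, so a reported LSM can be enabled for testing without rebuilding the kernel.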