https://bugzilla.suse.com/show_bug.cgi?id=1205603
Bug ID: 1205603
Summary: bpf lsm enabled but not included in LSM list
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-bugs@opensuse.org
Reporter: mrueckert@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
During my system upgrades I noticed the following message:
```
systemd[1]: bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported
```
but we have:
```
CONFIG_BPF_LSM=y
```
I asked Franck Bui what it checks for. It checks for the string "bpf" in this list:
```
cat /sys/kernel/security/lsm
lockdown,capability,apparmor
```
It seems `CONFIG_LSM="integrity,apparmor"` needs an update.
--- Comment #1 from Jeff Mahoney jeffm@suse.com --- The default value for this in the upstream kernel when apparmor is the default LSM:
landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf
Franck Bui fbui@suse.com changed:
What | Removed | Added
CC | | fbui@suse.com
Takashi Iwai tiwai@suse.com changed:
What | Removed | Added
CC | | tiwai@suse.com
--- Comment #2 from Takashi Iwai tiwai@suse.com --- bpf was removed from the list explicitly, at commit 0a20128a486536db31e484f5848e239f8acd0fba:
Revert "config: Enable BPF LSM" (bsc#1197746)
This reverts commit c2c25b18721866d6211054f542987036ed6e0a50.
This config change was reported to break boot if SELinux is enabled. Revert until we have a fix.
--- Comment #3 from Marcus Rückert mrueckert@suse.com --- well there was more removed than just bpf :)
--- Comment #4 from Takashi Iwai tiwai@suse.com --- Not really, others haven't been added from the beginning in our config. OTOH, bpf was added once but removed later due to a regression.
Alexander Bergmann abergmann@suse.com changed:
What | Removed | Added
CC | | abergmann@suse.com
--- Comment #5 from Alexander Bergmann abergmann@suse.com --- I've come across the problem that YAMA is not initialized during boot. There is also no /proc/sys/kernel/yama directory because of this.
It looks like yama is also missing inside the CONFIG_LSM variable. Compared to Ubuntu, where access to the ptrace_scope switch is possible, the SUSE configuration is also missing 'Landlock support' and 'kernel lockdown'.
CONFIG_LSM="landlock,lockdown,yama,integrity,apparmor"
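The report's systemd message comes from a check on the comma-separated list in /sys/kernel/security/lsm, and comment #5 notes that a missing yama also means no /proc/sys/kernel/yama. The script below is an added example, not part of this bug or of systemd's or SUSE's code: it performs the same membership test on that list (exact token match, not a substring grep), compares the runtime list with the kernel's CONFIG_LSM if that is readable, and reports the yama sysctl state. The function names, the fallback config paths (/proc/config.gz, /boot/config-$(uname -r)) and the sample lists in the comments are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the bug report, systemd or SUSE): replicate the
# "is bpf in the active LSM list" check and compare runtime LSMs with CONFIG_LSM.

LSM_ACTIVE_FILE=/sys/kernel/security/lsm   # securityfs; the file the report cats

# lsm_has LIST NAME: succeed if NAME is an exact comma-separated member of LIST.
# Token matching avoids a bare substring grep matching part of another name.
lsm_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# lsm_missing EXPECTED ACTIVE: print each member of EXPECTED (comma-separated)
# that is not an active LSM, one per line, in EXPECTED's order.
lsm_missing() {
    printf '%s\n' "$1" | tr ',' '\n' | while read -r name; do
        [ -n "$name" ] || continue
        lsm_has "$2" "$name" || printf '%s\n' "$name"
    done
}

# lsm_active_list: the runtime list, or empty if securityfs is not readable
# (e.g. inside a container), so callers can tell "unreadable" from "absent".
lsm_active_list() {
    if [ -r "$LSM_ACTIVE_FILE" ]; then tr -d '\n' < "$LSM_ACTIVE_FILE"; fi
}

# kernel_config_lsm: value of CONFIG_LSM without quotes, from /proc/config.gz
# or /boot/config-$(uname -r) (assumed locations); empty if neither is readable.
kernel_config_lsm() {
    {
        if [ -r /proc/config.gz ]; then gzip -dc /proc/config.gz
        elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"
        fi
    } 2>/dev/null | sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p'
}

# lsm_report: what the bpf-lsm check would conclude on this host, the yama
# state from comment #5, and LSMs listed in CONFIG_LSM but not active.
lsm_report() {
    active=$(lsm_active_list)
    if [ -z "$active" ]; then
        echo "active LSM list unreadable ($LSM_ACTIVE_FILE); is securityfs mounted?"
        return 0
    fi
    echo "active LSMs: $active"
    if lsm_has "$active" bpf; then
        echo "bpf: active, systemd's bpf-lsm check passes"
    else
        echo "bpf: not active, expect 'BPF LSM hook not enabled in the kernel'"
    fi
    if lsm_has "$active" yama && [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
        echo "yama: active, ptrace_scope=$(cat /proc/sys/kernel/yama/ptrace_scope)"
    else
        echo "yama: not active, /proc/sys/kernel/yama will be absent"
    fi
    cfg=$(kernel_config_lsm)
    if [ -z "$cfg" ]; then
        echo "CONFIG_LSM not readable on this host"
        return 0
    fi
    echo "CONFIG_LSM: $cfg"
    missing=$(lsm_missing "$cfg" "$active" | tr '\n' ' ')
    [ -z "$missing" ] || echo "in CONFIG_LSM but not active: $missing"
}

lsm_report
```

The comparison is a hint rather than proof of misconfiguration: the report's own output shows lockdown and capability active although neither is in its CONFIG_LSM, and integrity in CONFIG_LSM without appearing in the active list, so only entries such as bpf, yama or landlock that the thread expects to be active are worth acting on.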
Pavel Dostál pdostal@suse.com changed:
What | Removed | Added
CC | | pdostal@suse.com