[Bug 1205603] New: bpf lsm enabled but not included in LSM list
https://bugzilla.suse.com/show_bug.cgi?id=1205603

Bug ID: 1205603
Summary: bpf lsm enabled but not included in LSM list
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-bugs@opensuse.org
Reporter: mrueckert@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

During my system upgrades I noticed the following message:

```
systemd[1]: bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported
```

but we have:

```
CONFIG_BPF_LSM=y
```

I asked Frank Bui what it checks for. It checks for the string "bpf" in this list:

```
cat /sys/kernel/security/lsm
lockdown,capability,apparmor
```

It seems

```
CONFIG_LSM="integrity,apparmor"
```

needs an update.

--
You are receiving this mail because:
You are the assignee for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205603#c1

--- Comment #1 from Jeff Mahoney <jeffm@suse.com> ---
The default value for this in the upstream kernel when apparmor is the default LSM:

landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf

https://bugzilla.suse.com/show_bug.cgi?id=1205603#c2

Takashi Iwai <tiwai@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |tiwai@suse.com

--- Comment #2 from Takashi Iwai <tiwai@suse.com> ---
bpf was removed from the list explicitly, at commit 0a20128a486536db31e484f5848e239f8acd0fba:

    Revert "config: Enable BPF LSM" (bsc#1197746)

    This reverts commit c2c25b18721866d6211054f542987036ed6e0a50.

    This config change was reported to break boot if SELinux is enabled.
    Revert until we have a fix.

https://bugzilla.suse.com/show_bug.cgi?id=1205603#c3

--- Comment #3 from Marcus Rückert <mrueckert@suse.com> ---
well there was more removed than just bpf :)

https://bugzilla.suse.com/show_bug.cgi?id=1205603#c4

--- Comment #4 from Takashi Iwai <tiwai@suse.com> ---
Not really, others haven't been added from the beginning in our config.
OTOH, bpf was added once but removed later due to a regression.

https://bugzilla.suse.com/show_bug.cgi?id=1205603#c5

Alexander Bergmann <abergmann@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |abergmann@suse.com

--- Comment #5 from Alexander Bergmann <abergmann@suse.com> ---
I've come across the problem that YAMA is not initialized during boot. There is also no /proc/sys/kernel/yama directory because of this.

It looks like yama is also missing inside the CONFIG_LSM variable.

Compared to Ubuntu, where the access to the ptrace_scope switch is possible, the SUSE configuration is also missing 'Landlock support' and 'kernel lockdown'.

CONFIG_LSM="landlock,lockdown,yama,integrity,apparmor"

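
An added example, not part of the bug report and not systemd's code: a shell check for the mismatch discussed in this thread, listing LSMs that are compiled into the kernel but absent from the active list in /sys/kernel/security/lsm. The symbol-to-name table, the sample config and the /boot/config-$(uname -r) path are assumptions of the example.

```shell
# lsm_in_list LIST NAME: succeed only if NAME is an exact entry of the comma-separated LIST.
lsm_in_list() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# lsm_built_in CONFIG_TEXT: print the name of each LSM whose Kconfig symbol is =y.
# The symbol/name table is an assumption of this example and is not exhaustive.
lsm_built_in() {
    while read -r sym name; do
        if printf '%s\n' "$1" | grep -qxF "${sym}=y"; then
            printf '%s\n' "$name"
        fi
    done <<'EOF'
CONFIG_SECURITY_LANDLOCK landlock
CONFIG_SECURITY_LOCKDOWN_LSM lockdown
CONFIG_SECURITY_YAMA yama
CONFIG_SECURITY_APPARMOR apparmor
CONFIG_SECURITY_SELINUX selinux
CONFIG_BPF_LSM bpf
EOF
}

# lsm_inactive CONFIG_TEXT ACTIVE_LIST: print built-in LSMs absent from ACTIVE_LIST.
lsm_inactive() {
    missing=""
    for name in $(lsm_built_in "$1"); do
        lsm_in_list "$2" "$name" || missing="${missing:+$missing }$name"
    done
    printf '%s\n' "$missing"
}

# Constructed sample modelled on the report: bpf and yama built in, neither active.
SAMPLE_CONFIG='CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_APPARMOR=y
# CONFIG_SECURITY_SELINUX is not set
CONFIG_BPF_LSM=y'
SAMPLE_ACTIVE='lockdown,capability,apparmor'

# Check the running kernel when both files are readable (config path is an assumption).
cfg_file="/boot/config-$(uname -r)"
if [ -r /sys/kernel/security/lsm ] && [ -r "$cfg_file" ]; then
    lsm_inactive "$(cat "$cfg_file")" "$(cat /sys/kernel/security/lsm)"
else
    lsm_inactive "$SAMPLE_CONFIG" "$SAMPLE_ACTIVE"
fi
```

Each name it prints is an LSM that would have to be added to CONFIG_LSM, or to the `lsm=` boot parameter, before its hooks are initialized.
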
http://bugzilla.suse.com/show_bug.cgi?id=1205603#c10

Marcus Rückert <mrueckert@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |---     |FIXED

--- Comment #10 from Marcus Rückert <mrueckert@suse.com> ---
this seems fixed in TW

http://bugzilla.suse.com/show_bug.cgi?id=1205603#c11

Marcus Rückert <mrueckert@suse.com> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Resolution |FIXED    |---
Status     |RESOLVED |REOPENED

--- Comment #11 from Marcus Rückert <mrueckert@suse.com> ---
reopen in case we want to update the list also in leap/SLE

http://bugzilla.suse.com/show_bug.cgi?id=1205603#c12

Dirk Mueller <dmueller@suse.com> changed:

What  |Removed |Added
----------------------------------------------------------------------------
Flags |        |needinfo?(jeffm@suse.com)
CC    |        |jeffm@suse.com

--- Comment #12 from Dirk Mueller <dmueller@suse.com> ---
Jeff, this needs to be fixed in the ALP kernel as well (and SLE etc)?

not listing selinux in SLE15 seems wrong