From: KP Singh
Date: Mon, 6 Jul 2020 20:59:13 +0200
Subject: Re: [PATCH] bpf: lsm: Disable or enable BPF LSM at boot time
To: Daniel Borkmann
Cc: Lorenzo Fontana, open list, bpf, Linux Security Module list, Jonathan Corbet, James Morris, "Serge E. Hallyn", Alexei Starovoitov, Martin KaFai Lau, Song Liu, Yonghong Song, Andrii Nakryiko, John Fastabend
References: <20200706165710.GA208695@gallifrey> <9268bd47-93db-1591-e224-8d3da333636e@iogearbox.net>
In-Reply-To: <9268bd47-93db-1591-e224-8d3da333636e@iogearbox.net>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jul 6, 2020 at 8:51 PM Daniel Borkmann wrote:
>
> On 7/6/20 6:57 PM, Lorenzo Fontana wrote:
> > This option adds a kernel parameter 'bpf_lsm',
> > which allows the BPF LSM to be disabled at boot.
> > The purpose of this option is to allow a single kernel
> > image to be distributed with the BPF LSM built in,
> > but not necessarily enabled.
> >
> > Signed-off-by: Lorenzo Fontana
>
> Well, this explains what the patch is doing but not *why* you need it exactly.
> Please explain your concrete use-case for this patch.

Also, this patch is not really needed as it can already be done with the current
kernel parameters.

LSMs can be enabled on the command line with the lsm= parameter.
So you can just pass lsm="selinux,capabilities" etc and not pass "bpf" and it
will disable the BPF_LSM.

- KP

>
> Thanks,
> Daniel
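
The lsm= behaviour described in the reply above, as an added example that is not part of the original thread: a small POSIX shell check that decides whether "bpf" ends up in the LSM list for a given kernel command line. The function names, the sample command lines and the sample CONFIG_LSM default are constructed for illustration, and the script assumes that the last lsm= occurrence on the command line wins.

```shell
#!/bin/sh
# Added example: would the BPF LSM be selected for this kernel command line?

# Print the value of lsm= from a command line string (empty if absent).
# Assumption: when lsm= is repeated, the last occurrence wins.
lsm_from_cmdline() {
    val=""
    set -f                      # no glob expansion while splitting tokens
    for tok in $1; do
        case "$tok" in
            lsm=*) val=${tok#lsm=} ;;
        esac
    done
    set +f
    # Quotes around a parameter value are not part of the value itself.
    printf '%s' "$val" | tr -d '"'
}

# $1 = kernel command line, $2 = build-time default list (CONFIG_LSM).
# lsm= on the command line replaces the build-time default.
effective_lsm() {
    case " $1 " in
        *" lsm="*) lsm_from_cmdline "$1" ;;
        *)         printf '%s' "$2" ;;
    esac
}

# $1 = comma-separated LSM list; succeeds only on an exact "bpf" entry.
has_bpf() {
    case ",$1," in
        *,bpf,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# On a running system, securityfs lists the LSMs that are actually active.
if [ -r /sys/kernel/security/lsm ]; then
    if has_bpf "$(cat /sys/kernel/security/lsm)"; then
        echo "running kernel: bpf LSM active"
    else
        echo "running kernel: bpf LSM not active"
    fi
fi
```

Comparing the result of `effective_lsm` for the configured boot entry with the contents of /sys/kernel/security/lsm after reboot confirms that the intended list took effect.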