Enable BPF LSM in Linux distros

[vadorovsky]

Currently Linux distributions don't enable BPF LSM by default. Enabling it requires editing GRUB configuration and providing custom kernel parameter like:

GRUB_CMDLINE_LINUX="lsm=lockdown,capability,bpf"

This is not really convenient and we should rather push distros to enable that.

To change that, we need to add bpf to the CONFIG_LSM list in kernel configs.

Distros support:

• openSUSE
  • done: openSUSE/kernel-source@c2c25b1
• Fedora
  • https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config#n3294
• Ubuntu
  • https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1964941
• Debian
• Manjaro
  • https://gitlab.manjaro.org/packages/core/linux517/-/issues/2
• Arch
  • https://github.com/archlinux/svntogit-packages/blob/packages/linux/trunk/config#L9963

[akshatagarwl]

Is this for enabling CONFIG_BPF_LSM or adding bpf to the list of active LSMs through CONFIG_LSM? Since most if not all of the mentioned distros have already enabled CONFIG_BPF_LSM (1, 2, 3)

[vadorovsky]

@humancalico It's for adding bpf to the CONFIG_LSM list, sorry for not being clear.

We've already done it for openSUSE:
openSUSE/kernel-source@c2c25b1

[holyspectral]

For others who found this issue like me, here is the new ticket for Ubuntu (the original one has expired): https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2054810

[dorkamotorka]

Any progress on the ubuntu distro? According to the Ubuntu Ticket appears not :(