Package: kernel
Version: 5.10.13-1

Requesting that CONFIG_BPF_LSM be enabled in the Kconfig of the Debian
kernels, which would allow users to load BPF LSM programs. I can see
that all the configs this depends on have already been enabled (the
main one being CONFIG_DEBUG_INFO_BTF).

The BPF LSM was merged into the Linux kernel in 5.7:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=641cd7b06c911c5935c34f24850ea18690649917

https://outflux.net/blog/archives/2020/09/21/security-things-in-linux-v5-7

It allows users to implement MAC and Audit Policies using BPF
programs. As a follow-up from the interest generated by the LSM on
BPF/Linux conferences and on request from users, we’d like to request
the enabling of CONFIG_BPF_LSM.

The LSM won't be added to the list of active LSMs by default (in
CONFIG_LSM or lsm= on the boot parameters) yet, as it adds an indirect
function call overhead by registering an empty LSM hook for all hooks.
However, enabling it in the kernel config will support users who wish
to use BPF LSM programs without needing to replace their kernel image.
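The distinction above (built into the kernel config versus listed as an active LSM) is what a user has to check before loading a BPF LSM program. The following POSIX shell script is an added example, not part of this bug report or of the Debian kernel packaging; it reads the same two sources a user would consult on a live system, the kernel config (`/boot/config-$(uname -r)`) and the active LSM list (`/sys/kernel/security/lsm`), but takes them as arguments so it can be exercised here on constructed sample data. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: classify a kernel as unsupported / inactive / active with
# respect to the BPF LSM, and print the lsm= boot parameter that would
# activate it. Inputs are passed in so the logic runs on sample data.

# config_has_bpf_lsm CONFIG_FILE -> "yes" if CONFIG_BPF_LSM=y is present
config_has_bpf_lsm() {
    if grep -qx 'CONFIG_BPF_LSM=y' "$1"; then echo yes; else echo no; fi
}

# lsm_active LSM_LIST NAME -> "yes" if NAME is in the comma-separated list
lsm_active() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2" && echo yes || echo no
}

# bpf_lsm_status CONFIG_FILE LSM_LIST -> one of:
#   unsupported  kernel not built with CONFIG_BPF_LSM (needs a rebuilt kernel)
#   inactive     built in, but "bpf" is not in the active list (add lsm=...,bpf)
#   active       the BPF LSM hooks are registered; programs can be attached
bpf_lsm_status() {
    if [ "$(config_has_bpf_lsm "$1")" != yes ]; then
        echo unsupported
    elif [ "$(lsm_active "$2" bpf)" != yes ]; then
        echo inactive
    else
        echo active
    fi
}

# suggest_lsm_param LSM_LIST -> lsm= parameter keeping the current order and
# appending bpf (a no-op if bpf is already listed)
suggest_lsm_param() {
    case ",$1," in
        *,bpf,*) printf 'lsm=%s\n' "$1" ;;
        *)       printf 'lsm=%s,bpf\n' "$1" ;;
    esac
}

# Constructed sample data standing in for the live files: a config with the
# option enabled, and an LSM list typical of a distribution that has not yet
# activated bpf.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_DEBUG_INFO_BTF=y
CONFIG_BPF_LSM=y
# CONFIG_LSM_EXAMPLE is not set
EOF
SAMPLE_LSM_LIST='lockdown,capability,yama,apparmor'

demo() {
    echo "status: $(bpf_lsm_status "$SAMPLE_CONFIG" "$SAMPLE_LSM_LIST")"
    echo "boot parameter: $(suggest_lsm_param "$SAMPLE_LSM_LIST")"
    # On a real host, replace the sample inputs with:
    #   bpf_lsm_status "/boot/config-$(uname -r)" "$(cat /sys/kernel/security/lsm)"
}
demo
```

With the sample data the script reports `inactive`, which is exactly the state this request would put Debian kernels in: the option is compiled in, but the user still has to add `bpf` to `lsm=` on the kernel command line (or it must appear in CONFIG_LSM) before any BPF LSM program can attach.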

The LSM can be made "active" by default when our work on getting rid
of this overhead is merged in the kernel:

https://lore.kernel.org/bpf/20200820164753.3256899-1-jackm...@chromium.org

This has already been enabled by Ubuntu (Hirsute Hippo):

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1905975

and Fedora (version 33 onwards).

Regression Potential:

None. The LSM is not active by default, so it does not have any
performance or functional regression.
