Hello, adding some context here as to why LSM hooks are important. LSM hooks are used by different runtime security tools like Tetragon (https://tetragon.io/docs/concepts/tracing-policy/hooks/#lsm-bpf) and Tracee (https://aquasecurity.github.io/tracee/dev/docs/install/lsm-support/). This was mainly driven by publications of techniques that allowed bypassing those tools. The most recent publication is using io_uring: https://www.armosec.io/blog/io_uring-rootkit-bypasses-linux-security/, and a previous publication showed TOCTOU races are capable of bypassing system call tracing like kprobes (https://i.blackhat.com/USA-22/Wednesday/US-22-Guo-Trace-me-if-you-can.pdf).
Thus, LSM hooks allow for robust runtime security monitoring. Enabling this by default on Ubuntu allows such hooks to be adapted and leveraged more widely in security tooling. And as per @esheri3's message (#2), to be used in 3rd-party-operated infrastructure. If there is anything that needs to be done, I'd be happy to support that effort.

-- 
https://bugs.launchpad.net/bugs/2054810
Title: Adding bpf to CONFIG_LSM in linux kernel
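The practical check behind this request is whether the running kernel actually has the bpf LSM active, which is what BPF LSM hooks need before Tetragon or Tracee can attach to them. The script below is an added example, not code from the bug thread or from either project. It assumes the standard locations: /sys/kernel/security/lsm (securityfs) for the active, comma-separated LSM list, and /boot/config-$(uname -r) for the build config. If bpf is absent it prints the lsm= boot parameter that appends bpf to the current list, which is how the CONFIG_LSM default can be overridden without rebuilding the kernel (CONFIG_BPF_LSM=y is still required; lsm=...,bpf is silently ignored without it). The sample config in the comments is constructed to match the shape of an Ubuntu config, not copied from any release.

```shell
#!/bin/sh
# Added example, not code from the bug thread, Tetragon or Tracee: check
# whether the running kernel exposes the BPF LSM and, if it does not, build
# the lsm= boot parameter that appends bpf to the currently active list.
# Assumptions: /sys/kernel/security/lsm lists active LSMs comma-separated
# (securityfs mounted), and /boot/config-$(uname -r) is the kernel config.

# lsm_has_bpf LIST: succeed if "bpf" is an element of the comma-separated LIST.
# The surrounding commas avoid matching a prefix such as "bpfoo".
lsm_has_bpf() {
    case ",$1," in
        *,bpf,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# lsm_list_with_bpf LIST: print LIST with bpf appended at the end. Order is
# significant in lsm=: bpf is stackable and goes after the major module
# (apparmor on Ubuntu), which is also where the upstream default places it.
lsm_list_with_bpf() {
    if lsm_has_bpf "$1"; then
        printf '%s\n' "$1"
    elif [ -z "$1" ]; then
        printf 'bpf\n'
    else
        printf '%s,bpf\n' "$1"
    fi
}

# config_value FILE KEY: print the value of KEY=... in a kernel .config with
# quotes stripped; print "unset" if KEY is absent or appears only as
# "# KEY is not set" (constructed sample line: CONFIG_LSM="landlock,...").
config_value() {
    awk -F= -v key="$2" '
        $1 == key { gsub(/"/, "", $2); print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

main() {
    active=$(cat /sys/kernel/security/lsm 2>/dev/null || true)
    cfg="/boot/config-$(uname -r)"

    # Fall back to the compiled-in default when securityfs is not readable.
    if [ -z "$active" ] && [ -r "$cfg" ]; then
        active=$(config_value "$cfg" CONFIG_LSM)
        if [ "$active" = unset ]; then active=""; fi
    fi

    echo "active LSMs: ${active:-<unavailable>}"
    if [ -r "$cfg" ]; then
        echo "CONFIG_BPF_LSM=$(config_value "$cfg" CONFIG_BPF_LSM)"
        echo "CONFIG_LSM=$(config_value "$cfg" CONFIG_LSM)"
    fi

    if lsm_has_bpf "$active"; then
        echo "bpf LSM is enabled; BPF LSM hooks (lsm/file_open etc.) can be attached"
    else
        echo "bpf LSM is NOT enabled; boot with: lsm=$(lsm_list_with_bpf "$active")"
        echo "(needs CONFIG_BPF_LSM=y; on Ubuntu add it to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub and run update-grub)"
    fi
}

main
```

Run it as an unprivileged user; reading /sys/kernel/security/lsm does not require root on most systems, and the script only prints a suggestion rather than editing the bootloader configuration.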
