Hi Frederick,

On Thu, Dec 7, 2023 at 3:30 PM Frederick Lawler <fred@xxxxxxxxxxxxxx> wrote:
> [...]
> > While, I think this may be doable with existing LSM hooks but we need
> > to probably have to cover multiple hook points needed to prevent one
> > action which makes a good case for another LSM hook, perhaps something
> > in the link->ops->detach path like
> > https://elixir.bootlin.com/linux/latest/source/kernel/bpf/syscall.c#L5074
> >
> > What do you think?
>
> That's what I was thinking for option (4) "introduce a
> security_bpf_prog_unload()". Anyway, I agree. Paul brought up a good
> point that he'd like to see more discussion around this idea [1].
> Mucking with the mounts (see below) is a bit of a mess, and there could
> still exist other methods for unloading I'm not aware of yet.
>
> Yesterday I whipped up a hack such that:
>
> mkdir -p /run/fs/bpf-lsm
> mount -t bpf none /run/fs/bpf-lsm
> ./load-policies /run/fs/bpf-lsm

Trying to understand the solution here. Does load-policies add multiple
policies to stop different ways to unload the LSM BPF program (unpin,
umount, etc.)? So the only way to unload these policies is reboot.

If this is the case, could you please share the list of hooks needed to
achieve a secure result? If the list is really long, we should probably
add an option to permanently load and attach a program (until reboot).

Thanks,
Song