Cook: Security things in Linux v5.7

Post Syndicated from original https://lwn.net/Articles/832132/rss

Kees Cook catches up with the security-related changes in the 5.7 kernel:
The kernel’s Linux Security Module (LSM) API provides a way to write
security modules that have traditionally implemented various Mandatory
Access Control (MAC) systems like SELinux, AppArmor, etc. The LSM hooks are
numerous and no one LSM uses them all, as some hooks are much more
specialized (like those used by IMA, Yama, LoadPin, etc). There was not,
however, any way to externally attach to these hooks (not even through a
regular loadable kernel module) nor build fully dynamic security policy,
until KP Singh landed the API for building LSM policy using BPF. With this,
it is possible (for a privileged process) to write kernel LSM hooks in BPF,
allowing for totally custom security policy (and reporting).
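As an added illustration of what "kernel LSM hooks in BPF" looks like in practice (this is example code written for this page, not from Kees Cook's post or the kernel tree), here is a BPF LSM program for the file_mprotect hook that refuses mprotect() calls which make an anonymous, non-file-backed mapping executable, a simple W^X rule. The program name deny_anon_exec and the helper w_x_policy() are this example's own; the section name "lsm/file_mprotect", the BPF_PROG macro and the trailing int ret argument follow the 5.7 kernel and libbpf conventions for BPF LSM programs. The policy decision is kept in a plain C function so it can be compiled and unit-tested on the host; the BPF-specific wrapper is only built when clang targets bpf, where __bpf__ is predefined.

```c
/* Added example: a BPF LSM program on 5.7's file_mprotect hook that denies
 * mprotect(PROT_EXEC) on anonymous memory. Names deny_anon_exec and
 * w_x_policy are assumptions of this example, not kernel or libbpf names. */
#include <errno.h>

#ifdef __bpf__
#include "vmlinux.h"          /* kernel types such as struct vm_area_struct, from bpftool btf dump */
#include <bpf/bpf_helpers.h>  /* SEC() */
#include <bpf/bpf_tracing.h>  /* BPF_PROG() */
#define PROT_EXEC 0x4         /* same value as <sys/mman.h>; libc headers are not used in the bpf build */
#else
#include <sys/mman.h>         /* PROT_* for the host-side test build */
#endif

/* Policy decision, following the LSM convention for int hooks:
 * return 0 to allow, or a negative errno (here -EPERM) to fail the syscall.
 * file_backed is non-zero when the VMA has a backing file (vma->vm_file). */
static inline __attribute__((always_inline))
int w_x_policy(unsigned long prot, int file_backed)
{
    /* Mappings backed by a file (shared libraries, executables) are left
     * alone; only anonymous memory is refused execute permission. */
    if (file_backed)
        return 0;
    if (prot & PROT_EXEC)
        return -EPERM;
    return 0;
}

#ifdef __bpf__
/* The arguments mirror the file_mprotect LSM hook prototype; the trailing
 * int ret carries the verdict of an earlier BPF LSM program attached to the
 * same hook, so a prior denial is preserved rather than overridden. */
SEC("lsm/file_mprotect")
int BPF_PROG(deny_anon_exec, struct vm_area_struct *vma,
             unsigned long reqprot, unsigned long prot, int ret)
{
    if (ret != 0)
        return ret;
    return w_x_policy(prot, vma->vm_file ? 1 : 0);
}

/* BPF LSM programs must be GPL-compatible to load. */
char LICENSE[] SEC("license") = "GPL";
#endif
```

Build the BPF object with `clang -O2 -g -target bpf -c prog.c -o prog.o` and attach it from a loader using libbpf's bpf_program__attach_lsm(). The kernel must be built with CONFIG_BPF_LSM=y and have "bpf" in its lsm= list (via CONFIG_LSM or the lsm= boot parameter), and the loading process needs the privileges the text alludes to: CAP_SYS_ADMIN to load BPF programs in 5.7, plus CAP_MAC_ADMIN, which the BPF LSM verifier checks. Once attached, a process calling mprotect(addr, len, PROT_READ | PROT_EXEC) on an anonymous mapping gets EPERM, while the same call on a file-backed mapping succeeds.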