Re: [PATCH bpf-next v1 00/13] MAC and Audit policy using eBPF (KRSI)

From: James Morris
Date: Wed Jan 08 2020 - 13:59:08 EST


On Wed, 8 Jan 2020, Stephen Smalley wrote:

> This appears to impose a very different standard to this eBPF-based LSM than
> has been applied to the existing LSMs, e.g. we are required to preserve
> SELinux policy compatibility all the way back to Linux 2.6.0 such that new
> kernel with old policy does not break userspace. If that standard isn't being
> applied to the eBPF-based LSM, it seems to inhibit its use in major Linux
> distros, since otherwise users will in fact start experiencing breakage on the
> first such incompatible change. Not arguing for or against, just trying to
> make sure I understand correctly...

A different standard would be applied here vs. a standard LSM like
SELinux, which are retrofitted access control systems.

I see KRSI as being more of a debugging / analytical API, rather than an
access control system. You could of course build such a system with KRSI
but it would need to provide a layer of abstraction for general purpose
users.

So yes this would be a special case, as its real value is in being a
special case, i.e. dynamic security telemetry.


--
James Morris
<jmorris@xxxxxxxxx>