Cook: Security things in Linux v5.7
Kees Cook catchesup with the security-related changes in the 5.7 kernel."The kernel's Linux Security Module (LSM) API provide a way to writesecurity modules that have traditionally implemented various MandatoryAccess Control (MAC) systems like SELinux, AppArmor, etc. The LSM hooks arenumerous and no one LSM uses them all, as some hooks are much morespecialized (like those used by IMA, Yama, LoadPin, etc). There was not,however, any way to externally attach to these hooks (not even through aregular loadable kernel module) nor build fully dynamic security policy,until KP Singh landed the API for building LSM policy using BPF. With this,it is possible (for a privileged process) to write kernel LSM hooks in BPF,allowing for totally custom security policy (and reporting)."