Kernel Runtime Security Instrumentation (KRSI) aims to provide an extensible LSM by allowing privileged users to attach eBPF programs to security hooks, so that MAC and audit policies can be implemented dynamically.
KRSI was introduced at LSS-US 2019 and, after an initial overhaul based on BTF, was presented again at LSS-Europe. Since then it has received multiple interesting updates and triggered some meaningful discussions. The talk provides an update on:
- Progress in the mainline kernel and the ongoing discussions.
- New infrastructure merged into BPF to support the BPF LSM use-case.
- Some optimizations that can improve the performance characteristics of the existing LSM framework, which would benefit not only KRSI but all other LSMs.
The talk showcases how the design has evolved over time, which trade-offs were considered, and what is coming after the initial patches are merged.