Table of Contents

KRSI (appeared in Kernel v5.7) stands for Kernel Runtime Security Instrumentation and the target of this patch is to allow users to implement lsm hooks by utilizing bpf compiled code. This gets interesting for a couple of reasons:

• Kernel function call flow mutation: first application of ebpf where injected code is actually capable reject / blocking the execution of some kernel logic
• Flexibility: ebpf can be attached / removed on the fly

LSM

• Before, Linux was limited to Discretionary Access Control,
• Now, MAC extensions in Linux are implemented as LSMs, and this includes KRSI, SELinux, etc.

ENABLE KRSI

BOOT PARAMETER

Check current boot parameter cat /proc/cmdline

Edit the boot parameters sudo vim /etc/default/grub

Example:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash foo=bar"

Check LSM config params

zgrep CONFIG_LSM= /boot/config-5.12.0-051200-lowlatency
sudo update-grub

modify /etc/default/grub


KRSI is LSMs

Figure:  Security Enforcement by KRSI & eBPF

“Kernel Runtime Security Instrumentation,” or KRSI (Google: Singh, 2019 September).

It allowed an administrator to attach BPF programs to the various LSM hooks, and it could also inject an error to block the operation in question. This gave administrators the ability to define their own MAC policies with arbitrary code.

Scenario: pre-defined malicious operations will be monitored by Falco and enforced by KRSI module

How KRSI inter-operate with eBPF: eBPF program is attached to LSM hooks