BPF-LSM Enabled at Boot

BPF-LSM is the ability to attach Berkeley Packet Filter (BPF) programs to Linux Security Module (LSM) hooks to implement security enhancements. It is enabled in all UEK R7 kernel configurations, but previously the feature could be used only after setting the lsm=bpf boot command line option.

In this release, bpf is added to CONFIG_LSM so that it doesn't need to be manually enabled at boot.

You can check that bpf is in the list of active LSMs by running:

cat /sys/kernel/security/lsm
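
The check above can be scripted so that it matches bpf as an exact entry in the comma-separated list and reports when an lsm= boot parameter, which replaces the CONFIG_LSM default list, is what left bpf out. This is an added example, not part of the release notes; the function names, status strings and sample values are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the bpf LSM is active, and if not, whether
# a boot-time lsm= parameter is the reason.

# lsm_list_has LIST NAME -> 0 if NAME is an exact entry of comma-separated LIST.
lsm_list_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# cmdline_lsm CMDLINE -> prints the value of the lsm= parameter, status 1 if absent.
# Assumption: when lsm= appears more than once, the last occurrence is used.
cmdline_lsm() (
    set -f                      # no globbing while word-splitting the command line
    val=""; found=1
    for word in $1; do
        case "$word" in lsm=*) val=${word#lsm=}; found=0 ;; esac
    done
    [ "$found" -eq 0 ] && printf '%s\n' "$val"
    exit "$found"
)

# bpf_lsm_status ACTIVE_LIST CMDLINE -> active | overridden-by-cmdline | inactive
bpf_lsm_status() {
    if lsm_list_has "$1" bpf; then
        echo active
    elif override=$(cmdline_lsm "$2") && ! lsm_list_has "$override" bpf; then
        echo overridden-by-cmdline
    else
        echo inactive
    fi
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_DEFAULT="lockdown,capability,yama,selinux,bpf"
SAMPLE_OVERRIDE="lockdown,capability,yama,selinux"
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz-placeholder ro lsm=lockdown,capability,yama,selinux quiet"

# On a live system, evaluate the real values when both files are readable.
if [ -r /sys/kernel/security/lsm ] && [ -r /proc/cmdline ]; then
    bpf_lsm_status "$(cat /sys/kernel/security/lsm)" "$(cat /proc/cmdline)"
fi
```

A result of overridden-by-cmdline means the boot loader configuration still carries an lsm= list without bpf, so the new CONFIG_LSM default never takes effect on that host.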

Note:

This feature was enabled in a UEK R7U3 errata release and is available in kernel-uek-5.15.0-315.196.5 and later.