• [$] BPF signing LSM hook change rejected

    From LWN.net@86:200/23 to All on Tue Oct 28 06:40:08 2025


    BPF lets users load programs into a running kernel. Even though BPF
    programs are checked by the verifier to ensure that they stay inside
    certain limits, some users would still like to ensure that only
    approved BPF programs are loaded. KP Singh's patches adding that
    capability to the kernel were accepted in version 6.18, but not
    everyone is satisfied with his implementation. Blaise Boscaccy, who
    has been working for some time to get a version of BPF code signing
    with better auditability into the kernel, posted a patch set on top of
    Singh's changes that alters the loading process so that security-module
    hooks are not invoked until the entire loading process is complete.
    The discussion on the patch set is the continuation of a long-running
    disagreement over the interface for signed BPF programs.

    https://lwn.net/Articles/1042625/
    --- SBBSecho 3.29-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (86:200/23)