Live-patching security vulnerabilities inside the Linux kernel with eBPF Linux Security Module

What's this blog post about?

The text discusses Linux Security Modules (LSM) and how they can be used to implement security policies in the Linux kernel. It introduces LSM BPF, a new way of implementing granular security policies without configuration or loading a kernel module. The author then presents a real-world problem involving the unshare syscall and privilege escalation, and demonstrates how LSM BPF can be used to solve it by tracking down the appropriate hook candidate and writing an LSM BPF program. Finally, the text discusses the performance impact of the solution and proposes a patch for propagating error codes from the cred_prepare hook up the call stack.

Company
Cloudflare

Date published
June 29, 2022

Author(s)
Frederick Lawler

Word count
1957

Hacker News points
9

Language
English


By Matt Makai. 2021-2024.