KRSI – Kernel Runtime Security Instrumentation

KRSI (appeared in Kernel v5.7) stands for Kernel Runtime Security Instrumentation and the target of this patch is to allow users to implement lsm hooks by utilizing bpf compiled code. This gets interesting for a couple of reasons:

  • Kernel function call flow mutation: first application of ebpf where injected code is actually capable reject / blocking the execution of some kernel logic
  • Flexibility: ebpf can be attached / removed on the fly


  • Before, Linux was limited to Discretionary Access Control,
  • Now, MAC extensions in Linux are implemented as LSMs, and this includes KRSI, SELinux, etc.



Check current boot parameter cat /proc/cmdline

Edit the boot parameters sudo vim /etc/default/grub


 GRUB_CMDLINE_LINUX_DEFAULT="quiet splash foo=bar"

Check LSM config params

zgrep CONFIG_LSM= /boot/config-5.12.0-051200-lowlatency
sudo update-grub

modify /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash lsm=yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"


Figure: Security Enforcement by KRSI & eBPF

“Kernel Runtime Security Instrumentation,” or KRSI (Google: Singh, 2019 September).

It allowed an administrator to attach BPF programs to the various LSM hooks, and it could also inject an error to block the operation in question. This gave administrators the ability to define their own MAC policies with arbitrary code.

Scenario: pre-defined malicious operations will be monitored by Falco and enforced by KRSI module

How KRSI inter-operate with eBPF: eBPF program is attached to LSM hooks

Data is transferred to Userspace through Ring Buffer


KRSI vs Landlock

KRSI is a tool for system administrators who are interested in monitoring the behavior of the system as a whole; attaching a BPF program requires the CAP_SYS_ADMIN capability.

Landlock, instead, is intended to allow unprivileged users to sandbox programs that they are running, so no privilege is needed to attach a BPF program to a hook via Landlock (more limited)


KubeArmor (AccuNox) [6]

  • Policy based on LSM (SElinux, AppArmor, KRSI)
  • pod security policy?

Teleport (former RackSpace employees) [7]

  • Access Control management: RBAC ACL, server access, database access, cert with expiry


[1] KRSI

[2] SANS: mitigating attacks on a supercomputer with KRSI Billy Wilson

[3] CODE


[5] CODE lsmtrace

[6] KubeArmor CODE

[7] Teleport CODE

Facebook Comments
, ,

0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x