KRSI (appeared in Kernel v5.7) stands for Kernel Runtime Security Instrumentation and the target of this patch is to allow users to implement lsm hooks by utilizing bpf compiled code. This gets interesting for a couple of reasons:
- Kernel function call flow mutation: first application of ebpf where injected code is actually capable reject / blocking the execution of some kernel logic
- Flexibility: ebpf can be attached / removed on the fly
- Before, Linux was limited to Discretionary Access Control,
- Now, MAC extensions in Linux are implemented as LSMs, and this includes KRSI, SELinux, etc.
Check current boot parameter
Edit the boot parameters
sudo vim /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash foo=bar"
Check LSM config params
zgrep CONFIG_LSM= /boot/config-5.12.0-051200-lowlatency sudo update-grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash lsm=yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
KRSI is LSMs
Figure: Security Enforcement by KRSI & eBPF
“Kernel Runtime Security Instrumentation,” or KRSI (Google: Singh, 2019 September).
It allowed an administrator to attach BPF programs to the various LSM hooks, and it could also inject an error to block the operation in question. This gave administrators the ability to define their own MAC policies with arbitrary code.
Scenario: pre-defined malicious operations will be monitored by Falco and enforced by KRSI module
How KRSI inter-operate with eBPF: eBPF program is attached to LSM hooks
Data is transferred to Userspace through Ring Buffer
KRSI vs Landlock
KRSI is a tool for system administrators who are interested in monitoring the behavior of the system as a whole; attaching a BPF program requires the CAP_SYS_ADMIN capability.
Landlock, instead, is intended to allow unprivileged users to sandbox programs that they are running, so no privilege is needed to attach a BPF program to a hook via Landlock (more limited)
KubeArmor (AccuNox) 
- Policy based on LSM (SElinux, AppArmor, KRSI)
- pod security policy?
Teleport (former RackSpace employees) 
- Access Control management: RBAC ACL, server access, database access, cert with expiry
 KRSI https://lwn.net/Articles/808048/
 SANS: mitigating attacks on a supercomputer with KRSI Billy Wilson
 CODE https://github.com/wilsonwr/bcc-lsm-scripts
 CODE lsmtrace https://github.com/lumontec/lsmtrace
 KubeArmor CODE https://github.com/kubearmor/KubeArmor
 Teleport CODE https://goteleport.com/docs/access-controls/introduction/