Enable BPF LSM

Linux kernel since 5.7 allows to write eBPF programs which can be attached to LSM hooks. More details here:

https://www.kernel.org/doc/html/v5.9/bpf/bpf_lsm.html

There are already projects trying to leverage that:

• systemd with the restrict-fs feature
  • https://github.com/systemd/systemd/blob/main/src/core/bpf/restrict_fs/restrict-fs.bpf.c
• https://github.com/linux-lock/bpflock
• https://github.com/rancher-sandbox/lockc

However, BPF LSM has to be enabled by adding bpf to CONFIG_LSM.

That was already done in:

• Arch Linux
  • https://github.com/archlinux/svntogit-packages/blob/4615bb2493649ad6fa133f864f94cb95c824f361/trunk/config#L9963
• Fedora
  • https://fedorapeople.org/cgit/thl/public_git/kernel.git/tree/kernel-x86_64-fedora.config?h=kernel-5.17.0-0.rc5.20220225git53ab78cd6d5a.106.vanilla.1.fc34&id=e661d91eb909e777a9d28425ef50fcc5ef7fa5ed#n3291
• openSUSE
  • https://github.com/openSUSE/kernel-source/commit/c2c25b18721866d6211054f542987036ed6e0a50

Without setting that variable in default configs, users who want to try the mentioned projects have to manually edit kernel parameters in /etc/default/grub, which is not really user-friendly.

Could we enable BPF LSM in Manjaro as well?