| Message ID | 20210901174435.497412-1-cascardo@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | [I/U] UBUNTU: [Config] mark CONFIG_BPF_UNPRIV_DEFAULT_OFF enforced | expand |
On 01/09/2021 18:44, Thadeu Lima de Souza Cascardo wrote: > Setting unprivileged_bpf_disabled to 2 by default will prevent attacks > using BPF by unprivileged users by default. If necessary, the sysadmin will > be able to turn this on again by setting unprivileged_bpf_disabled to 0. On > the other hand, the sysadmin can disable unprivileged BPF without allowing > it to be reenabled by setting unprivileged_bpf_disabled to 1. > > Additionaly, there is a CAP_BPF that allows processes to use BPF without > having the complete capability set or CAP_SYS_ADMIN. > > Mark the option as enforced so derivative kernels will pick it up. > > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- > debian.master/config/annotations | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/debian.master/config/annotations b/debian.master/config/annotations > index f1435df44bdd..f3450201abc2 100644 > --- a/debian.master/config/annotations > +++ b/debian.master/config/annotations > @@ -11044,6 +11044,7 @@ CONFIG_BPF_UNPRIV_DEFAULT_OFF policy<{'amd64': 'y', 'arm64': ' > CONFIG_BPF_JIT policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > # > CONFIG_BPF_JIT_ALWAYS_ON flag<REVIEW> > +CONFIG_BPF_UNPRIV_DEFAULT_OFF mark<ENFORCED> note<security reason> > > # Menu: General setup >> BPF subsystem >> Preload BPF file system with kernel specific program and map iterators > CONFIG_BPF_PRELOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}> > Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com> On 9/1/21 11:44 AM, Thadeu Lima de Souza Cascardo wrote: > Setting unprivileged_bpf_disabled to 2 by default will prevent attacks > using BPF by unprivileged users by default. If necessary, the sysadmin will > be able to turn this on again by setting unprivileged_bpf_disabled to 0. On > the other hand, the sysadmin can disable unprivileged BPF without allowing > it to be reenabled by setting unprivileged_bpf_disabled to 1. > > Additionaly, there is a CAP_BPF that allows processes to use BPF without > having the complete capability set or CAP_SYS_ADMIN. > > Mark the option as enforced so derivative kernels will pick it up. > > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- > debian.master/config/annotations | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/debian.master/config/annotations b/debian.master/config/annotations > index f1435df44bdd..f3450201abc2 100644 > --- a/debian.master/config/annotations > +++ b/debian.master/config/annotations > @@ -11044,6 +11044,7 @@ CONFIG_BPF_UNPRIV_DEFAULT_OFF policy<{'amd64': 'y', 'arm64': ' > CONFIG_BPF_JIT policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> > # > CONFIG_BPF_JIT_ALWAYS_ON flag<REVIEW> > +CONFIG_BPF_UNPRIV_DEFAULT_OFF mark<ENFORCED> note<security reason> > > # Menu: General setup >> BPF subsystem >> Preload BPF file system with kernel specific program and map iterators > CONFIG_BPF_PRELOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}> >
On Wed, Sep 01, 2021 at 02:44:35PM -0300, Thadeu Lima de Souza Cascardo wrote: > Setting unprivileged_bpf_disabled to 2 by default will prevent attacks > using BPF by unprivileged users by default. If necessary, the sysadmin will > be able to turn this on again by setting unprivileged_bpf_disabled to 0. On > the other hand, the sysadmin can disable unprivileged BPF without allowing > it to be reenabled by setting unprivileged_bpf_disabled to 1. > > Additionaly, there is a CAP_BPF that allows processes to use BPF without > having the complete capability set or CAP_SYS_ADMIN. > > Mark the option as enforced so derivative kernels will pick it up. > > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
diff --git a/debian.master/config/annotations b/debian.master/config/annotations index f1435df44bdd..f3450201abc2 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -11044,6 +11044,7 @@ CONFIG_BPF_UNPRIV_DEFAULT_OFF policy<{'amd64': 'y', 'arm64': ' CONFIG_BPF_JIT policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> # CONFIG_BPF_JIT_ALWAYS_ON flag<REVIEW> +CONFIG_BPF_UNPRIV_DEFAULT_OFF mark<ENFORCED> note<security reason> # Menu: General setup >> BPF subsystem >> Preload BPF file system with kernel specific program and map iterators CONFIG_BPF_PRELOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
Setting unprivileged_bpf_disabled to 2 by default will prevent attacks using BPF by unprivileged users by default. If necessary, the sysadmin will be able to turn this on again by setting unprivileged_bpf_disabled to 0. On the other hand, the sysadmin can disable unprivileged BPF without allowing it to be reenabled by setting unprivileged_bpf_disabled to 1. Additionaly, there is a CAP_BPF that allows processes to use BPF without having the complete capability set or CAP_SYS_ADMIN. Mark the option as enforced so derivative kernels will pick it up. Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> --- debian.master/config/annotations | 1 + 1 file changed, 1 insertion(+)