[Unstable v2 2/2] UBUNTU: [Config]: set CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Fri May 28 14:32:27 UTC 2021
This option will disable unprivileged BPF by default. It can be reenabled,
though, as it uses the new value 2 for the kernel.unprivileged_bpf_disabled
sysctl. That value disables it, but allows the sysctl knob to be set back
to 0.
This allows sysadmins to enable unprivileged BPF back by using sysctl
config files.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
---
debian.master/config/annotations | 1 +
debian.master/config/config.common.ubuntu | 1 +
2 files changed, 2 insertions(+)
diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 03e3dacba02d..04e04783d7a6 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -11023,6 +11023,7 @@ CONFIG_LD_DEAD_CODE_DATA_ELIMINATION policy<{'ppc64el': 'n'}>
CONFIG_BPF_LSM policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_BPF_SYSCALL policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_BPF_JIT_ALWAYS_ON policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
+CONFIG_BPF_UNPRIV_DEFAULT_OFF policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_USERFAULTFD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_EMBEDDED policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
CONFIG_COMPAT_BRK policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
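Review bot: The added CONFIG_BPF_UNPRIV_DEFAULT_OFF annotation line carries only the policy map, with nothing recording why it is 'y' on all five architectures. The commit message explains the reasoning (the sysctl defaults to the new value 2, which disables unprivileged BPF but can still be set back to 0), and that rationale is worth keeping next to the annotation so a later config review does not flip it without knowing the intent. The option depends on CONFIG_BPF_SYSCALL, which the context lines above show as 'y' for the same architecture set, so the policy itself looks consistent.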
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 1caa404e4a2f..eec9edb03aff 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -1258,6 +1258,7 @@ CONFIG_BPF_LSM=y
# CONFIG_BPF_PRELOAD is not set
CONFIG_BPF_STREAM_PARSER=y
CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
CONFIG_BPQETHER=m
CONFIG_BQL=y
CONFIG_BRANCH_PROFILE_NONE=y
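Review bot: CONFIG_BPF_UNPRIV_DEFAULT_OFF=y lands in config.common.ubuntu, so the default changes everywhere at once, and workloads that call bpf() without privileges will be refused until kernel.unprivileged_bpf_disabled is set back to 0. The commit message mentions sysctl config files only in general terms. Please spell out the exact setting there (kernel.unprivileged_bpf_disabled=0) and add a bug reference so the user-visible change in default can be tracked. It would also help to note that this only applies while the sysctl is at 2; once an administrator sets it to 1 it cannot be lowered again until reboot.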
--
2.30.2