ACK/Cmnt: [Unstable v2 0/2] set unprivileged_bpf_disabled sysctl default to 2
Andrea Righi
andrea.righi at canonical.com
Mon May 31 10:29:52 UTC 2021
I was actually looking at this right now during the unstable rebase to
5.13-rc4.
I've set it to 'n' initially because I was worried that enabling it
might break some user-space applications that rely on being able to
execute unprivileged BPF code; however, considering that the previous
behavior can be restored by an admin simply by echoing a value into
procfs, I think it's worth enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF in
our config.
Therefore:
Acked-by: Andrea Righi <andrea.righi at canonical.com>
On Fri, May 28, 2021 at 11:32:25AM -0300, Thadeu Lima de Souza Cascardo wrote:
> This set introduces a new value for the unprivileged_bpf_disabled sysctl that
> disables unprivileged BPF but allows it to be re-enabled. The value 1 disables
> it, but does not allow it to be set back to 0.
>
> This has been tested to boot just fine: BPF was disabled for unprivileged
> users but worked for root. It could also be re-enabled, and unprivileged
> users could then run their code inside the kernel again.
>
> v2:
> change tabs to spaces in annotations file
>
> Daniel Borkmann (1):
> bpf: Add kconfig knob for disabling unpriv bpf by default
>
> Thadeu Lima de Souza Cascardo (1):
> UBUNTU: [Config]: set CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
>
> Documentation/admin-guide/sysctl/kernel.rst | 17 +++++++++---
> debian.master/config/annotations | 1 +
> debian.master/config/config.common.ubuntu | 1 +
> init/Kconfig | 10 +++++++
> kernel/bpf/syscall.c | 3 ++-
> kernel/sysctl.c | 29 +++++++++++++++++----
> 6 files changed, 52 insertions(+), 9 deletions(-)
>
> --
> 2.30.2
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
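The knob's three states as described in the cover letter, as an added admin check that is not part of the patch series or either poster's mail: it reads kernel.unprivileged_bpf_disabled, explains the value, and only attempts to restore 0 when the current state permits it. The function names are this example's own; it assumes the sysctl file exists (CONFIG_BPF_SYSCALL=y) and treats state 1 as fully locked, which the cover letter only states for the 1 -> 0 transition.

```shell
#!/bin/sh
# Added example (not from the patch or the thread): inspect and adjust
# /proc/sys/kernel/unprivileged_bpf_disabled.
# Assumed meaning of the values, from the cover letter:
#   0 = unprivileged BPF enabled
#   1 = disabled, cannot be set back to 0 (one-way)
#   2 = disabled by default (CONFIG_BPF_UNPRIV_DEFAULT_OFF=y), admin may re-enable
SYSCTL_PATH=/proc/sys/kernel/unprivileged_bpf_disabled

# describe_unpriv_bpf VALUE: print a one-line meaning of the sysctl value.
describe_unpriv_bpf() {
    case "$1" in
        0) echo "enabled: unprivileged users may load BPF programs" ;;
        1) echo "disabled permanently: cannot be set back to 0 without a reboot" ;;
        2) echo "disabled by default: can be re-enabled by an admin writing 0" ;;
        *) echo "unknown value '$1'"; return 1 ;;
    esac
}

# transition_allowed CUR NEW: exit 0 if the kernel will accept writing NEW
# while the knob is at CUR. Assumption: state 1 accepts no change at all
# (the cover letter only guarantees that 1 -> 0 is refused).
transition_allowed() {
    cur=$1; new=$2
    case "$new" in 0|1|2) ;; *) return 2 ;; esac
    case "$cur" in
        1) [ "$new" = 1 ] ;;
        0|2) return 0 ;;
        *) return 2 ;;
    esac
}

# current_state: print the live value, fail if the sysctl is absent.
current_state() {
    [ -r "$SYSCTL_PATH" ] || return 1
    cat "$SYSCTL_PATH"
}

# set_unpriv_bpf NEW: write NEW only if the transition is allowed, so a
# locked kernel is reported instead of silently hitting EPERM.
set_unpriv_bpf() {
    cur=$(current_state) || { echo "sysctl not present" >&2; return 1; }
    if transition_allowed "$cur" "$1"; then
        echo "$1" > "$SYSCTL_PATH"
    else
        echo "unprivileged_bpf_disabled=$cur is one-way; reboot required to reach $1" >&2
        return 1
    fi
}

# Usage when run directly (as root):  sh bpf_unpriv.sh --show
if [ "${1:-}" = "--show" ]; then
    cur=$(current_state) || { echo "sysctl not present" >&2; exit 1; }
    echo "unprivileged_bpf_disabled=$cur: $(describe_unpriv_bpf "$cur")"
fi
```

Restoring the pre-change behaviour on a CONFIG_BPF_UNPRIV_DEFAULT_OFF kernel is `set_unpriv_bpf 0`; the same call on a kernel that was booted or later set to 1 is refused before the write, which is the distinction the series introduces.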