ACK: [PATCH I/U] UBUNTU: [Config] mark CONFIG_BPF_UNPRIV_DEFAULT_OFF enforced
Tim Gardner
tim.gardner at canonical.com
Wed Sep 1 18:04:30 UTC 2021
Acked-by: Tim Gardner <tim.gardner at canonical.com>
On 9/1/21 11:44 AM, Thadeu Lima de Souza Cascardo wrote:
> Setting unprivileged_bpf_disabled to 2 by default will prevent attacks
> using BPF by unprivileged users by default. If necessary, the sysadmin will
> be able to turn this on again by setting unprivileged_bpf_disabled to 0. On
> the other hand, the sysadmin can disable unprivileged BPF without allowing
> it to be reenabled by setting unprivileged_bpf_disabled to 1.
>
> Additionaly, there is a CAP_BPF that allows processes to use BPF without
> having the complete capability set or CAP_SYS_ADMIN.
>
> Mark the option as enforced so derivative kernels will pick it up.
>
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
> ---
> debian.master/config/annotations | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/debian.master/config/annotations b/debian.master/config/annotations
> index f1435df44bdd..f3450201abc2 100644
> --- a/debian.master/config/annotations
> +++ b/debian.master/config/annotations
> @@ -11044,6 +11044,7 @@ CONFIG_BPF_UNPRIV_DEFAULT_OFF policy<{'amd64': 'y', 'arm64': '
> CONFIG_BPF_JIT policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
> #
> CONFIG_BPF_JIT_ALWAYS_ON flag<REVIEW>
> +CONFIG_BPF_UNPRIV_DEFAULT_OFF mark<ENFORCED> note<security reason>
>
> # Menu: General setup >> BPF subsystem >> Preload BPF file system with kernel specific program and map iterators
> CONFIG_BPF_PRELOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
>
--
-----------
Tim Gardner
Canonical, Inc
More information about the kernel-team
mailing list