APPLIED I/U: Re: [PATCH I/U] UBUNTU: [Config] mark CONFIG_BPF_UNPRIV_DEFAULT_OFF enforced
Paolo Pisati
paolo.pisati at canonical.com
Thu Sep 9 09:35:21 UTC 2021
On Wed, Sep 01, 2021 at 02:44:35PM -0300, Thadeu Lima de Souza Cascardo wrote:
> Setting unprivileged_bpf_disabled to 2 by default will prevent attacks
> using BPF by unprivileged users by default. If necessary, the sysadmin will
> be able to turn this on again by setting unprivileged_bpf_disabled to 0. On
> the other hand, the sysadmin can disable unprivileged BPF without allowing
> it to be reenabled by setting unprivileged_bpf_disabled to 1.
>
> Additionally, there is a CAP_BPF that allows processes to use BPF without
> having the complete capability set or CAP_SYS_ADMIN.
>
> Mark the option as enforced so derivative kernels will pick it up.
>
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
--
bye,
p.
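
The sysctl semantics quoted above, as an added audit helper that is not part of the original message or the Ubuntu patch: it reports whether unprivileged BPF is off and whether the running value comes from the kernel default, a sysctl config override, or a runtime change. The function names are hypothetical and the sample kernel config and sysctl text are constructed.

```shell
#!/bin/sh
# Added example (not from the patch): classify the unprivileged BPF policy.
# Map a kernel.unprivileged_bpf_disabled value to the meaning given above.
bpf_unpriv_state() {
    case "$1" in
        0) echo "enabled" ;;              # unprivileged users may use BPF
        1) echo "disabled-locked" ;;      # off, cannot be re-enabled
        2) echo "disabled-adjustable" ;;  # off, sysadmin may set back to 0
        *) echo "unknown" ;;
    esac
}

# Print the last value assigned to the key in sysctl.conf-style text on stdin.
sysctl_override() {
    sed -n 's/^[[:space:]]*kernel\.unprivileged_bpf_disabled[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' | tail -n 1
}

# Boot default implied by a kernel config on stdin: 2 if the option is set.
boot_default() {
    if grep -q '^CONFIG_BPF_UNPRIV_DEFAULT_OFF=y$'; then echo 2; else echo 0; fi
}

# audit_bpf KCONFIG_TEXT SYSCTL_TEXT RUNTIME_VALUE
# Prints "<state> <origin>"; returns 0 only when unprivileged BPF is off.
audit_bpf() {
    default=$(printf '%s\n' "$1" | boot_default)
    override=$(printf '%s\n' "$2" | sysctl_override)
    expected=${override:-$default}
    if [ "$3" = "$expected" ]; then
        origin=$( [ -n "$override" ] && echo sysctl-config || echo kernel-default )
    else
        origin=runtime-change   # differs from both the default and the config
    fi
    state=$(bpf_unpriv_state "$3")
    echo "$state $origin"
    [ "$state" = "disabled-locked" ] || [ "$state" = "disabled-adjustable" ]
}

# Constructed sample inputs.
SAMPLE_KCONFIG='CONFIG_BPF_SYSCALL=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y'
SAMPLE_SYSCTL='# constructed override re-enabling unprivileged BPF
kernel.unprivileged_bpf_disabled = 0'

audit_bpf "$SAMPLE_KCONFIG" "" 2 || true
audit_bpf "$SAMPLE_KCONFIG" "$SAMPLE_SYSCTL" 0 || true
```

On a live host the three arguments would come from the running kernel's config file, the concatenated sysctl configuration, and `/proc/sys/kernel/unprivileged_bpf_disabled`.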