From 949d205261192998ed612da48e6d06429c8de629 Mon Sep 17 00:00:00 2001
From: Aleksandr Burmashev
Date: Fri, 4 Feb 2022 13:24:09 +0100
Subject: Disable unprivileged BPF by default

There are several CVEs whose mitigation is to disable unprivileged BPF by default. While all these can, and should, be fixed the issues keep arising and to be defensive we need to disable unprivileged BPF. Note that the upstream kernel _does_ permit unprivileged BPF and so this patch is not suggesting making a change there; this is a non-invasive, safe, reversible change. This patch simply adds this /usr/lib/sysctl.d/01-unprivileged-bpf.conf to systemd with this content: ~~ kernel.unprivileged_bpf_disabled=1 ~~

Orabug: 32870980
Suggested-by: John Haxby
Signed-off-by: Isaac Chen
Reviewed-by: Tony Rodriguez
Reviewed-by: Laurence Rochfort
---
 sysctl.d/01-unprivileged-bpf.conf | 6 ++++++
 sysctl.d/meson.build | 1 +
 2 files changed, 7 insertions(+)
 create mode 100644 sysctl.d/01-unprivileged-bpf.conf

diff --git a/sysctl.d/01-unprivileged-bpf.conf b/sysctl.d/01-unprivileged-bpf.conf
new file mode 100644
index 0000000..1f230ea
--- /dev/null
+++ b/sysctl.d/01-unprivileged-bpf.conf
@@ -0,0 +1,6 @@
+# When running UEK, this file ensures that unprivileged BPF is disabled by
+# default. To enable it, copy this file to /etc/sysctl.d, comment out the
+# last line and reboot.
+#
+# You may also need to rebuild your initramfs with "dracut -f".
+kernel.unprivileged_bpf_disabled=1
diff --git a/sysctl.d/meson.build b/sysctl.d/meson.build
index 6f3db59..07f395d 100644
--- a/sysctl.d/meson.build
+++ b/sysctl.d/meson.build
@@ -3,6 +3,7 @@
 install_data(
 'README',
 '50-default.conf',
+ '01-unprivileged-bpf.conf',
 install_dir : sysctldir)
 
 # Kernel determines PID_MAX_LIMIT by
-- 
2.27.0
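Review bot: The comment on the first three added lines tells the administrator to reboot after overriding this file but does not say why, and the reason is what makes the default robust: once kernel.unprivileged_bpf_disabled has been set to 1 the kernel refuses to reset it for the rest of the boot, so an override in /etc/sysctl.d can only take effect at the next boot. Consider adding after the third line `# (A value of 1 cannot be reverted at runtime, hence the reboot.)`. The initramfs hint on the fifth line presumably exists for the same reason — a stale copy of this file inside the initramfs would set the value to 1 before the /etc override is ever read — and saying so would make the instruction less puzzling. The opening words "When running UEK" also read as if the setting were conditional, whereas systemd-sysctl applies the file on whatever kernel is booted; dropping the qualifier would be clearer.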
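Review bot: The new entry is appended after '50-default.conf', which puts the list out of the numeric order that the sysctl.d prefixes imply and that systemd-sysctl uses when processing the directory; placing `'01-unprivileged-bpf.conf',` before `'50-default.conf',` keeps the list sorted and makes later additions easier to place. The install result is unaffected either way, so this is a readability point only.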