systemd/SOURCES/1003-orabug32870980-disable...

From 949d205261192998ed612da48e6d06429c8de629 Mon Sep 17 00:00:00 2001
From: Aleksandr Burmashev <alexander.burmashev@oracle.com>
Date: Fri, 4 Feb 2022 13:24:09 +0100
Subject: Disable unprivileged BPF by default
There are several CVEs whose mitigation is to disable unprivileged BPF
by default. While all these can, and should, be fixed, the issues keep
arising, and to be defensive we need to disable unprivileged BPF.
Note that the upstream kernel _does_ permit unprivileged BPF and so
this patch is not suggesting making a change there; this is a non-invasive,
safe, reversible change.
This patch simply adds this /usr/lib/sysctl.d/01-unprivileged-bpf.conf
to systemd with this content:
~~
kernel.unprivileged_bpf_disabled=1
~~
Orabug: 32870980
Suggested-by: John Haxby <john.haxby@oracle.com>
Signed-off-by: Isaac Chen <isaac.chen@oracle.com>
Reviewed-by: Tony Rodriguez <tony.rodriguez@oracle.com>
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
---
sysctl.d/01-unprivileged-bpf.conf | 6 ++++++
sysctl.d/meson.build | 1 +
2 files changed, 7 insertions(+)
create mode 100644 sysctl.d/01-unprivileged-bpf.conf
diff --git a/sysctl.d/01-unprivileged-bpf.conf b/sysctl.d/01-unprivileged-bpf.conf
new file mode 100644
index 0000000..1f230ea
--- /dev/null
+++ b/sysctl.d/01-unprivileged-bpf.conf
@@ -0,0 +1,6 @@
+# When running UEK, this file ensures that unprivileged BPF is disabled by
+# default. To enable it, copy this file to /etc/sysctl.d, comment out the
+# last line and reboot.
+#
+# You may also need to rebuild your initramfs with "dracut -f".
+kernel.unprivileged_bpf_disabled=1
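Review bot: the header comment scopes the file to UEK ("When running UEK, this file ensures ...") but the meson.build change installs it unconditionally, so it applies to any kernel that exposes kernel.unprivileged_bpf_disabled; reword the first line to describe the setting itself rather than one kernel flavour. The override instructions should also say that the copy in /etc/sysctl.d must keep the same file name, 01-unprivileged-bpf.conf, since only a same-named file masks the one shipped in /usr/lib/sysctl.d; a differently named file would be applied in addition to this one and the setting would still be 1. The reboot step is right and worth explaining in the comment: once the sysctl has been set to 1 it cannot be cleared at runtime, so merely removing the line from the override does not re-enable unprivileged BPF on the running system.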
diff --git a/sysctl.d/meson.build b/sysctl.d/meson.build
index 6f3db59..07f395d 100644
--- a/sysctl.d/meson.build
+++ b/sysctl.d/meson.build
@@ -3,6 +3,7 @@
install_data(
'README',
'50-default.conf',
+ '01-unprivileged-bpf.conf',
install_dir : sysctldir)
# Kernel determines PID_MAX_LIMIT by
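Review bot: the new entry '01-unprivileged-bpf.conf' is added after '50-default.conf', leaving the install_data list out of sort order; move it before '50-default.conf' so the list matches the on-disk precedence of the sysctl.d files. Since this hunk also installs 'README' alongside the new file, the README shipped in sysctl.d should gain a line describing 01-unprivileged-bpf.conf and how to override it, as it does for the other shipped defaults.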
--
2.27.0