From 949d205261192998ed612da48e6d06429c8de629 Mon Sep 17 00:00:00 2001
From: Aleksandr Burmashev <alexander.burmashev@oracle.com>
Date: Fri, 4 Feb 2022 13:24:09 +0100
Subject: Disable unprivileged BPF by default

There are several CVEs whose mitigation is to disable unprivileged BPF
by default. While all these can, and should, be fixed, the issues keep
arising, and to be defensive we need to disable unprivileged BPF.
Note that the upstream kernel _does_ permit unprivileged BPF and so
this patch is not suggesting making a change there; this is a non-invasive,
safe, reversible change.

This patch simply adds this /usr/lib/sysctl.d/01-unprivileged-bpf.conf
to systemd with this content:

~~
kernel.unprivileged_bpf_disabled=1
~~

Orabug: 32870980

Suggested-by: John Haxby <john.haxby@oracle.com>
Signed-off-by: Isaac Chen <isaac.chen@oracle.com>
Reviewed-by: Tony Rodriguez <tony.rodriguez@oracle.com>
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
---
 sysctl.d/01-unprivileged-bpf.conf | 6 ++++++
 sysctl.d/meson.build              | 1 +
 2 files changed, 7 insertions(+)
 create mode 100644 sysctl.d/01-unprivileged-bpf.conf

diff --git a/sysctl.d/01-unprivileged-bpf.conf b/sysctl.d/01-unprivileged-bpf.conf
new file mode 100644
index 0000000..1f230ea
--- /dev/null
+++ b/sysctl.d/01-unprivileged-bpf.conf
@@ -0,0 +1,6 @@
+# When running UEK, this file ensures that unprivileged BPF is disabled by
+# default. To enable it, copy this file to /etc/sysctl.d, comment out the
+# last line and reboot.
+#
+# You may also need to rebuild your initramfs with "dracut -f".
+kernel.unprivileged_bpf_disabled=1
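Review bot: the opt-out instruction in the header comment ("copy this file to /etc/sysctl.d, comment out the last line and reboot") works only indirectly: the same-named copy in /etc/sysctl.d masks this file, so the key is simply never written and the effective value becomes whatever the running kernel was built with, which is not necessarily 0. Setting `kernel.unprivileged_bpf_disabled=0` explicitly in the override copy states the intent and does not depend on the kernel's built-in default. The comment should also say why the reboot is required: once this sysctl has been set to 1 the kernel refuses to lower it again, so editing the file and re-running systemd-sysctl is not enough. Finally, "When running UEK" reads as if the setting were specific to that kernel, whereas systemd-sysctl will apply it on any kernel this package is installed on; a wording such as "This file ensures that unprivileged BPF is disabled by default" avoids the implication.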
diff --git a/sysctl.d/meson.build b/sysctl.d/meson.build
index 6f3db59..07f395d 100644
--- a/sysctl.d/meson.build
+++ b/sysctl.d/meson.build
@@ -3,6 +3,7 @@
install_data(
'README',
'50-default.conf',
+ '01-unprivileged-bpf.conf',
install_dir : sysctldir)
 
# Kernel determines PID_MAX_LIMIT by
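Review bot: style point on the install_data() list: the existing entries are in lexical order, so '01-unprivileged-bpf.conf' belongs before '50-default.conf' rather than after it. Separately, the 01- prefix means systemd-sysctl applies this file first, so any later-sorting file in /usr/lib/sysctl.d or /etc/sysctl.d that sets the same key wins; that is consistent with the local-override path the new file's comment describes, but it is worth a sentence in the commit message so that the choice of prefix is recorded as deliberate rather than accidental.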
--
2.27.0