UBUNTU: [Config] mark CONFIG_BPF_UNPRIV_DEFAULT_OFF enforced

Setting unprivileged_bpf_disabled to 2 by default will prevent attacks using BPF by unprivileged users by default. If necessary, the sysadmin will be able to turn this on again by setting unprivileged_bpf_disabled to 0. On the other hand, the sysadmin can disable unprivileged BPF without allowing it to be reenabled by setting unprivileged_bpf_disabled to 1. Additionaly, there is a CAP_BPF that allows processes to use BPF without having the complete capability set or CAP_SYS_ADMIN. Mark the option as enforced so derivative kernels will pick it up. Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com> (copied to debian.oem too) Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>
mariux64 · Sep 17, 2021 · d48c206 · d48c206
1 parent 63a7522
commit d48c206
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 0 deletions.
diff --git a/debian.master/config/annotations b/debian.master/config/annotations
@@ -11250,6 +11250,7 @@ CONFIG_BPF_UNPRIV_DEFAULT_OFF                   policy<{'amd64': 'y', 'arm64': '
 CONFIG_BPF_JIT                                  policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 #
 CONFIG_BPF_JIT_ALWAYS_ON                        flag<REVIEW>
+CONFIG_BPF_UNPRIV_DEFAULT_OFF                   mark<ENFORCED> note<security reason>
 
 # Menu: General setup >> BPF subsystem >> Preload BPF file system with kernel specific program and map iterators
 CONFIG_BPF_PRELOAD                              policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>

diff --git a/debian.oem/config/annotations b/debian.oem/config/annotations
@@ -11247,6 +11247,7 @@ CONFIG_BPF_UNPRIV_DEFAULT_OFF                   policy<{'amd64': 'y', 'arm64': '
 CONFIG_BPF_JIT                                  policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 #
 CONFIG_BPF_JIT_ALWAYS_ON                        flag<REVIEW>
+CONFIG_BPF_UNPRIV_DEFAULT_OFF                   mark<ENFORCED> note<security reason>
 
 # Menu: General setup >> BPF subsystem >> Preload BPF file system with kernel specific program and map iterators
 CONFIG_BPF_PRELOAD                              policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>