From d48c206c9e5757cef0e2f9edd05df2a637a68345 Mon Sep 17 00:00:00 2001
From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Date: Wed, 1 Sep 2021 14:44:35 -0300
Subject: [PATCH] UBUNTU: [Config] mark CONFIG_BPF_UNPRIV_DEFAULT_OFF enforced

Setting unprivileged_bpf_disabled to 2 by default will prevent attacks
using BPF by unprivileged users by default. If necessary, the sysadmin will
be able to turn this on again by setting unprivileged_bpf_disabled to 0. On
the other hand, the sysadmin can disable unprivileged BPF without allowing
it to be reenabled by setting unprivileged_bpf_disabled to 1.

Additionaly, there is a CAP_BPF that allows processes to use BPF without
having the complete capability set or CAP_SYS_ADMIN.

Mark the option as enforced so derivative kernels will pick it up.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
(copied to debian.oem too)
Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>
---
 debian.master/config/annotations | 1 +
 debian.oem/config/annotations    | 1 +
 2 files changed, 2 insertions(+)

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 95348b3c9b0bf..1ed245a150c33 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -11250,6 +11250,7 @@ CONFIG_BPF_UNPRIV_DEFAULT_OFF                   policy<{'amd64': 'y', 'arm64': '
 CONFIG_BPF_JIT                                  policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 #
 CONFIG_BPF_JIT_ALWAYS_ON                        flag<REVIEW>
+CONFIG_BPF_UNPRIV_DEFAULT_OFF                   mark<ENFORCED> note<security reason>
 
 # Menu: General setup >> BPF subsystem >> Preload BPF file system with kernel specific program and map iterators
 CONFIG_BPF_PRELOAD                              policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>
diff --git a/debian.oem/config/annotations b/debian.oem/config/annotations
index 387f3b18c6651..e205c0723f2f9 100644
--- a/debian.oem/config/annotations
+++ b/debian.oem/config/annotations
@@ -11247,6 +11247,7 @@ CONFIG_BPF_UNPRIV_DEFAULT_OFF                   policy<{'amd64': 'y', 'arm64': '
 CONFIG_BPF_JIT                                  policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 #
 CONFIG_BPF_JIT_ALWAYS_ON                        flag<REVIEW>
+CONFIG_BPF_UNPRIV_DEFAULT_OFF                   mark<ENFORCED> note<security reason>
 
 # Menu: General setup >> BPF subsystem >> Preload BPF file system with kernel specific program and map iterators
 CONFIG_BPF_PRELOAD                              policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}>