Control: tag -1 patch I think disabling unprivileged BPF is probably sensible. So far as I know, it is quite limited in usefulness (without exploiting verifier bugs :-). If it can't be enabled again, this should maybe be done with a sysctl config file in linux-base rather than being a built-in default that can never be overridden.
But I don't see *why* it shouldn't be possible to enable again. That
makes sense for e.g. kernel.modules_disabled where it's a way for root
to drop privileges, but root always retains the ability to use BPF.
This (untested) patch should fix the default while allowing it to be
changed back:
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -50,7 +50,7 @@ static DEFINE_SPINLOCK(map_idr_lock);
static DEFINE_IDR(link_idr);
static DEFINE_SPINLOCK(link_idr_lock);
-int sysctl_unprivileged_bpf_disabled __read_mostly;
+int sysctl_unprivileged_bpf_disabled __read_mostly = 1;
static const struct bpf_map_ops * const bpf_map_types[] = {
#define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type)
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2639,9 +2639,8 @@ static struct ctl_table kern_table[] = {
.data = &sysctl_unprivileged_bpf_disabled,
.maxlen = sizeof(sysctl_unprivileged_bpf_disabled),
.mode = 0644,
- /* only handle a transition from default "0" to "1" */
.proc_handler = proc_dointvec_minmax,
- .extra1 = SYSCTL_ONE,
+ .extra1 = SYSCTL_ZERO,
.extra2 = SYSCTL_ONE,
},
{
--- END ---
Ben.
--
Ben Hutchings
It is easier to write an incorrect program
than to understand a correct one.
signature.asc
Description: This is a digitally signed message part
