This BPF_UNPRIV_DEFAULT_OFF option was introduced in v5.13 in
08389d888287 ("bpf: Add kconfig knob for disabling unpriv bpf by
default")

But it was added as one of those somewhat confusing double-negative
things, and so the implicit "default n" from Kconfig processing meant
that unpriv eBPF was enabled by default in v5.13 through v5.15.

In v5.16 it was corrected with commit 8a03e56b253e ("bpf: Disallow
unprivileged bpf by default") since there were security concerns
relating to having it enabled.

In that commit we see "Sync with what many distros are currently
applying already, and disable unprivileged BPF by default."

In a generic x86-64 Yocto boot we currently see this in dmesg as:

  Spectre V2 : WARNING: Unprivileged eBPF is enabled with eIBRS on,
  data leaks possible via Spectre v2 BHB attacks!

I've suggested the stable team do a backport to v5.15, but in any
event, it probably makes sense for us to be explicit on our default.

Signed-off-by: Paul Gortmaker <[email protected]>

diff --git a/features/bpf/bpf.cfg b/features/bpf/bpf.cfg
index b90e87a51e00..50c27ceb09c5 100644
--- a/features/bpf/bpf.cfg
+++ b/features/bpf/bpf.cfg
@@ -3,4 +3,5 @@ CONFIG_BPF=y
 CONFIG_BPF_SYSCALL=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_EVENTS=y
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
 CONFIG_CGROUP_BPF=y
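Review bot: features/bpf/bpf.cfg is a shared fragment, but CONFIG_BPF_UNPRIV_DEFAULT_OFF only exists from v5.13 onward (as the message itself says), so on any older kernel branch this fragment is applied to, the kernel config audit will flag the new line as an unknown option. Either state in the commit message which linux-yocto branches the change targets (v5.13+/v5.15 once the stable backport lands) or note that the audit warning is expected on older branches. The dependency side is fine: CONFIG_BPF_SYSCALL=y is already set two lines above.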
-- 
2.25.1
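As an added example (not part of the patch or the linux-yocto tree), here is a small POSIX sh audit that checks what this Kconfig default actually produces on a running host. It assumes the documented meaning of /proc/sys/kernel/unprivileged_bpf_disabled from Documentation/admin-guide/sysctl/kernel.rst (0 = enabled, 1 = disabled and locked until reboot, 2 = disabled by CONFIG_BPF_UNPRIV_DEFAULT_OFF but changeable by an admin), and the "Unprivileged eBPF is enabled" dmesg text quoted above; the file and function names are this example's own.

```shell
#!/bin/sh
# bpf_unpriv_audit.sh: report whether unprivileged eBPF is disabled on this host.
# Example code written for this page; not from the linux-yocto patch or kernel tree.
# Assumption: sysctl value semantics per Documentation/admin-guide/sysctl/kernel.rst.

# Describe one sysctl value. Usage: describe_unpriv_bpf VALUE
# Returns 0 for a recognised value, 2 for anything else.
describe_unpriv_bpf() {
    case "$1" in
        0) echo "ENABLED: unprivileged bpf() allowed (Spectre v2 BHB exposure with eIBRS)" ;;
        1) echo "DISABLED (locked): cannot be re-enabled without a reboot" ;;
        2) echo "DISABLED (CONFIG_BPF_UNPRIV_DEFAULT_OFF default): admin may write 0 to re-enable" ;;
        *) echo "UNKNOWN value '$1'"; return 2 ;;
    esac
}

# Return 0 if a kernel config (plain text, or gzip such as /proc/config.gz)
# carries CONFIG_BPF_UNPRIV_DEFAULT_OFF=y, 1 otherwise.
# Usage: config_has_unpriv_off [CONFIG_FILE]
config_has_unpriv_off() {
    cfg="${1:-/proc/config.gz}"
    [ -r "$cfg" ] || return 1
    if [ "${cfg##*.}" = "gz" ]; then
        zcat "$cfg" | grep -qx 'CONFIG_BPF_UNPRIV_DEFAULT_OFF=y'
    else
        grep -qx 'CONFIG_BPF_UNPRIV_DEFAULT_OFF=y' "$cfg"
    fi
}

# Overall verdict: prints the state and returns 0 if unprivileged bpf() is
# disabled (sysctl value 1 or 2), 1 otherwise.
# Usage: audit_unpriv_bpf [SYSCTL_FILE]   (file argument is for offline testing)
audit_unpriv_bpf() {
    f="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    if [ ! -r "$f" ]; then
        echo "no $f: kernel built without CONFIG_BPF_SYSCALL, or not Linux"
        return 1
    fi
    v=$(cat "$f")
    describe_unpriv_bpf "$v" || return 1
    # Only consult dmesg when auditing the live host; it needs privileges on many systems.
    if [ -z "$1" ] && dmesg 2>/dev/null | grep -q 'Unprivileged eBPF is enabled'; then
        echo "dmesg: kernel printed the Spectre V2 BHB warning at boot"
    fi
    case "$v" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run against the live host only when explicitly asked, so the file can also be sourced.
if [ "${BPF_AUDIT_RUN:-0}" = 1 ]; then
    audit_unpriv_bpf
    config_has_unpriv_off && echo "config: CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is set"
fi
```

Run it with `BPF_AUDIT_RUN=1 sh bpf_unpriv_audit.sh`; a non-zero exit means unprivileged bpf() is still reachable. A value of 2 is what the patch above produces at boot, and it is only a default: an admin can still write 0 back, whereas 1 is permanent until reboot.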
