[linux-yocto] [PATCH 1/1] bpf: Disallow unprivileged bpf by default

Fri, 13 May 2022 02:07:09 -0700 

From: Pawan Gupta <[email protected]>

commit 8a03e56b253e9691c90bc52ca199323d71b96204 upstream.

Disabling unprivileged BPF would help prevent unprivileged users from
creating certain conditions required for potential speculative execution
side-channel attacks on unmitigated affected hardware.

A deep dive on such attacks and current mitigations is available here [0].

Sync with what many distros are currently applying already, and disable
unprivileged BPF by default. An admin can enable this at runtime, if
necessary, as described in 08389d888287 ("bpf: Add kconfig knob for
disabling unpriv bpf by default").

  [0] "BPF and Spectre: Mitigating transient execution attacks", Daniel 
Borkmann, eBPF Summit '21
      
https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf

Signed-off-by: Pawan Gupta <[email protected]>
Signed-off-by: Daniel Borkmann <[email protected]>
Acked-by: Daniel Borkmann <[email protected]>
Acked-by: Mark Rutland <[email protected]>
Link: 
https://lore.kernel.org/bpf/0ace9ce3f97656d5f62d11093ad7ee81190c3c25.1635535215.git.pawan.kumar.gu...@linux.intel.com
Signed-off-by: Paul Gortmaker <[email protected]>
---
 kernel/bpf/Kconfig | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig
index a82d6de86522..d24d518ddd63 100644
--- a/kernel/bpf/Kconfig
+++ b/kernel/bpf/Kconfig
@@ -64,6 +64,7 @@ config BPF_JIT_DEFAULT_ON
 
 config BPF_UNPRIV_DEFAULT_OFF
        bool "Disable unprivileged BPF by default"
+       default y
        depends on BPF_SYSCALL
        help
          Disables unprivileged BPF by default by setting the corresponding
@@ -72,6 +73,12 @@ config BPF_UNPRIV_DEFAULT_OFF
          disable it by setting it to 1 (from which no other transition to
          0 is possible anymore).
 
+         Unprivileged BPF could be used to exploit certain potential
+         speculative execution side-channel vulnerabilities on unmitigated
+         affected hardware.
+
+         If you are unsure how to answer this question, answer Y.
+
 source "kernel/bpf/preload/Kconfig"
 
 config BPF_LSM
-- 
2.32.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#11303): 
https://lists.yoctoproject.org/g/linux-yocto/message/11303
Mute This Topic: https://lists.yoctoproject.org/mt/91076844/21656
Group Owner: [email protected]
Unsubscribe: https://lists.yoctoproject.org/g/linux-yocto/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to