merged.
SRCREVs will follow in a bit.
Things were delayed a bit... for obvious reasons for anyone from
Ottawa.
Bruce
In message: [kernel-cache v5.15+] bpf: explicitly disable unpriv eBPF by default
on 12/05/2022 Paul Gortmaker wrote:
> This BPF_UNPRIV_DEFAULT_OFF option was introduced in v5.13 in
> 08389d888287 ("bpf: Add kconfig knob for disabling unpriv bpf by
> default")
>
> But it was added as one of those somewhat confusing double negative
> things, and so the implicit "default n" from Kconfig processing meant
> that unpriv eBPF was enabled by default in v5.13 through v5.15.
>
> In v5.16 it was corrected with commit 8a03e56b253e ("bpf: Disallow
> unprivileged bpf by default") since there were security concerns
> relating to having it enabled.
>
> In that commit we see "Sync with what many distros are currently
> applying already, and disable unprivileged BPF by default."
>
> In a generic x86-64 Yocto boot we currently see this in dmesg as:
>
> Spectre V2 : WARNING: Unprivileged eBPF is enabled with eIBRS on,
> data leaks possible via Spectre v2 BHB attacks!
>
> I've suggested the stable team do a backport to v5.15, but in any
> event, it probably makes sense for us to be explicit on our default.
>
> Signed-off-by: Paul Gortmaker <[email protected]>
>
> diff --git a/features/bpf/bpf.cfg b/features/bpf/bpf.cfg
> index b90e87a51e00..50c27ceb09c5 100644
> --- a/features/bpf/bpf.cfg
> +++ b/features/bpf/bpf.cfg
> @@ -3,4 +3,5 @@ CONFIG_BPF=y
> CONFIG_BPF_SYSCALL=y
> CONFIG_BPF_JIT=y
> CONFIG_BPF_EVENTS=y
> +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
> CONFIG_CGROUP_BPF=y
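Review bot: the new line in this hunk should carry a short comment explaining its double-negative meaning, since the commit message itself calls the option confusing and bpf.cfg is otherwise a bare list of symbols that a reader will skim; something like `# =y disables unprivileged bpf() at boot (option exists since v5.13)` directly above `CONFIG_BPF_UNPRIV_DEFAULT_OFF=y` would do. Being explicit here is the right call for the v5.15+ fragment, because the implicit "default n" described in the message is what leaves unprivileged eBPF enabled and produces the quoted Spectre V2 BHB warning.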
> --
> 2.25.1
>
View/Reply Online (#11315):
https://lists.yoctoproject.org/g/linux-yocto/message/11315