[linux-yocto] [PATCH 1/1] bpf: Disallow unprivileged bpf by default

[Paul Gortmaker]

From: Pawan Gupta 

commit 8a03e56b253e9691c90bc52ca199323d71b96204 upstream.

Disabling unprivileged BPF would help prevent unprivileged users from
creating certain conditions required for potential speculative execution
side-channel attacks on unmitigated affected hardware.

A deep dive on such attacks and current mitigations is available here [0].

Sync with what many distros are currently applying already, and disable
unprivileged BPF by default. An admin can enable this at runtime, if
necessary, as described in 08389d888287 ("bpf: Add kconfig knob for
disabling unpriv bpf by default").

  [0] "BPF and Spectre: Mitigating transient execution attacks", Daniel 
Borkmann, eBPF Summit '21
  
https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf

Signed-off-by: Pawan Gupta 
Signed-off-by: Daniel Borkmann 
Acked-by: Daniel Borkmann 
Acked-by: Mark Rutland 
Link: 
https://lore.kernel.org/bpf/0ace9ce3f97656d5f62d11093ad7ee81190c3c25.1635535215.git.pawan.kumar.gu...@linux.intel.com
Signed-off-by: Paul Gortmaker 
---
 kernel/bpf/Kconfig | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig
index a82d6de86522..d24d518ddd63 100644
--- a/kernel/bpf/Kconfig
+++ b/kernel/bpf/Kconfig
@@ -64,6 +64,7 @@ config BPF_JIT_DEFAULT_ON
 
 config BPF_UNPRIV_DEFAULT_OFF
bool "Disable unprivileged BPF by default"
+   default y
depends on BPF_SYSCALL
help
  Disables unprivileged BPF by default by setting the corresponding
@@ -72,6 +73,12 @@ config BPF_UNPRIV_DEFAULT_OFF
  disable it by setting it to 1 (from which no other transition to
  0 is possible anymore).
 
+ Unprivileged BPF could be used to exploit certain potential
+ speculative execution side-channel vulnerabilities on unmitigated
+ affected hardware.
+
+ If you are unsure how to answer this question, answer Y.
+
 source "kernel/bpf/preload/Kconfig"
 
 config BPF_LSM
-- 
2.32.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#11303): 
https://lists.yoctoproject.org/g/linux-yocto/message/11303
Mute This Topic: https://lists.yoctoproject.org/mt/91076844/21656
Group Owner: linux-yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/linux-yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[linux-yocto] [PATCH v5.15 0/1] backport default eBPF setting from v5.16

[Paul Gortmaker]

I won't repeat what I already wrote for the parallel yocto-kernel-cache
commit, other than to add that I did ask the stable team if they would
consider backporting this and was told that "people are not creating new
.config files for 5.15 anymore".

I can understand their point, but that obviously isn't true from the
point of view of Yocto.  Since they aren't going to backport it, we do
it ourselves to ensure we get the right setting if people aren't using
the bpf.scc and for the self documenting factor in the source.

Please apply to v5.15/standard/base whenever you have a chance.

Thanks,
Paul.
---

Pawan Gupta (1):
  bpf: Disallow unprivileged bpf by default

 kernel/bpf/Kconfig | 7 +++
 1 file changed, 7 insertions(+)

-- 
2.32.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#11304): 
https://lists.yoctoproject.org/g/linux-yocto/message/11304
Mute This Topic: https://lists.yoctoproject.org/mt/91076845/21656
Group Owner: linux-yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/linux-yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-