Control: tag -1 patch I think disabling unprivileged BPF is probably sensible. So far as I know, it is quite limited in usefulness (without exploiting verifier bugs :-). If it can't be enabled again, this should maybe be done with a sysctl config file in linux-base rather than being a built-in default that can never be overridden.
But I don't see *why* it shouldn't be possible to enable again. That makes sense for e.g. kernel.modules_disabled where it's a way for root to drop privileges, but root always retains the ability to use BPF. This (untested) patch should fix the default while allowing it to be changed back: --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -50,7 +50,7 @@ static DEFINE_SPINLOCK(map_idr_lock); static DEFINE_IDR(link_idr); static DEFINE_SPINLOCK(link_idr_lock); -int sysctl_unprivileged_bpf_disabled __read_mostly; +int sysctl_unprivileged_bpf_disabled __read_mostly = 1; static const struct bpf_map_ops * const bpf_map_types[] = { #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type) --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -2639,9 +2639,8 @@ static struct ctl_table kern_table[] = { .data = &sysctl_unprivileged_bpf_disabled, .maxlen = sizeof(sysctl_unprivileged_bpf_disabled), .mode = 0644, - /* only handle a transition from default "0" to "1" */ .proc_handler = proc_dointvec_minmax, - .extra1 = SYSCTL_ONE, + .extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE, }, { --- END --- Ben. -- Ben Hutchings It is easier to write an incorrect program than to understand a correct one.
signature.asc
Description: This is a digitally signed message part