From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH] sysctl: Disable bpf() calls from unprivileged users without toggle option Date: Sun, 16 Jun 2024 14:02:00 +0000 Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4377221858682409381==" List-Id: --===============4377221858682409381== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit According to the Linux kernel documentation, enabling BPF_UNPRIV_DEFAULT_OFF (which was done in 69dde418f11dc0085cbe061b90f6c002d6d6cce2) will cause the sysctl kernel.unprivileged_bpf_disabled to default to 2. This prohibits calls to bpf() from unprivileged users by default, but allows for such calls to be allowed again during runtime, by setting kernel.unprivileged_bpf_disabled to 0. There is no legitimate reason why this should be possible on IPFire, which is why this patch sets kernel.unprivileged_bpf_disabled to 1 during startup, causing the same effect as 2, but without any option to revert this setting during runtime. This fixes a Lynis warning. Signed-off-by: Peter Müller --- config/etc/sysctl.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 31a220e38..51a804043 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -111,3 +111,6 @@ kernel.perf_event_paranoid = 3 # Only processes with CAP_SYS_PTRACE may use ptrace kernel.yama.ptrace_scope = 2 + +# Disable unprivileged calls to bpf() without option to enable during runtime +kernel.unprivileged_bpf_disabled = 1 -- 2.35.3 --===============4377221858682409381==--