From 3ee206291a20b2d18e651c77bf161ef42108901f Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Fri, 14 Jan 2022 10:27:28 +0100
Subject: [PATCH] linux: enable BPF_UNPRIV_DEFAULT_OFF between 5.10 and 5.15

Disable unprivileged access to BPF syscalls to prevent denial of service and privilege escalation via a) potential speculative execution side-channel-attacks on unmitigated hardware[0] or b) unvalidated memory access in ringbuffer helper functions[1].

Fixes: CVE-2021-4204, CVE-2022-23222

[0] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf
[1] https://www.openwall.com/lists/oss-security/2022/01/13/1
---
.../doc/manual/from_md/release-notes/rl-2111.section.xml | 9 +++++++++
nixos/doc/manual/release-notes/rl-2111.section.md | 2 ++
pkgs/os-specific/linux/kernel/common-config.nix | 1 +
3 files changed, 12 insertions(+)

diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
index 6b706e4aeaa16..59da373f38e17 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -1420,6 +1420,15 @@ Superuser created successfully.
 for those who want to have all RetroArch cores available.
+
+
+ The Linux kernel for security reasons now restricts access to
+ BPF syscalls via BPF_UNPRIV_DEFAULT_OFF=y.
+ Unprivileged access can be reenabled via the
+ kernel.unprivileged_bpf_disabled sysctl
+ knob.
+
+
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
index 48adc4ad33cba..1b59842e020bb 100644
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -417,6 +417,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - `retroArchCores` has been removed. This means that using `nixpkgs.config.retroarch` to customize RetroArch cores is not supported anymore. Instead, use package overrides, for example: `retroarch.override { cores = with libretro; [ citra snes9x ]; };`. Also, `retroarchFull` derivation is available for those who want to have all RetroArch cores available.
+- The Linux kernel for security reasons now restricts access to BPF syscalls via `BPF_UNPRIV_DEFAULT_OFF=y`. Unprivileged access can be reenabled via the `kernel.unprivileged_bpf_disabled` sysctl knob.
+
 ## Other Notable Changes {#sec-release-21.11-notable-changes}
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 14afc85aa7c06..93c6b390eb2ae 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -539,6 +539,7 @@ let
 UPROBE_EVENT = { optional = true; tristate = whenOlder "4.11" "y";};
 UPROBE_EVENTS = { optional = true; tristate = whenAtLeast "4.11" "y";};
 BPF_SYSCALL = whenAtLeast "4.4" yes;
+ BPF_UNPRIV_DEFAULT_OFF = whenBetween "5.10" "5.15" yes;
 BPF_EVENTS = whenAtLeast "4.4" yes;
 FUNCTION_PROFILER = yes;
 RING_BUFFER_BENCHMARK = no;
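Review bot: The new `BPF_UNPRIV_DEFAULT_OFF = whenBetween "5.10" "5.15" yes;` line leaves kernels at or beyond the upper bound on the upstream default, which the commit message itself describes as exposed to CVE-2021-4204 and CVE-2022-23222, and the message does not say why the range stops at 5.15; since `whenBetween`'s bound semantics are not visible in the hunk, it is also unclear whether 5.15 itself is covered as the subject line implies. If newer kernels are handled elsewhere, a comment on the new line should say so, e.g. `# 5.15 and newer are covered separately, see <follow-up commit>`; if they are not, `whenAtLeast "5.10" yes` would match the stated intent. An unconditional `yes` (unlike the neighbouring `optional = true` entries) will presumably make the kernel config check fail on any kernel in the range whose tree lacks the symbol, which is acceptable as a loud failure but worth a one-line comment so the next bump does not quietly relax it. The enclosing attribute set starts and ends outside the hunk.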