
Bug#991869: marked as done (release-notes: Document default change for unprivileged calls to bpf())



Your message dated Fri, 6 Aug 2021 06:33:45 +0200
with message-id <YQy7qX4+x/qj9+H3@eldamar.lan>
and subject line Re: Bug#991869: release-notes: Document default change for unprivileged calls to bpf()
has caused the Debian Bug report #991869,
regarding release-notes: Document default change for unprivileged calls to bpf()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
991869: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991869
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release-notes
Severity: normal
X-Debbugs-Cc: carnil@debian.org,debian-kernel@lists.debian.org

Hi

There is no pressure on including this but it might be worth
documenting the default change for unprivileged calls to bpf() to be
disabled in the release notes for Debian 11 (bullseye).

Attached is a corresponding patch proposal for the wording.

Regards,
Salvatore
From d120af71a5a1bc590511a193b7ae790febc38c5c Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 4 Aug 2021 07:02:08 +0200
Subject: [PATCH] Document default change for unprivileged calls to bpf()

Starting in src:linux 5.10.46-4 Linux disables unprivileged calls to
bpf() by default. Document the fact in the release notes and explain on
how to revert to keep unprivileged calls to bpf() enabled.

Reference the Debian bug asking for implementing the change as
additional hardening for BPF related security issues.

Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
---
 en/issues.dbk | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/en/issues.dbk b/en/issues.dbk
index f708c325c6a3..29221aba56e9 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -322,6 +322,28 @@ user.max_user_namespaces = 0
       </para>
     </section>
 
+    <section id="linux-unprivileged-bpf">
+      <title>Linux disables unprivileged calls to bpf() by default</title>
+      <para>
+        From <literal>Linux</literal> 5.10, Debian disables unprivileged
+        calls to bpf() by default. However, an admin can still change this
+        setting later on, if needed, by writing 0 or 1 to the
+        <literal>kernel.unprivileged_bpf_disabled</literal> sysctl.
+      </para>
+      <para>
+        If you prefer to keep unprivileged calls to bpf() enabled, set
+        the sysctl:
+      </para>
+      <programlisting>
+kernel.unprivileged_bpf_disabled = 0
+      </programlisting>
+      <para>
+        For background on the change as default in Debian see
+        <ulink url="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990411";>
+        the change request</ulink>.
+      </para>
+    </section>
+
     <section id="redmine">
       <!-- buster to bullseye -->
       <title>redmine missing in bullseye</title>
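Review bot: the `<ulink url="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990411";>` line carries a stray semicolon after the closing quote of the url attribute, which leaves the DocBook element malformed; drop the `;` so the tag reads `<ulink url="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990411">`. Separately, the first paragraph says "From Linux 5.10, Debian disables unprivileged calls to bpf() by default" while the commit message pins the change to src:linux 5.10.46-4; naming that package version in the note would tell readers on an earlier 5.10 upload whether it applies to them. The same paragraph tells admins they can write 0 or 1 to `kernel.unprivileged_bpf_disabled` but never states what the new default value is or how 1 differs from it, so a reader cannot tell which value restores the old behaviour without the later sentence; a short clause giving the default and the meaning of 1 would close that gap.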
-- 
2.32.0


--- End Message ---
--- Begin Message ---
On Wed, Aug 04, 2021 at 03:55:32PM +0200, Salvatore Bonaccorso wrote:
> On Wed, Aug 04, 2021 at 07:40:51AM +0200, Salvatore Bonaccorso wrote:
> > Package: release-notes
> > Severity: normal
> > X-Debbugs-Cc: carnil@debian.org,debian-kernel@lists.debian.org
> > 
> > Hi
> > 
> > There is no pressure on including this but it might be worth
> > documenting the default change for unprivileged calls to bpf() to be
> > disabled in the release notes for Debian 11 (bullseye).
> > 
> > Attached is a corresponding patch proposal for the wording.
> 
> Corresponding MR with it at
> https://salsa.debian.org/ddp-team/release-notes/-/merge_requests/117

And was merged, so closing the bug.

Regards,
Salvatore

--- End Message ---