Re: Bug#990411: systemd: set kernel.unprivileged_bpf_disabled = 1

[Tomas Pospisek <tpo_deb@sourcepole.ch>]

reassign 990411 linux-image-5.10.0-7-amd64

-----

Thanks Michael, reassigning as proposed. Though I'm wondering (and not 
finding) whether there would be a more general package to assign this 
ticket to (such as linux-image-5.x or something).

Any thoughts on this problem in the security or the kernel team?

Thanks and greets to all of you!
*t

On Mon, 28 Jun 2021, Michael Biebl wrote:

> Am 28.06.21 um 14:52 schrieb Tomas Pospisek:
> > Package: systemd
> > Version: 247.3-5
> > Severity: wishlist
> > Tags: security
> > X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
> >
> > Hi,
> >
> > TLDR:
> >
> >      $ sudo sysctl kernel.unprivileged_bpf_disabled
> >      kernel.unprivileged_bpf_disabled = 0
> >
> > please disable unprivileged BPF by default, it seems that it
> > is not safe to be allowed by default in the general case.
> >
> > I'm not sure if systemd is the right place to report this
> > security/wishlist ticket against. I've chosen systemd because it
> > ships `/etc/sysctl.d/99-sysctl.conf` which seems to me to be the
> > nearest fit to where `kernel.unprivileged_bpf_disabled` should
> > be set. Please reassign if there's a better package to stick
> > this report to.
>
> /etc/sysctl.d/99-sysctl.conf is just a symlink pointing at
> 99-sysctl.conf -> ../sysctl.conf
>
> $ dpkg -S /etc/sysctl.conf
> procps: /etc/sysctl.conf
>
> tbh, I'd prefer the security oder kernel team to make that judgement call.