
Bug#990411: marked as done (systemd: set kernel.unprivileged_bpf_disabled = 1)



Your message dated Tue, 03 Aug 2021 06:33:47 +0000
with message-id <E1mAnzn-000CSB-27@fasolo.debian.org>
and subject line Bug#990411: fixed in linux 5.10.46-4
has caused the Debian Bug report #990411,
regarding systemd: set kernel.unprivileged_bpf_disabled = 1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
990411: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990411
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: systemd
Version: 247.3-5
Severity: wishlist
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Hi,

TLDR:

    $ sudo sysctl kernel.unprivileged_bpf_disabled
    kernel.unprivileged_bpf_disabled = 0

please disable unprivileged BPF by default; it seems that it
is not safe to allow by default in the general case.

I'm not sure whether systemd is the right place to report this
security/wishlist ticket against. I've chosen systemd because it
ships `/etc/sysctl.d/99-sysctl.conf` which seems to me to be the
nearest fit to where `kernel.unprivileged_bpf_disabled` should
be set. Please reassign if there's a better package to stick
this report to.

After reading https://lwn.net/Articles/860597/ I'm under the
impression that allowing unprivileged BPF is too big of a
barn door to leave open at these times.

Currently

* I have no idea which packages that I install use or will use BPF
* I don't know how I could even find out
* even if I knew that a given program *does* use BPF, I estimate
  that it would take me a non-trivial effort to analyze how security
  critical that fact is in my context
* considering myself quite a seasoned sysadmin, I very much doubt
  that the general Debian consumer is even remotely capable of
  correctly assessing the preceding points

Therefore I'd suggest seriously considering disabling the
unprivileged BPF gun *by default* on freshly installed Debian
systems.

Thanks a lot for taking care of Debian!
*t


-- Package-specific info:

-- System Information:
Debian Release: 11.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-7-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8), LANGUAGE=de_CH:de
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages systemd depends on:
ii  adduser                          3.118
ii  libacl1                          2.2.53-10
ii  libapparmor1                     2.13.6-10
ii  libaudit1                        1:3.0-2
ii  libblkid1                        2.36.1-7
ii  libc6                            2.31-12
ii  libcap2                          1:2.44-1
ii  libcrypt1                        1:4.4.18-4
ii  libcryptsetup12                  2:2.3.5-1
ii  libgcrypt20                      1.8.7-3
ii  libgnutls30                      3.7.1-3
ii  libgpg-error0                    1.38-2
ii  libip4tc2                        1.8.7-1
ii  libkmod2                         28-1
ii  liblz4-1                         1.9.3-2
ii  liblzma5                         5.2.5-2
ii  libmount1                        2.36.1-7
ii  libpam0g                         1.4.0-7
ii  libseccomp2                      2.5.1-1
ii  libselinux1                      3.1-3
ii  libsystemd0                      247.3-5
ii  libzstd1                         1.4.8+dfsg-2.1
ii  mount                            2.36.1-7
ii  systemd-timesyncd [time-daemon]  247.3-5
ii  util-linux                       2.36.1-7

Versions of packages systemd recommends:
ii  dbus  1.12.20-2

Versions of packages systemd suggests:
ii  policykit-1        0.105-31
pn  systemd-container  <none>

Versions of packages systemd is related to:
pn  dracut           <none>
ii  initramfs-tools  0.140
ii  libnss-systemd   247.3-5
ii  libpam-systemd   247.3-5
ii  udev             247.3-5

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: linux
Source-Version: 5.10.46-4
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990411@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 03 Aug 2021 07:50:50 +0200
Source: linux
Architecture: source
Version: 5.10.46-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 990411
Changes:
 linux (5.10.46-4) unstable; urgency=medium
 .
   * bpf: Introduce BPF nospec instruction for mitigating Spectre v4
     (CVE-2021-34556, CVE-2021-35477)
   * bpf: Fix leakage due to insufficient speculative store bypass mitigation
     (CVE-2021-34556, CVE-2021-35477)
   * bpf: Remove superfluous aux sanitation on subprog rejection
   * Ignore ABI changes for bpf_offload_dev_create and bpf_verifier_log_write
   * bpf: Add kconfig knob for disabling unpriv bpf by default
   * init: Enable BPF_UNPRIV_DEFAULT_OFF (Closes: #990411)
   * linux-image: Add NEWS entry documenting that unprivileged calls to bpf() are
     disabled by default in Debian.
   * bpf: verifier: Allocate idmap scratch in verifier env
   * bpf: Fix pointer arithmetic mask tightening under state pruning
Checksums-Sha1:
 7ad0f8d3cd45daff12d92ad5dc352b82bd4b64f5 195000 linux_5.10.46-4.dsc
 38234ee7c5e8b6a5d12a8b875d423c7c729639dc 4373312 linux_5.10.46-4.debian.tar.xz
 193f3f618d7857589b0b78d3005eca40dbea2649 6227 linux_5.10.46-4_source.buildinfo
Checksums-Sha256:
 2ac8a8639f90b9fcf09131c359c74949e97df62c180f4eb97a6604ec2228dc15 195000 linux_5.10.46-4.dsc
 1c91aa76d70940b2caffc935e9427771c055aca5db87a3f374caa4dedf2bc4f2 4373312 linux_5.10.46-4.debian.tar.xz
 6a0b9cf7babf935e3a4c4c815e352eec22d60c36433c6455628935c32e02e153 6227 linux_5.10.46-4_source.buildinfo
Files:
 cde18df720117efed4f86bbae3af6f59 195000 kernel optional linux_5.10.46-4.dsc
 a4552fc829b1fa6c2559cd4feb79378d 4373312 kernel optional linux_5.10.46-4.debian.tar.xz
 0ae47f6029f67cb2a01b3b8268f10aa8 6227 kernel optional linux_5.10.46-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
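The reporter's TLDR checks a single sysctl, and the closing changelog moves the default into the kernel build (BPF_UNPRIV_DEFAULT_OFF). Neither message shows how to inspect both layers or how to pin the setting on a kernel that was not built with that option. The script below is an added example written for this page; it is not code from the bug report, from systemd, or from the Debian kernel packaging. It only uses the stock procfs/sysctl interfaces and the `/boot/config-$(uname -r)` file Debian kernel images install; the drop-in file name `/etc/sysctl.d/60-disable-unpriv-bpf.conf` and the function names are assumptions chosen for the example. The value meanings it reports (0 allowed, 1 disabled and locked until reboot, 2 disabled but re-enablable by root) are the ones documented in the kernel's sysctl documentation; 2 is what the BPF_UNPRIV_DEFAULT_OFF kconfig option selects at boot.

```shell
#!/bin/sh
# Added example for Debian bug #990411, not code from the report or from
# the linux/systemd packages. Inspects and (optionally) enforces
# kernel.unprivileged_bpf_disabled. File paths with a default argument
# can be overridden so the functions can be exercised on copies.

# Map the raw sysctl value to its documented meaning:
#   0 -> unprivileged bpf() allowed
#   1 -> disabled, cannot be re-enabled until reboot
#   2 -> disabled, root may write 0 to re-enable (BPF_UNPRIV_DEFAULT_OFF's
#        boot-time value)
bpf_unpriv_describe() {
    case "$1" in
        0) echo "enabled" ;;
        1) echo "disabled-locked" ;;
        2) echo "disabled-unlockable" ;;
        *) echo "unknown" ;;
    esac
}

# Runtime state. $1 defaults to the live procfs node.
bpf_unpriv_state() {
    file="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    if [ ! -r "$file" ]; then
        echo "absent"   # kernel built without CONFIG_BPF_SYSCALL, or unreadable
        return 1
    fi
    bpf_unpriv_describe "$(cat "$file")"
}

# Compiled-in default. $1 defaults to the config file Debian ships in /boot.
bpf_unpriv_default_off_in_config() {
    file="${1:-/boot/config-$(uname -r)}"
    grep -qx 'CONFIG_BPF_UNPRIV_DEFAULT_OFF=y' "$file" 2>/dev/null
}

# Drop-in that enforces the setting whatever the kernel default is.
# 1 rather than 2 is deliberate: it locks the door until reboot, so a
# later root process cannot quietly flip it back to 0.
bpf_unpriv_sysctl_dropin() {
    printf '%s\n' \
        '# Disable bpf() for unprivileged users (Debian bug #990411).' \
        '# 1 = disabled and locked until reboot; 2 = disabled but root may re-enable.' \
        'kernel.unprivileged_bpf_disabled = 1'
}

report_and_apply() {
    printf 'runtime state : %s\n' "$(bpf_unpriv_state)"
    if bpf_unpriv_default_off_in_config; then
        echo 'kernel config : CONFIG_BPF_UNPRIV_DEFAULT_OFF=y'
    else
        echo 'kernel config : CONFIG_BPF_UNPRIV_DEFAULT_OFF not set (or config unreadable)'
    fi
    if [ "$1" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
        dropin=/etc/sysctl.d/60-disable-unpriv-bpf.conf   # assumed file name
        bpf_unpriv_sysctl_dropin > "$dropin"
        sysctl -p "$dropin"      # apply now; systemd-sysctl re-applies it at boot
        printf 'runtime state : %s\n' "$(bpf_unpriv_state)"
    fi
}

# Run the report only when executed under the assumed script name, so the
# functions can also be sourced into another shell.
case "$0" in
    *bpf_unpriv_check.sh) report_and_apply "$@" ;;
esac
```

Save it as `bpf_unpriv_check.sh`; `sh bpf_unpriv_check.sh` reports both layers, and `sudo sh bpf_unpriv_check.sh --apply` writes the drop-in and applies it. Once the value is 1 or 2, bpf() from a process without CAP_SYS_ADMIN/CAP_BPF fails with EPERM, so a program that silently depended on unprivileged BPF can be found by running it under `strace -f -e trace=bpf` and looking for that error.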
