Disable unprivileged BPF by default
Bug #1961338 reported by Thadeu Lima de Souza Cascardo
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | High | Thadeu Lima de Souza Cascardo |
Focal | Fix Released | High | Thadeu Lima de Souza Cascardo |
Bug Description
[Impact]
Unprivileged users have access to BPF, which lets them run code of their choosing inside the kernel. Although that access is restricted and the programs are verified, many security issues have been uncovered over the years, which indicates that it should be disabled by default in order to protect our users.
Admins can re-enable that access or grant CAP_BPF to programs that need it.
[Test case]
A qa-regression-
[Potential regression]
Users who rely on unprivileged BPF access will need to change the setting or give CAP_BPF to their programs. Also, sysctl and bpf code might be affected.
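A verification check for the behaviour described above, added here as an example and not part of the bug report or of Ubuntu's qa-regression-testing suite: it attempts the smallest possible BPF_PROG_LOAD as the calling user and classifies the kernel's answer. It assumes a Linux host whose libc exposes SYS_bpf; the constants and the struct layout are hand-copied from the bpf(2) uAPI so that no kernel headers are needed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Just enough of the bpf(2) uAPI to avoid a kernel-headers dependency:
 * one eBPF instruction and the leading BPF_PROG_LOAD fields of union bpf_attr. */
#define BPF_PROG_LOAD 5
#define BPF_PROG_TYPE_SOCKET_FILTER 1
struct insn { uint8_t code; uint8_t dst_reg:4, src_reg:4; int16_t off; int32_t imm; };
struct prog_load_attr {
    uint32_t prog_type, insn_cnt; uint64_t insns, license;   /* pointers as u64 */
    uint32_t log_level, log_size; uint64_t log_buf; uint32_t kern_version, prog_flags;
};
/* 1 = refused with EPERM (unprivileged BPF disabled by the sysctl, or bpf() denied
 * by a seccomp filter), 0 = load succeeded (unprivileged BPF allowed, or the caller
 * holds CAP_BPF/CAP_SYS_ADMIN), -1 = any other error, e.g. ENOSYS. */
int classify_prog_load(long ret, int err) {
    if (ret >= 0) return 0;
    return err == EPERM ? 1 : -1;
}

/* Try to load the smallest valid socket filter, "r0 = 0; exit", as the current user. */
int probe_unprivileged_bpf(void) {
    struct insn prog[2] = { { .code = 0xb7 },   /* BPF_MOV64_IMM(r0, 0) */
                            { .code = 0x95 } }; /* BPF_EXIT_INSN()      */
    struct prog_load_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
    attr.insn_cnt  = 2;
    attr.insns     = (uint64_t)(uintptr_t)prog;
    attr.license   = (uint64_t)(uintptr_t)"GPL";
#ifdef SYS_bpf
    long fd = syscall(SYS_bpf, BPF_PROG_LOAD, &attr, sizeof attr);
    int err = errno;
    if (fd >= 0) close((int)fd);
    return classify_prog_load(fd, err);
#else
    return -1;                              /* this libc/arch has no bpf syscall number */
#endif
}

int main(void) {
    int r = probe_unprivileged_bpf();   /* cross-check with /proc/sys/kernel/unprivileged_bpf_disabled */
    printf("unprivileged BPF_PROG_LOAD: %s\n",
           r == 1 ? "blocked (EPERM)" : r == 0 ? "allowed" : "inconclusive");
    return r < 0 ? 2 : r;
}
```

Run it as an unprivileged user: on a kernel built with CONFIG_BPF_UNPRIV_DEFAULT_OFF=y and the sysctl left at its default it reports "blocked", while root or a CAP_BPF holder sees "allowed". EPERM from a seccomp filter looks identical, so confirm the verdict against the sysctl value before concluding anything about the kernel.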
Changed in linux (Ubuntu): status: In Progress → Fix Released
Changed in linux (Ubuntu Focal): status: New → In Progress
Changed in linux (Ubuntu Bionic): status: New → In Progress
Changed in linux (Ubuntu Xenial): status: New → Confirmed
Changed in linux (Ubuntu Focal): importance: Undecided → High
Changed in linux (Ubuntu Bionic): importance: Undecided → High
Changed in linux (Ubuntu Focal): assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux (Ubuntu Bionic): assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
information type: Private Security → Public Security
Changed in linux (Ubuntu Xenial): status: Confirmed → Fix Released
tags: added: verification-done-focal
This bug was fixed in the package linux - 5.4.0-104.118
---------------
linux (5.4.0-104.118) focal; urgency=medium

  * CVE-2022-23960
    - SAUCE: kvm: arm: fix build on 32-bit

linux (5.4.0-103.117) focal; urgency=medium

  * CVE-2022-23960
    - arm64: Add part number for Arm Cortex-A77
    - arm64: Add Neoverse-N2, Cortex-A710 CPU part definition
    - arm64: Add Cortex-X2 CPU part definition
    - arm64: add ID_AA64ISAR2_EL1 sys register
    - SAUCE: arm64: entry.S: Add ventry overflow sanity checks
    - SAUCE: arm64: entry: Make the trampoline cleanup optional
    - SAUCE: arm64: entry: Free up another register on kpti's tramp_exit path
    - SAUCE: arm64: entry: Move the trampoline data page before the text page
    - SAUCE: arm64: entry: Allow tramp_alias to access symbols after the 4K boundary
    - SAUCE: arm64: entry: Don't assume tramp_vectors is the start of the vectors
    - SAUCE: arm64: entry: Move trampoline macros out of ifdef'd section
    - SAUCE: arm64: entry: Make the kpti trampoline's kpti sequence optional
    - SAUCE: arm64: entry: Allow the trampoline text to occupy multiple pages
    - SAUCE: arm64: entry: Add non-kpti __bp_harden_el1_vectors for mitigations
    - SAUCE: arm64: entry: Add vectors that have the bhb mitigation sequences
    - SAUCE: arm64: entry: Add macro for reading symbol addresses from the trampoline
    - SAUCE: arm64: Add percpu vectors for EL1
    - SAUCE: arm64: proton-pack: Report Spectre-BHB vulnerabilities as part of Spectre-v2
    - SAUCE: KVM: arm64: Add templates for BHB mitigation sequences
    - SAUCE: arm64: Mitigate spectre style branch history side channels
    - SAUCE: KVM: arm64: Allow SMCCC_ARCH_WORKAROUND_3 to be discovered and migrated
    - SAUCE: arm64: Use the clearbhb instruction in mitigations
    - [Config]: set CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY=y

  * CVE-2022-25636
    - netfilter: nf_tables_offload: incorrect flow offload action array size

  * CVE-2022-0001
    - x86/speculation: Merge one test in spectre_v2_user_select_mitigation()
    - x86,bugs: Unconditionally allow spectre_v2=retpoline,amd
    - SAUCE: x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE
    - SAUCE: x86/speculation: Add eIBRS + Retpoline options
    - SAUCE: Documentation/hw-vuln: Update spectre doc

  * Disable unprivileged BPF by default (LP: #1961338)
    - bpf: Add kconfig knob for disabling unpriv bpf by default
    - [Config] set CONFIG_BPF_UNPRIV_DEFAULT_OFF=y

 -- Thadeu Lima de Souza Cascardo <email address hidden> Wed, 02 Mar 2022 14:10:18 -0300