BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

linux: enable BPF_UNPRIV_DEFAULT_OFF between 5.10 and 5.15

Browse source 
Disable unprivileged access to BPF syscalls to prevent denial of service
and privilege escalation via

a) potential speculative execution side-channel-attacks on unmitigated
hardware[0]

or

b) unvalidated memory access in ringbuffer helper functions[1].

Fixes: CVE-2021-4204, CVE-2022-23222

[0] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf
[1] https://www.openwall.com/lists/oss-security/2022/01/13/1
This commit is contained in:
Martin Weinelt 2022-01-14 10:27:28 +01:00
parent d4cc90aea5
commit 3ee206291a
No known key found for this signature in database
GPG key ID: 87C1E9888F856759
3 changed files with 12 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
View file

@ -1420,6 +1420,15 @@ Superuser created successfully.
for those who want to have all RetroArch cores available. for those who want to have all RetroArch cores available.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The Linux kernel for security reasons now restricts access to
BPF syscalls via <literal>BPF_UNPRIV_DEFAULT_OFF=y</literal>.
Unprivileged access can be reenabled via the
<literal>kernel.unprivileged_bpf_disabled</literal> sysctl
knob.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section xml:id="sec-release-21.11-notable-changes"> <section xml:id="sec-release-21.11-notable-changes">

2
nixos/doc/manual/release-notes/rl-2111.section.md
View file

@ -417,6 +417,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- `retroArchCores` has been removed. This means that using `nixpkgs.config.retroarch` to customize RetroArch cores is not supported anymore. Instead, use package overrides, for example: `retroarch.override { cores = with libretro; [ citra snes9x ]; };`. Also, `retroarchFull` derivation is available for those who want to have all RetroArch cores available. - `retroArchCores` has been removed. This means that using `nixpkgs.config.retroarch` to customize RetroArch cores is not supported anymore. Instead, use package overrides, for example: `retroarch.override { cores = with libretro; [ citra snes9x ]; };`. Also, `retroarchFull` derivation is available for those who want to have all RetroArch cores available.
- The Linux kernel for security reasons now restricts access to BPF syscalls via `BPF_UNPRIV_DEFAULT_OFF=y`. Unprivileged access can be reenabled via the `kernel.unprivileged_bpf_disabled` sysctl knob.
## Other Notable Changes {#sec-release-21.11-notable-changes} ## Other Notable Changes {#sec-release-21.11-notable-changes}

1
pkgs/os-specific/linux/kernel/common-config.nix
View file

@ -539,6 +539,7 @@ let
UPROBE_EVENT = { optional = true; tristate = whenOlder "4.11" "y";}; UPROBE_EVENT = { optional = true; tristate = whenOlder "4.11" "y";};
UPROBE_EVENTS = { optional = true; tristate = whenAtLeast "4.11" "y";}; UPROBE_EVENTS = { optional = true; tristate = whenAtLeast "4.11" "y";};
BPF_SYSCALL = whenAtLeast "4.4" yes; BPF_SYSCALL = whenAtLeast "4.4" yes;
BPF_UNPRIV_DEFAULT_OFF = whenBetween "5.10" "5.15" yes;
BPF_EVENTS = whenAtLeast "4.4" yes; BPF_EVENTS = whenAtLeast "4.4" yes;
FUNCTION_PROFILER = yes; FUNCTION_PROFILER = yes;
RING_BUFFER_BENCHMARK = no; RING_BUFFER_BENCHMARK = no;