From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date: Fri, 29 Oct 2021 12:43:54 -0700
Subject: bpf: Disallow unprivileged bpf by default
Patch-mainline: v5.16-rc1
Git-commit: 8a03e56b253e9691c90bc52ca199323d71b96204
References: jsc#SLE-22573
Disabling unprivileged BPF would help prevent unprivileged users from
creating certain conditions required for potential speculative execution
side-channel attacks on unmitigated affected hardware.
A deep dive on such attacks and current mitigations is available here [0].
Sync with what many distros are currently applying already, and disable
unprivileged BPF by default. An admin can enable this at runtime, if
necessary, as described in 08389d888287 ("bpf: Add kconfig knob for
disabling unpriv bpf by default").
[0] "BPF and Spectre: Mitigating transient execution attacks", Daniel Borkmann, eBPF Summit '21
https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/bpf/0ace9ce3f97656d5f62d11093ad7ee81190c3c25.1635535215.git.pawan.kumar.gupta@linux.intel.com
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
---
syu: Patches init/Kconfig instead of kernel/bpf/Kconfig since b24abcff918a
("bpf, kconfig: Add consolidated menu entry for bpf with core options") is not
backported.
---
init/Kconfig | 7 +++++++
1 file changed, 7 insertions(+)
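Added example, not part of this patch or the kernel tree: a Python check that compares the build-time default this Kconfig change sets with the running kernel's sysctl state, so a host on which an admin later re-enabled unprivileged BPF at runtime shows up as drift. It assumes the behaviour of 08389d888287 cited in the commit message (BPF_UNPRIV_DEFAULT_OFF=y boots with kernel.unprivileged_bpf_disabled at 2, which an admin may still set to 0 or 1); the .config fragment is constructed, and the sysctl path is only read if it exists.

```python
# Added example, not from the patch: audit the unprivileged-BPF build default
# against runtime state. Assumed (from 08389d888287): CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# boots kernel.unprivileged_bpf_disabled at 2, otherwise at 0. Runtime values:
# 0 = unprivileged bpf(2) allowed, 1 = disabled permanently, 2 = disabled, still changeable.
import re

SYSCTL_PATH = "/proc/sys/kernel/unprivileged_bpf_disabled"

def parse_config(text):
    """Parse Kconfig .config text into {CONFIG_NAME: value}; 'is not set' -> 'n'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
    return opts

def boot_default(opts):
    """Sysctl value at boot, or None when the bpf(2) syscall is compiled out."""
    if opts.get("CONFIG_BPF_SYSCALL") != "y":
        return None  # BPF_UNPRIV_DEFAULT_OFF depends on BPF_SYSCALL; no knob exists
    return 2 if opts.get("CONFIG_BPF_UNPRIV_DEFAULT_OFF") == "y" else 0

def assess(opts, runtime):
    """Classify the host; a build default of 2 with a runtime value of 0 is drift."""
    default = boot_default(opts)
    if default is None:
        return "bpf-syscall-disabled"
    if runtime == 1:
        return "locked"  # one-way: stays disabled until reboot
    if runtime == 0:
        return "drift" if default == 2 else "open-by-default"
    return "disabled-reversible"

def read_runtime(path=SYSCTL_PATH):
    """Read the live sysctl; raises OSError where /proc is not available."""
    with open(path) as f:
        return int(f.read().strip())

# Constructed .config fragment so the example runs offline
SAMPLE_CONFIG = """\
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_USERFAULTFD is not set
"""
```

On a real host, call `assess(parse_config(open("/boot/config-$(uname -r)").read()), read_runtime())` and treat "drift" as a finding worth correlating with who wrote the sysctl.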
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1710,6 +1710,7 @@ config BPF_JIT_ALWAYS_ON
config BPF_UNPRIV_DEFAULT_OFF
bool "Disable unprivileged BPF by default"
+ default y
depends on BPF_SYSCALL
help
Disables unprivileged BPF by default by setting the corresponding
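Review bot: the `default y` line changes the outcome for existing configurations that do not mention BPF_UNPRIV_DEFAULT_OFF at all, which will silently pick up y on the next `make olddefconfig`, while a config carrying an explicit `# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set` keeps unprivileged BPF enabled; the commit message says this syncs with distro practice but does not spell out that behaviour change for existing builds, so consider adding a sentence about it there.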
@@ -1718,6 +1719,12 @@ config BPF_UNPRIV_DEFAULT_OFF
disable it by setting it to 1 (from which no other transition to
0 is possible anymore).
+ Unprivileged BPF could be used to exploit certain potential
+ speculative execution side-channel vulnerabilities on unmitigated
+ affected hardware.
+
+ If you are unsure how to answer this question, answer Y.
+
config USERFAULTFD
bool "Enable userfaultfd() system call"
select ANON_INODES
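Review bot: the added help paragraph is vaguer than it needs to be ("certain potential speculative execution side-channel vulnerabilities") and gives the reader nowhere to go for detail, unlike the commit message which cites [0]; since the context above already explains the sysctl transitions, consider pointing the help text at the unprivileged_bpf_disabled entry in Documentation/admin-guide/sysctl/kernel.rst so the Kconfig entry is self-contained. The trailing `+` blank line before `config USERFAULTFD` is fine as the paragraph sits after the existing blank line, so spacing stays consistent with neighbouring entries.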