diff --git a/patches.suse/bpf-Disallow-unprivileged-bpf-by-default.patch b/patches.suse/bpf-Disallow-unprivileged-bpf-by-default.patch
new file mode 100644
index 0000000..52cc746
--- /dev/null
+++ b/patches.suse/bpf-Disallow-unprivileged-bpf-by-default.patch
@@ -0,0 +1,54 @@
+From: Pawan Gupta
+Date: Fri, 29 Oct 2021 12:43:54 -0700
+Subject: bpf: Disallow unprivileged bpf by default
+Patch-mainline: v5.16-rc1
+Git-commit: 8a03e56b253e9691c90bc52ca199323d71b96204
+References: jsc#SLE-22575
+
+Disabling unprivileged BPF would help prevent unprivileged users from
+creating certain conditions required for potential speculative execution
+side-channel attacks on unmitigated affected hardware.
+
+A deep dive on such attacks and current mitigations is available here [0].
+
+Sync with what many distros are currently applying already, and disable
+unprivileged BPF by default. An admin can enable this at runtime, if
+necessary, as described in 08389d888287 ("bpf: Add kconfig knob for
+disabling unpriv bpf by default").
+
+ [0] "BPF and Spectre: Mitigating transient execution attacks", Daniel Borkmann, eBPF Summit '21
+ https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf
+
+Signed-off-by: Pawan Gupta
+Signed-off-by: Daniel Borkmann
+Acked-by: Daniel Borkmann
+Acked-by: Mark Rutland
+Link: https://lore.kernel.org/bpf/0ace9ce3f97656d5f62d11093ad7ee81190c3c25.1635535215.git.pawan.kumar.gupta@linux.intel.com
+Acked-by: Shung-Hsi Yu
+---
+ kernel/bpf/Kconfig | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/kernel/bpf/Kconfig
++++ b/kernel/bpf/Kconfig
+@@ -64,6 +64,7 @@ config BPF_JIT_DEFAULT_ON
+ 
+ config BPF_UNPRIV_DEFAULT_OFF
+ bool "Disable unprivileged BPF by default"
++ default y
+ depends on BPF_SYSCALL
+ help
+ Disables unprivileged BPF by default by setting the corresponding
+@@ -72,6 +73,12 @@ config BPF_UNPRIV_DEFAULT_OFF
+ disable it by setting it to 1 (from which no other transition to
+ 0 is possible anymore).
+ 
++ Unprivileged BPF could be used to exploit certain potential
++ speculative execution side-channel vulnerabilities on unmitigated
++ affected hardware.
++ 
++ If you are unsure how to answer this question, answer Y.
++
+ 
+ source "kernel/bpf/preload/Kconfig"
+ 
+ config BPF_LSM
diff --git a/series.conf b/series.conf
index a3ffb51..4d7a1c5 100644
--- a/series.conf
+++ b/series.conf
@@ -4453,6 +4453,7 @@
 patches.suse/selftests-bpf-Fix-fd-cleanup-in-sk_lookup-test.patch
 patches.suse/selftests-bpf-Fix-memory-leak-in-test_ima.patch
 patches.suse/selftests-bpf-Fix-fclose-pclose-mismatch-in-test_pro.patch
+ patches.suse/bpf-Disallow-unprivileged-bpf-by-default.patch
 patches.suse/selftests-bpf-Fix-strobemeta-selftest-regression.patch
 patches.suse/skmsg-Lose-offset-info-in-sk_psock_skb_ingress.patch
 patches.suse/selftests-bpf-Fix-also-no-alu32-strobemeta-selftest.patch
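Review bot: The `+ default y` added in the first Kconfig hunk of the new patch only has an effect where the build configuration does not already pin BPF_UNPRIV_DEFAULT_OFF; this commit adds the patch file and its series.conf entry but, as far as the diff shows, does not touch the tree's shipped kernel config files. If those configs carry an explicit `# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set`, the hardened default described in the patch never reaches the built kernels, so confirm they are updated or regenerated alongside this backport. The new help text also documents only the one-way transition to 1; a reader checking the runtime escape hatch the commit message mentions ("An admin can enable this at runtime") has to follow the referenced upstream commit, which is acceptable for a verbatim backport but worth a line in the References or a follow-up config commit message.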