Disable unprivileged BPF
Since upgrading to kernel 4.6, unprivileged users can use the bpf() syscall, which is a security concern, even with JIT disabled. Tails should set the kernel.unprivileged_bpf_disabled sysctl to 1. No programs on Tails use it, so this won't cause any regressions, and will increase security quite a bit.
Disable unprivileged BPF (refs: #11827).
Since upgrading to kernel 4.6, unprivileged users can use the bpf() syscall,
which is a security concern, even with JIT disabled. So we disable that.
This feature wasn't available before Linux 4.6, so disabling it should
not cause any regressions.
Thanks to "cypherpunks" for the suggestion.
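To make the recommended setting checkable, here is an added example, not code from the Tails project or from this ticket: a POSIX sh script that reports the current value of kernel.unprivileged_bpf_disabled (the sysctl named in the description), succeeds only when unprivileged bpf() is blocked, and writes a sysctl.d drop-in pinning the value to 1. The drop-in file name, the optional path arguments (there so the functions can be exercised against constructed files), and the handling of the value 2 (which only later kernels than the one discussed here accept) are this example's own choices.

```shell
#!/bin/sh
# Added example (not Tails code): check and enforce kernel.unprivileged_bpf_disabled = 1.
# Every path can be overridden so the functions can run against constructed files.

# Classify the current setting. Reads the sysctl's /proc/sys entry, or the file
# given as $1. Prints one word; returns 2 if the knob does not exist on this kernel.
bpf_unpriv_status() {
  f="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
  [ -r "$f" ] || { echo absent; return 2; }
  case "$(cat "$f")" in
    0) echo enabled ;;          # unprivileged bpf() allowed: the state the ticket flags
    1) echo disabled-locked ;;  # disabled, and cannot be set back to 0 until reboot
    2) echo disabled ;;         # newer kernels only: disabled, but may be re-enabled by root
    *) echo unknown ;;
  esac
}

# Succeed only if unprivileged bpf() is disabled (value 1 or 2).
bpf_unpriv_ok() {
  case "$(bpf_unpriv_status "$@")" in
    disabled|disabled-locked) return 0 ;;
    *) return 1 ;;
  esac
}

# Write a sysctl.d drop-in that applies the setting at boot. $1 is the target
# directory (default /etc/sysctl.d); the file name is this example's own choice.
write_sysctl_dropin() {
  dir="${1:-/etc/sysctl.d}"
  out="$dir/10-disable-unprivileged-bpf.conf"
  printf '%s\n' \
    '# Disable the bpf() syscall for unprivileged users (refs: Tails #11827).' \
    '# 1 = disabled and locked until reboot. BPF used by netfilter and seccomp is unaffected.' \
    'kernel.unprivileged_bpf_disabled = 1' > "$out"
  echo "$out"
}

# Read the configured value back out of a drop-in (for verification).
dropin_value() {
  sed -n 's/^[[:space:]]*kernel\.unprivileged_bpf_disabled[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$1"
}

# Manual usage:  sh bpf-hardening.sh check        -> prints status; exit 1 if still enabled
#                sh bpf-hardening.sh apply [dir]  -> writes the drop-in (then run: sysctl --system)
case "${1:-}" in
  check) bpf_unpriv_status; bpf_unpriv_ok ;;
  apply) write_sysctl_dropin "${2:-}" ;;
esac
```

After `apply`, the drop-in takes effect on the next boot or after `sysctl --system`; `check` can then be run from a build or test harness to confirm the image still boots with the value at 1. Because the value 1 cannot be reverted without a reboot, it is the right choice for a live system like Tails where nothing legitimately needs unprivileged bpf().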
#2 Updated by cypherpunks about 3 years ago
No programs on Tails use it, so this won't cause any regressions
May I ask how you've checked that?
Once this is clarified, I'm open to running our test suite with this sysctl turned on.
It's only used for things like network profiling in userspace, nothing that a Tails user would have or need. Plus, it wasn't available before Tails 2.6, so unless new network profiling tools were added to the kernel, removing it has no effect. Note that disabling bpf() does not mean disabling all BPF/eBPF. Netfilter still uses BPF, seccomp still uses BPF, etc. All it means is that userspace network profiling tools and such will not function.
#3 Updated by intrigeri about 3 years ago
- Status changed from New to Confirmed
- Assignee changed from cypherpunks to intrigeri
- Priority changed from Normal to Low
- Target version set to Tails_2.9.1
Thanks! I'll give it a try, possibly for 2.8, but I'll feel free to postpone to 2.10 or further if I'm short on time.