Feature #11827

Disable unprivileged BPF

Added by cypherpunks about 3 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 09/22/2016
Due date:
% Done: 100%
Feature Branch: feature/11827-disable-unprivileged-bpf
Type of work: Code
Blueprint:
Starter: No
Affected tool:

Description

Since upgrading to kernel 4.6, unprivileged users can use the bpf() syscall, which is a security concern, even with JIT disabled. Tails should set the kernel.unprivileged_bpf_disabled sysctl to 1. No programs on Tails use it, so this won't cause any regressions, and will increase security quite a bit.
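
As an added example (not part of the ticket or the Tails code base), the shell functions below check that the sysctl requested above is in effect at runtime and will still be set after a reboot. The sysctl.d fragment paths passed in are assumptions; the ticket does not say where Tails sets the value.

```shell
#!/bin/sh
# Added example, not Tails code. Paths are arguments so constructed files can be used.

# Runtime state read from the proc file. Prints: disabled | enabled | absent | unknown:<v>
bpf_runtime_state() {
    f="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    [ -r "$f" ] || { echo absent; return 0; }   # kernel does not expose the sysctl
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0)   echo enabled ;;    # unprivileged users may call bpf()
        1|2) echo disabled ;;   # 1 = locked until reboot; 2 = off, root may change it (newer kernels)
        *)   echo "unknown:$v" ;;
    esac
}

# Persistent value: the last assignment across the given sysctl.d-style fragments,
# read in the order given (later fragments override earlier ones).
# Accepts "kernel.x" or "kernel/x", an optional "-" prefix and spaces around "=";
# commented-out lines do not match. Prints the value, or "unset".
bpf_persisted_value() {
    val=unset
    for frag in "$@"; do
        [ -r "$frag" ] || continue
        found=$(sed -n -E \
            's@^[[:space:]]*-?kernel[./]unprivileged_bpf_disabled[[:space:]]*=[[:space:]]*([^[:space:]]*).*$@\1@p' \
            "$frag" | tail -n 1)
        [ -z "$found" ] || val=$found
    done
    echo "$val"
}

# Returns 0 only if bpf() is off for unprivileged users now AND stays off after reboot.
# $1 = proc file; remaining arguments = fragments in load order.
bpf_audit() {
    procfile=$1; shift
    runtime=$(bpf_runtime_state "$procfile")
    persisted=$(bpf_persisted_value "$@")
    echo "runtime=$runtime persisted=$persisted"
    [ "$runtime" = disabled ] || return 1
    case "$persisted" in 1|2) return 0 ;; *) return 1 ;; esac
}

# Usage (assumed fragment location):
#   bpf_audit /proc/sys/kernel/unprivileged_bpf_disabled /etc/sysctl.d/*.conf
```

A runtime value of `disabled` with a persisted value of `unset` or `0` means the setting was applied by hand and will be lost at the next boot.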

Associated revisions

Revision 62c9c348 (diff)
Added by intrigeri almost 3 years ago

Disable unprivileged BPF (refs: #11827).

Since upgrading to kernel 4.6, unprivileged users can use the bpf() syscall,
which is a security concern, even with JIT disabled. So we disable that.
This feature wasn't available before Linux 4.6, so disabling it should
not cause any regressions.

Thanks to "cypherpunks" for the suggestion.

Revision 7b944cda
Added by anonym almost 3 years ago

Merge remote-tracking branch 'origin/feature/11827-disable-unprivileged-bpf' into devel

Fix-committed: #11827

History

#1 Updated by intrigeri about 3 years ago

  • Assignee set to cypherpunks
  • QA Check set to Info Needed

> No programs on Tails use it, so this won't cause any regressions

May I ask how you've checked that?

Once this is clarified, I'm open to running our test suite with this sysctl turned on.

#2 Updated by cypherpunks about 3 years ago

intrigeri wrote:

> > No programs on Tails use it, so this won't cause any regressions
>
> May I ask how you've checked that?
>
> Once this is clarified, I'm open to running our test suite with this sysctl turned on.

It's only used for things like network profiling in userspace, nothing that a Tails user would have or need. Plus, it wasn't available before Tails 2.6, so unless new network profiling tools were added to the kernel, removing it has no effect. Note that disabling the bpf() does not mean disabling all BPF/eBPF. Netfilter still uses BPF, seccomp still uses BPF, etc. All it means is that userspace network profiling tools and such will not function.

#3 Updated by intrigeri about 3 years ago

  • Status changed from New to Confirmed
  • Assignee changed from cypherpunks to intrigeri
  • Priority changed from Normal to Low
  • Target version set to Tails_2.9.1

Thanks! I'll give it a try, possibly for 2.8, but I'll feel free to postpone to 2.10 or further if I'm short on time.

#4 Updated by intrigeri about 3 years ago

  • QA Check deleted (Info Needed)

#5 Updated by intrigeri almost 3 years ago

  • Feature Branch set to feature/11827-disable-unprivileged-bpf

#6 Updated by intrigeri almost 3 years ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

#7 Updated by intrigeri almost 3 years ago

  • Assignee changed from intrigeri to anonym
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA

Test suite looks good.

#8 Updated by intrigeri almost 3 years ago

  • Priority changed from Low to Normal

(Working on it in the first place was low prio, but now that it's done, merging is normal prio.)

#9 Updated by anonym almost 3 years ago

  • Target version changed from Tails_2.9.1 to Tails 2.10

#10 Updated by anonym almost 3 years ago

I bumped this feature to the new next major release (given 2.8 was cancelled).

#11 Updated by anonym almost 3 years ago

  • Assignee deleted (anonym)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

#12 Updated by anonym almost 3 years ago

  • Status changed from In Progress to Fix committed

#13 Updated by anonym over 2 years ago

  • Status changed from Fix committed to Resolved
