Bug#990411: systemd: set kernel.unprivileged_bpf_disabled = 1
Michael Biebl
biebl at debian.org
Mon Jun 28 14:37:58 BST 2021
On 28.06.21 at 14:52, Tomas Pospisek wrote:
> Package: systemd
> Version: 247.3-5
> Severity: wishlist
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
>
> Hi,
>
> TLDR:
>
> $ sudo sysctl kernel.unprivileged_bpf_disabled
> kernel.unprivileged_bpf_disabled = 0
>
> please disable unprivileged BPF by default, it seems that it
> is not safe to be allowed by default in the general case.
>
> I'm not sure if systemd is the right place to report this
> security/wishlist ticket against. I've chosen systemd because it
> ships `/etc/sysctl.d/99-sysctl.conf` which seems to me to be the
> nearest fit to where `kernel.unprivileged_bpf_disabled` should
> be set. Please reassign if there's a better package to stick
> this report to.

/etc/sysctl.d/99-sysctl.conf is just a symlink pointing at
99-sysctl.conf -> ../sysctl.conf

$ dpkg -S /etc/sysctl.conf
procps: /etc/sysctl.conf

tbh, I'd prefer the security or kernel team to make that judgement call.
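
To see which file actually decides `kernel.unprivileged_bpf_disabled` on a given machine, the following added example (not part of the original message, and not Debian's or systemd's code) walks sysctl.d-style directories under the precedence rules of sysctl.d(5) and prints the winning assignment. The function name `effective_sysctl` and the directory list passed to it are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): find the file whose assignment
# of a sysctl key wins under the sysctl.d(5) rules used by systemd-sysctl.
# A file in an earlier directory masks a same-named file in a later one; the
# remaining files are applied in lexical order of file name, last one wins.

# effective_sysctl KEY DIR...   (hypothetical helper name)
# Prints "VALUE<TAB>FILE" for the winning assignment; returns 1 if KEY is unset.
effective_sysctl() {
    key=$1; shift
    tab=$(printf '\t')
    result=$(
        for d in "$@"; do
            for f in "$d"/*.conf; do
                # -f follows symlinks such as 99-sysctl.conf -> ../sysctl.conf
                if [ -f "$f" ]; then printf '%s\t%s\n' "${f##*/}" "$f"; fi
            done
        done |
        awk -F'\t' '!seen[$1]++' |          # earlier directory masks later
        LC_ALL=C sort -t "$tab" -k1,1 |     # apply order: by file name
        cut -f2 |
        while IFS= read -r f; do
            awk -v k="$key" -v f="$f" '
                /^[ \t]*[#;]/ || /^[ \t]*$/ { next }    # comments, blank lines
                {
                    line = $0
                    sub(/^[ \t]*-?[ \t]*/, "", line)    # "-" = ignore errors
                    eq = index(line, "=")
                    if (eq == 0) next
                    name = substr(line, 1, eq - 1)
                    val = substr(line, eq + 1)
                    gsub(/[ \t]/, "", name)
                    gsub(/\//, ".", name)               # kernel/x == kernel.x
                    gsub(/^[ \t]+|[ \t]+$/, "", val)
                    if (name == k) print val "\t" f
                }' "$f"
        done | tail -n 1
    )
    [ -n "$result" ] || return 1
    printf '%s\n' "$result"
}

# Directories as listed in sysctl.d(5), highest precedence first.
effective_sysctl kernel.unprivileged_bpf_disabled \
    /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d ||
    echo "kernel.unprivileged_bpf_disabled is not set in any sysctl.d file"
```

Because `99-sysctl.conf` sorts late, a value in `/etc/sysctl.conf` overrides drop-ins with lower-numbered names; compare the reported value with `sysctl kernel.unprivileged_bpf_disabled` to confirm what the running kernel uses.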