Bug#990411: systemd: set kernel.unprivileged_bpf_disabled = 1
Tomas Pospisek
tpo_deb at sourcepole.ch
Wed Jun 30 19:33:01 BST 2021
reassign 990411 linux-image-5.10.0-7-amd64
-----
Thanks Michael, reassigning as proposed. Though I'm wondering (and not
finding) whether there would be a more general package to assign this
ticket to (such as linux-image-5.x or something).
Any thoughts on this problem in the security or the kernel team?
Thanks and greets to all of you!
*t
On Mon, 28 Jun 2021, Michael Biebl wrote:
> On 28.06.21 at 14:52, Tomas Pospisek wrote:
>> Package: systemd
>> Version: 247.3-5
>> Severity: wishlist
>> Tags: security
>> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
>>
>> Hi,
>>
>> TLDR:
>>
>> $ sudo sysctl kernel.unprivileged_bpf_disabled
>> kernel.unprivileged_bpf_disabled = 0
>>
>> please disable unprivileged BPF by default, it seems that it
>> is not safe to be allowed by default in the general case.
>>
>> I'm not sure if systemd is the right place to report this
>> security/wishlist ticket against. I've chosen systemd because it
>> ships `/etc/sysctl.d/99-sysctl.conf` which seems to me to be the
>> nearest fit to where `kernel.unprivileged_bpf_disabled` should
>> be set. Please reassign if there's a better package to stick
>> this report to.
>
> /etc/sysctl.d/99-sysctl.conf is just a symlink pointing at
> 99-sysctl.conf -> ../sysctl.conf
>
> $ dpkg -S /etc/sysctl.conf
> procps: /etc/sysctl.conf
>
> tbh, I'd prefer the security or kernel team to make that judgement call.
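
Added example, not part of the thread or of any Debian package: a shell function that reports which sysctl configuration file leaves the final value for `kernel.unprivileged_bpf_disabled`. It assumes the files are passed in the order they are applied, so the last assignment wins. The function names and the sample files under the temporary directory are constructed for illustration.

```shell
#!/bin/sh
KEY=kernel.unprivileged_bpf_disabled

# Print "<value> <file>" for the last assignment of key $1 found in the
# remaining arguments (sysctl config files, in the order they are applied).
# Prints nothing when no file sets the key.
configured_value() {
    key=$1; shift
    awk -v key="$key" '
        /^[ \t]*([#;]|$)/ { next }             # comment or blank line
        {
            eq = index($0, "=")
            if (eq == 0) next                   # not an assignment
            name = substr($0, 1, eq - 1)
            val  = substr($0, eq + 1)
            gsub(/^[ \t-]+|[ \t]+$/, "", name)  # trim; drop "-" (ignore-errors) prefix
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/\//, ".", name)               # accept kernel/foo spelling
            if (name == key) { found = val; src = FILENAME }
        }
        END { if (src != "") print found " " src }
    ' "$@"
}

# Turn a configured value into a short verdict.
describe() {
    case $1 in
        '') echo "not set by these files; kernel default applies" ;;
        0)  echo "unprivileged bpf() allowed" ;;
        *)  echo "unprivileged bpf() disabled" ;;
    esac
}

# Constructed sample files standing in for /etc/sysctl.d/*.conf
demo=$(mktemp -d)
printf '# constructed sample\nkernel.unprivileged_bpf_disabled = 0\n' \
    > "$demo/50-default.conf"
printf '; constructed hardening drop-in\n-kernel.unprivileged_bpf_disabled=1\n' \
    > "$demo/99-sysctl.conf"

result=$(configured_value "$KEY" "$demo/50-default.conf" "$demo/99-sysctl.conf")
echo "configured: ${result:-<unset>}"
echo "verdict:    $(describe "${result%% *}")"

# The running kernel's value, when the sysctl exists on this machine
if [ -r /proc/sys/kernel/unprivileged_bpf_disabled ]; then
    echo "runtime:    $(cat /proc/sys/kernel/unprivileged_bpf_disabled)"
fi
```

A mismatch between the configured and runtime values means the setting was changed after boot or the configuration has not been applied yet.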