davidlt
/
kernel-ark
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

bpf: Fix unprivileged_bpf_disabled setup 

There's recent change [1] that adds new config option and sets
unprivileged_bpf_disabled to 2 if the option is enabled
(CONFIG_BPF_UNPRIV_DEFAULT_OFF).

The current RHEL specific behaviour is to set unprivileged_bpf_disabled
to 1 by default and add boot command line argument to enable
unpriv bpf.

The config option is enabled in previous patch, adding the taint
for proc/sysctl unprivileged_bpf_disabled setup.

  # sysctl kernel.unprivileged_bpf_disabled
  kernel.unprivileged_bpf_disabled = 2
  # cat /proc/sys/kernel/tainted
  0
  # sysctl kernel.unprivileged_bpf_disabled=0
  [   45.751085] Unprivileged BPF has been enabled, tainting the kernel
  kernel.unprivileged_bpf_disabled = 0
  # sysctl kernel.unprivileged_bpf_disabled=1
  kernel.unprivileged_bpf_disabled = 1
  # sysctl kernel.unprivileged_bpf_disabled=0
  sysctl: setting key "kernel.unprivileged_bpf_disabled": Operation not permitted
  # sysctl kernel.unprivileged_bpf_disabled=2
  sysctl: setting key "kernel.unprivileged_bpf_disabled": Operation not permitted
  # cat /proc/sys/kernel/tainted
  2147483648

[1] 08389d8882 ("bpf: Add kconfig knob for disabling unpriv bpf by default")
[2] 607f0e89af7e ("bpf: set unprivileged_bpf_disabled to 1 by default, add a boot parameter")

Fixes: 607f0e89af7e ("bpf: set unprivileged_bpf_disabled to 1 by default, add a boot parameter")
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
This commit is contained in:
Jiri Olsa 2021-06-01 14:15:11 +02:00 committed by Justin M. Forbes
parent 9b983d6407
commit 4de19e7554
No known key found for this signature in database
GPG Key ID: B8FA7924A4B1C140
3 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Documentation/admin-guide/kernel-parameters.txt
View File

@ -5893,12 +5893,13 @@
[X86] Cause panic on unknown NMI.
unprivileged_bpf_disabled=
Format: { "0" | "1" }
Format: { "0" | "1" | "2" }
Sets the initial value of
kernel.unprivileged_bpf_disabled sysctl knob.
0 - unprivileged bpf() syscall access is enabled.
1 - unprivileged bpf() syscall access is disabled.
Default value is 1.
1 - unprivileged bpf() syscall access is disabled permanently.
2 - unprivileged bpf() syscall access is disabled.
Default value is 2.
usbcore.authorized_default=
[USB] Default USB device authorization:

3
kernel/bpf/syscall.c
View File

@ -51,9 +51,6 @@ static DEFINE_SPINLOCK(map_idr_lock);
static DEFINE_IDR(link_idr);
static DEFINE_SPINLOCK(link_idr_lock);
/* RHEL-only: default to 1 */
int sysctl_unprivileged_bpf_disabled __read_mostly = 1;
static int __init unprivileged_bpf_setup(char *str)
{
unsigned long disabled;

5
kernel/sysctl.c
View File

@ -243,6 +243,11 @@ static int bpf_unpriv_handler(struct ctl_table *table, int write,
if (write && !ret) {
if (locked_state && unpriv_enable != 1)
return -EPERM;
if (!unpriv_enable) {
pr_warn("Unprivileged BPF has been enabled, "
"tainting the kernel");
add_taint(TAINT_UNPRIVILEGED_BPF, LOCKDEP_STILL_OK);
}
*(int *)table->data = unpriv_enable;
}
return ret;