bpf: Fix unprivileged_bpf_disabled setup
There's a recent change [1] that adds a new config option and sets
unprivileged_bpf_disabled to 2 if the option is enabled
(CONFIG_BPF_UNPRIV_DEFAULT_OFF).
The current RHEL specific behaviour is to set unprivileged_bpf_disabled
to 1 by default and add boot command line argument to enable
unpriv bpf.
The config option is enabled in previous patch, adding the taint
for proc/sysctl unprivileged_bpf_disabled setup.
# sysctl kernel.unprivileged_bpf_disabled
kernel.unprivileged_bpf_disabled = 2
# cat /proc/sys/kernel/tainted
0
# sysctl kernel.unprivileged_bpf_disabled=0
[ 45.751085] Unprivileged BPF has been enabled, tainting the kernel
kernel.unprivileged_bpf_disabled = 0
# sysctl kernel.unprivileged_bpf_disabled=1
kernel.unprivileged_bpf_disabled = 1
# sysctl kernel.unprivileged_bpf_disabled=0
sysctl: setting key "kernel.unprivileged_bpf_disabled": Operation not permitted
# sysctl kernel.unprivileged_bpf_disabled=2
sysctl: setting key "kernel.unprivileged_bpf_disabled": Operation not permitted
# cat /proc/sys/kernel/tainted
2147483648
[1] 08389d8882
("bpf: Add kconfig knob for disabling unpriv bpf by default")
[2] 607f0e89af7e ("bpf: set unprivileged_bpf_disabled to 1 by default, add a boot parameter")
Fixes: 607f0e89af7e ("bpf: set unprivileged_bpf_disabled to 1 by default, add a boot parameter")
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
parent
9b983d6407
commit
4de19e7554
|
@ -5893,12 +5893,13 @@
|
|||
[X86] Cause panic on unknown NMI.
|
||||
|
||||
unprivileged_bpf_disabled=
|
||||
Format: { "0" | "1" }
|
||||
Format: { "0" | "1" | "2" }
|
||||
Sets the initial value of
|
||||
kernel.unprivileged_bpf_disabled sysctl knob.
|
||||
0 - unprivileged bpf() syscall access is enabled.
|
||||
1 - unprivileged bpf() syscall access is disabled.
|
||||
Default value is 1.
|
||||
1 - unprivileged bpf() syscall access is disabled permanently.
|
||||
2 - unprivileged bpf() syscall access is disabled.
|
||||
Default value is 2.
|
||||
|
||||
usbcore.authorized_default=
|
||||
[USB] Default USB device authorization:
|
||||
|
|
|
@ -51,9 +51,6 @@ static DEFINE_SPINLOCK(map_idr_lock);
|
|||
static DEFINE_IDR(link_idr);
|
||||
static DEFINE_SPINLOCK(link_idr_lock);
|
||||
|
||||
/* RHEL-only: default to 1 */
|
||||
int sysctl_unprivileged_bpf_disabled __read_mostly = 1;
|
||||
|
||||
static int __init unprivileged_bpf_setup(char *str)
|
||||
{
|
||||
unsigned long disabled;
|
||||
|
|
|
@ -243,6 +243,11 @@ static int bpf_unpriv_handler(struct ctl_table *table, int write,
|
|||
if (write && !ret) {
|
||||
if (locked_state && unpriv_enable != 1)
|
||||
return -EPERM;
|
||||
if (!unpriv_enable) {
|
||||
pr_warn("Unprivileged BPF has been enabled, "
|
||||
"tainting the kernel");
|
||||
add_taint(TAINT_UNPRIVILEGED_BPF, LOCKDEP_STILL_OK);
|
||||
}
|
||||
*(int *)table->data = unpriv_enable;
|
||||
}
|
||||
return ret;
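Review bot: The pr_warn() added in the `if (!unpriv_enable)` branch has no trailing newline, so the printk core must guess where the line ends; kernel convention is to terminate the message explicitly, and the split literal can be collapsed so the text stays greppable: `pr_warn("Unprivileged BPF has been enabled, tainting the kernel\n");`. As far as the hunk shows, the branch keys only on the value being written, so writing 0 when the knob is already 0 (or any write while the taint is already set) re-emits the warning and calls add_taint() again; if only the actual transition should log, compare against the value read before proc_dointvec_minmax(), which is outside this hunk. bpf_unpriv_handler() begins and ends outside the hunk.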
|
||||
|
|