8a03e56b25
Disabling unprivileged BPF would help prevent unprivileged users from
creating certain conditions required for potential speculative execution
side-channel attacks on unmitigated affected hardware.
A deep dive on such attacks and current mitigations is available here [0].
Sync with what many distros are currently applying already, and disable
unprivileged BPF by default. An admin can enable this at runtime, if
necessary, as described in 08389d8882 ("bpf: Add kconfig knob for
disabling unpriv bpf by default").
[0] "BPF and Spectre: Mitigating transient execution attacks", Daniel Borkmann, eBPF Summit '21
https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/bpf/0ace9ce3f97656d5f62d11093ad7ee81190c3c25.1635535215.git.pawan.kumar.gupta@linux.intel.com
2.8 KiB
SPDX-License-Identifier: GPL-2.0-only
BPF interpreter that, for example, classic socket filters depend on.
config BPF bool
Used by archs to tell that they support BPF JIT compiler plus which
flavour. Only one of the two can be selected for a specific arch since
eBPF JIT supersedes the cBPF JIT.
Classic BPF JIT (cBPF)
config HAVE_CBPF_JIT bool
Extended BPF JIT (eBPF)
config HAVE_EBPF_JIT bool
Used by archs to tell that they want the BPF JIT compiler enabled by
default for kernels that were compiled with BPF JIT support.
config ARCH_WANT_DEFAULT_BPF_JIT bool
menu "BPF subsystem"
config BPF_SYSCALL bool "Enable bpf() system call" select BPF select IRQ_WORK select TASKS_TRACE_RCU select BINARY_PRINTF select NET_SOCK_MSG if NET default n help Enable the bpf() system call that allows to manipulate BPF programs and maps via file descriptors.
config BPF_JIT bool "Enable BPF Just In Time compiler" depends on BPF depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT depends on MODULES help BPF programs are normally handled by a BPF interpreter. This option allows the kernel to generate native code when a program is loaded into the kernel. This will significantly speed-up processing of BPF programs.
Note, an admin should enable this feature changing:
/proc/sys/net/core/bpf_jit_enable
/proc/sys/net/core/bpf_jit_harden (optional)
/proc/sys/net/core/bpf_jit_kallsyms (optional)
config BPF_JIT_ALWAYS_ON bool "Permanently enable BPF JIT and remove BPF interpreter" depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT help Enables BPF JIT and removes BPF interpreter to avoid speculative execution of BPF instructions by the interpreter.
config BPF_JIT_DEFAULT_ON def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON depends on HAVE_EBPF_JIT && BPF_JIT
config BPF_UNPRIV_DEFAULT_OFF bool "Disable unprivileged BPF by default" default y depends on BPF_SYSCALL help Disables unprivileged BPF by default by setting the corresponding /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can still reenable it by setting it to 0 later on, or permanently disable it by setting it to 1 (from which no other transition to 0 is possible anymore).
Unprivileged BPF could be used to exploit certain potential
speculative execution side-channel vulnerabilities on unmitigated
affected hardware.
If you are unsure how to answer this question, answer Y.
source "kernel/bpf/preload/Kconfig"
config BPF_LSM bool "Enable BPF LSM Instrumentation" depends on BPF_EVENTS depends on BPF_SYSCALL depends on SECURITY depends on BPF_JIT help Enables instrumentation of the security hooks with BPF programs for implementing dynamic MAC and Audit Policies.
If you are unsure how to answer this question, answer N.
endmenu # "BPF subsystem"