| Field | Value | Date |
|---|---|---|
| author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2022-01-14 10:27:28 +0100 |
| committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2022-01-15 23:44:19 +0100 |
| commit | 3ee206291a20b2d18e651c77bf161ef42108901f (patch) | |
| tree | 9c3f242518f23d295a1a1e75dee82d86d7c0573f /nixos/doc/manual/from_md/release-notes/rl-2111.section.xml | |
| parent | d4cc90aea59dfc7738532cd10266f607e3f76e05 (diff) | |
| download | nixpkgs-3ee206291a20b2d18e651c77bf161ef42108901f.tar nixpkgs-3ee206291a20b2d18e651c77bf161ef42108901f.tar.gz nixpkgs-3ee206291a20b2d18e651c77bf161ef42108901f.tar.bz2 nixpkgs-3ee206291a20b2d18e651c77bf161ef42108901f.tar.lz nixpkgs-3ee206291a20b2d18e651c77bf161ef42108901f.tar.xz nixpkgs-3ee206291a20b2d18e651c77bf161ef42108901f.tar.zst nixpkgs-3ee206291a20b2d18e651c77bf161ef42108901f.zip | |
linux: enable BPF_UNPRIV_DEFAULT_OFF between 5.10 and 5.15
Disable unprivileged access to BPF syscalls to prevent denial of service and privilege escalation via a) potential speculative execution side-channel attacks on unmitigated hardware [0] or b) unvalidated memory access in ringbuffer helper functions [1].

Fixes: CVE-2021-4204, CVE-2022-23222

[0] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf
[1] https://www.openwall.com/lists/oss-security/2022/01/13/1
Diffstat (limited to 'nixos/doc/manual/from_md/release-notes/rl-2111.section.xml')
| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2111.section.xml | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml index 6b706e4aeaa..59da373f38e 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml @@ -1420,6 +1420,15 @@ Superuser created successfully. for those who want to have all RetroArch cores available. </para> </listitem> + <listitem> + <para> + The Linux kernel for security reasons now restricts access to + BPF syscalls via <literal>BPF_UNPRIV_DEFAULT_OFF=y</literal>. + Unprivileged access can be reenabled via the + <literal>kernel.unprivileged_bpf_disabled</literal> sysctl + knob. + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-21.11-notable-changes"> |
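Review bot: the added release-note paragraph does not say which kernel versions the restriction applies to, while the commit subject scopes it to "between 5.10 and 5.15"; a reader of the 21.11 notes cannot tell from this text whether the kernel they run is affected, so state the range in the paragraph (e.g. "Linux kernels 5.10 through 5.15 are now built with `BPF_UNPRIV_DEFAULT_OFF=y`"). Two smaller points on the same lines: "reenabled" should be "re-enabled", and since this file lives under `from_md/`, verify that the Markdown source it is generated from carries the same paragraph, otherwise the next regeneration of the XML will drop it.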