author: Martin Weinelt <hexa@darmstadt.ccc.de> 2022-01-14 10:27:28 +0100
committer: Martin Weinelt <hexa@darmstadt.ccc.de> 2022-01-15 23:44:19 +0100
commit: 3ee206291a20b2d18e651c77bf161ef42108901f (patch)
tree: 9c3f242518f23d295a1a1e75dee82d86d7c0573f /nixos/doc/manual
parent: d4cc90aea59dfc7738532cd10266f607e3f76e05 (diff)
linux: enable BPF_UNPRIV_DEFAULT_OFF between 5.10 and 5.15
Disable unprivileged access to BPF syscalls to prevent denial of service
and privilege escalation via

a) potential speculative execution side-channel attacks on unmitigated
hardware[0]

or

b) unvalidated memory access in ringbuffer helper functions[1].

Fixes: CVE-2021-4204, CVE-2022-23222

[0] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf
[1] https://www.openwall.com/lists/oss-security/2022/01/13/1
Diffstat (limited to 'nixos/doc/manual')
-rw-r--r-- nixos/doc/manual/from_md/release-notes/rl-2111.section.xml | 9
-rw-r--r-- nixos/doc/manual/release-notes/rl-2111.section.md | 2
2 files changed, 11 insertions, 0 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
index 6b706e4aeaa..59da373f38e 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -1420,6 +1420,15 @@ Superuser created successfully.
           for those who want to have all RetroArch cores available.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          The Linux kernel for security reasons now restricts access to
+          BPF syscalls via <literal>BPF_UNPRIV_DEFAULT_OFF=y</literal>.
+          Unprivileged access can be reenabled via the
+          <literal>kernel.unprivileged_bpf_disabled</literal> sysctl
+          knob.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
   <section xml:id="sec-release-21.11-notable-changes">
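Review bot: the new listitem does not say which kernels the restriction applies to, while the commit title limits it to kernels between 5.10 and 5.15; add that range to the sentence so readers on other kernel versions know whether it affects them. The sentence also says access "can be reenabled via the kernel.unprivileged_bpf_disabled sysctl knob" without giving the value: with BPF_UNPRIV_DEFAULT_OFF=y the sysctl boots as 2, and only 2 can be switched back to 0 (a value of 1 is permanent until reboot), so stating the value, e.g. `boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = 0;` in the NixOS configuration, keeps readers from writing 1 and locking themselves out. Spelling: "reenabled" should be "re-enabled". Since this from_md file is generated from the markdown release notes, the wording change belongs in rl-2111.section.md with the XML regenerated from it.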
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
index 48adc4ad33c..1b59842e020 100644
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -417,6 +417,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - `retroArchCores` has been removed. This means that using `nixpkgs.config.retroarch` to customize RetroArch cores is not supported anymore. Instead, use package overrides, for example: `retroarch.override { cores = with libretro; [ citra snes9x ]; };`. Also, `retroarchFull` derivation is available for those who want to have all RetroArch cores available.
 
+- The Linux kernel for security reasons now restricts access to BPF syscalls via `BPF_UNPRIV_DEFAULT_OFF=y`. Unprivileged access can be reenabled via the `kernel.unprivileged_bpf_disabled` sysctl knob.
+
 ## Other Notable Changes {#sec-release-21.11-notable-changes}
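Review bot: the added entry gives no reference for the change, while the commit message names CVE-2021-4204 and CVE-2022-23222 and two write-ups as the reason; linking at least the CVE identifiers in the release note lets an administrator judge the risk before deciding to re-enable unprivileged BPF. Same spelling point as in the generated XML: "reenabled" should be "re-enabled", and since this markdown file is the source, the fix goes here first.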