author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2022-01-14 10:27:28 +0100 |
---|---|---|
committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2022-01-15 23:44:19 +0100 |
commit | 3ee206291a20b2d18e651c77bf161ef42108901f (patch) | |
tree | 9c3f242518f23d295a1a1e75dee82d86d7c0573f /pkgs/os-specific/linux/kernel/common-config.nix | |
parent | d4cc90aea59dfc7738532cd10266f607e3f76e05 (diff) | |
linux: enable BPF_UNPRIV_DEFAULT_OFF between 5.10 and 5.15
Disable unprivileged access to BPF syscalls to prevent denial of service and privilege escalation via a) potential speculative execution side-channel attacks on unmitigated hardware[0] or b) unvalidated memory access in ringbuffer helper functions[1]. Fixes: CVE-2021-4204, CVE-2022-23222 [0] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf [1] https://www.openwall.com/lists/oss-security/2022/01/13/1
Diffstat (limited to 'pkgs/os-specific/linux/kernel/common-config.nix')
-rw-r--r-- | pkgs/os-specific/linux/kernel/common-config.nix | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 14afc85aa7c..93c6b390eb2 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -539,6 +539,7 @@ let
 UPROBE_EVENT = { optional = true; tristate = whenOlder "4.11" "y";};
 UPROBE_EVENTS = { optional = true; tristate = whenAtLeast "4.11" "y";};
 BPF_SYSCALL = whenAtLeast "4.4" yes;
+ BPF_UNPRIV_DEFAULT_OFF = whenBetween "5.10" "5.15" yes;
 BPF_EVENTS = whenAtLeast "4.4" yes;
 FUNCTION_PROFILER = yes;
 RING_BUFFER_BENCHMARK = no; |
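Review bot: The upper bound in `whenBetween "5.10" "5.15"` leaves the option unset on 5.15 and later (assuming the helper is exclusive at its upper end, which its definition outside this hunk would confirm), so the hardening on those kernels rests on the upstream Kconfig default rather than on nixpkgs pinning it, and a changed default or an overriding structured config would silently bring unprivileged BPF back. Pinning it for every kernel that has the symbol, `BPF_UNPRIV_DEFAULT_OFF = whenAtLeast "5.10" yes;`, would make the intent explicit in the same style as the `BPF_SYSCALL` line above it. As far as I recall this option only sets the initial value of the `kernel.unprivileged_bpf_disabled` sysctl without locking it, so a runtime sysctl can still re-enable unprivileged BPF; a short comment on the line would save the next reader from assuming it is a hard lock, e.g. `# Unprivileged BPF off by default (CVE-2021-4204, CVE-2022-23222); a runtime sysctl can still re-enable it`. The enclosing `let` attribute set begins and ends outside the hunk.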