[PATCH ebpf v3] bpf: Disallow unprivileged bpf by default

From: Pawan Gupta
Date: Fri Oct 29 2021 - 15:41:55 EST

Next message: Sean Christopherson: "Re: [PATCH] KVM: x86: Shove vp_bitmap handling down into sparse_set_to_vcpu_mask()"
Previous message: Bean Huo: "[PATCH v1 2/2] scsi: ufshpb: Delete ufshpb_set_write_buf_cmd()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Disabling unprivileged BPF would help prevent unprivileged users from
creating the conditions required for potential speculative execution
side-channel attacks on affected hardware. A deep dive on such attacks
and mitigation is available here [1].

Sync with what many distros are currently applying, disable unprivileged
BPF by default. An admin can enable this at runtime, if necessary.

[1] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@xxxxxxxxxxxxxxx>
---
v3:
- Drop the conditional default for CONFIG_BPF_UNPRIV_DEFAULT_OFF until
we have an arch generic way to determine arch-common spectre type bugs.
[Mark Rutland, Daniel Borkmann].
- Also drop the patch to Generalize ARM's CONFIG_CPU_SPECTRE.
- Minor changes to commit message.

v2: https://lore.kernel.org/lkml/cover.1635383031.git.pawan.kumar.gupta@xxxxxxxxxxxxxxx/
- Generalize ARM's CONFIG_CPU_SPECTRE to be available for all architectures.
- Make CONFIG_BPF_UNPRIV_DEFAULT_OFF depend on CONFIG_CPU_SPECTRE.
- Updated commit message to reflect the dependency on CONFIG_CPU_SPECTRE.
- Add reference to BPF spectre presentation in commit message.

v1: https://lore.kernel.org/all/d37b01e70e65dced2659561ed5bc4b2ed1a50711.1635367330.git.pawan.kumar.gupta@xxxxxxxxxxxxxxx/

kernel/bpf/Kconfig | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig
index a82d6de86522..73d446294455 100644
--- a/kernel/bpf/Kconfig
+++ b/kernel/bpf/Kconfig
@@ -64,6 +64,7 @@ config BPF_JIT_DEFAULT_ON

config BPF_UNPRIV_DEFAULT_OFF
bool "Disable unprivileged BPF by default"
+ default y
depends on BPF_SYSCALL
help
Disables unprivileged BPF by default by setting the corresponding
@@ -72,6 +73,10 @@ config BPF_UNPRIV_DEFAULT_OFF
disable it by setting it to 1 (from which no other transition to
0 is possible anymore).

+ Unprivileged BPF can be used to exploit potential speculative
+ execution side-channel vulnerabilities on affected hardware. If you
+ are concerned about it, answer Y.
+
source "kernel/bpf/preload/Kconfig"

config BPF_LSM
--
2.31.1

Next message: Sean Christopherson: "Re: [PATCH] KVM: x86: Shove vp_bitmap handling down into sparse_set_to_vcpu_mask()"
Previous message: Bean Huo: "[PATCH v1 2/2] scsi: ufshpb: Delete ufshpb_set_write_buf_cmd()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]