Re: [PATCH 4.9] bpf: Add kconfig knob for disabling unpriv bpf by default

On Sat, Feb 12, 2022 at 09:21:49PM +0000, Frank van der Linden wrote:
> From: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> 
> commit 08389d888287c3823f80b0216766b71e17f0aba5 upstream.
> 
> Add a kconfig knob which allows for unprivileged bpf to be disabled by default.
> If set, the knob sets /proc/sys/kernel/unprivileged_bpf_disabled to value of 2.
> 
> This still allows a transition of 2 -> {0,1} through an admin. Similarly,
> this also still keeps 1 -> {1} behavior intact, so that once set to permanently
> disabled, it cannot be undone aside from a reboot.
> 
> We've also added extra2 with max of 2 for the procfs handler, so that an admin
> still has a chance to toggle between 0 <-> 2.
> 
> Either way, as an additional alternative, applications can make use of CAP_BPF
> that we added a while ago.
> 
> Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
> Link: https://lore.kernel.org/bpf/74ec548079189e4e4dffaeb42b8987bb3c852eee.1620765074.git.daniel@xxxxxxxxxxxxx
> [fllinden@xxxxxxxxxx: backported to 4.9]
> Signed-off-by: Frank van der Linden <fllinden@xxxxxxxxxx>
> ---
>  Documentation/sysctl/kernel.txt | 21 +++++++++++++++++++++
>  init/Kconfig                    | 10 ++++++++++
>  kernel/bpf/syscall.c            |  3 ++-
>  kernel/sysctl.c                 | 29 +++++++++++++++++++++++++----
>  4 files changed, 58 insertions(+), 5 deletions(-)

Now queued up, thanks.

greg k-h
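
Added example, not part of the original thread or the kernel patch: a shell model of the write rules the commit message describes for /proc/sys/kernel/unprivileged_bpf_disabled, showing what a sequence of admin writes leaves in effect. The function names knob_write, knob_replay and knob_meaning are made up for this illustration, and the assumption that a value of 0 accepts a write of 0, 1 or 2 comes from the upstream handler rather than from the message text.

```shell
#!/bin/sh
# Model of the unprivileged_bpf_disabled sysctl transitions (illustration only,
# not kernel code). Values: 0, 1, 2 as described in the commit message.

# knob_write CUR NEW: print the value held after an admin writes NEW while the
# knob is CUR. Exit status 1 means the write is refused and CUR stays in place.
knob_write() {
    case "$2" in
        0|1|2) ;;                 # handler range is 0..2 (extra2 max of 2)
        *) return 1 ;;
    esac
    if [ "$1" = 1 ] && [ "$2" != 1 ]; then
        return 1                  # 1 -> {1}: permanent until reboot
    fi
    printf '%s\n' "$2"
}

# knob_replay START WRITE...: apply each admin write in order, starting from
# the boot-time value START; refused writes leave the value unchanged.
knob_replay() {
    state=$1
    shift
    for w in "$@"; do
        if next=$(knob_write "$state" "$w"); then
            state=$next
        fi
    done
    printf '%s\n' "$state"
}

# knob_meaning VALUE: one-line description of a knob value.
knob_meaning() {
    case "$1" in
        0) echo "unprivileged bpf enabled" ;;
        1) echo "unprivileged bpf disabled until reboot" ;;
        2) echo "unprivileged bpf disabled, admin may still write 0 or 1" ;;
        *) echo "unknown value" ;;
    esac
}

# Report the live value when the sysctl exists on this machine.
knob_file=/proc/sys/kernel/unprivileged_bpf_disabled
if [ -r "$knob_file" ]; then
    v=$(cat "$knob_file")
    echo "current: $v ($(knob_meaning "$v"))"
fi
```

For instance, `knob_replay 2 0` models a boot-time default of 2 followed by a configuration write of 0, which leaves unprivileged bpf enabled; auditing for such a write is the reason to replay the sequence rather than trust the kconfig default.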