Package: release-notes
Severity: normal
X-Debbugs-Cc: car...@debian.org,debian-ker...@lists.debian.org
Hi

There is no pressure on including this but it might be worth documenting the default change for unprivileged calls to bpf() to be disabled in the release notes for Debian 11 (bullseye). Attached is a corresponding patch proposal for the wording.

Regards,
Salvatore
>From d120af71a5a1bc590511a193b7ae790febc38c5c Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso <car...@debian.org> Date: Wed, 4 Aug 2021 07:02:08 +0200 Subject: [PATCH] Document default change for unprivileged calls to bpf() Starting in src:linux 5.10.46-4 Linux disables unprivileged calls to bpf() by default. Document the fact in the release notes and explain on how to revert to keep unprivileged calls to bpf() enabled. Reference the Debian bug asking for implementing the change as additional hardening for BPF related security issues. Signed-off-by: Salvatore Bonaccorso <car...@debian.org> --- en/issues.dbk | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/en/issues.dbk b/en/issues.dbk index f708c325c6a3..29221aba56e9 100644 --- a/en/issues.dbk +++ b/en/issues.dbk @@ -322,6 +322,28 @@ user.max_user_namespaces = 0 </para> </section> + <section id="linux-unprivileged-bpf"> + <title>Linux disables unprivileged calls to bpf() by default</title> + <para> + From <literal>Linux</literal> 5.10, Debian disables unprivileged + calls to bpf() by default. However, an admin can still change this + setting later on, if needed, by writing 0 or 1 to the + <literal>kernel.unprivileged_bpf_disabled</literal> sysctl. + </para> + <para> + If you prefer to keep unprivileged calls to bpf() enabled, set + the sysctl: + </para> + <programlisting> +kernel.unprivileged_bpf_disabled = 0 + </programlisting> + <para> + For background on the change as default in Debian see + <ulink url="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990411"> + the change request</ulink>. + </para> + </section> + <section id="redmine"> <!-- buster to bullseye --> <title>redmine missing in bullseye</title> -- 2.32.0
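Review bot: the first added <para> says "From <literal>Linux</literal> 5.10, Debian disables unprivileged calls to bpf() by default", but the commit message pins the change to src:linux 5.10.46-4; earlier 5.10 uploads still allowed unprivileged bpf(), so the release-notes text should name the package version (e.g. "Starting with <literal>linux</literal> 5.10.46-4, ...") so that readers already running a bullseye kernel know whether the change applies to them. In the same paragraph, "by writing 0 or 1 to the <literal>kernel.unprivileged_bpf_disabled</literal> sysctl" sits awkwardly next to a <programlisting> that shows only `kernel.unprivileged_bpf_disabled = 0`: the section is about keeping unprivileged calls enabled, so either drop "or 1" or say explicitly which value does what, and mention where the setting is made persistent (the same place the preceding `user.max_user_namespaces = 0` example is applied). A style point: the neighbouring `<section id="redmine"> <!-- buster to bullseye -->` carries a release-marker comment, and the new `<section id="linux-unprivileged-bpf">` should carry the same comment for consistency.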