From ba19953a40bc5baf9127a2f3426fecc4ec8040ab Mon Sep 17 00:00:00 2001
From: Leah Neukirchen
Date: Thu, 22 Apr 2021 16:35:21 +0200
Subject: [PATCH] base-files: disable unprivileged eBPF by default.

eBPF allowed a fair amount of local privilege escalation in the past, disallow it for ordinary users by default.
---
 srcpkgs/base-files/files/bpf.conf | 2 ++
 srcpkgs/base-files/files/sysctl.conf | 2 +-
 srcpkgs/base-files/template | 3 ++-
 3 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 srcpkgs/base-files/files/bpf.conf

diff --git a/srcpkgs/base-files/files/bpf.conf b/srcpkgs/base-files/files/bpf.conf
new file mode 100644
index 000000000000..faefda3b8d0e
--- /dev/null
+++ b/srcpkgs/base-files/files/bpf.conf
@@ -0,0 +1,2 @@
+# Block unprivileged use of eBPF
+kernel.unprivileged_bpf_disabled=1
diff --git a/srcpkgs/base-files/files/sysctl.conf b/srcpkgs/base-files/files/sysctl.conf
index 1e1a2768d677..c8e9eaec96be 100644
--- a/srcpkgs/base-files/files/sysctl.conf
+++ b/srcpkgs/base-files/files/sysctl.conf
@@ -2,7 +2,7 @@
 # User-alterable options are in 10-void-user.conf.
 
 # Append the PID to the core filename
-kernel.core_uses_pid = 1
+kernel.core_uses_pid=1
 
 # Enable hard and soft link protection
 fs.protected_hardlinks=1
diff --git a/srcpkgs/base-files/template b/srcpkgs/base-files/template
index ff629498408b..758cd54ad147 100644
--- a/srcpkgs/base-files/template
+++ b/srcpkgs/base-files/template
@@ -1,6 +1,6 @@
 # Template file for 'base-files'
 pkgname=base-files
-version=0.141
+version=0.142
 revision=11
 bootstrap=yes
 depends="xbps-triggers"
@@ -75,6 +75,7 @@ do_install() {
 	# sysctl(8) files
 	vinstall ${FILESDIR}/sysctl.conf 644 usr/lib/sysctl.d 10-void.conf
 	vinstall ${FILESDIR}/sysctl-user.conf 644 usr/lib/sysctl.d 10-void-user.conf
+	vinstall ${FILESDIR}/bpf.conf 644 usr/lib/sysctl.d 20-bpf.conf
 
 	# Install common licenses, from Debian.
 	vmkdir usr/share/licenses
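Review bot: The `kernel.unprivileged_bpf_disabled=1` line in the new bpf.conf is a one-way switch: once the kernel has accepted 1, a later write of 0 is refused until reboot, so the usual way of overriding a distribution default from a later-sorted file in /etc/sysctl.d (or from 10-void-user.conf, which sorts before 20-bpf.conf and is therefore applied first) will not re-enable unprivileged BPF. The file should say so, since nothing in the commit tells an administrator how to opt out; a comment such as `# NOTE: once set to 1 this cannot be reset to 0 until reboot; to keep unprivileged eBPF, mask this file (e.g. link /etc/sysctl.d/20-bpf.conf to /dev/null) rather than override the value` above the setting would do. On kernels that support it, the value 2 disables unprivileged BPF at boot while still letting CAP_SYS_ADMIN re-enable it at runtime, which may be the friendlier default for a distribution, but whether Void's kernel is new enough for that is not visible here. Whether Void's sysctl loader honours masking of a same-named /usr/lib/sysctl.d file from /etc/sysctl.d is also not visible in this hunk, so the exact opt-out path should be confirmed before documenting it.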