From 22c83929afefc3e9afeecad4c203079489400d73 Mon Sep 17 00:00:00 2001
From: Leah Neukirchen
Date: Thu, 22 Apr 2021 16:35:21 +0200
Subject: [PATCH] base-files: disable unprivileged eBPF by default.

eBPF allowed a fair amount of local privilege escalation in the past, disallow it for ordinary users by default.
---
 srcpkgs/base-files/files/sysctl.conf | 5 ++++-
 srcpkgs/base-files/template | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/srcpkgs/base-files/files/sysctl.conf b/srcpkgs/base-files/files/sysctl.conf
index 1e1a2768d677..7b73ee862b4e 100644
--- a/srcpkgs/base-files/files/sysctl.conf
+++ b/srcpkgs/base-files/files/sysctl.conf
@@ -2,7 +2,7 @@
 # User-alterable options are in 10-void-user.conf.
 
 # Append the PID to the core filename
-kernel.core_uses_pid = 1
+kernel.core_uses_pid=1
 
 # Enable hard and soft link protection
 fs.protected_hardlinks=1
@@ -13,3 +13,6 @@ kernel.kptr_restrict=1
 
 # Block non-uid-0 kernel profiling
 kernel.perf_event_paranoid=2
+
+# Block unprivileged use of eBPF
+kernel.unprivileged_bpf_disabled=1
diff --git a/srcpkgs/base-files/template b/srcpkgs/base-files/template
index ff629498408b..9ced039de8d9 100644
--- a/srcpkgs/base-files/template
+++ b/srcpkgs/base-files/template
@@ -1,6 +1,6 @@
 # Template file for 'base-files'
 pkgname=base-files
-version=0.141
+version=0.142
 revision=11
 bootstrap=yes
 depends="xbps-triggers"
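Review bot: The new `kernel.unprivileged_bpf_disabled=1` line in the second sysctl.conf hunk is a one-way switch — once the kernel has accepted 1, a later write of 0 is rejected until reboot — and the added comment does not say so, although the file header points users at 10-void-user.conf for overrides. I would extend the comment to `# Block unprivileged use of eBPF (one-way: cannot be re-enabled without a reboot)` so an administrator who needs unprivileged BPF knows their override must be applied before this file rather than after it; whether 10-void-user.conf sorts before or after this file is not visible in the patch, so that ordering should be confirmed. The key only exists on kernels built with BPF syscall support, so on a kernel without it the loader will report an unknown key for this line, as it presumably already does for the existing `kernel.perf_event_paranoid` entry when perf is absent — worth a note if such kernels are supported. The first hunk is whitespace normalisation only and the template change is the version bump, so they raise nothing.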