Feature #11827

Disable unprivileged BPF

Added by cypherpunks 2016-09-23 00:20:19. Updated 2017-01-24 20:42:48.

Status: Resolved
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2016-09-22
Due date:
% Done: 100%
Feature Branch: feature/11827-disable-unprivileged-bpf
Type of work: Code
Blueprint:
Starter: 0
Affected tool:
Deliverable for:

Description

Since upgrading to kernel 4.6, unprivileged users can use the bpf() syscall, which is a security concern, even with JIT disabled. Tails should set the kernel.unprivileged_bpf_disabled sysctl to 1. No programs on Tails use it, so this won’t cause any regressions, and will increase security quite a bit.
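
As an added example (not part of the ticket or of Tails' own code), a shell audit of the sysctl requested above: it reports the value a sysctl.d-style directory will apply at boot and the value the running kernel currently has. The function names, the single-directory simplification and the sample file names are assumptions of this example.

```shell
#!/bin/sh
# Added example: is unprivileged bpf() disabled, now and after reboot?
KEY=kernel.unprivileged_bpf_disabled

# Value a sysctl.d-style directory assigns to $KEY (last assignment wins, files
# in lexical order); prints nothing if unset. Assumption: a single directory,
# whereas systemd-sysctl also merges /run/sysctl.d and /usr/lib/sysctl.d.
configured_value() {
    dir=$1
    set -- "$dir"/*.conf
    [ -e "$1" ] || return 0                # no drop-in files at all
    awk -v key="$KEY" '
        /^[ \t]*([#;]|$)/ { next }         # comments and blank lines
        {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            sub(/^-/, "", k)               # "-key" means: ignore write errors
            gsub("/", ".", k)              # sysctl also accepts kernel/foo
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$@"
}

# Running kernel value; prints "absent" where the knob does not exist.
# The optional argument (a stand-in file for testing) belongs to this example.
runtime_value() {
    f=${1:-/proc/sys/kernel/unprivileged_bpf_disabled}
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Succeeds only when both the persistent config and the running kernel say 1,
# the value the ticket asks for.
audit() {
    conf=$(configured_value "$1"); run=$(runtime_value "$2")
    echo "config=${conf:-unset} runtime=$run"
    [ "$conf" = 1 ] && [ "$run" = 1 ]
}

# Demo on constructed input: an early drop-in leaves bpf() open, a later one closes it.
demo=$(mktemp -d)
printf 'kernel.unprivileged_bpf_disabled = 0\n' > "$demo/10-default.conf"
printf '# hardening\nkernel/unprivileged_bpf_disabled=1\n' > "$demo/90-bpf.conf"
audit "$demo" || echo "not hardened (config or running kernel differs from 1)"
rm -rf "$demo"
```

Writing 1 at runtime is one-way: the kernel refuses to set the value back to 0 until reboot.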

History

#1 Updated by intrigeri 2016-09-24 01:39:26

  • Assignee set to cypherpunks
  • QA Check set to Info Needed

> No programs on Tails use it, so this won’t cause any regressions

May I ask how you’ve checked that?

Once this is clarified, I’m open to running our test suite with this sysctl turned on.

#2 Updated by cypherpunks 2016-09-24 02:52:31

intrigeri wrote:
> > No programs on Tails use it, so this won’t cause any regressions
>
> May I ask how you’ve checked that?
>
> Once this is clarified, I’m open to running our test suite with this sysctl turned on.

It’s only used for things like network profiling in userspace, nothing that a Tails user would have or need. Plus, it wasn’t available before Tails 2.6, so unless new network profiling tools were added to the kernel, removing it has no effect. Note that disabling bpf() does not mean disabling all BPF/eBPF. Netfilter still uses BPF, seccomp still uses BPF, etc. All it means is that userspace network profiling tools and such will not function.

#3 Updated by intrigeri 2016-09-24 03:28:45

  • Status changed from New to Confirmed
  • Assignee changed from cypherpunks to intrigeri
  • Priority changed from Normal to Low
  • Target version set to Tails_2.9.1

Thanks! I’ll give it a try, possibly for 2.8, but I’ll feel free to postpone to 2.10 or further if I’m short on time.

#4 Updated by intrigeri 2016-09-24 05:50:00

  • QA Check deleted (Info Needed)

#5 Updated by intrigeri 2016-11-10 12:47:05

  • Feature Branch set to feature/11827-disable-unprivileged-bpf

#6 Updated by intrigeri 2016-11-10 15:57:12

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

#7 Updated by intrigeri 2016-11-11 09:30:09

  • Assignee changed from intrigeri to anonym
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA

Test suite looks good.

#8 Updated by intrigeri 2016-11-11 09:30:41

  • Priority changed from Low to Normal

(Working on it in the first place was low prio, but now that it’s done, merging is normal prio.)

#9 Updated by anonym 2016-11-25 13:18:05

  • Target version changed from Tails_2.9.1 to Tails 2.10

#10 Updated by anonym 2016-11-25 13:26:46

I bumped this feature to the new next major release (given 2.8 was cancelled).

#11 Updated by anonym 2016-11-28 17:20:50

  • Assignee deleted (anonym)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

#12 Updated by anonym 2016-11-29 04:08:38

  • Status changed from In Progress to Fix committed

Applied in changeset commit:7b944cda88f3de2ef6694d5617dbf30f28cd4873.

#13 Updated by anonym 2017-01-24 20:42:48

  • Status changed from Fix committed to Resolved