Disable unprivileged BPF
Since upgrading to kernel 4.6, unprivileged users can use the bpf() syscall, which is a security concern, even with JIT disabled. Tails should set the kernel.unprivileged_bpf_disabled sysctl to 1. No programs on Tails use it, so this won’t cause any regressions, and will increase security quite a bit.
#2 Updated by cypherpunks 2016-09-24 02:52:31
> > No programs on Tails use it, so this won’t cause any regressions
> May I ask how you’ve checked that?
> Once this is clarified, I’m open to running our test suite with this sysctl turned on.
It’s only used for things like network profiling in userspace, nothing that a Tails user would have or need. Plus, it wasn’t available before Tails 2.6, so unless new network profiling tools were added to the kernel, removing it has no effect. Note that disabling the bpf() syscall does not mean disabling all BPF/eBPF. Netfilter still uses BPF, seccomp still uses BPF, etc. All it means is that userspace network profiling tools and such will not function.
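A way to verify that the sysctl from the ticket actually takes effect, as an added example that is not part of this ticket or of Tails: run it as an unprivileged user and it reports whether a minimal bpf() map creation is refused with EPERM (the expected result with kernel.unprivileged_bpf_disabled=1), allowed, or unavailable. The command and map-type constants are the Linux uapi values; the struct mirrors only the leading fields of union bpf_attr that BPF_MAP_CREATE reads.

```c
// Added example (not from the Tails ticket): probe whether bpf() is reachable
// from the calling process. With kernel.unprivileged_bpf_disabled=1 a user
// without CAP_SYS_ADMIN gets EPERM; root still succeeds.
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#define PROBE_BPF_MAP_CREATE     0  /* bpf() command BPF_MAP_CREATE (uapi) */
#define PROBE_BPF_MAP_TYPE_ARRAY 2  /* BPF_MAP_TYPE_ARRAY (uapi) */

/* Leading fields of union bpf_attr for BPF_MAP_CREATE; the kernel treats
 * the omitted trailing fields as zero when a shorter size is passed. */
struct probe_map_attr {
    uint32_t map_type;
    uint32_t key_size;
    uint32_t value_size;
    uint32_t max_entries;
};

/* Turn a bpf() return value and errno into a verdict about the sysctl. */
const char *classify_bpf_result(long ret, int err) {
    if (ret >= 0)      return "bpf() allowed: unprivileged_bpf_disabled is not in effect";
    if (err == EPERM)  return "bpf() denied (EPERM): unprivileged BPF is disabled for this user";
    if (err == ENOSYS) return "bpf() unavailable (ENOSYS): kernel or sandbox lacks the syscall";
    return "bpf() failed for another reason";
}

/* Attempt the smallest possible map; close the fd if it unexpectedly succeeds. */
const char *probe_unprivileged_bpf(void) {
#ifdef __NR_bpf
    struct probe_map_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.map_type = PROBE_BPF_MAP_TYPE_ARRAY;
    attr.key_size = 4; attr.value_size = 4; attr.max_entries = 1;
    long ret = syscall(__NR_bpf, PROBE_BPF_MAP_CREATE, &attr, sizeof attr);
    int err = errno;            /* capture before any other call clobbers it */
    if (ret >= 0) close((int)ret);
    return classify_bpf_result(ret, err);
#else
    return classify_bpf_result(-1, ENOSYS);  /* non-Linux build */
#endif
}

int main(void) {
    puts(probe_unprivileged_bpf());
    return 0;
}
```

Seeing "allowed" while running as a normal user means the sysctl is not set (or was set after the kernel already honoured a value of 0 for this boot); seccomp or container filters can turn the result into EPERM or ENOSYS independently of the sysctl, so check the /proc/sys value too before drawing conclusions.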
#3 Updated by intrigeri 2016-09-24 03:28:45
- Status changed from New to Confirmed
- Assignee changed from cypherpunks to intrigeri
- Priority changed from Normal to Low
- Target version set to Tails_2.9.1
Thanks! I’ll give it a try, possibly for 2.8, but I’ll feel free to postpone to 2.10 or further if I’m short on time.