Bug #15094

Mitigate BPF security issues on our infrastructure

Added by intrigeri 2017-12-23 08:48:30. Updated 2017-12-26 10:40:01.

Status: Resolved
Priority: Low
Assignee:
Category: Infrastructure
Target version:
Start date: 2017-12-23
Due date:
% Done: 100%
Feature Branch: puppet-tails
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

https://www.decadent.org.uk/ben/blog/bpf-security-issues-in-debian.html

Seems important (at least LPE and probably remotely exploitable given Ben blogged about it; public exploit is in the wild) and super cheap to implement now (and waiting won’t make it any cheaper).
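The check a sysadmin would want before and after deploying the sysctl change, as an added example (not Tails' or puppet-tails code). The ticket names no sysctl key; the script assumes the one the linked post recommends, kernel.unprivileged_bpf_disabled=1. It compares the value the running kernel uses with the value the persistent sysctl files would apply at boot, which is exactly the gap hit in comment #6 below, where the Puppet-managed config did not land and the value had to be set by hand. The function names and the sample config files in the usage notes are mine.

```sh
#!/bin/sh
# Added example (not Tails' or puppet-tails code): audit the BPF mitigation.
# Assumption: the knob meant is kernel.unprivileged_bpf_disabled=1, the
# setting the linked post recommends; the ticket itself names no key.
set -eu

KEY="kernel.unprivileged_bpf_disabled"

# Value the running kernel uses right now, or "absent" when this kernel
# exposes no such knob (e.g. built without BPF syscall support).
running_value() {
    f="/proc/sys/$(printf '%s' "$KEY" | tr . /)"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# Value the persistent configuration would apply at boot. sysctl --system
# reads its files in order and the last assignment of a key wins, so the
# same rule is applied here. Comments, blank lines and whitespace around
# '=' are tolerated; prints "unset" when no file assigns KEY.
configured_value() {
    val=unset
    for f in "$@"; do
        [ -r "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                ''|'#'*|';'*) continue ;;
            esac
            k=$(printf '%s' "$line" | cut -d= -f1 | tr -d '[:space:]')
            v=$(printf '%s' "$line" | cut -d= -f2- | tr -d '[:space:]')
            if [ "$k" = "$KEY" ]; then
                val=$v
            fi
        done < "$f"
    done
    echo "$val"
}

# Verdict from a running value and a configured value:
#   ok           both disable unprivileged BPF
#   unmitigated  they agree, but neither is 1
#   drift        they disagree: typically the config never landed (the
#                case in comment #6) or it landed but was not applied yet
audit() {
    if [ "$1" = 1 ] && [ "$2" = 1 ]; then
        echo ok
    elif [ "$1" = "$2" ]; then
        echo unmitigated
    else
        echo drift
    fi
}

# On a host: ./bpf-audit.sh --report
if [ "${1:-}" = --report ]; then
    run=$(running_value)
    cfg=$(configured_value /etc/sysctl.conf /etc/sysctl.d/*.conf)
    echo "running=$run configured=$cfg verdict=$(audit "$run" "$cfg")"
fi
```

Two caveats worth knowing when reading the verdict: a drift with running=1 and configured=0 or unset is the state comment #6 left the hosts in (mitigated until the next reboot only), and once the kernel has accepted a 1 for this key it refuses to go back to 0 without a reboot, so a hand-applied value cannot be "undone" to test the Puppet path; reboot or check a fresh host instead.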


Related issues

Related to Tails - Bug #15095: Mitigate BPF security issues Rejected 2018-06-11
Blocks Tails - Feature #13242: Core work: Sysadmin (Maintain our already existing services) Confirmed 2017-06-29

History

#1 Updated by intrigeri 2017-12-23 08:49:24

  • Subject changed from Mitigate BPF security issues to Mitigate BPF security issues on our infrastructure

#2 Updated by intrigeri 2017-12-23 08:50:30

  • related to Bug #15095: Mitigate BPF security issues added

#3 Updated by intrigeri 2017-12-23 08:50:51

  • blocks Feature #13242: Core work: Sysadmin (Maintain our already existing services) added

#4 Updated by intrigeri 2017-12-23 13:34:34

Hint: grep sysctl::value in puppet-tails :)

#5 Updated by groente 2017-12-23 21:07:33

  • Assignee changed from bertagaz to groente
  • Feature Branch set to puppet-tails

#6 Updated by groente 2017-12-23 21:36:19

  • Assignee changed from groente to bertagaz

Odd, I thought 99fcfed91a942f1cf34592c2a04d806a3e13f153 would’ve fixed this, but that didn’t have much effect. I ran sysctl manually on all systems, so we’re good till the next reboot. Handing the ticket back to you!

#7 Updated by groente 2017-12-25 19:33:33

  • Priority changed from Urgent to Low
  • QA Check set to Info Needed

The problem seems fixed with the last kernel update, but if you have some suggestion as to why my last commit didn’t result in any changes coming through in /etc/sysctl.conf, that would be much appreciated. Thanks!

#8 Updated by bertagaz 2017-12-26 10:40:01

  • Status changed from Confirmed to Resolved
  • Assignee deleted (bertagaz)
  • % Done changed from 0 to 100

groente wrote:
> The problem seems fixed with the last kernel update, but if you have some suggestion as to why my last commit didn’t result in any changes coming through in /etc/sysctl.conf, that would be much appreciated. Thanks!

New kernel has been installed and all systems rebooted, so closing this ticket. I’ve left groente’s change deployed, as I don’t think we need or use this kernel feature.

Indeed your change did not apply in production. That’s because you committed the right thing into the puppet-tails submodule, but did not update this submodule in the main puppet Git repo. See commit dedcbaa in the puppet-lizard-manifests Git repo.
Without this commit in the main repo updating the reference commit used for the puppet-tails submodule, our puppet has no clue it should deploy your last change. Only once you push such a commit is your change in a submodule applied when you run puppet agent.
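The superproject/submodule gap bertagaz describes, reproduced in throwaway repositories and then fixed the way comment #8 says, as an added example (not Tails' code). The repository names stand in for puppet-lizard-manifests (the superproject) and puppet-tails (the submodule), the file written into the submodule is illustrative only, and the helper names are mine.

```sh
#!/bin/sh
# Added example (not Tails' code): reproduce the submodule pitfall from
# comment #8 in throwaway repositories, then apply the fix. The repo names
# stand in for puppet-lizard-manifests (superproject) and puppet-tails
# (submodule); the file content is illustrative only.
set -eu

# git wrapper with a fixed identity and the settings a scripted demo needs.
# protocol.file.allow=always is required since git 2.38.1 to add a
# submodule from a local path; git passes -c settings down to the
# subcommands it spawns.
g() {
    git -c user.name=demo -c user.email=demo@example.invalid \
        -c init.defaultBranch=main -c protocol.file.allow=always \
        -c advice.detachedHead=false "$@"
}

# Create the two repositories; print the superproject's path.
setup() {
    work=$(mktemp -d)
    g init -q "$work/puppet-tails"
    ( cd "$work/puppet-tails" \
      && printf 'unprivileged_bpf_disabled = 0\n' > bpf.conf \
      && g add bpf.conf && g commit -q -m "initial" )
    g init -q "$work/puppet-lizard-manifests"
    ( cd "$work/puppet-lizard-manifests" \
      && printf 'superproject\n' > README \
      && g add README && g commit -q -m "initial" \
      && g submodule add -q "$work/puppet-tails" puppet-tails \
      && g commit -q -m "add puppet-tails submodule" )
    echo "$work/puppet-lizard-manifests"
}

# What comment #6 did: commit inside the submodule only.
change_submodule() {
    ( cd "$1/puppet-tails" \
      && printf 'unprivileged_bpf_disabled = 1\n' > bpf.conf \
      && g commit -q -am "disable unprivileged BPF" )
}

# Submodule commit recorded in the superproject's HEAD: this is all a
# fresh checkout of the superproject (and so puppet agent) will ever see.
recorded_commit() {
    ( cd "$1" && g rev-parse "HEAD:puppet-tails" )
}

# Commit actually checked out in the submodule's working tree.
checked_out_commit() {
    ( cd "$1/puppet-tails" && g rev-parse HEAD )
}

# The fix from comment #8: record the new submodule commit in the superproject.
bump_submodule() {
    ( cd "$1" && g add puppet-tails \
      && g commit -q -m "Update puppet-tails submodule" )
}

# Walk-through: ./submodule-bump.sh --demo
if [ "${1:-}" = --demo ]; then
    super=$(setup)
    change_submodule "$super"
    echo "after committing in the submodule only:"
    echo "  superproject records  $(recorded_commit "$super")"
    echo "  submodule checkout is $(checked_out_commit "$super")"
    ( cd "$super" && g status --short )
    bump_submodule "$super"
    echo "after bumping the submodule reference:"
    echo "  superproject records  $(recorded_commit "$super")"
fi
```

The ` M puppet-tails` line that `git status --short` prints in the superproject after the submodule commit is the tell: the superproject still points at the old submodule commit, and anything that checks out the superproject, a puppet agent run included, gets the old content until `git add puppet-tails` and a commit (and push) in the superproject move that pointer.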