Bug #15094: Mitigate BPF security issues on our infrastructure
% Done: 100%
Description
https://www.decadent.org.uk/ben/blog/bpf-security-issues-in-debian.html
Seems important (at least LPE and probably remotely exploitable given Ben blogged about it; public exploit is in the wild) and super cheap to implement now (and waiting won’t make it any cheaper).
Related issues
Related to Tails - | Rejected | 2018-06-11
Blocks Tails - Feature #13242: Core work: Sysadmin (Maintain our already existing services) | Confirmed | 2017-06-29
History
#1 Updated by intrigeri 2017-12-23 08:49:24
- Subject changed from Mitigate BPF security issues to Mitigate BPF security issues on our infrastructure
#2 Updated by intrigeri 2017-12-23 08:50:30
- related to Bug #15095: Mitigate BPF security issues added
#3 Updated by intrigeri 2017-12-23 08:50:51
- blocks Feature #13242: Core work: Sysadmin (Maintain our already existing services) added
#4 Updated by intrigeri 2017-12-23 13:34:34
Hint: grep sysctl::value in puppet-tails :)
#5 Updated by groente 2017-12-23 21:07:33
- Assignee changed from bertagaz to groente
- Feature Branch set to puppet-tails
#6 Updated by groente 2017-12-23 21:36:19
- Assignee changed from groente to bertagaz
Odd, I thought 99fcfed91a942f1cf34592c2a04d806a3e13f153 would’ve fixed this, but that didn’t have much effect. I ran sysctl manually on all systems, so we’re good till the next reboot. Handing the ticket back to you!
#7 Updated by groente 2017-12-25 19:33:33
- Priority changed from Urgent to Low
- QA Check set to Info Needed
The problem seems fixed with the last kernel update, but if you have some suggestion why my last commit didn’t result in any changes coming through in /etc/sysctl.conf, that would be much appreciated. Thanks!
#8 Updated by bertagaz 2017-12-26 10:40:01
- Status changed from Confirmed to Resolved
- Assignee deleted (bertagaz)
- % Done changed from 0 to 100
groente wrote:
> the problem seems fixed with the last kernel update, but if you have some suggestion why my last commit didn’t result in any changes coming through in /etc/sysctl.conf, that would be much appreciated. thanks!
New kernel has been installed and all systems rebooted, so closing this ticket. I’ve left groente’s change deployed, as I don’t think we need or use this kernel feature.
Indeed your change did not apply in production. That’s because you committed the right thing into the puppet-tails submodule, but did not update this submodule in the main puppet Git repo. See commit dedcbaa in the puppet-lizard-manifests Git repo.
Without this commit in the main repo updating the reference commit used for the puppet-tails submodule, our puppet has no clue it should deploy your last change. It is only when you push such a commit that your change in a submodule is applied when you run puppet agent.
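The failure mode bertagaz describes in comment #8 (a commit landed in the submodule, but the superproject still points at the old submodule commit, so nothing deploying from the superproject sees it) is easy to reproduce and easy to check for. The script below is an added example, not code from the Tails puppet repositories; it builds two throw-away repositories whose names ("super" in place of puppet-lizard-manifests, "modules/example" in place of the puppet-tails submodule, a file sysctl.pp) are constructed, replays the steps from comments #6 and #8, and provides a check function that compares the commit the superproject records for the submodule with what is actually checked out there.

```shell
#!/bin/sh
# Added example for this ticket thread; not code from the Tails puppet repos.
# "super" stands in for the main puppet repo and "modules/example" for the
# puppet-tails submodule; both names and the sysctl.pp file are constructed.
set -eu

# Fixed identity so commits work in a clean environment.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# make_demo_repos DIR: create DIR/submodule-upstream and DIR/super, where
# super embeds the upstream repo as the submodule modules/example.
make_demo_repos() {
    dir="$1"
    git init -q "$dir/submodule-upstream"
    echo 'v1' > "$dir/submodule-upstream/sysctl.pp"
    git -C "$dir/submodule-upstream" add sysctl.pp
    git -C "$dir/submodule-upstream" commit -qm 'initial'

    git init -q "$dir/super"
    git -C "$dir/super" commit -q --allow-empty -m 'initial'
    # protocol.file.allow is required on git >= 2.38.1 to clone a local path.
    git -C "$dir/super" -c protocol.file.allow=always \
        submodule --quiet add "$dir/submodule-upstream" modules/example
    git -C "$dir/super" commit -qm 'add submodule'
}

# submodule_pointer_in_sync SUPER PATH: succeed when the commit SUPER records
# for the submodule at PATH equals the submodule checkout's HEAD. When this
# fails, a commit exists in the submodule that the superproject (and anything
# deploying from it, such as puppet agent) knows nothing about.
submodule_pointer_in_sync() {
    super="$1"; path="$2"
    # ls-tree prints "160000 commit <sha>\t<path>" for a gitlink entry.
    recorded=$(git -C "$super" ls-tree HEAD "$path" | awk '{print $3}')
    actual=$(git -C "$super/$path" rev-parse HEAD)
    [ -n "$recorded" ] && [ "$recorded" = "$actual" ]
}

# commit_in_submodule SUPER PATH: the step from comment #6, a commit inside
# the submodule checkout with no follow-up commit in SUPER.
commit_in_submodule() {
    echo 'v2' >> "$1/$2/sysctl.pp"
    git -C "$1/$2" add sysctl.pp
    git -C "$1/$2" commit -qm 'change in submodule'
}

# update_submodule_pointer SUPER PATH: the missing step from comment #8, a
# commit in the superproject that moves its reference to the new HEAD.
update_submodule_pointer() {
    git -C "$1" add "$2"
    git -C "$1" commit -qm "update $2 submodule reference"
}

# Demonstration when run directly.
DEMO=$(mktemp -d)
make_demo_repos "$DEMO"
commit_in_submodule "$DEMO/super" modules/example
if submodule_pointer_in_sync "$DEMO/super" modules/example; then
    echo "in sync"
else
    echo "stale: superproject still references the old submodule commit"
    git -C "$DEMO/super" status --short   # shows ' M modules/example'
fi
update_submodule_pointer "$DEMO/super" modules/example
if submodule_pointer_in_sync "$DEMO/super" modules/example; then
    echo "in sync after pointer update"
fi
rm -rf "$DEMO"
```

The quickest manual sign of the same condition is `git status` in the superproject reporting the submodule path as modified with "new commits"; the check function above is the scriptable form of that, usable from a deploy or CI step so a submodule commit that was never referenced from the main repo is caught before anyone wonders why puppet agent did nothing.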