diff options
author | Justin M. Forbes <jforbes@fedoraproject.org> | 2020-08-12 08:21:58 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2020-08-12 08:21:58 -0500 |
commit | 8341d1868d403a53608b5a5fb8e80c73620dea88 (patch) | |
tree | 294058e7692abe966ab4e674b76d783ce6b89979 /0001-bpf-set-unprivileged_bpf_disabled-to-1-by-default-ad.patch | |
parent | 47a895f435cccb2cb14eb5d0c52d2f6d4d904907 (diff) | |
download | kernel-8341d1868d403a53608b5a5fb8e80c73620dea88.tar.gz kernel-8341d1868d403a53608b5a5fb8e80c73620dea88.tar.xz kernel-8341d1868d403a53608b5a5fb8e80c73620dea88.zip |
Cleanups to prepare for stable Fedora
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
Diffstat (limited to '0001-bpf-set-unprivileged_bpf_disabled-to-1-by-default-ad.patch')
-rw-r--r-- | 0001-bpf-set-unprivileged_bpf_disabled-to-1-by-default-ad.patch | 122 |
1 files changed, 0 insertions, 122 deletions
diff --git a/0001-bpf-set-unprivileged_bpf_disabled-to-1-by-default-ad.patch b/0001-bpf-set-unprivileged_bpf_disabled-to-1-by-default-ad.patch deleted file mode 100644 index 042d8b999..000000000 --- a/0001-bpf-set-unprivileged_bpf_disabled-to-1-by-default-ad.patch +++ /dev/null @@ -1,122 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Eugene Syromiatnikov <esyr@redhat.com> -Date: Thu, 14 Jun 2018 16:36:02 -0400 -Subject: [PATCH] bpf: set unprivileged_bpf_disabled to 1 by default, add a - boot parameter - -Message-id: <133022c6c389ca16060bd20ef69199de0800200b.1528991396.git.esyr@redhat.com> -Patchwork-id: 8250 -O-Subject: [kernel team] [RHEL8 PATCH v4 2/5] [bpf] bpf: set unprivileged_bpf_disabled to 1 by default, add a boot parameter -Bugzilla: 1561171 -RH-Acked-by: Jiri Benc <jbenc@redhat.com> -RH-Acked-by: Jesper Dangaard Brouer <brouer@redhat.com> - -This patch sets kernel.unprivileged_bpf_disabled sysctl knob to 1 -by default, and provides an ability (in a form of a boot-time parameter) -to reset it to 0, as it is impossible to do so in runtime. Since -unprivileged BPF is considered unsupported, it also taints the kernel. - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1561171 -Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=16716594 -Upstream: RHEL only. The patch (in a more generic form) has been - proposed upstream[1] and subsequently rejected. - -[1] https://lkml.org/lkml/2018/5/21/344 - -Upstream Status: RHEL only -Signed-off-by: Eugene Syromiatnikov <esyr@redhat.com> -Signed-off-by: Herton R. Krzesinski <herton@redhat.com> ---- - .../admin-guide/kernel-parameters.txt | 8 +++++++ - include/linux/kernel.h | 2 +- - kernel/bpf/syscall.c | 21 ++++++++++++++++++- - kernel/panic.c | 2 +- - 4 files changed, 30 insertions(+), 3 deletions(-) - -diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index fb95fad81c79..a43287854f8a 100644 ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -5277,6 +5277,14 @@ - unknown_nmi_panic - [X86] Cause panic on unknown NMI. - -+ unprivileged_bpf_disabled= -+ Format: { "0" | "1" } -+ Sets the initial value of -+ kernel.unprivileged_bpf_disabled sysctl knob. -+ 0 - unprivileged bpf() syscall access is enabled. -+ 1 - unprivileged bpf() syscall access is disabled. -+ Default value is 1. -+ - usbcore.authorized_default= - [USB] Default USB device authorization: - (default -1 = authorized except for wireless USB, -diff --git a/include/linux/kernel.h b/include/linux/kernel.h -index 28be75396242..0a0081b10edb 100644 ---- a/include/linux/kernel.h -+++ b/include/linux/kernel.h -@@ -618,7 +618,7 @@ extern enum system_states { - #define TAINT_RESERVED28 28 - #define TAINT_RESERVED29 29 - #define TAINT_RESERVED30 30 --#define TAINT_RESERVED31 31 -+#define TAINT_UNPRIVILEGED_BPF 31 - /* End of Red Hat-specific taint flags */ - #define TAINT_FLAGS_COUNT 32 - #define TAINT_FLAGS_MAX ((1UL << TAINT_FLAGS_COUNT) - 1) -diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c -index 0fd80ac81f70..60f70f31060e 100644 ---- a/kernel/bpf/syscall.c -+++ b/kernel/bpf/syscall.c -@@ -24,6 +24,7 @@ - #include <linux/ctype.h> - #include <linux/nospec.h> - #include <linux/audit.h> -+#include <linux/init.h> - #include <uapi/linux/btf.h> - #include <linux/pgtable.h> - #include <linux/bpf_lsm.h> -@@ -48,7 +49,25 @@ static DEFINE_SPINLOCK(map_idr_lock); - static DEFINE_IDR(link_idr); - static DEFINE_SPINLOCK(link_idr_lock); - --int sysctl_unprivileged_bpf_disabled __read_mostly; -+/* RHEL-only: default to 1 */ -+int sysctl_unprivileged_bpf_disabled __read_mostly = 1; -+ -+static int __init unprivileged_bpf_setup(char *str) -+{ -+ unsigned long disabled; -+ if (!kstrtoul(str, 0, &disabled)) -+ sysctl_unprivileged_bpf_disabled = !!disabled; -+ -+ if (!sysctl_unprivileged_bpf_disabled) { -+ pr_warn("Unprivileged BPF has been enabled " -+ "(unprivileged_bpf_disabled=0 has been supplied " -+ "in boot parameters), tainting the kernel"); -+ add_taint(TAINT_UNPRIVILEGED_BPF, LOCKDEP_STILL_OK); -+ } -+ -+ return 1; -+} -+__setup("unprivileged_bpf_disabled=", unprivileged_bpf_setup); - - static const struct bpf_map_ops * const bpf_map_types[] = { - #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type) -diff --git a/kernel/panic.c b/kernel/panic.c -index 534bc76e43da..e3bae852d92f 100644 ---- a/kernel/panic.c -+++ b/kernel/panic.c -@@ -399,7 +399,7 @@ const struct taint_flag taint_flags[TAINT_FLAGS_COUNT] = { - [ TAINT_RESERVED28 ] = { '?', '-', false }, - [ TAINT_RESERVED29 ] = { '?', '-', false }, - [ TAINT_RESERVED30 ] = { '?', '-', false }, -- [ TAINT_RESERVED31 ] = { '?', '-', false }, -+ [ TAINT_UNPRIVILEGED_BPF ] = { 'u', ' ', false }, - }; - - /** --- -2.26.2 - |