From patchwork Sun Jun 16 14:02:00 2024
From: Peter Müller <peter.mueller@ipfire.org>
To: "IPFire: Development"
Date: Sun, 16 Jun 2024 14:02:00 +0000
Subject: [PATCH] sysctl: Disable bpf() calls from unprivileged users without toggle option
Message-ID-Hash: PXXIVCGKR6DZDE4RMAGHTOH4HMY75X44
List-Id: IPFire development talk

According to the Linux kernel documentation, enabling BPF_UNPRIV_DEFAULT_OFF (which was done in 69dde418f11dc0085cbe061b90f6c002d6d6cce2) will cause the sysctl kernel.unprivileged_bpf_disabled to default to 2. This prohibits calls to bpf() from unprivileged users by default, but allows for such calls to be allowed again during runtime, by setting kernel.unprivileged_bpf_disabled to 0.

There is no legitimate reason why this should be possible on IPFire, which is why this patch sets kernel.unprivileged_bpf_disabled to 1 during startup, causing the same effect as 2, but without any option to revert this setting during runtime.

This fixes a Lynis warning.

Signed-off-by: Peter Müller
---
 config/etc/sysctl.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index 31a220e38..51a804043 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -111,3 +111,6 @@ kernel.perf_event_paranoid = 3 # Only processes with CAP_SYS_PTRACE may use ptrace kernel.yama.ptrace_scope = 2 + +# Disable unprivileged calls to bpf() without option to enable during runtime +kernel.unprivileged_bpf_disabled = 1
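Review bot: the new comment line in the hunk should spell out the consequence the commit message gives for value 1, namely that the setting cannot be reverted at runtime, so an operator who later needs unprivileged bpf() has to edit this file and reboot rather than use sysctl -w; a hint such as "# (value 1 is one-way: a reboot is needed to change it again)" next to "+kernel.unprivileged_bpf_disabled = 1" would avoid that surprise. The value itself matches what the commit message describes, and the comment style follows the neighbouring "# Only processes with CAP_SYS_PTRACE may use ptrace" line.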
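The commit message describes three states of kernel.unprivileged_bpf_disabled (0 open, 2 disabled but revertible, 1 disabled for good) and relies on the file being applied at startup. The following POSIX sh script is an added example, not part of the IPFire patch or of the IPFire project: it parses a sysctl.conf-style file the way `sysctl -p` reads it (comments ignored, last assignment wins), classifies the requested value, and, where /proc/sys/kernel/unprivileged_bpf_disabled exists, reports whether the running kernel actually has the one-way value. The function names, the labels it prints and the sample file it writes are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the IPFire patch: audit a sysctl.conf-style file
# for the unprivileged-bpf lockdown and compare it with the running kernel.

# Print the effective value of key $2 in the sysctl.conf-style file $1.
# Comment lines (# or ;) and blank lines are ignored, whitespace around "="
# is tolerated, and the last assignment wins, which is the order in which
# `sysctl -p` applies the file. Prints nothing when the key is absent.
sysctl_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# Map the three documented values of kernel.unprivileged_bpf_disabled to a
# label (labels are this example's own naming).
bpf_policy() {
    case "$1" in
        0) echo open ;;      # unprivileged bpf() allowed
        2) echo disabled ;;  # disabled, but root can write 0 again at runtime
        1) echo locked ;;    # disabled, and no further changes until reboot
        *) echo unknown ;;
    esac
}

# Check that the file requests the locked policy and that the running kernel
# agrees. Prints one status word; returns 0 for "ok" and "sysctl-unavailable".
audit_bpf_lockdown() {
    want=$(sysctl_conf_get "$1" kernel.unprivileged_bpf_disabled)
    if [ "$(bpf_policy "$want")" != locked ]; then
        echo config-not-locked
        return 1
    fi
    proc=/proc/sys/kernel/unprivileged_bpf_disabled
    # The sysctl is absent on kernels built without CONFIG_BPF_SYSCALL and on
    # non-Linux hosts; report that rather than guessing.
    if [ ! -r "$proc" ]; then
        echo sysctl-unavailable
        return 0
    fi
    have=$(cat "$proc")
    if [ "$have" = 1 ]; then
        echo ok
        return 0
    fi
    # 2 or 0 at runtime means the lockdown in the file was not (yet) applied.
    echo "drift-running-$(bpf_policy "$have")"
    return 1
}

# Constructed sample modelled on the patched config/etc/sysctl.conf, with a
# commented-out line and an earlier, weaker assignment that the final line
# must override.
write_sample_conf() {
    cat > "$1" <<'EOF'
kernel.perf_event_paranoid = 3

# Only processes with CAP_SYS_PTRACE may use ptrace
kernel.yama.ptrace_scope = 2

# kernel.unprivileged_bpf_disabled = 0   <- commented out, must be ignored
kernel.unprivileged_bpf_disabled=2

# Disable unprivileged calls to bpf() without option to enable during runtime
kernel.unprivileged_bpf_disabled = 1
EOF
}

# Stand-alone demo on the constructed sample.
tmp=$(mktemp)
write_sample_conf "$tmp"
echo "file requests: $(sysctl_conf_get "$tmp" kernel.unprivileged_bpf_disabled)"
status=$(audit_bpf_lockdown "$tmp") || true
echo "audit: $status"
rm -f "$tmp"
```

Run against the real file with `audit_bpf_lockdown /etc/sysctl.conf`; "drift-running-disabled" after a reboot means the file was not applied early enough, while "config-not-locked" means the file itself still carries 2 or 0.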