Package: systemd
Version: 247.3-5
Severity: wishlist
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Hi,
TLDR:
$ sudo sysctl kernel.unprivileged_bpf_disabled
kernel.unprivileged_bpf_disabled = 0
please disable unprivileged BPF by default, it seems that it
is not safe to be allowed by default in the general case.
I'm not sure if systemd is the right place to report this
security/wishlist ticket against. I've chosen systemd because it
ships `/etc/sysctl.d/99-sysctl.conf` which seems to me to be the
nearest fit to where `kernel.unprivileged_bpf_disabled` should
be set. Please reassign if there's a better package to stick
this report to.
After reading https://lwn.net/Articles/860597/ I'm under the
impression that allowing unprivileged BPF is too big of a
barn door to leave open at these times.
Currently
* I have no idea which packages that I install use or will use BPF
* I don't know how I could even find out
* even if I knew that a given program *does* use BPF, I estimate
that it'd require me a non-trivial effort to analyze how security
critical that fact is in my context
* considering myself quite a seasoned sysadmin I very much doubt
that the general Debian consumer is even remotely capable of
correctly assesing the preceeding points
Therefore I'd suggest to seriously consider to disable the
unprivileged BPF gun *by default* on freshly installed Debian
systems.
Thanks a lot for taking care of Debian!
*t
-- Package-specific info:
-- System Information:
Debian Release: 11.0
APT prefers testing-security
APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-7-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8),
LANGUAGE=de_CH:de
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages systemd depends on:
ii adduser 3.118
ii libacl1 2.2.53-10
ii libapparmor1 2.13.6-10
ii libaudit1 1:3.0-2
ii libblkid1 2.36.1-7
ii libc6 2.31-12
ii libcap2 1:2.44-1
ii libcrypt1 1:4.4.18-4
ii libcryptsetup12 2:2.3.5-1
ii libgcrypt20 1.8.7-3
ii libgnutls30 3.7.1-3
ii libgpg-error0 1.38-2
ii libip4tc2 1.8.7-1
ii libkmod2 28-1
ii liblz4-1 1.9.3-2
ii liblzma5 5.2.5-2
ii libmount1 2.36.1-7
ii libpam0g 1.4.0-7
ii libseccomp2 2.5.1-1
ii libselinux1 3.1-3
ii libsystemd0 247.3-5
ii libzstd1 1.4.8+dfsg-2.1
ii mount 2.36.1-7
ii systemd-timesyncd [time-daemon] 247.3-5
ii util-linux 2.36.1-7
Versions of packages systemd recommends:
ii dbus 1.12.20-2
Versions of packages systemd suggests:
ii policykit-1 0.105-31
pn systemd-container <none>
Versions of packages systemd is related to:
pn dracut <none>
ii initramfs-tools 0.140
ii libnss-systemd 247.3-5
ii libpam-systemd 247.3-5
ii udev 247.3-5
-- no debconf information
