Package: systemd
Version: 247.3-5
Severity: wishlist
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Hi,

TLDR:

    $ sudo sysctl kernel.unprivileged_bpf_disabled
    kernel.unprivileged_bpf_disabled = 0

please disable unprivileged BPF by default, it seems that it is not safe to be allowed by default in the general case.

I'm not sure if systemd is the right place to report this security/wishlist ticket against. I've chosen systemd because it ships `/etc/sysctl.d/99-sysctl.conf` which seems to me to be the nearest fit to where `kernel.unprivileged_bpf_disabled` should be set. Please reassign if there's a better package to stick this report to.

After reading https://lwn.net/Articles/860597/ I'm under the impression that allowing unprivileged BPF is too big of a barn door to leave open at these times.

Currently

* I have no idea which packages that I install use or will use BPF
* I don't know how I could even find out
* even if I knew that a given program *does* use BPF, I estimate that it'd require me a non-trivial effort to analyze how security critical that fact is in my context
* considering myself quite a seasoned sysadmin I very much doubt that the general Debian consumer is even remotely capable of correctly assessing the preceding points

Therefore I'd suggest to seriously consider to disable the unprivileged BPF gun *by default* on freshly installed Debian systems.

Thanks a lot for taking care of Debian!
*t

-- Package-specific info:

-- System Information:
Debian Release: 11.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-7-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8), LANGUAGE=de_CH:de
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages systemd depends on:
ii  adduser                         3.118
ii  libacl1                         2.2.53-10
ii  libapparmor1                    2.13.6-10
ii  libaudit1                       1:3.0-2
ii  libblkid1                       2.36.1-7
ii  libc6                           2.31-12
ii  libcap2                         1:2.44-1
ii  libcrypt1                       1:4.4.18-4
ii  libcryptsetup12                 2:2.3.5-1
ii  libgcrypt20                     1.8.7-3
ii  libgnutls30                     3.7.1-3
ii  libgpg-error0                   1.38-2
ii  libip4tc2                       1.8.7-1
ii  libkmod2                        28-1
ii  liblz4-1                        1.9.3-2
ii  liblzma5                        5.2.5-2
ii  libmount1                       2.36.1-7
ii  libpam0g                        1.4.0-7
ii  libseccomp2                     2.5.1-1
ii  libselinux1                     3.1-3
ii  libsystemd0                     247.3-5
ii  libzstd1                        1.4.8+dfsg-2.1
ii  mount                           2.36.1-7
ii  systemd-timesyncd [time-daemon] 247.3-5
ii  util-linux                      2.36.1-7

Versions of packages systemd recommends:
ii  dbus  1.12.20-2

Versions of packages systemd suggests:
ii  policykit-1        0.105-31
pn  systemd-container  <none>

Versions of packages systemd is related to:
pn  dracut           <none>
ii  initramfs-tools  0.140
ii  libnss-systemd   247.3-5
ii  libpam-systemd   247.3-5
ii  udev             247.3-5

-- no debconf information
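The sysctl the report asks Debian to change, shown as an added worked example that is not part of the bug report or of any Debian package: a POSIX sh script that explains the possible values of kernel.unprivileged_bpf_disabled, writes a hardening drop-in for /etc/sysctl.d, and checks the effective value under systemd-sysctl's precedence rule (files are applied in lexicographic filename order, the last assignment of a key wins). The point it demonstrates is the caveat a sysadmin hits when doing this by hand: a drop-in named, say, 60-disable-unpriv-bpf.conf is overridden by any later-sorting file that still sets the key to 0. The file names and the scratch directory are assumptions for the demonstration, the 99-sysctl.conf stand-in is constructed (the real file on Debian does not set this key), and the meaning of value 2 applies only to Linux 5.15 and later; the 5.10 kernel in this report knows only 0 and 1.

```shell
#!/bin/sh
# Added example (not from the bug report): inspect kernel.unprivileged_bpf_disabled,
# write a hardening drop-in for /etc/sysctl.d, and verify it is not overridden by a
# later-sorting file.

# Meaning of each value, per Documentation/admin-guide/sysctl/kernel.rst.
# Returns 0 when unprivileged bpf() is disabled, 1 when allowed, 2 when unknown.
describe_unpriv_bpf() {
    case "$1" in
        0) echo "0: unprivileged bpf() allowed"; return 1 ;;
        1) echo "1: unprivileged bpf() disabled; cannot be cleared without a reboot"; return 0 ;;
        2) echo "2: unprivileged bpf() disabled; root may set 0 again (Linux >= 5.15 only)"; return 0 ;;
        *) echo "unknown value '$1'"; return 2 ;;
    esac
}

# Current value on the running kernel (needs /proc; the offline demo below does not use it).
live_unpriv_bpf() {
    cat /proc/sys/kernel/unprivileged_bpf_disabled
}

# Effective value of KEY over a sysctl.d-style directory, following systemd-sysctl
# precedence: files are applied in lexicographic filename order and the last
# assignment wins. Comment lines (# or ;) are skipped. Prints nothing if KEY is never set.
effective_sysctl() {
    dir=$1 key=$2 value=""
    for f in $(ls "$dir"/*.conf 2>/dev/null | LC_ALL=C sort); do
        v=$(awk -v k="$key" -F= '
            /^[ \t]*[#;]/ || NF < 2 { next }
            { gsub(/^[ \t]+|[ \t]+$/, "", $1)
              if ($1 == k) { gsub(/^[ \t]+|[ \t]+$/, "", $2); last = $2 } }
            END { if (last != "") print last }' "$f")
        [ -n "$v" ] && value=$v
    done
    printf '%s\n' "$value"
}

# Write the hardening drop-in into DIR. NAME (hypothetical default below) must sort
# after any file that still sets the key to 0, otherwise the drop-in loses.
write_bpf_dropin() {
    dir=$1 name=${2:-99-zz-disable-unpriv-bpf.conf}
    printf '%s\n' \
        '# Disable unprivileged bpf(); see https://lwn.net/Articles/860597/' \
        'kernel.unprivileged_bpf_disabled = 1' > "$dir/$name"
    printf '%s\n' "$dir/$name"
}

# Offline demonstration with constructed files in a scratch directory.
demo() {
    d=$(mktemp -d)
    # Constructed stand-in for a stock file that keeps the permissive default.
    printf 'kernel.unprivileged_bpf_disabled = 0\n' > "$d/99-sysctl.conf"

    first=$(write_bpf_dropin "$d" 60-disable-unpriv-bpf.conf)
    v=$(effective_sysctl "$d" kernel.unprivileged_bpf_disabled)
    echo "with $(basename "$first"): effective value $v (99-sysctl.conf sorts later and wins)"

    second=$(write_bpf_dropin "$d")
    v=$(effective_sysctl "$d" kernel.unprivileged_bpf_disabled)
    echo "with $(basename "$second"): effective value $v"
    describe_unpriv_bpf "$v" || true
    rm -rf "$d"
}
demo
```

On a live system the same check is `effective_sysctl /etc/sysctl.d kernel.unprivileged_bpf_disabled` compared against `live_unpriv_bpf`; after `sysctl --system` (or a reboot) the two should agree, and on a 5.10 kernel a value of 1 is one-way until the next boot, which is exactly why a distribution default rather than per-host tinkering is what the report asks for.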