sysctl: Disable bpf() calls from unprivileged users without toggle option

According to the Linux kernel documentation, enabling BPF_UNPRIV_DEFAULT_OFF
(which was done in 69dde418f11dc0085cbe061b90f6c002d6d6cce2) will cause
the sysctl kernel.unprivileged_bpf_disabled to default to 2. This
prohibits calls to bpf() from unprivileged users by default, but allows
for such calls to be allowed again during runtime, by setting
kernel.unprivileged_bpf_disabled to 0.

There is no legitimate reason why this should be possible on IPFire,
which is why this patch sets kernel.unprivileged_bpf_disabled to 1
during startup, causing the same effect as 2, but without any option to
revert this setting during runtime. This fixes a Lynis warning.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index 31a220e384ea44ceb9d85b9257f03188f7474733..51a80404303b81b003f1a19a327fc50e32e2a118 100644 (file)
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -111,3 +111,6 @@ kernel.perf_event_paranoid = 3
 
 # Only processes with CAP_SYS_PTRACE may use ptrace
 kernel.yama.ptrace_scope = 2
+
+# Disable unprivileged calls to bpf() without option to enable during runtime
+kernel.unprivileged_bpf_disabled = 1