SUSE Support

Here When You Need Us

Security Hardening: Use of eBPF by unprivileged users has been disabled by default

This document (000020545) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12

Situation

Due to a large amount of security issues found and fixed in the Extended Berkeley Packet Filter (eBPF) code SUSE has decided to restrict the usage to privileged users only to reduce the attack surface.

Privileged users include "root" and programs with the "CAP_BPF" capability in newer kernels can still use eBPF as-is.

 

Resolution

Disabling unprivileged eBPF has been switched to be the default begin of December 2021 in all SUSE Kernels.

To check the privileged state you can look at /proc/sys/kernel/unprivileged_bpf_disabled 
which can have these values:

  • 0: "unprivileged enable"

  • 1: "only privileged users enable (until reboot)". If this value is set, it cannot be cleared until reboot

  • 2: "only privileged users enabled". If this value is set, it can also be changed at runtime to 0 or 1. This value has been added by recent kernel updates and is not available in older versions.


This setting can be changed by root with a systemctl, to enable it temporary for all users:

    sysctl  kernel.unprivileged_bpf_disabled=0

or to persist over reboot by adding

    kernel.unprivileged_bpf_disabled=0

to the /etc/sysctl.conf config file.

Status

Security Alert

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020545
  • Creation Date: 17-Jan-2022
  • Modified Date:17-Jan-2022
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.