Security Hardening: Use of eBPF by unprivileged users has been disabled by default
This document (000020545) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12
Situation
Use of eBPF by unprivileged users is disabled by default. Privileged users, i.e. "root" and, on newer kernels, programs with the "CAP_BPF" capability (CAP_SYS_ADMIN on older kernels), can still use eBPF as-is.
Resolution
Disabling unprivileged eBPF has been the default since the beginning of December 2021 in all SUSE kernels.
To check the current state, look at /proc/sys/kernel/unprivileged_bpf_disabled, which can have these values:
- 0: unprivileged users are allowed to use eBPF
- 1: only privileged users are allowed to use eBPF (until reboot). Once this value is set, it cannot be changed again until reboot.
- 2: only privileged users are allowed to use eBPF. Unlike 1, this value can be changed at runtime to 0 or 1. This value has been added by recent kernel updates and is not available in older versions.
This setting can be changed by root with sysctl. To re-enable unprivileged eBPF temporarily (until the next reboot) for all users:
sysctl kernel.unprivileged_bpf_disabled=0
or, to make the change persist across reboots, add
kernel.unprivileged_bpf_disabled=0
to the /etc/sysctl.conf config file. Note that if the current value is 1, the kernel rejects any runtime change; in that case only a reboot (with the persistent setting in place) will re-enable unprivileged eBPF.
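The following script is an added example and is not part of the SUSE TID. It reads the sysctl above, reports whether the running kernel is hardened, and shows which runtime changes the kernel would accept from the current value (in particular, that nothing other than 1 can be written once the value is 1). The BPF_SYSCTL variable is an assumption introduced here so that the helper functions can be exercised against a constructed file instead of the live /proc entry.

```bash
#!/bin/sh
# Added example (not from the SUSE TID): inspect kernel.unprivileged_bpf_disabled
# and explain what a runtime change would do. BPF_SYSCTL is an assumed override
# so the functions can be tested against a constructed file.

BPF_SYSCTL="${BPF_SYSCTL:-/proc/sys/kernel/unprivileged_bpf_disabled}"

# Human-readable meaning of a kernel.unprivileged_bpf_disabled value.
describe_bpf_state() {
    case "$1" in
        0) echo "unprivileged users may call bpf()" ;;
        1) echo "only privileged users may call bpf(); locked until reboot" ;;
        2) echo "only privileged users may call bpf(); may be changed at runtime" ;;
        *) echo "unknown value: $1"; return 1 ;;
    esac
}

# Returns 0 when writing $2 to a sysctl currently holding $1 would be accepted.
# The kernel refuses every change away from 1; only a reboot clears it.
bpf_change_allowed() {
    current="$1"
    new="$2"
    case "$new" in 0|1|2) ;; *) return 1 ;; esac
    if [ "$current" = "1" ] && [ "$new" != "1" ]; then
        return 1
    fi
    return 0
}

# Read the live value (or the file named in BPF_SYSCTL).
read_bpf_state() {
    cat "$BPF_SYSCTL"
}

# Returns 0 when unprivileged eBPF is disabled (value 1 or 2), 1 otherwise.
bpf_is_hardened() {
    v="$(read_bpf_state)"
    [ "$v" = "1" ] || [ "$v" = "2" ]
}

main() {
    v="$(read_bpf_state)"
    echo "kernel.unprivileged_bpf_disabled = $v ($(describe_bpf_state "$v"))"
    if bpf_is_hardened; then
        echo "unprivileged eBPF is disabled"
    else
        echo "unprivileged eBPF is ENABLED; harden with: sysctl kernel.unprivileged_bpf_disabled=2"
        echo "(use 1 to lock the setting until reboot; add the line to /etc/sysctl.conf to persist)"
    fi
    # Show how the kernel would receive each possible runtime change.
    for target in 0 1 2; do
        if bpf_change_allowed "$v" "$target"; then
            echo "  setting $target at runtime: allowed"
        else
            echo "  setting $target at runtime: rejected (EPERM) until reboot"
        fi
    done
}

# Only run against the live kernel when the sysctl is actually present.
if [ -r "$BPF_SYSCTL" ]; then
    main
fi
```

Run it as any user to audit a host; only the sysctl write it suggests needs root. Value 2 is recommended over 1 where the page's caveat applies (older SLES 12 kernels without value 2 will reject it with EINVAL, in which case 1 is the only hardening option).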
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020545
- Creation Date: 17-Jan-2022
- Modified Date: 17-Jan-2022
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com