base-files: disable unprivileged eBPF by default.

eBPF has allowed a fair amount of local privilege escalation in
the past; disallow it for ordinary users by default.
Leah Neukirchen 2021-04-22 16:35:21 +02:00
parent ff26765ef5
commit eb7791ed34
3 changed files with 5 additions and 2 deletions


@ -0,0 +1,2 @@
# Block unprivileged use of eBPF
kernel.unprivileged_bpf_disabled=1
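Review bot: The comment above `kernel.unprivileged_bpf_disabled=1` does not say that the value 1 is one-way: per the kernel's sysctl documentation, once written it cannot be cleared from the running system until the next reboot, even by root. That matters for overrides, because a later-sorted sysctl.d file that sets the key back to 0 will presumably fail once this file has been applied; an admin who needs unprivileged bpf() would have to keep this file from being applied at all, for example by shadowing it with a same-named file, if the boot scripts honour that. I would extend the comment to something like `# Block unprivileged use of eBPF; 1 is irreversible until reboot, so override by replacing this file, not by setting 0 later`. Kernels that accept the value 2 keep the setting changeable by an admin, which is a weaker lock but easier to override.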


@ -2,7 +2,7 @@
# User-alterable options are in 10-void-user.conf. # User-alterable options are in 10-void-user.conf.
# Append the PID to the core filename # Append the PID to the core filename
kernel.core_uses_pid = 1 kernel.core_uses_pid=1
# Enable hard and soft link protection # Enable hard and soft link protection
fs.protected_hardlinks=1 fs.protected_hardlinks=1


@ -1,6 +1,6 @@
# Template file for 'base-files' # Template file for 'base-files'
pkgname=base-files pkgname=base-files
version=0.141 version=0.142
revision=11 revision=11
bootstrap=yes bootstrap=yes
depends="xbps-triggers" depends="xbps-triggers"
@ -75,6 +75,7 @@ do_install() {
# sysctl(8) files # sysctl(8) files
vinstall ${FILESDIR}/sysctl.conf 644 usr/lib/sysctl.d 10-void.conf vinstall ${FILESDIR}/sysctl.conf 644 usr/lib/sysctl.d 10-void.conf
vinstall ${FILESDIR}/sysctl-user.conf 644 usr/lib/sysctl.d 10-void-user.conf vinstall ${FILESDIR}/sysctl-user.conf 644 usr/lib/sysctl.d 10-void-user.conf
vinstall ${FILESDIR}/bpf.conf 644 usr/lib/sysctl.d 20-bpf.conf
# Install common licenses, from Debian. # Install common licenses, from Debian.
vmkdir usr/share/licenses vmkdir usr/share/licenses