Merge pull request #154994 from mweinelt/kernel-disable-unpriv-ebpf

linux: enable BPF_UNPRIV_DEFAULT_OFF on 5.10 and later
This commit is contained in:
Bernardo Meurer 2022-01-16 00:46:51 +00:00 committed by GitHub
commit 4fa2647449
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 0 deletions

View File

@ -1420,6 +1420,15 @@ Superuser created successfully.
for those who want to have all RetroArch cores available.
</para>
</listitem>
<listitem>
<para>
The Linux kernel for security reasons now restricts access to
BPF syscalls via <literal>BPF_UNPRIV_DEFAULT_OFF=y</literal>.
Unprivileged access can be reenabled via the
<literal>kernel.unprivileged_bpf_disabled</literal> sysctl
knob.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-21.11-notable-changes">

View File

@ -417,6 +417,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- `retroArchCores` has been removed. This means that using `nixpkgs.config.retroarch` to customize RetroArch cores is not supported anymore. Instead, use package overrides, for example: `retroarch.override { cores = with libretro; [ citra snes9x ]; };`. Also, `retroarchFull` derivation is available for those who want to have all RetroArch cores available.
- The Linux kernel for security reasons now restricts access to BPF syscalls via `BPF_UNPRIV_DEFAULT_OFF=y`. Unprivileged access can be reenabled via the `kernel.unprivileged_bpf_disabled` sysctl knob.
## Other Notable Changes {#sec-release-21.11-notable-changes}

View File

@ -539,6 +539,7 @@ let
UPROBE_EVENT = { optional = true; tristate = whenOlder "4.11" "y";};
UPROBE_EVENTS = { optional = true; tristate = whenAtLeast "4.11" "y";};
BPF_SYSCALL = whenAtLeast "4.4" yes;
BPF_UNPRIV_DEFAULT_OFF = whenBetween "5.10" "5.15" yes;
BPF_EVENTS = whenAtLeast "4.4" yes;
FUNCTION_PROFILER = yes;
RING_BUFFER_BENCHMARK = no;