pkg/sysctl: Prevent ebpf privilege escalation
On 4.9.x and 4.14.x kernels ebpf verifier bugs allow ebpf
programs to access (read/write) random memory. Setting
kernel.unprivileged_bpf_disabled=1 mitigates this somewhat
until it is fixed upstream.

See:
- https://lwn.net/Articles/742170
- https://lwn.net/Articles/742169

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
rn committed Dec 25, 2017
1 parent a7e7a39 commit 720fb21
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions pkg/sysctl/etc/sysctl.d/00-linuxkit.conf
@@ -26,3 +26,6 @@ kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 3
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# Prevent ebpf privilege escalation
# see: https://lwn.net/Articles/742170
kernel.unprivileged_bpf_disabled=1
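Review bot: the added `kernel.unprivileged_bpf_disabled=1` line omits the spaces around `=` that every other entry in this file uses (`fs.protected_symlinks = 1`, `kernel.perf_event_paranoid = 3`); for consistency write `kernel.unprivileged_bpf_disabled = 1`. The comment above it cites only https://lwn.net/Articles/742170, while the commit message also points at https://lwn.net/Articles/742169; listing both in the file keeps the in-tree rationale complete. Since the commit message itself describes this as a partial mitigation ("mitigates this somewhat until it is fixed upstream"), the comment could say so as well, so a later reader understands the sysctl is a stopgap pending the verifier fixes rather than a complete fix.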
