Fixes wrong CPU vulnerability output:
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation:Vulnerable: Unprivileged eBPF enabled
It's enabled but CONFIG_BPF_UNPRIV_DEFAULT_OFF being unset causes the warning.
This warning happens on ARM32 and ARM64 devices.
Edited with:
find -name "*.config" -exec sed -i 's/# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set/CONFIG_BPF_UNPRIV_DEFAULT_OFF=y/g' '{}' ;
CONFIG_BPF_UNPRIV_DEFAULT_OFF is a Linux kernel build-time hardening option that disables unprivileged use of the bpf() syscall (and thus unprivileged eBPF loading) by default by setting kernel.unprivileged_bpf_disabled=2 at boot. With this default, only privileged processes (e.g., with CAP_SYS_ADMIN / CAP_BPF, depending on kernel) can load eBPF unless an administrator explicitly relaxes it. [1], [2]
Operational behavior you should know
kernel.unprivileged_bpf_disabled semantics (as documented in the kernel sysctl docs/patch):
0: unprivileged bpf() allowed
1: unprivileged bpf() blocked and cannot be re-enabled until reboot (no transition back to 0 while running)
2: unprivileged bpf() blocked but admin can later switch to 0 or 1 if needed
If CONFIG_BPF_UNPRIV_DEFAULT_OFF=y, the default becomes 2 instead of 0. [2]
Signed-off-by: Rosen Penev <rosenp@gmail.com>
65d823f343