Do not automatically enable the linux kernel's BPF JIT compiler
The default value of kernel.unprivileged_bpf_disabled is 0, which means that turning on the BPF JIT compiler also makes it available to unprivileged users. Given that this is a known attack vector for Spectre variant 1 (CVE-2017-5753), this is not a setting that a utility should be tampering with. The help messages of tshark and dumpcap are changed by Balint Reczey to suggest enabling the BPF JIT manually, after considering the security-related implications. Change-Id: I1cc34cbd6e84485eba9dee79a8700aa388354885 Signed-off-by: Balint Reczey <balint.reczey@canonical.com> Bug: 14313 Reviewed-on: https://code.wireshark.org/review/25192 Reviewed-by: Balint Reczey <balint@balintreczey.hu> Petri-Dish: Balint Reczey <balint@balintreczey.hu> Reviewed-by: João Valverde <j@v6e.pt> Tested-by: Petri Dish Buildbot Reviewed-by: Gerald Combs <gerald@wireshark.org>
parent
aaa980e356
commit
51e0d22ec6
37
dumpcap.c
37
dumpcap.c
|
@ -150,32 +150,6 @@ static void capture_loop_stop(void);
|
|||
/** Close a pipe, or socket if \a from_socket is TRUE */
|
||||
static void cap_pipe_close(int pipe_fd, gboolean from_socket _U_);
|
||||
|
||||
#ifdef __linux__
|
||||
/*
|
||||
* Enable kernel BPF JIT compiler if available.
|
||||
* If any calls fail, just drive on - the JIT compiler might not be
|
||||
* enabled, but filtering will still work, and it's not clear what
|
||||
* we could do if the calls fail; should we just report the error
|
||||
* and not continue to capture, should we report it as a warning, or
|
||||
* what?
|
||||
*/
|
||||
static void
|
||||
enable_kernel_bpf_jit_compiler(void)
|
||||
{
|
||||
int fd;
|
||||
ssize_t written _U_;
|
||||
static const char file[] = "/proc/sys/net/core/bpf_jit_enable";
|
||||
|
||||
fd = ws_open(file, O_WRONLY);
|
||||
if (fd < 0)
|
||||
return;
|
||||
|
||||
written = ws_write(fd, "1", strlen("1"));
|
||||
|
||||
ws_close(fd);
|
||||
}
|
||||
#endif
|
||||
|
||||
#if !defined (__linux__)
|
||||
#ifndef HAVE_PCAP_BREAKLOOP
|
||||
/*
|
||||
|
@ -502,9 +476,10 @@ print_usage(FILE *output)
|
|||
fprintf(output, " -h display this help and exit\n");
|
||||
fprintf(output, "\n");
|
||||
#ifdef __linux__
|
||||
fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
|
||||
fprintf(output, "You might want to reset it\n");
|
||||
fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
|
||||
fprintf(output, "Dumpcap can benefit from an enabled BPF JIT compiler if available.\n");
|
||||
fprintf(output, "You might want to enable it by executing:\n");
|
||||
fprintf(output, " \"echo 1 > /proc/sys/net/core/bpf_jit_enable\"\n");
|
||||
fprintf(output, "Note that this can make your system less secure!\n");
|
||||
fprintf(output, "\n");
|
||||
#endif
|
||||
fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcapng\n");
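Review bot: The new hint ending in `"echo 1 > /proc/sys/net/core/bpf_jit_enable"` asks the user to flip a system-wide sysctl, yet the line `Note that this can make your system less secure!` gives no reason and the reverse command from the removed text is gone; since the commit message names the risk, the help should too, e.g. `fprintf(output, "Note that this can make your system less secure (the BPF JIT is a Spectre v1,\n");` followed by `fprintf(output, "CVE-2017-5753, attack vector); undo with \"echo 0 > /proc/sys/net/core/bpf_jit_enable\".\n");`. The conventional form `sysctl -w net.core.bpf_jit_enable=1` would also make it obvious that this needs root and can be persisted through sysctl.conf. The hint is printed on every Linux build regardless of the sysctl's current value, so it will show up on systems where the JIT is already on; if that matters, reading (not writing) the sysctl before printing would be a later, separate change. print_usage starts before this hunk and its body continues after it.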
|
||||
|
@ -4663,10 +4638,6 @@ main(int argc, char *argv[])
|
|||
#endif /* SIGINFO */
|
||||
#endif /* _WIN32 */
|
||||
|
||||
#ifdef __linux__
|
||||
enable_kernel_bpf_jit_compiler();
|
||||
#endif
|
||||
|
||||
/* ----------------------------------------------------------------- */
|
||||
/* Privilege and capability handling */
|
||||
/* Cases: */
|
||||
|
|
7
tshark.c
7
tshark.c
|
@ -454,9 +454,10 @@ print_usage(FILE *output)
|
|||
fprintf(output, " use \"-G help\" for more help\n");
|
||||
#ifdef __linux__
|
||||
fprintf(output, "\n");
|
||||
fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
|
||||
fprintf(output, "You might want to reset it\n");
|
||||
fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
|
||||
fprintf(output, "Dumpcap can benefit from an enabled BPF JIT compiler if available.\n");
|
||||
fprintf(output, "You might want to enable it by executing:\n");
|
||||
fprintf(output, " \"echo 1 > /proc/sys/net/core/bpf_jit_enable\"\n");
|
||||
fprintf(output, "Note that this can make your system less secure!\n");
|
||||
#endif
|
||||
|
||||
}
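Review bot: The four fprintf lines added under `#ifdef __linux__` here repeat, byte for byte, the text this same commit adds to print_usage in dumpcap.c, so the two help messages will drift apart on the next edit; a single shared string or helper in code both binaries link (one may already exist for common capture text, to be confirmed) would keep them in sync. The text refers to "Dumpcap" without telling a tshark user why that matters; `fprintf(output, "Capturing (done by dumpcap) can benefit from an enabled BPF JIT compiler if available.\n");` makes the relationship explicit. As in dumpcap.c, the line `Note that this can make your system less secure!` states a trade-off without its reason; naming CVE-2017-5753 next to it, and giving the `echo 0` command that undoes the change, would tell the user what they are accepting. print_usage's signature lies outside this hunk.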
|
||||
|
|