From: Peter Palfrader <peter@palfrader.org>
Date: Fri, 22 Dec 2017 20:35:33 +0000 (+0100)
Subject: disable unprivileged BPF loading
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=2cabdcc6df70e88f47ed865207985578553b99d5;p=mirror%2Fdsa-puppet.git

disable unprivileged BPF loading
---

diff --git a/modules/debian_org/manifests/init.pp b/modules/debian_org/manifests/init.pp
index b94e2a736..616be7522 100644
--- a/modules/debian_org/manifests/init.pp
+++ b/modules/debian_org/manifests/init.pp
@@ -329,4 +329,11 @@ class debian_org {
 			package { 'irqbalance': ensure => installed }
 		}
 	}
+
+
+	# https://www.decadent.org.uk/ben/blog/bpf-security-issues-in-debian.html
+	site::sysctl { 'unprivileged_bpf_disabled':
+		key   => 'kernel.unprivileged_bpf_disabled',
+		value => '1',
+	}
 }