From 2cabdcc6df70e88f47ed865207985578553b99d5 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Fri, 22 Dec 2017 21:35:33 +0100
Subject: [PATCH] disable unprivileged BPF loading

---
 modules/debian_org/manifests/init.pp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/modules/debian_org/manifests/init.pp b/modules/debian_org/manifests/init.pp
index b94e2a736..616be7522 100644
--- a/modules/debian_org/manifests/init.pp
+++ b/modules/debian_org/manifests/init.pp
@@ -329,4 +329,11 @@ class debian_org {
 package { 'irqbalance': ensure => installed }
 }
 }
+
+
+ # https://www.decadent.org.uk/ben/blog/bpf-security-issues-in-debian.html
+ site::sysctl { 'unprivileged_bpf_disabled':
+ key => 'kernel.unprivileged_bpf_disabled',
+ value => '1',
+ }
 }
--
2.20.1
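Review bot: The comment above the new `site::sysctl { 'unprivileged_bpf_disabled': }` resource is only a URL, so the reason for the setting is lost if the link rots; I would add a line such as `# Restrict bpf() to privileged users to shrink the kernel attack surface reachable by unprivileged eBPF programs.` The same comment should record that writing `1` to `kernel.unprivileged_bpf_disabled` is one-way on a running kernel, so dropping this resource later will not re-enable unprivileged BPF until the host reboots. The key presumably does not exist on older kernels that predate this sysctl, and `site::sysctl` is defined outside this hunk, so confirm it tolerates a missing key rather than failing the Puppet run on such hosts. The body of class `debian_org` starts outside the hunk, so whether the setting is applied immediately or only at next boot cannot be judged from here.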