From: Remco van 't Veer
To: Tobias Geerinckx-Rice
Cc: Ekaitz Zarraga, Christian Gelinek, help-guix@gnu.org
Subject: Re: Disabling unprivileged BPF by default in our kernels
Date: Thu, 02 Feb 2023 18:13:45 +0100
Message-ID: <87lelg56t2.fsf@remworks.net>
In-reply-to: <87bkmdnp69.fsf@nckx>
References: <87fsbpnzil.fsf@nckx> <87bkmdnp69.fsf@nckx>

2023/02/01 20:43, Tobias Geerinckx-Rice:

>> What does Debian's kconfig list for CONFIG_BPF_UNPRIV_DEFAULT_OFF?
>
> I've always had this option set to Y in my own kernels, and it has
> never so much as inconvenienced me.  However, I'm not a BPF power
> user.
>
> Does anyone know any serious and concrete drawbacks to setting this
> option in all Guix kernels, to increase default security & better
> align with other major distros?

There is a linux-libre-bpf package so I'd expect BPF power users to use
that.  So I guess adding it to the default-extra-linux-options should be
fine.

R.
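
Added example, not part of the original message and not Guix code: a small shell check that shows what CONFIG_BPF_UNPRIV_DEFAULT_OFF changes at boot and how to read the resulting kernel.unprivileged_bpf_disabled sysctl on a running system. The function names and the sample config lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example: relate CONFIG_BPF_UNPRIV_DEFAULT_OFF to the runtime sysctl.

# Read a kernel config on stdin and print the boot-time default of
# kernel.unprivileged_bpf_disabled (or "no-bpf" if bpf() is not built).
boot_default() {
    cfg=$(cat)
    if ! printf '%s\n' "$cfg" | grep -q '^CONFIG_BPF_SYSCALL=y$'; then
        echo no-bpf      # the option depends on BPF_SYSCALL
    elif printf '%s\n' "$cfg" | grep -q '^CONFIG_BPF_UNPRIV_DEFAULT_OFF=y$'; then
        echo 2           # off by default, root can still switch it on
    else
        echo 0           # unprivileged bpf() allowed by default
    fi
}

# Explain a kernel.unprivileged_bpf_disabled value.
describe_sysctl() {
    case "$1" in
        0) echo "unprivileged bpf() allowed" ;;
        1) echo "disabled, locked until reboot" ;;
        2) echo "disabled, root may set it back to 0" ;;
        *) echo "unknown or not available" ;;
    esac
}

# Value on the running kernel, or "missing" if the sysctl is absent.
current_sysctl() {
    cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo missing
}

# Constructed sample config lines (not from a real Guix or Debian kernel).
sample='CONFIG_BPF_SYSCALL=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y'

echo "sample config boots with: $(printf '%s\n' "$sample" | boot_default)"
echo "running kernel: $(describe_sysctl "$(current_sysctl)")"
```

On a kernel built with CONFIG_IKCONFIG_PROC, `zcat /proc/config.gz | boot_default` applies the same check to the running kernel's own config.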