main/alpine-baselayout: disable unprivileged eBPF by default

author: Ariadne Conill <ariadne@dereferenced.org> 2020-02-14 17:10:16 +0000
committer: Ariadne Conill <ariadne@dereferenced.org> 2020-02-14 17:10:38 +0000
commit: 4e286992d5ed751f6ca60eb18d77313bb0868513 (patch)
tree: 4dfa01ed3cfadf6b8a772be2aecd475e11455729 /main
parent: adf72d007528e03f9500ad6d40ad55d5b458cbdb (diff)
download: aports-4e286992d5ed751f6ca60eb18d77313bb0868513.tar.bz2
aports-4e286992d5ed751f6ca60eb18d77313bb0868513.tar.xz
1 files changed, 6 insertions, 1 deletions
diff --git a/main/alpine-baselayout/APKBUILD b/main/alpine-baselayout/APKBUILD
index 405b7da95a..346d87c60a 100644
--- a/main/alpine-baselayout/APKBUILD
+++ b/main/alpine-baselayout/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=alpine-baselayout
 pkgver=3.2.0
-pkgrel=3
+pkgrel=4
 pkgdesc="Alpine base dir structure and init scripts"
 url="https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout"
 arch="all"
@@ -189,6 +189,11 @@ package() {
 		# escalation vulnerabilities.
 		fs.protected_hardlinks = 1
 		fs.protected_symlinks = 1
+
+		# Disable unprivileged use of the bpf(2) syscall.
+		# Allowing unprivileged use of the bpf(2) syscall may allow a
+		# malicious user to compromise the machine.
+		kernel.unprivileged_bpf_disabled = 1
 	EOF
 	cat > "$pkgdir"/etc/fstab <<-EOF
 		/dev/cdrom	/media/cdrom	iso9660	noauto,ro 0 0
author	Ariadne Conill <ariadne@dereferenced.org>	2020-02-14 17:10:16 +0000
committer	Ariadne Conill <ariadne@dereferenced.org>	2020-02-14 17:10:38 +0000
commit	4e286992d5ed751f6ca60eb18d77313bb0868513 (patch)
tree	4dfa01ed3cfadf6b8a772be2aecd475e11455729 /main
parent	adf72d007528e03f9500ad6d40ad55d5b458cbdb (diff)
download	aports-4e286992d5ed751f6ca60eb18d77313bb0868513.tar.bz2 aports-4e286992d5ed751f6ca60eb18d77313bb0868513.tar.xz