diff options
author | Jon DeVree <nuxi@vault24.org> | 2018-01-08 01:22:53 -0500 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2018-01-08 23:12:09 +0000 |
commit | 51e0d22ec6db124abca69a1cc35905c9342c884a (patch) | |
tree | 05c689e57feb8a808976100d98cf076d75846039 /dumpcap.c | |
parent | aaa980e356a844b89f0a25ce34bd88956d8fc79d (diff) |
Do not automatically enable the linux kernel's BPF JIT compiler
The default value of kernel.unprivileged_bpf_disabled is 0 which means
this is enabling the BPF JIT compiler for unprivileged users. Given that
this is a known attack vector for Spectre variant 1 (CVE-2017-5753) this
is not a setting that a utility should be tampering with.
Tshark's and dumpcap's help message is changed by Balint Reczey to suggest
enabling BPF manually after considering security-related implications.
Change-Id: I1cc34cbd6e84485eba9dee79a8700aa388354885
Signed-off-by: Balint Reczey <balint.reczey@canonical.com>
Bug: 14313
Reviewed-on: https://code.wireshark.org/review/25192
Reviewed-by: Balint Reczey <balint@balintreczey.hu>
Petri-Dish: Balint Reczey <balint@balintreczey.hu>
Reviewed-by: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Diffstat (limited to 'dumpcap.c')
-rw-r--r-- | dumpcap.c | 37 |
1 files changed, 4 insertions, 33 deletions
@@ -150,32 +150,6 @@ static void capture_loop_stop(void); /** Close a pipe, or socket if \a from_socket is TRUE */ static void cap_pipe_close(int pipe_fd, gboolean from_socket _U_); -#ifdef __linux__ -/* - * Enable kernel BPF JIT compiler if available. - * If any calls fail, just drive on - the JIT compiler might not be - * enabled, but filtering will still work, and it's not clear what - * we could do if the calls fail; should we just report the error - * and not continue to capture, should we report it as a warning, or - * what? - */ -static void -enable_kernel_bpf_jit_compiler(void) -{ - int fd; - ssize_t written _U_; - static const char file[] = "/proc/sys/net/core/bpf_jit_enable"; - - fd = ws_open(file, O_WRONLY); - if (fd < 0) - return; - - written = ws_write(fd, "1", strlen("1")); - - ws_close(fd); -} -#endif - #if !defined (__linux__) #ifndef HAVE_PCAP_BREAKLOOP /* @@ -502,9 +476,10 @@ print_usage(FILE *output) fprintf(output, " -h display this help and exit\n"); fprintf(output, "\n"); #ifdef __linux__ - fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n"); - fprintf(output, "You might want to reset it\n"); - fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n"); + fprintf(output, "Dumpcap can benefit from an enabled BPF JIT compiler if available.\n"); + fprintf(output, "You might want to enable it by executing:\n"); + fprintf(output, " \"echo 1 > /proc/sys/net/core/bpf_jit_enable\"\n"); + fprintf(output, "Note that this can make your system less secure!\n"); fprintf(output, "\n"); #endif fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcapng\n"); @@ -4663,10 +4638,6 @@ main(int argc, char *argv[]) #endif /* SIGINFO */ #endif /* _WIN32 */ -#ifdef __linux__ - enable_kernel_bpf_jit_compiler(); -#endif - /* ----------------------------------------------------------------- */ /* Privilege and capability handling */ /* Cases: */ |