authorJon DeVree <nuxi@vault24.org>2018-01-08 01:22:53 -0500
committerGerald Combs <gerald@wireshark.org>2018-01-08 23:12:09 +0000
commit51e0d22ec6db124abca69a1cc35905c9342c884a (patch)
tree05c689e57feb8a808976100d98cf076d75846039 /tshark.c
parentaaa980e356a844b89f0a25ce34bd88956d8fc79d (diff)
Do not automatically enable the linux kernel's BPF JIT compiler
The default value of kernel.unprivileged_bpf_disabled is 0 which means this is enabling the BPF JIT compiler for unprivileged users. Given that this is a known attack vector for Spectre variant 1 (CVE-2017-5753) this is not a setting that a utility should be tampering with. Tshark's and dumpcap's help message is changed by Balint Reczey to suggest enabling BPF manually after considering security-related implications. Change-Id: I1cc34cbd6e84485eba9dee79a8700aa388354885 Signed-off-by: Balint Reczey <balint.reczey@canonical.com> Bug: 14313 Reviewed-on: https://code.wireshark.org/review/25192 Reviewed-by: Balint Reczey <balint@balintreczey.hu> Petri-Dish: Balint Reczey <balint@balintreczey.hu> Reviewed-by: João Valverde <j@v6e.pt> Tested-by: Petri Dish Buildbot Reviewed-by: Gerald Combs <gerald@wireshark.org>
Diffstat (limited to 'tshark.c')
-rw-r--r--tshark.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/tshark.c b/tshark.c
index 7d0b453199..f7100a407d 100644
--- a/tshark.c
+++ b/tshark.c
@@ -454,9 +454,10 @@ print_usage(FILE *output)
fprintf(output, " use \"-G help\" for more help\n");
#ifdef __linux__
fprintf(output, "\n");
- fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
- fprintf(output, "You might want to reset it\n");
- fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
+ fprintf(output, "Dumpcap can benefit from an enabled BPF JIT compiler if available.\n");
+ fprintf(output, "You might want to enable it by executing:\n");
+ fprintf(output, " \"echo 1 > /proc/sys/net/core/bpf_jit_enable\"\n");
+ fprintf(output, "Note that this can make your system less secure!\n");
#endif
}
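Review bot: The new last line of the Linux block, "Note that this can make your system less secure!", does not say what the risk is or what to check before following the hint above it. The commit description names both: the BPF JIT is a known vector for Spectre variant 1 (CVE-2017-5753), and kernel.unprivileged_bpf_disabled defaults to 0. The help text could carry that, for example `fprintf(output, "Note that this can make your system less secure (see CVE-2017-5753);\n");` followed by `fprintf(output, "check kernel.unprivileged_bpf_disabled before enabling it.\n");`. Whether that sysctl covers every unprivileged path to the JIT cannot be judged from this hunk, so the wording should stay advisory. It would also help to say the echo needs root and presumably does not persist across a reboot. print_usage begins outside the hunk.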