| author | Jon DeVree <nuxi@vault24.org> | 2018-01-08 01:22:53 -0500 |
|---|---|---|
| committer | Gerald Combs <gerald@wireshark.org> | 2018-01-08 23:12:09 +0000 |
| commit | 51e0d22ec6db124abca69a1cc35905c9342c884a | |
| tree | 05c689e57feb8a808976100d98cf076d75846039 /tshark.c | |
| parent | aaa980e356a844b89f0a25ce34bd88956d8fc79d | |
Do not automatically enable the Linux kernel's BPF JIT compiler
The default value of kernel.unprivileged_bpf_disabled is 0 which means
this is enabling the BPF JIT compiler for unprivileged users. Given that
this is a known attack vector for Spectre variant 1 (CVE-2017-5753) this
is not a setting that a utility should be tampering with.
Tshark's and dumpcap's help messages are changed by Balint Reczey to suggest
enabling BPF manually after considering security-related implications.
Change-Id: I1cc34cbd6e84485eba9dee79a8700aa388354885
Signed-off-by: Balint Reczey <balint.reczey@canonical.com>
Bug: 14313
Reviewed-on: https://code.wireshark.org/review/25192
Reviewed-by: Balint Reczey <balint@balintreczey.hu>
Petri-Dish: Balint Reczey <balint@balintreczey.hu>
Reviewed-by: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Diffstat (limited to 'tshark.c')
-rw-r--r-- | tshark.c | 7 |
1 files changed, 4 insertions, 3 deletions
@@ -454,9 +454,10 @@ print_usage(FILE *output) fprintf(output, " use \"-G help\" for more help\n"); #ifdef __linux__ fprintf(output, "\n"); - fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n"); - fprintf(output, "You might want to reset it\n"); - fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n"); + fprintf(output, "Dumpcap can benefit from an enabled BPF JIT compiler if available.\n"); + fprintf(output, "You might want to enable it by executing:\n"); + fprintf(output, " \"echo 1 > /proc/sys/net/core/bpf_jit_enable\"\n"); + fprintf(output, "Note that this can make your system less secure!\n"); #endif } |
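Review bot: the replacement help text (the four `+ fprintf` lines) tells the user to run `echo 1 > /proc/sys/net/core/bpf_jit_enable` but explains the risk only as "this can make your system less secure!", while the commit message names the actual concern: with `kernel.unprivileged_bpf_disabled` at its default of 0, the JIT becomes reachable by unprivileged users (the Spectre variant 1 / CVE-2017-5753 vector). Consider stating that in the message, e.g. `"Note that this can make your system less secure unless unprivileged BPF is disabled (kernel.unprivileged_bpf_disabled=1)!\n"`, so an administrator knows what to check before enabling it. It is also worth saying that the command requires root and that a write to `/proc/sys` does not persist across reboots, since the old text's "reset" instruction is gone and the new one reads as a one-off command.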