Unprivileged eBPF disabled by default for Ubuntu 20.04 LTS, 18.04 LTS, 16.04 ESM

As part of the most recent round of kernel security updates for Ubuntu, another set of cross-domain transient execution attacks was addressed. Known as BTI and BHI (branch target injection and branch history injection, respectively), these attacks allow a local unprivileged user to leak privileged information from the kernel via execution of code gadgets. Currently the only known way to perform these attacks is for unprivileged users to load their own code gadgets into the kernel as eBPF programs.

Traditionally, unprivileged users were allowed to load eBPF programs by default in Ubuntu 20.04 LTS, 18.04 LTS and 16.04 ESM. On more recent Ubuntu releases (21.10 and the currently in-development 22.04 LTS), however, this was already disabled by default, so only privileged users could load eBPF programs. Whilst eBPF was originally intended to be safe for use by unprivileged users, a history of security vulnerabilities that allowed unprivileged users to perform privilege escalation attacks through eBPF led to the feature being disabled by default as an additional hardening measure on these more recent releases.

As such, to help mitigate this new attack and to guard against any future possible privilege escalation attacks via eBPF, the ability for unprivileged users to load eBPF code into the kernel has now been disabled by default on Ubuntu 20.04 LTS, Ubuntu 18.04 LTS and Ubuntu 16.04 ESM as well.

Admins can re-enable this ability if needed via sysctl:

$ sudo sysctl kernel.unprivileged_bpf_disabled=0

Admins can disable unprivileged eBPF until the next boot via:

$ sudo sysctl kernel.unprivileged_bpf_disabled=1

Admins can disable it, but allow it to be re-enabled by an admin without rebooting, via:

$ sudo sysctl kernel.unprivileged_bpf_disabled=2

To see the current status of unprivileged eBPF, do:

$ sysctl kernel.unprivileged_bpf_disabled

A result value of 1 or 2 indicates that unprivileged eBPF is disabled.
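As an added audit helper (not part of the original announcement or of Ubuntu's own tooling), the script below ties the three values together: it classifies the live setting and flags a sysctl config file that would set the value back to 0 at the next boot. The file paths and sample values in `demo` are constructed.

```shell
#!/bin/sh
# Added audit helper for kernel.unprivileged_bpf_disabled (not Ubuntu's own
# tooling). Classifies the live value and checks whether a sysctl config
# file would silently re-enable unprivileged eBPF at the next boot.

# Human-readable meaning of each value of the sysctl.
bpf_mode() {
  case "$1" in
    0) echo "enabled: unprivileged users may load eBPF programs" ;;
    1) echo "disabled: cannot be re-enabled until reboot" ;;
    2) echo "disabled: an admin may re-enable it without rebooting" ;;
    *) echo "unknown value '$1'"; return 1 ;;
  esac
}

# Live value from procfs; a path argument lets the check run against a
# constructed file instead of a real kernel.
live_value() {
  cat "${1:-/proc/sys/kernel/unprivileged_bpf_disabled}" 2>/dev/null || echo none
}

# Value persisted by the given sysctl config files. The last match wins,
# mirroring how `sysctl --system` applies files in order.
persisted_value() {
  v=$(grep -hs '^[[:space:]]*kernel\.unprivileged_bpf_disabled[[:space:]]*=' "$@" \
        | tail -n1 | sed 's/.*=[[:space:]]*//')
  echo "${v:-none}"
}

# Verdict for one host:
#   exposed      - unprivileged eBPF is enabled right now
#   reboot-opens - disabled now, but a config file sets 0 at boot
#   ok           - disabled now and nothing re-enables it
audit() {
  live="$1"; persisted="$2"
  if [ "$live" = "0" ]; then echo exposed
  elif [ "$persisted" = "0" ]; then echo reboot-opens
  else echo ok
  fi
}

# Constructed scenario: kernel reports 2, but a stale drop-in still sets 0.
demo() {
  d=$(mktemp -d)
  echo 2 > "$d/live"
  printf 'kernel.unprivileged_bpf_disabled = 0\n' > "$d/99-bpf.conf"
  audit "$(live_value "$d/live")" "$(persisted_value "$d/99-bpf.conf")"
  rm -rf "$d"
}
```

On a real host, call `audit "$(live_value)" "$(persisted_value /etc/sysctl.conf /etc/sysctl.d/*.conf)"`; a `reboot-opens` verdict means the runtime `sysctl` change will not survive the next boot.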

As noted above, unprivileged eBPF has been disabled by default (while remaining re-enablable by an admin via sysctl, as detailed above) in Ubuntu since the introduction of the 5.13 and newer kernels in Ubuntu 21.10 and the Ubuntu 20.04.4 LTS hardware enablement (HWE) kernels. Support for disabling unprivileged eBPF with the possibility of re-enabling it without a reboot has been backported to the 5.4, 4.15 and 4.4 kernels as well, and it is the default setting as of 2022-03-08.
