From 720fb219cea1fea99c2bba1d01f771eb43b2000b Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Mon, 25 Dec 2017 15:32:57 +0100
Subject: [PATCH] pkg/sysctl: Prevent ebpf privilege escalation

On 4.9.x and 4.14.x kernels ebpf verifier bugs allow ebpf programs to access (read/write) random memory. Setting kernel.unprivileged_bpf_disabled=1 mitigates this somewhat until it is fixed upstream.

See:
- https://lwn.net/Articles/742170
- https://lwn.net/Articles/742169

Signed-off-by: Rolf Neugebauer
---
 pkg/sysctl/etc/sysctl.d/00-linuxkit.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf b/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf
index db498738e..9e7f17dfa 100644
--- a/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf
+++ b/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf
@@ -26,3 +26,6 @@ kernel.dmesg_restrict = 1
 kernel.perf_event_paranoid = 3
 fs.protected_hardlinks = 1
 fs.protected_symlinks = 1
+# Prevent ebpf privilege escalation
+# see: https://lwn.net/Articles/742170
+kernel.unprivileged_bpf_disabled=1
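Review bot: The added `kernel.unprivileged_bpf_disabled=1` omits the spaces around `=` that every other line in this hunk uses (`fs.protected_symlinks = 1`); sysctl accepts both forms, but for consistency write `kernel.unprivileged_bpf_disabled = 1`. The comment above it should also record the operational constraint of this knob: writing 1 is one-way on a running kernel and cannot be cleared back to 0 without a reboot, so a line such as `# Note: once set to 1 this cannot be cleared without a reboot` would save operators from a surprise when they later need unprivileged bpf() for tooling. It is worth stating in the comment that this only blocks bpf() from callers without the relevant capability; privileged workloads still reach the verifier, which is why the commit message says it mitigates the issue "somewhat" rather than closing it.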