author Salvatore Bonaccorso <carnil@debian.org> 2021-08-02 23:00:27 +0200
committer Salvatore Bonaccorso <carnil@debian.org> 2021-08-02 23:02:19 +0200
commit 46b3206f945d85fa8d24828e4dfc4fd0558be24b (patch)
tree 1ed7bb49c080eead8a9894126d4c5c1e62cf1094
parent 948fcda2b9c3fd6e8a802a712f3d5a4674258a47 (diff)
linux-image: Add NEWS entry documenting that unprivileged calls to bpf() are disabled by default in Debian.
-rw-r--r-- debian/changelog 2
-rw-r--r-- debian/linux-image.NEWS 16
2 files changed, 18 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 20df988d3c7d..0fbb302a59e5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,8 @@ linux (5.10.46-4) UNRELEASED; urgency=medium
* Ignore ABI changes for bpf_offload_dev_create and bpf_verifier_log_write
* bpf: Add kconfig knob for disabling unpriv bpf by default
* init: Enable BPF_UNPRIV_DEFAULT_OFF (Closes: #990411)
+ * linux-image: Add NEWS entry documenting that unprivileged calls to bpf() are
+ disabled by default in Debian.
-- Salvatore Bonaccorso <carnil@debian.org> Mon, 02 Aug 2021 12:36:15 +0200
diff --git a/debian/linux-image.NEWS b/debian/linux-image.NEWS
index 899e30abcaa2..f8e1fc022907 100644
--- a/debian/linux-image.NEWS
+++ b/debian/linux-image.NEWS
@@ -1,3 +1,19 @@
+linux (5.10.46-4) unstable; urgency=medium
+
+ * From Linux 5.10.46-4, unprivileged calls to bpf() are disabled by
+ default, mitigating several security issues. However, an admin can
+ still change this setting later on, if needed, by writing 0 or 1 to
+ the kernel.unprivileged_bpf_disabled sysctl.
+
+ If you prefer to keep unprivileged calls to bpf() enabled, set the
+ sysctl:
+
+ kernel.unprivileged_bpf_disabled = 0
+
+ which is the upstream default.
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Mon, 02 Aug 2021 22:59:24 +0200
+
linux (5.10~rc7-1~exp2) unstable; urgency=medium
* From Linux 5.10, all users are allowed to create user namespaces by
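Review bot: The new NEWS paragraph in debian/linux-image.NEWS tells the admin to write "0 or 1" to kernel.unprivileged_bpf_disabled but only explains 0 ("which is the upstream default"). It never states which value Debian now ships as the default, what 1 does differently from that default, or whether a value can be changed back at runtime once written. Because the sentence promises the setting can "still" be changed "later on", spell out the meaning of each accepted value so an admin does not pick 1 assuming it is the same as the new default. The example "kernel.unprivileged_bpf_disabled = 0" is in sysctl.conf syntax, so the entry should also say where to put it so that it persists across reboots (for example a file under /etc/sysctl.d/). Finally, "mitigating several security issues" would be more useful with a pointer to the bug the changelog closes (#990411).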