linux (5.10.46-4) unstable; urgency=medium

  * From Linux 5.10.46-4, unprivileged calls to bpf() are disabled by
    default, mitigating several security issues. However, an admin can
    still change this setting later on, if needed, by writing 0 or 1 to
    the kernel.unprivileged_bpf_disabled sysctl.

    If you prefer to keep unprivileged calls to bpf() enabled, set the
    sysctl:

        kernel.unprivileged_bpf_disabled = 0

    which is the upstream default.

 -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 02 Aug 2021 22:59:24 +0200

linux (5.10~rc7-1~exp2) unstable; urgency=medium

  * From Linux 5.10, all users are allowed to create user namespaces by
    default.  This will allow programs such as web browsers and container
    managers to create more restricted sandboxes for untrusted or
    less-trusted code, without the need to run as root or to use a
    setuid-root helper.

    The previous Debian default was to restrict this feature to processes
    running as root, because it exposed more security issues in the
    kernel.  However, the security benefits of more widespread sandboxing
    probably now outweigh this risk.

    If you prefer to keep this feature restricted, set the sysctl:

        kernel.unprivileged_userns_clone = 0

 -- Ben Hutchings <benh@debian.org>  Sun, 13 Dec 2020 17:11:36 +0100
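
Added example, not part of the Debian NEWS entries above: a shell check that reports how a host is currently set for the two sysctls they describe. The meanings of values 1 and 2 for kernel.unprivileged_bpf_disabled come from the kernel's sysctl documentation, not from this file; the PROC_SYS_KERNEL override and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify the two sysctls named in the NEWS entries.
# PROC_SYS_KERNEL (hypothetical override) lets the functions be run against
# constructed files instead of the live /proc/sys/kernel.

# Meaning of kernel.unprivileged_bpf_disabled (per kernel sysctl docs).
classify_bpf() {
    case "$1" in
        0)  echo "enabled" ;;              # upstream default: unprivileged bpf() allowed
        1)  echo "disabled-locked" ;;      # cannot be cleared again until reboot
        2)  echo "disabled-changeable" ;;  # admin may still write 0 or 1 later
        "") echo "absent" ;;               # sysctl not present on this kernel
        *)  echo "unknown" ;;
    esac
}

# Meaning of kernel.unprivileged_userns_clone.
classify_userns() {
    case "$1" in
        0)  echo "restricted" ;;           # only root may create user namespaces
        1)  echo "allowed" ;;              # all users may create user namespaces
        "") echo "absent" ;;               # sysctl not present on this kernel
        *)  echo "unknown" ;;
    esac
}

# Print the value of one knob with whitespace stripped, or nothing if missing.
read_knob() {
    f="${PROC_SYS_KERNEL:-/proc/sys/kernel}/$1"
    [ -r "$f" ] && tr -d '[:space:]' < "$f"
    return 0
}

# One-line summary suitable for a host inventory or compliance check.
audit_sandbox_sysctls() {
    bpf=$(classify_bpf "$(read_knob unprivileged_bpf_disabled)")
    userns=$(classify_userns "$(read_knob unprivileged_userns_clone)")
    echo "unprivileged_bpf=$bpf unprivileged_userns=$userns"
}

audit_sandbox_sysctls
```

A result of "disabled-locked" means the bpf() setting cannot be relaxed on the running kernel; "absent" means the kernel does not expose that sysctl at all.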
