To prevent unprivileged processes from using the bpf() syscall
the kernel.unprivileged_bpf_disabled kernel parameter must
be set to 1 or 2.
Writing 1 to this entry will disable unprivileged calls to bpf(); once
disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM.
Once set to 1, this can't be cleared from the running kernel anymore.
To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter,
run the following command:
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
To make sure that the setting is persistent,
add the following line to a file in the directory /etc/sysctl.d:
kernel.unprivileged_bpf_disabled = 1
Writing 2 to this entry will also disable unprivileged calls to bpf(),
however, an admin can still change this setting later on, if needed, by
writing 0 or 1 to this entry.
To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter,
run the following command:
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=2
To make sure that the setting is persistent,
add the following line to a file in the directory /etc/sysctl.d:
kernel.unprivileged_bpf_disabled = 2