From 71bbd876b743a98affd89dfe097c15a1048a63bf Mon Sep 17 00:00:00 2001
From: Emily
Date: Sat, 4 Apr 2020 23:12:06 +0100
Subject: [PATCH] nixos/hardened: don't set kernel.unprivileged_bpf_disabled

Upstreamed in anthraxx/linux-hardened@1a3e0c283028533527595a91d9504d2b7eabc977.
---
 nixos/modules/profiles/hardened.nix | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 052909d63f53..8889c6440f44 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -79,10 +79,6 @@ with lib;
   # Hide kptrs even for processes with CAP_SYSLOG
   boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
 
-  # Unprivileged access to bpf() has been used for privilege escalation in
-  # the past
-  boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;
-
   # Disable bpf() JIT (to eliminate spray attacks)
   boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;