
base: Disable unprivileged BPF by default #62

Merged: ricardosalveti merged 1 commit into foundriesio:master from quaresmajose:bfp on Aug 1, 2022

Conversation

@quaresmajose (Member):

Signed-off-by: Jose Quaresma [email protected]

@MrCry0 (Contributor) commented Jul 26, 2022

@quaresmajose could you please add the sense of this commit to the commit message. What does it fix or improve?

@quaresmajose (Member, Author):

@MrCry0 sure, I can add the help text from kernel kconfig

Disables unprivileged BPF by default by setting the corresponding /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can still reenable it by setting it to 0 later on, or permanently disable it by setting it to 1 (from which no other transition to 0 is possible anymore).

Unprivileged BPF could be used to exploit certain potential speculative execution side-channel vulnerabilities on unmitigated affected hardware.

If you are unsure how to answer this question, answer Y.

This fix will mitigate the Spectre V2

Jul 22 21:30:48 intel-corei7-64 kernel: Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
Jul 22 21:30:48 intel-corei7-64 kernel: Spectre V2 : WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!
Jul 22 21:30:48 intel-corei7-64 kernel: Spectre V2 : Mitigation: Enhanced IBRS
Jul 22 21:30:48 intel-corei7-64 kernel: Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
Jul 22 21:30:48 intel-corei7-64 kernel: Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier
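An added example (not part of this PR or the kernel tree) that turns the kconfig help text quoted above into an operator-side check: it maps the three values of /proc/sys/kernel/unprivileged_bpf_disabled to their meaning, encodes the one-way nature of value 1, and counts the "Unprivileged eBPF is enabled" warning in a kernel log. Function names are this example's own, and the sample log is constructed from the lines quoted in the comment.

```shell
#!/bin/sh
# Added example, not part of the PR: interpret the unprivileged_bpf_disabled
# knob and scan a kernel log for the Spectre v2 warning quoted in the discussion.

KNOB=/proc/sys/kernel/unprivileged_bpf_disabled

# Meaning of each knob value, per the kconfig help text quoted in the PR.
bpf_knob_state() {
    case "$1" in
        0) echo "enabled" ;;                        # unprivileged bpf() allowed
        1) echo "disabled (permanent)" ;;           # no transition back to 0
        2) echo "disabled (default, reversible)" ;; # admin may set 0 or 1 later
        *) echo "unknown value: $1"; return 1 ;;
    esac
}

# Is changing the knob from $1 to $2 allowed? Only leaving 1 is refused.
bpf_transition_allowed() {
    if [ "$1" = 1 ] && [ "$2" != 1 ]; then
        return 1
    fi
    return 0
}

# Count stdin lines carrying the "Unprivileged eBPF is enabled" warning.
# grep -c exits 1 when nothing matches; the count (0) is still printed and a
# clean log is reported as success.
bpf_warning_count() {
    grep -c 'Unprivileged eBPF is enabled' || true
}

# Constructed sample built from the log lines quoted in the PR.
SAMPLE_LOG='Jul 22 21:30:48 intel-corei7-64 kernel: Spectre V2 : WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!
Jul 22 21:30:48 intel-corei7-64 kernel: Spectre V2 : Mitigation: Enhanced IBRS'

# Read the real knob; returns 2 if this kernel was built without it.
bpf_check_live() {
    v=$(cat "$KNOB" 2>/dev/null) || { echo "$KNOB not present"; return 2; }
    echo "$KNOB=$v -> $(bpf_knob_state "$v")"
}

# Usage: sh this_script.sh --live   (otherwise only the offline sample is shown)
if [ "${1:-}" = "--live" ]; then
    bpf_check_live
else
    echo "sample log warnings: $(printf '%s\n' "$SAMPLE_LOG" | bpf_warning_count)"
fi
```

Run it with `--live` on the target to see which of the three states the running kernel is in; without arguments it only evaluates the constructed sample.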

@MrCry0 (Contributor) commented Jul 27, 2022

> @MrCry0 sure, I can add the help text from kernel kconfig
>
> Disables unprivileged BPF by default by setting the corresponding /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can still reenable it by setting it to 0 later on, or permanently disable it by setting it to 1 (from which no other transition to 0 is possible anymore).
>
> Unprivileged BPF could be used to exploit certain potential speculative execution side-channel vulnerabilities on unmitigated affected hardware.
>
> If you are unsure how to answer this question, answer Y.
>
> This fix will mitigate the Spectre V2
>
> Jul 22 21:30:48 intel-corei7-64 kernel: Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
> Jul 22 21:30:48 intel-corei7-64 kernel: Spectre V2 : WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!
> Jul 22 21:30:48 intel-corei7-64 kernel: Spectre V2 : Mitigation: Enhanced IBRS
> Jul 22 21:30:48 intel-corei7-64 kernel: Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
> Jul 22 21:30:48 intel-corei7-64 kernel: Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier

Thanks. It would be helpful to add the information on which vulnerabilities this commit prevents the use of. In the commit message, not in the PR.

Say,

"Unprivileged BPF could be used to exploit certain potential speculative execution
side-channel vulnerabilities on unmitigated affected hardware. Disabling unprivileged
BPF prevents using the vulnerability CVE-2017-5715 and some others."

Disables unprivileged BPF by default by setting the corresponding
/proc/sys/kernel/unprivileged_bpf_disabled knob to 2.
An admin can still reenable it by setting it to 0 later on,
or permanently disable it by setting it to 1
(from which no other transition to 0 is possible anymore).

Unprivileged BPF could be used to exploit certain potential
speculative execution side-channel vulnerabilities on unmitigated
affected hardware.

Disabling unprivileged BPF prevents using the vulnerability
CVE-2017-5715 and some others.

Signed-off-by: Jose Quaresma <[email protected]>
@MrCry0 (Contributor) left a review comment:

LGTM

@angolini (Contributor) left a review comment:

LGTM

@Tim-Anderson (Contributor) left a review comment:

LGTM

@ricardosalveti (Member) left a review comment:

LGTM, also disabled by default in most distros.

@ricardosalveti ricardosalveti merged commit 31a784c into foundriesio:master Aug 1, 2022
@quaresmajose quaresmajose deleted the bfp branch December 5, 2022 16:46