Hello Michael, > Hi Peter, > >> On 7 Jun 2020, at 18:02, Peter Müller wrote: >> >> This is recommended by the Kernel Self Protection Project, and although >> we do not take advantage of the BPF JIT at this time, we should set this >> nevertheless in order to avoid potential security vulnerabilities. > > I do not really understand what you are trying to achieve here. I am trying to achieve enabling of BPF JIT hardening. > Please state more clearly *why* you think this is a useful change for IPFire. > > As far as I am aware, the kernel internally uses BPF. Yes, to my knowledge, this is exactly the point. The Kernel is using it, and we should make sure it is properly hardened then. If this sysctl is helping, I do not see a reason why not turning it on. Thanks, and best regards, Peter Müller > -Michael > > P.S. How the f*** is this not already the default in the Linux kernel? Performance only, eh? > >> >> Fixes: #12384 >> >> Signed-off-by: Peter Müller >> --- >> config/etc/sysctl.conf | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf >> index 7e7ebee44..3f4c828f9 100644 >> --- a/config/etc/sysctl.conf >> +++ b/config/etc/sysctl.conf >> @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1 >> fs.protected_symlinks = 1 >> fs.protected_hardlinks = 1 >> >> +# Turn on BPF JIT hardening, if the JIT is enabled. >> +net.core.bpf_jit_harden = 2 >> + >> # Minimal preemption granularity for CPU-bound tasks: >> # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) >> kernel.sched_min_granularity_ns = 10000000 >> -- >> 2.26.2 >