From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled
Date: Tue, 13 Apr 2021 10:47:02 +0100
Message-ID: <86025DA6-F531-4956-9A36-96EC604BF17C@ipfire.org>

Hello,

> On 12 Apr 2021, at 18:58, Peter Müller wrote:
> 
> Hello Michael,
> 
> thanks for your reply.
> 
> Usually, I do not include shipping details or instructions to my patches, since they made things less
> flexible and I failed to be consistent here. Sorry for causing additional workload on your side here.

That is true for the core update files, but this was in the root files, which generally are being updated by patches.

-Michael

> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hello,
>> 
>> Thanks for the patch, but this broke shipping the files, which I hopefully fixed properly here:
>> 
>> https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=7ae1dcb33e27d2ea354acd6e7093741781e4092d
>> 
>> Best,
>> -Michael
>> 
>>> On 9 Apr 2021, at 20:13, Peter Müller wrote:
>>> 
>>> The second version of this patch splits this up into different
>>> architecture-specific sysctl config files, as i586 does not support BPF
>>> JIT, hence the net.core.bpf_jit_harden does not exist on that
>>> architecture.
>>> 
>>> Fixes: #12384
>>> 
>>> Signed-off-by: Peter Müller
>>> ---
>>> config/etc/sysctl-aarch64.conf  | 2 ++
>>> config/etc/sysctl-armv5tel.conf | 2 ++
>>> config/etc/sysctl-x86_64.conf   | 3 +++
>>> 3 files changed, 7 insertions(+)
>>> create mode 100644 config/etc/sysctl-aarch64.conf
>>> create mode 100644 config/etc/sysctl-armv5tel.conf
>>> 
>>> diff --git a/config/etc/sysctl-aarch64.conf b/config/etc/sysctl-aarch64.conf
>>> new file mode 100644
>>> index 000000000..9f840806d
>>> --- /dev/null
>>> +++ b/config/etc/sysctl-aarch64.conf
>>> @@ -0,0 +1,2 @@
>>> +# Turn on BPF JIT hardening, if the JIT is enabled.
>>> +net.core.bpf_jit_harden = 2
>>> diff --git a/config/etc/sysctl-armv5tel.conf b/config/etc/sysctl-armv5tel.conf
>>> new file mode 100644
>>> index 000000000..9f840806d
>>> --- /dev/null
>>> +++ b/config/etc/sysctl-armv5tel.conf
>>> @@ -0,0 +1,2 @@
>>> +# Turn on BPF JIT hardening, if the JIT is enabled.
>>> +net.core.bpf_jit_harden = 2
>>> diff --git a/config/etc/sysctl-x86_64.conf b/config/etc/sysctl-x86_64.conf
>>> index 7384bed51..c7abecc5d 100644
>>> --- a/config/etc/sysctl-x86_64.conf
>>> +++ b/config/etc/sysctl-x86_64.conf
>>> @@ -1,3 +1,6 @@
>>>  # Improve KASLR effectiveness for mmap
>>>  vm.mmap_rnd_bits = 32
>>>  vm.mmap_rnd_compat_bits = 16
>>> +
>>> +# Turn on BPF JIT hardening, if the JIT is enabled.
>>> +net.core.bpf_jit_harden = 2
>>> -- 
>>> 2.26.2
>>> 
>> 
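Review bot: The new file config/etc/sysctl-aarch64.conf in the first hunk is not accompanied by a matching rootfile entry, so nothing in this patch makes the build actually ship it; the reply earlier in this thread confirms that shipping broke for exactly this reason and had to be fixed in a follow-up commit. A patch that creates a file under config/etc/ should carry the rootfile change alongside it so the two land together.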
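Review bot: The second hunk's config/etc/sysctl-armv5tel.conf is byte-identical to the aarch64 file (both carry blob id 9f840806d), so the same shipping caveat applies, and the cover letter's own reasoning for i586 applies in reverse here: net.core.bpf_jit_harden only exists when the kernel is built with the BPF JIT, so it is worth confirming that the armv5tel kernel config enables it, otherwise sysctl will report an unknown key at boot and the hardening silently does nothing on that architecture.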
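Review bot: In the third hunk the comment "Turn on BPF JIT hardening, if the JIT is enabled." undersells the chosen value; net.core.bpf_jit_harden = 2 enables constant blinding for all BPF programs, privileged ones included, whereas 1 would apply it only to unprivileged users, and the stronger setting costs some JIT performance. Suggest expanding the comment to say why 2 was chosen over 1, e.g. "# Blind BPF constants for all users (2), not only unprivileged ones (1)". Note also that nothing here sets net.core.bpf_jit_enable, so the hardening takes effect only where the kernel default or another sysctl file turns the JIT on, which the comment's "if the JIT is enabled" should state explicitly.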