Hello,

I agree with merging this, but we can only enable this on x86_64, aarch64 and armv5tel. i586 does not support BPF_JIT and does not know this sysctl option.

Could you please submit an updated patch?

-Michael

> On 2 Apr 2021, at 20:37, Peter Müller wrote:
>
> Hello Michael,
>
> especially after https://lists.ipfire.org/pipermail/development/2021-April/009804.html,
> I would really like to bring this up once more.
>
> From my point of view, it is safe to turn on that sysctl, as no user should ever load
> anything into BPF directly on an IPFire 2.x machine, especially not if that abuses some
> JIT oddities.
>
> At least on my semi-productive testing machine, this does not break anything I am aware of.
>
> Thanks, and best regards,
> Peter Müller
>
>
>> Hello Michael,
>>
>>> Hi Peter,
>>>
>>>> On 7 Jun 2020, at 18:02, Peter Müller wrote:
>>>>
>>>> This is recommended by the Kernel Self Protection Project, and although
>>>> we do not take advantage of the BPF JIT at this time, we should set this
>>>> nevertheless in order to avoid potential security vulnerabilities.
>>>
>>> I do not really understand what you are trying to achieve here.
>>
>> I am trying to achieve enabling of BPF JIT hardening.
>>
>>> Please state more clearly *why* you think this is a useful change for IPFire.
>>>
>>> As far as I am aware, the kernel internally uses BPF.
>>
>> Yes, to my knowledge, this is exactly the point. The Kernel is using it, and
>> we should make sure it is properly hardened then. If this sysctl is helping,
>> I do not see a reason why not to turn it on.
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>> -Michael
>>>
>>> P.S. How the f*** is this not already the default in the Linux kernel? Performance only, eh?
>>>
>>>>
>>>> Fixes: #12384
>>>>
>>>> Signed-off-by: Peter Müller
>>>> ---
>>>> config/etc/sysctl.conf | 3 +++
>>>> 1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
>>>> index 7e7ebee44..3f4c828f9 100644
>>>> --- a/config/etc/sysctl.conf >>>> +++ b/config/etc/sysctl.conf >>>> @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1 >>>> fs.protected_symlinks = 1 >>>> fs.protected_hardlinks = 1 >>>> >>>> +# Turn on BPF JIT hardening, if the JIT is enabled. >>>> +net.core.bpf_jit_harden = 2 >>>> + >>>> # Minimal preemption granularity for CPU-bound tasks: >>>> # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) >>>> kernel.sched_min_granularity_ns = 10000000 >>>> -- >>>> 2.26.2 >>>
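Review bot: the added "net.core.bpf_jit_harden = 2" line is unconditional in a file that every IPFire architecture shares, yet Michael's reply states that the i586 kernel is built without BPF_JIT and does not have this sysctl at all, so on that kernel a loader walking this file will trip over a missing key at exactly this line. Either gate the entry to the architectures Michael lists (x86_64, aarch64, armv5tel) or make sure the loader tolerates keys the running kernel lacks. The comment "# Turn on BPF JIT hardening, if the JIT is enabled." would also be more useful if it said what the value 2 selects, because the hunk does not touch net.core.bpf_jit_enable and a reader cannot tell from this file alone whether the JIT is on.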
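Michael's objection above is that the key simply does not exist on an i586 kernel built without BPF_JIT. The following added example (not IPFire's own sysctl loader, and not part of the patch) applies "key = value" lines from a sysctl.conf-style file only for keys the kernel actually exposes under /proc/sys, counting and skipping the rest; the sample tree and conf fragment it builds are constructed here, and the optional second argument (the /proc/sys root) is an assumption of this example so it can run against a scratch directory.

```shell
#!/bin/sh
# Added example (not IPFire's own sysctl loader): apply "key = value" lines
# from a sysctl.conf-style file, but only for keys the running kernel exposes
# under /proc/sys. A key the kernel lacks, such as net.core.bpf_jit_harden on a
# build without BPF_JIT, is counted and skipped instead of producing an error.
# Usage: apply_sysctl_conf <conf-file> [sysctl-root]   (root defaults to /proc/sys)
apply_sysctl_conf() {
    conf=$1
    root=${2:-/proc/sys}
    applied=0; skipped=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}      # trim leading whitespace
        case "$line" in
            ''|'#'*) continue ;;                   # blank or comment line
            *=*) ;;                                # key = value line
            *) continue ;;                         # malformed: ignore
        esac
        key=${line%%=*};   key=${key%"${key##*[![:space:]]}"}
        value=${line#*=};  value=${value#"${value%%[![:space:]]*}"}
        value=${value%"${value##*[![:space:]]}"}
        path="$root/$(printf '%s' "$key" | tr . /)" # net.core.x -> net/core/x
        if [ -f "$path" ]; then
            printf '%s\n' "$value" > "$path"
            applied=$((applied + 1))
        else
            skipped=$((skipped + 1))
        fi
    done < "$conf"
    echo "applied $applied skipped $skipped"
}

# Constructed sample: a fake /proc/sys tree that, like an i586 IPFire kernel
# without BPF_JIT, has no net/core/bpf_jit_harden entry, plus a sysctl.conf
# fragment with the lines from the patch above. Prints the scratch directory.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sys/kernel" "$dir/sys/fs"
    echo 1 > "$dir/sys/kernel/dmesg_restrict"
    echo 0 > "$dir/sys/fs/protected_symlinks"
    cat > "$dir/sysctl.conf" <<'EOF'
kernel.dmesg_restrict = 1
fs.protected_symlinks = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2
EOF
    echo "$dir"
}

sample=$(make_sample_tree)
apply_sysctl_conf "$sample/sysctl.conf" "$sample/sys"   # applied 2 skipped 1
```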