From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled
Date: Tue, 06 Apr 2021 11:10:47 +0100
Message-ID: <88495F26-CF50-49AB-B5A9-670C4250B0A0@ipfire.org>

Hello,

I agree with merging this, but we can only enable this on x86_64, aarch64 and armv5tel. i586 does not support BPF_JIT and does not know this sysctl option.

Could you please submit an updated patch?

-Michael

> On 2 Apr 2021, at 20:37, Peter Müller wrote:
>
> Hello Michael,
>
> especially after https://lists.ipfire.org/pipermail/development/2021-April/009804.html,
> I would really like to bring this up once more.
>
> From my point of view, it is safe to turn on that sysctl, as no user should ever load
> anything into BPF directly on an IPFire 2.x machine, especially not if that abuses some
> JIT oddities.
>
> At least on my semi-productive testing machine, this does not break anything I am aware of.
>
> Thanks, and best regards,
> Peter Müller
>
>
>> Hello Michael,
>>
>>> Hi Peter,
>>>
>>>> On 7 Jun 2020, at 18:02, Peter Müller wrote:
>>>>
>>>> This is recommended by the Kernel Self Protection Project, and although
>>>> we do not take advantage of the BPF JIT at this time, we should set this
>>>> nevertheless in order to avoid potential security vulnerabilities.
>>>
>>> I do not really understand what you are trying to achieve here.
>>
>> I am trying to achieve enabling of BPF JIT hardening.
>>
>>> Please state more clearly *why* you think this is a useful change for IPFire.
>>>
>>> As far as I am aware, the kernel internally uses BPF.
>>
>> Yes, to my knowledge, this is exactly the point. The Kernel is using it, and
>> we should make sure it is properly hardened then. If this sysctl is helping,
>> I do not see a reason for not turning it on.
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>> -Michael
>>>
>>> P.S. How the f*** is this not already the default in the Linux kernel? Performance only, eh?
>>>
>>>>
>>>> Fixes: #12384
>>>>
>>>> Signed-off-by: Peter Müller
>>>> ---
>>>> config/etc/sysctl.conf | 3 +++
>>>> 1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
>>>> index 7e7ebee44..3f4c828f9 100644
>>>> --- a/config/etc/sysctl.conf
>>>> +++ b/config/etc/sysctl.conf
>>>> @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1
>>>> fs.protected_symlinks = 1
>>>> fs.protected_hardlinks = 1
>>>>
>>>> +# Turn on BPF JIT hardening, if the JIT is enabled.
>>>> +net.core.bpf_jit_harden = 2
>>>> +
>>>> # Minimal preemption granularity for CPU-bound tasks:
>>>> # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds)
>>>> kernel.sched_min_granularity_ns = 10000000
>>>> --
>>>> 2.26.2
>>>
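Review bot: the added `net.core.bpf_jit_harden = 2` line is unconditional, so the shared sysctl.conf would carry a key that, per Michael's reply, does not exist on i586 kernels built without BPF_JIT, and applying the file there produces an error for that key. Either restrict the entry to the architectures that have a JIT (x86_64, aarch64, armv5tel as listed in the reply) or guard it so the key is skipped when the kernel does not know it. The comment "if the JIT is enabled" describes when the kernel honours the value, not when the key is present, which is the distinction that matters here. The comment could also say what value 2 means: it blinds JIT constants for all users, including privileged ones, rather than only for unprivileged callers (value 1), which fits the thread's reasoning that the kernel itself is the BPF user being protected.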
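As an added example, not part of this thread or of IPFire's own code: the POSIX sh functions below show how a sysctl-applying step could decide per host whether to set `net.core.bpf_jit_harden`, following Michael's request that it only be enabled where a BPF JIT exists. The architecture list is taken from his reply (x86_64, aarch64, armv5tel); the function names and the check that the `/proc/sys` entry is present before writing are my own assumptions, and the script only prints the command it would run rather than writing anything.

```shell
#!/bin/sh
# Added example (not IPFire's or the patch author's code): apply
# net.core.bpf_jit_harden=2 only where the kernel can actually honour it.
# Architecture list taken from Michael's reply: x86_64, aarch64 and armv5tel
# have a BPF JIT, i586 does not and lacks the sysctl entirely.

SYSCTL_KEY=net.core.bpf_jit_harden
SYSCTL_PATH=/proc/sys/net/core/bpf_jit_harden

# bpf_jit_arch_supported ARCH: succeed (exit 0) when ARCH has a BPF JIT.
bpf_jit_arch_supported() {
    case "$1" in
        x86_64|aarch64|armv5tel) return 0 ;;
        *) return 1 ;;
    esac
}

# bpf_jit_harden_value ARCH PATH: print the value to write ("2", the value
# the patch uses) when the architecture is supported and PATH (the /proc/sys
# entry) exists, otherwise print "skip". Checking the file avoids an error
# from sysctl on a kernel that does not know the key, whatever the
# architecture string says.
bpf_jit_harden_value() {
    if ! bpf_jit_arch_supported "$1"; then
        echo skip
    elif [ ! -e "$2" ]; then
        echo skip
    else
        echo 2
    fi
}

# bpf_jit_harden_cmd ARCH PATH: print the sysctl command to run, or a
# comment explaining why the key is left alone. Nothing is written here, so
# the output can be reviewed first or piped into sh on a real machine.
bpf_jit_harden_cmd() {
    value=$(bpf_jit_harden_value "$1" "$2")
    if [ "$value" = skip ]; then
        echo "# $SYSCTL_KEY: no BPF JIT on $1 or sysctl missing, not applied"
    else
        echo "sysctl -w $SYSCTL_KEY=$value"
    fi
}

# Show the decision for the host this script runs on.
bpf_jit_harden_cmd "$(uname -m)" "$SYSCTL_PATH"
```

Running the script prints either `sysctl -w net.core.bpf_jit_harden=2` or a comment line saying why the key was left alone, so the same file can be shipped to every architecture without the i586 build tripping over an unknown key.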