* [PATCH] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled @ 2020-06-07 17:02 Peter Müller 2020-06-08 9:07 ` Michael Tremer 0 siblings, 1 reply; 5+ messages in thread From: Peter Müller @ 2020-06-07 17:02 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 865 bytes --] This is recommended by the Kernel Self Protection Project, and although we do not take advantage of the BPF JIT at this time, we should set this nevertheless in order to avoid potential security vulnerabilities. Fixes: #12384 Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/etc/sysctl.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 7e7ebee44..3f4c828f9 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1 fs.protected_symlinks = 1 fs.protected_hardlinks = 1 +# Turn on BPF JIT hardening, if the JIT is enabled. +net.core.bpf_jit_harden = 2 + # Minimal preemption granularity for CPU-bound tasks: # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) kernel.sched_min_granularity_ns = 10000000 -- 2.26.2 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled 2020-06-07 17:02 [PATCH] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled Peter Müller @ 2020-06-08 9:07 ` Michael Tremer 2020-06-09 18:00 ` Peter Müller 0 siblings, 1 reply; 5+ messages in thread From: Michael Tremer @ 2020-06-08 9:07 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1350 bytes --] Hi Peter, > On 7 Jun 2020, at 18:02, Peter Müller <peter.mueller(a)ipfire.org> wrote: > > This is recommended by the Kernel Self Protection Project, and although > we do not take advantage of the BPF JIT at this time, we should set this > nevertheless in order to avoid potential security vulnerabilities. I do not really understand what you are trying to achieve here. Please state more clearly *why* you think this is a useful change for IPFire. As far as I am aware, the kernel internally uses BPF. -Michael P.S. How the f*** is this not already the default in the Linux kernel? Performance only, eh? > > Fixes: #12384 > > Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> > --- > config/etc/sysctl.conf | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf > index 7e7ebee44..3f4c828f9 100644 > --- a/config/etc/sysctl.conf > +++ b/config/etc/sysctl.conf > @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1 > fs.protected_symlinks = 1 > fs.protected_hardlinks = 1 > > +# Turn on BPF JIT hardening, if the JIT is enabled. > +net.core.bpf_jit_harden = 2 > + > # Minimal preemption granularity for CPU-bound tasks: > # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) > kernel.sched_min_granularity_ns = 10000000 > -- > 2.26.2 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled 2020-06-08 9:07 ` Michael Tremer @ 2020-06-09 18:00 ` Peter Müller 2021-04-02 19:37 ` Peter Müller 0 siblings, 1 reply; 5+ messages in thread From: Peter Müller @ 2020-06-09 18:00 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1720 bytes --] Hello Michael, > Hi Peter, > >> On 7 Jun 2020, at 18:02, Peter Müller <peter.mueller(a)ipfire.org> wrote: >> >> This is recommended by the Kernel Self Protection Project, and although >> we do not take advantage of the BPF JIT at this time, we should set this >> nevertheless in order to avoid potential security vulnerabilities. > > I do not really understand what you are trying to achieve here. I am trying to achieve enabling of BPF JIT hardening. > Please state more clearly *why* you think this is a useful change for IPFire. > > As far as I am aware, the kernel internally uses BPF. Yes, to my knowledge, this is exactly the point. The Kernel is using it, and we should make sure it is properly hardened then. If this sysctl is helping, I do not see a reason why not turning it on. Thanks, and best regards, Peter Müller > -Michael > > P.S. How the f*** is this not already the default in the Linux kernel? Performance only, eh? > >> >> Fixes: #12384 >> >> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >> --- >> config/etc/sysctl.conf | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf >> index 7e7ebee44..3f4c828f9 100644 >> --- a/config/etc/sysctl.conf >> +++ b/config/etc/sysctl.conf >> @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1 >> fs.protected_symlinks = 1 >> fs.protected_hardlinks = 1 >> >> +# Turn on BPF JIT hardening, if the JIT is enabled. >> +net.core.bpf_jit_harden = 2 >> + >> # Minimal preemption granularity for CPU-bound tasks: >> # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) >> kernel.sched_min_granularity_ns = 10000000 >> -- >> 2.26.2 > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled 2020-06-09 18:00 ` Peter Müller @ 2021-04-02 19:37 ` Peter Müller 2021-04-06 10:10 ` Michael Tremer 0 siblings, 1 reply; 5+ messages in thread From: Peter Müller @ 2021-04-02 19:37 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2275 bytes --] Hello Michael, especially after https://lists.ipfire.org/pipermail/development/2021-April/009804.html, I would really like to bring this up once more. >From my point of view, it is safe to turn on that sysctl, as no user should ever load anything into BPF directly on an IPFire 2.x machine, especially not if that abuses some JIT oddities. At least on my semi-productive testing machine, this does not break anything I am aware of. Thanks, and best regards, Peter Müller > Hello Michael, > >> Hi Peter, >> >>> On 7 Jun 2020, at 18:02, Peter Müller <peter.mueller(a)ipfire.org> wrote: >>> >>> This is recommended by the Kernel Self Protection Project, and although >>> we do not take advantage of the BPF JIT at this time, we should set this >>> nevertheless in order to avoid potential security vulnerabilities. >> >> I do not really understand what you are trying to achieve here. > > I am trying to achieve enabling of BPF JIT hardening. > >> Please state more clearly *why* you think this is a useful change for IPFire. >> >> As far as I am aware, the kernel internally uses BPF. > > Yes, to my knowledge, this is exactly the point. The Kernel is using it, and > we should make sure it is properly hardened then. If this sysctl is helping, > I do not see a reason why not turning it on. > > Thanks, and best regards, > Peter Müller > >> -Michael >> >> P.S. How the f*** is this not already the default in the Linux kernel? Performance only, eh? >> >>> >>> Fixes: #12384 >>> >>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >>> --- >>> config/etc/sysctl.conf | 3 +++ >>> 1 file changed, 3 insertions(+) >>> >>> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf >>> index 7e7ebee44..3f4c828f9 100644 >>> --- a/config/etc/sysctl.conf >>> +++ b/config/etc/sysctl.conf >>> @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1 >>> fs.protected_symlinks = 1 >>> fs.protected_hardlinks = 1 >>> >>> +# Turn on BPF JIT hardening, if the JIT is enabled. >>> +net.core.bpf_jit_harden = 2 >>> + >>> # Minimal preemption granularity for CPU-bound tasks: >>> # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) >>> kernel.sched_min_granularity_ns = 10000000 >>> -- >>> 2.26.2 >> ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled 2021-04-02 19:37 ` Peter Müller @ 2021-04-06 10:10 ` Michael Tremer 0 siblings, 0 replies; 5+ messages in thread From: Michael Tremer @ 2021-04-06 10:10 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2677 bytes --] Hello, I agree merging this, but we can only enable this on x86_64, aarch64 and armv5tel. i586 does not support BPF_JIT and does not know this sysctl option. Could you please submit an updated patch? -Michael > On 2 Apr 2021, at 20:37, Peter Müller <peter.mueller(a)ipfire.org> wrote: > > Hello Michael, > > especially after https://lists.ipfire.org/pipermail/development/2021-April/009804.html, > I would really like to bring this up once more. > > From my point of view, it is safe to turn on that sysctl, as no user should ever load > anything into BPF directly on an IPFire 2.x machine, especially not if that abuses some > JIT oddities. > > At least on my semi-productive testing machine, this does not break anything I am aware of. > > Thanks, and best regards, > Peter Müller > > >> Hello Michael, >> >>> Hi Peter, >>> >>>> On 7 Jun 2020, at 18:02, Peter Müller <peter.mueller(a)ipfire.org> wrote: >>>> >>>> This is recommended by the Kernel Self Protection Project, and although >>>> we do not take advantage of the BPF JIT at this time, we should set this >>>> nevertheless in order to avoid potential security vulnerabilities. >>> >>> I do not really understand what you are trying to achieve here. >> >> I am trying to achieve enabling of BPF JIT hardening. >> >>> Please state more clearly *why* you think this is a useful change for IPFire. >>> >>> As far as I am aware, the kernel internally uses BPF. >> >> Yes, to my knowledge, this is exactly the point. The Kernel is using it, and >> we should make sure it is properly hardened then. If this sysctl is helping, >> I do not see a reason why not turning it on. >> >> Thanks, and best regards, >> Peter Müller >> >>> -Michael >>> >>> P.S. How the f*** is this not already the default in the Linux kernel? Performance only, eh? >>> >>>> >>>> Fixes: #12384 >>>> >>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >>>> --- >>>> config/etc/sysctl.conf | 3 +++ >>>> 1 file changed, 3 insertions(+) >>>> >>>> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf >>>> index 7e7ebee44..3f4c828f9 100644 >>>> --- a/config/etc/sysctl.conf >>>> +++ b/config/etc/sysctl.conf >>>> @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1 >>>> fs.protected_symlinks = 1 >>>> fs.protected_hardlinks = 1 >>>> >>>> +# Turn on BPF JIT hardening, if the JIT is enabled. >>>> +net.core.bpf_jit_harden = 2 >>>> + >>>> # Minimal preemption granularity for CPU-bound tasks: >>>> # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) >>>> kernel.sched_min_granularity_ns = 10000000 >>>> -- >>>> 2.26.2 >>> ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-04-06 10:10 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-06-07 17:02 [PATCH] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled Peter Müller 2020-06-08 9:07 ` Michael Tremer 2020-06-09 18:00 ` Peter Müller 2021-04-02 19:37 ` Peter Müller 2021-04-06 10:10 ` Michael Tremer
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox