From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled
Date: Mon, 12 Apr 2021 10:19:18 +0100
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3010450107137552668=="
List-Id:

--===============3010450107137552668==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello,

Thanks for the patch, but this broke shipping the files which I hopefully fixed properly here:

https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=7ae1dcb33e27d2ea354acd6e7093741781e4092d

Best,
-Michael

> On 9 Apr 2021, at 20:13, Peter Müller wrote:
>
> The second version of this patch splits this up into different
> architecture-specific sysctl config files, as i586 does not support BPF
> JIT, hence the net.core.bpf_jit_harden does not exist on that
> architecture.
>
> Fixes: #12384
>
> Signed-off-by: Peter Müller
> ---
> config/etc/sysctl-aarch64.conf | 2 ++
> config/etc/sysctl-armv5tel.conf | 2 ++
> config/etc/sysctl-x86_64.conf | 3 +++
> 3 files changed, 7 insertions(+)
> create mode 100644 config/etc/sysctl-aarch64.conf
> create mode 100644 config/etc/sysctl-armv5tel.conf
>
> diff --git a/config/etc/sysctl-aarch64.conf b/config/etc/sysctl-aarch64.conf > new file mode 100644 > index 000000000..9f840806d > --- /dev/null > +++ b/config/etc/sysctl-aarch64.conf > @@ -0,0 +1,2 @@ > +# Turn on BPF JIT hardening, if the JIT is enabled. > +net.core.bpf_jit_harden =3D 2 > diff --git a/config/etc/sysctl-armv5tel.conf b/config/etc/sysctl-armv5tel.c= onf > new file mode 100644 > index 000000000..9f840806d > --- /dev/null > +++ b/config/etc/sysctl-armv5tel.conf > @@ -0,0 +1,2 @@ > +# Turn on BPF JIT hardening, if the JIT is enabled. > +net.core.bpf_jit_harden =3D 2 
> diff --git a/config/etc/sysctl-x86_64.conf b/config/etc/sysctl-x86_64.conf > index 7384bed51..c7abecc5d 100644 > --- a/config/etc/sysctl-x86_64.conf > +++ b/config/etc/sysctl-x86_64.conf > @@ -1,3 +1,6 @@ > # Improve KASLR effectiveness for mmap > vm.mmap_rnd_bits =3D 32 > vm.mmap_rnd_compat_bits =3D 16 > + > +# Turn on BPF JIT hardening, if the JIT is enabled. > +net.core.bpf_jit_harden =3D 2 > --=20 > 2.26.2 >=20 --===============3010450107137552668==--
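Review bot: config/etc/sysctl-aarch64.conf is created from /dev/null as a new file, and the diffstat lists only the three config files, so nothing in this patch installs or ships it; the same applies to the new config/etc/sysctl-armv5tel.conf. Please add whatever build and packaging changes the per-architecture sysctl files need in the same patch, or confirm that the existing build already picks up new sysctl-*.conf files, so the hardening setting actually reaches aarch64 and armv5tel systems.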
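Review bot: In the config/etc/sysctl-x86_64.conf hunk, the comment above net.core.bpf_jit_harden says only that hardening is turned on and does not explain the value 2. The kernel documents 1 as hardening for unprivileged users only and 2 as hardening for all users, so the comment should state that 2 is deliberate, which keeps a later reader from relaxing it to 1 without knowing the difference. The commit message's reason for splitting by architecture (the key does not exist on i586) would also be worth a short line in the file itself, since the same two lines are now repeated in three files.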