Hi Peter,

> On 7 Jun 2020, at 18:02, Peter Müller wrote:
>
> This is recommended by the Kernel Self Protection Project, and although
> we do not take advantage of the BPF JIT at this time, we should set this
> nevertheless in order to avoid potential security vulnerabilities.

I do not really understand what you are trying to achieve here. Please state more clearly *why* you think this is a useful change for IPFire.

As far as I am aware, the kernel internally uses BPF.

-Michael

P.S. How the f*** is this not already the default in the Linux kernel? Performance only, eh?

>
> Fixes: #12384
>
> Signed-off-by: Peter Müller
> ---
>  config/etc/sysctl.conf | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
> index 7e7ebee44..3f4c828f9 100644
> --- a/config/etc/sysctl.conf
> +++ b/config/etc/sysctl.conf
> @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1
>  fs.protected_symlinks = 1
>  fs.protected_hardlinks = 1
>
> +# Turn on BPF JIT hardening, if the JIT is enabled.
> +net.core.bpf_jit_harden = 2
> +
>  # Minimal preemption granularity for CPU-bound tasks:
>  # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds)
>  kernel.sched_min_granularity_ns = 10000000
> --
> 2.26.2
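Review bot: the new `net.core.bpf_jit_harden = 2` line is only effective when the JIT is actually in use, as the added comment itself says, yet nothing in this hunk or its context sets `net.core.bpf_jit_enable`, and the commit message states that IPFire does not use the JIT; the commit message should say whether the IPFire kernel enables the JIT (or builds it as always-on), or the change should set `net.core.bpf_jit_enable` explicitly next to it, so a reader of sysctl.conf can tell the hardening is live rather than a no-op. Value 2 is the right choice over 1 if the intent is to harden all BPF JIT users rather than only unprivileged ones, and the commit message should also note that this trades some JIT performance (constant blinding) for the hardening, since that is the reason it is not the kernel default. The line ordering is otherwise consistent with the surrounding one-setting-per-comment style of the file.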