From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled
Date: Mon, 08 Jun 2020 10:07:52 +0100
Message-ID:
In-Reply-To: <80294752-603e-be9a-9faf-5348116d3e09@ipfire.org>

Hi Peter,

> On 7 Jun 2020, at 18:02, Peter Müller wrote:
> 
> This is recommended by the Kernel Self Protection Project, and although
> we do not take advantage of the BPF JIT at this time, we should set this
> nevertheless in order to avoid potential security vulnerabilities.

I do not really understand what you are trying to achieve here.

Please state more clearly *why* you think this is a useful change for IPFire.

As far as I am aware, the kernel internally uses BPF.

-Michael

P.S. How the f*** is this not already the default in the Linux kernel? Performance only, eh?

> 
> Fixes: #12384
> 
> Signed-off-by: Peter Müller
> ---
> config/etc/sysctl.conf | 3 +++
> 1 file changed, 3 insertions(+)
> 
> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
> index 7e7ebee44..3f4c828f9 100644
> --- a/config/etc/sysctl.conf
> +++ b/config/etc/sysctl.conf
> @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1
> fs.protected_symlinks = 1
> fs.protected_hardlinks = 1
> 
> +# Turn on BPF JIT hardening, if the JIT is enabled.
> +net.core.bpf_jit_harden = 2
> +
> # Minimal preemption granularity for CPU-bound tasks:
> # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds)
> kernel.sched_min_granularity_ns = 10000000
> -- 
> 2.26.2
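Review bot: the inline comment added above `+net.core.bpf_jit_harden = 2` does not document what the value 2 selects or what it costs, which is exactly the motivation question raised in the reply above. The sysctl accepts 0 (hardening off, the kernel default), 1 (constant blinding only for BPF programs loaded by unprivileged users) and 2 (blinding for all programs, including those loaded by root), and the kernel documentation notes that hardening trades JIT performance for mitigating JIT spraying. Consider extending the comment to something like `# 2 = harden JIT output for all BPF programs (1 = unprivileged loaders only)` and stating in the commit message why 2 rather than 1 was chosen. As the comment already says, the setting is inert while `net.core.bpf_jit_enable` is 0, so this hunk changes nothing on its own unless the JIT is enabled elsewhere in the configuration.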