From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled
Date: Fri, 02 Apr 2021 21:37:47 +0200
In-Reply-To: <7e6697a9-62f1-95b1-fdc4-d16a7f7825bf@ipfire.org>

Hello Michael,

especially after https://lists.ipfire.org/pipermail/development/2021-April/009804.html,
I would really like to bring this up once more.

From my point of view, it is safe to turn on that sysctl, as no user should ever load
anything into BPF directly on an IPFire 2.x machine, especially not if that abuses some
JIT oddities.

At least on my semi-productive testing machine, this does not break anything I am aware of.

Thanks, and best regards,
Peter Müller

> Hello Michael,
>
>> Hi Peter,
>>
>>> On 7 Jun 2020, at 18:02, Peter Müller wrote:
>>>
>>> This is recommended by the Kernel Self Protection Project, and although
>>> we do not take advantage of the BPF JIT at this time, we should set this
>>> nevertheless in order to avoid potential security vulnerabilities.
>>
>> I do not really understand what you are trying to achieve here.
>
> I am trying to achieve enabling of BPF JIT hardening.
>
>> Please state more clearly *why* you think this is a useful change for IPFire.
>>
>> As far as I am aware, the kernel internally uses BPF.
>
> Yes, to my knowledge, this is exactly the point. The Kernel is using it, and
> we should make sure it is properly hardened then. If this sysctl is helping,
> I do not see a reason for not turning it on.
>
> Thanks, and best regards,
> Peter Müller
>
>> -Michael
>>
>> P.S. How the f*** is this not already the default in the Linux kernel? Performance only, eh?
>>
>>>
>>> Fixes: #12384
>>>
>>> Signed-off-by: Peter Müller
>>> ---
>>> config/etc/sysctl.conf | 3 +++
>>> 1 file changed, 3 insertions(+)
>>>
>>> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
>>> index 7e7ebee44..3f4c828f9 100644
>>> --- a/config/etc/sysctl.conf
>>> +++ b/config/etc/sysctl.conf
>>> @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1
>>> fs.protected_symlinks = 1
>>> fs.protected_hardlinks = 1
>>>
>>> +# Turn on BPF JIT hardening, if the JIT is enabled.
>>> +net.core.bpf_jit_harden = 2
>>> +
>>> # Minimal preemption granularity for CPU-bound tasks:
>>> # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds)
>>> kernel.sched_min_granularity_ns = 10000000
>>> --
>>> 2.26.2
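Review bot: the added comment above `net.core.bpf_jit_harden = 2` says "if the JIT is enabled", but nothing in this hunk or the surrounding sysctl.conf lines enables it, so the comment should say where that condition is met (the kernel's `net.core.bpf_jit_enable`, or a kernel built with CONFIG_BPF_JIT_ALWAYS_ON); with the JIT off, every BPF program runs in the interpreter and this key changes nothing. Two related points worth a line in the comment or the commit message: value 2 applies constant blinding to programs loaded by root as well, not only by unprivileged users (that is what 1 does), and blinding costs extra instructions on every JITed program, which is the trade-off Michael's "performance only, eh?" remark refers to. Finally, on a kernel built without CONFIG_BPF_JIT the key does not exist at all and `sysctl -p` will report it as unknown; if the build may vary, writing the line as `-net.core.bpf_jit_harden = 2` makes sysctl ignore that error instead of failing the whole file.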
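As an added example, not code from the thread or from the IPFire tree: a small POSIX sh check a reviewer could run on the box after applying the patch, to see whether the new `net.core.bpf_jit_harden` setting is actually in effect. It reads the two sysctl files under `/proc/sys/net/core` and reports the case Peter's comment hedges on ("if the JIT is enabled"): a harden value that is set while the JIT is off has no effect. The optional directory argument is an assumption made here so the function can be exercised against a constructed tree; on a real system it defaults to the kernel's sysctl directory.

```shell
#!/bin/sh
# Added example (not part of the IPFire patch): report whether the BPF JIT
# hardening sysctl from the patch is in effect on this kernel.
#
# Usage: bpf_jit_status [sysctl_dir]
#   sysctl_dir defaults to /proc/sys/net/core; passing another directory is an
#   assumption of this example so the logic can be checked offline.
bpf_jit_status() {
    dir="${1:-/proc/sys/net/core}"

    # No bpf_jit_enable file means the kernel was built without CONFIG_BPF_JIT;
    # bpf_jit_harden does not exist either, and sysctl -p would report it as unknown.
    if [ ! -r "$dir/bpf_jit_enable" ]; then
        echo "no-jit-sysctl"
        return 0
    fi

    enable=$(cat "$dir/bpf_jit_enable")
    # Older kernels may expose bpf_jit_enable without bpf_jit_harden; treat that as 0.
    harden=$(cat "$dir/bpf_jit_harden" 2>/dev/null || echo 0)

    if [ "$enable" = "0" ]; then
        # Programs run in the interpreter; blinding never happens, whatever harden says.
        echo "jit-off:harden=$harden:ineffective"
    elif [ "$harden" = "2" ]; then
        # Constant blinding for programs loaded by all users, root included.
        echo "jit-on:harden=2:all-users"
    elif [ "$harden" = "1" ]; then
        # Constant blinding only for programs loaded by unprivileged users.
        echo "jit-on:harden=1:unprivileged-only"
    else
        echo "jit-on:harden=0:none"
    fi
}

# When run as a script, check the live kernel.
bpf_jit_status "$@"
```

Run it once before and once after `sysctl -p` to confirm the reported state changes from `harden=0` to `harden=2`; if the output starts with `jit-off`, the patch line is present but idle until the JIT is switched on.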