From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH v2] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled Date: Fri, 09 Apr 2021 21:13:52 +0200 Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7586308185273893579==" List-Id: --===============7586308185273893579== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit The second version of this patch splits this up into different architecture-specific sysctl config files, as i586 does not support BPF JIT, hence the net.core.bpf_jit_harden does not exist on that architecture. Fixes: #12384 Signed-off-by: Peter Müller --- config/etc/sysctl-aarch64.conf | 2 ++ config/etc/sysctl-armv5tel.conf | 2 ++ config/etc/sysctl-x86_64.conf | 3 +++ 3 files changed, 7 insertions(+) create mode 100644 config/etc/sysctl-aarch64.conf create mode 100644 config/etc/sysctl-armv5tel.conf diff --git a/config/etc/sysctl-aarch64.conf b/config/etc/sysctl-aarch64.conf new file mode 100644 index 000000000..9f840806d --- /dev/null +++ b/config/etc/sysctl-aarch64.conf @@ -0,0 +1,2 @@ +# Turn on BPF JIT hardening, if the JIT is enabled. +net.core.bpf_jit_harden = 2 diff --git a/config/etc/sysctl-armv5tel.conf b/config/etc/sysctl-armv5tel.conf new file mode 100644 index 000000000..9f840806d --- /dev/null +++ b/config/etc/sysctl-armv5tel.conf @@ -0,0 +1,2 @@ +# Turn on BPF JIT hardening, if the JIT is enabled. +net.core.bpf_jit_harden = 2 diff --git a/config/etc/sysctl-x86_64.conf b/config/etc/sysctl-x86_64.conf index 7384bed51..c7abecc5d 100644 --- a/config/etc/sysctl-x86_64.conf +++ b/config/etc/sysctl-x86_64.conf @@ -1,3 +1,6 @@ # Improve KASLR effectiveness for mmap vm.mmap_rnd_bits = 32 vm.mmap_rnd_compat_bits = 16 + +# Turn on BPF JIT hardening, if the JIT is enabled. +net.core.bpf_jit_harden = 2 -- 2.26.2 --===============7586308185273893579==--
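Review bot: The comment in the new sysctl-aarch64.conf ("Turn on BPF JIT hardening, if the JIT is enabled.") undersells what 2 does and hides a failure mode. net.core.bpf_jit_harden = 1 applies constant blinding only to programs loaded by unprivileged users, while 2 applies it to every JIT-compiled program including those loaded by root, at a small cost for each; the comment should say which users the value targets so a later reader does not downgrade it to 1 without realising the difference. Separately, the key only exists when the kernel is built with CONFIG_BPF_JIT; on a kernel without it, `sysctl -p` reports the key as missing and exits non-zero, which is exactly the i586 problem the cover text describes. Suggest either loading these files with `sysctl -e` (ignore unknown keys) or noting in the comment that the line must be removed if the kernel for this architecture is ever built without the JIT.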
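Review bot: sysctl-armv5tel.conf is byte-for-byte identical to sysctl-aarch64.conf (both new-file hunks show the same blob, 000000000..9f840806d), so the two will drift the first time one is edited without the other. Suggest a one-line comment in each file pointing at its twin, or a single shared fragment that the per-architecture files pull in, and a short note in the file itself that the split by architecture exists because not every architecture has a BPF JIT (that reasoning currently lives only in the cover text). Also, the patch creates two new files but does not show a change to whatever installs the sysctl-<arch>.conf files on the target; please confirm the build and rootfile lists pick up the two new names, since only the x86_64 file existed before.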
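Review bot: In the sysctl-x86_64.conf hunk the new block follows the file's existing layout (comment line, key = value, blank line between groups), which is fine; the documentation gap is the phrase "if the JIT is enabled". net.core.bpf_jit_harden does not enable the JIT, and with net.core.bpf_jit_enable = 0 the setting has no effect at all, while on a kernel built with CONFIG_BPF_JIT_ALWAYS_ON the JIT cannot be turned off and this becomes the only relevant knob. Suggest either stating which of the two cases applies to the shipped x86_64 kernel, or adding an explicit `net.core.bpf_jit_enable = 1` beside it so that the hardening is known to be in effect rather than depending on the kernel default.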