* [PATCH v2] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled @ 2021-04-09 19:13 Peter Müller 2021-04-12 9:19 ` Michael Tremer 0 siblings, 1 reply; 4+ messages in thread From: Peter Müller @ 2021-04-09 19:13 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1485 bytes --] The second version of this patch splits this up into different architecture-specific sysctl config files, as i586 does not support BPF JIT, hence the net.core.bpf_jit_harden does not exist on that architecture. Fixes: #12384 Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/etc/sysctl-aarch64.conf | 2 ++ config/etc/sysctl-armv5tel.conf | 2 ++ config/etc/sysctl-x86_64.conf | 3 +++ 3 files changed, 7 insertions(+) create mode 100644 config/etc/sysctl-aarch64.conf create mode 100644 config/etc/sysctl-armv5tel.conf diff --git a/config/etc/sysctl-aarch64.conf b/config/etc/sysctl-aarch64.conf new file mode 100644 index 000000000..9f840806d --- /dev/null +++ b/config/etc/sysctl-aarch64.conf @@ -0,0 +1,2 @@ +# Turn on BPF JIT hardening, if the JIT is enabled. +net.core.bpf_jit_harden = 2 diff --git a/config/etc/sysctl-armv5tel.conf b/config/etc/sysctl-armv5tel.conf new file mode 100644 index 000000000..9f840806d --- /dev/null +++ b/config/etc/sysctl-armv5tel.conf @@ -0,0 +1,2 @@ +# Turn on BPF JIT hardening, if the JIT is enabled. +net.core.bpf_jit_harden = 2 diff --git a/config/etc/sysctl-x86_64.conf b/config/etc/sysctl-x86_64.conf index 7384bed51..c7abecc5d 100644 --- a/config/etc/sysctl-x86_64.conf +++ b/config/etc/sysctl-x86_64.conf @@ -1,3 +1,6 @@ # Improve KASLR effectiveness for mmap vm.mmap_rnd_bits = 32 vm.mmap_rnd_compat_bits = 16 + +# Turn on BPF JIT hardening, if the JIT is enabled. +net.core.bpf_jit_harden = 2 -- 2.26.2 ^ permalink raw reply [flat|nested] 4+ messages in thread
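Review bot: config/etc/sysctl-aarch64.conf is created as a new file, but the diffstat lists only the three sysctl files, so nothing visible in this patch adds the new files to whatever decides what gets shipped. The first reply in this thread reports that shipping broke and had to be fixed in a follow-up commit. The root file entries for the new files belong in the same patch that creates them.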
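Review bot: config/etc/sysctl-armv5tel.conf is byte-identical to the aarch64 file (both show index 000000000..9f840806d), and neither file says why there is no i586 counterpart. The commit message gives the reason (net.core.bpf_jit_harden does not exist on i586), so a one-line comment to that effect in each file would stop someone from later folding the setting back into a common sysctl file and reintroducing the failure on i586.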
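Review bot: In the config/etc/sysctl-x86_64.conf hunk, the comment above "net.core.bpf_jit_harden = 2" does not say what the value 2 selects. The kernel's sysctl documentation defines 0 as hardening disabled, 1 as hardening for unprivileged users only and 2 as hardening for all users, so the comment should state that 2 was chosen to cover privileged loaders as well. The commit message also describes only the v1 to v2 difference. It should give the motivation for the setting and move the revision note below the "---" line.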
* Re: [PATCH v2] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled 2021-04-09 19:13 [PATCH v2] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled Peter Müller @ 2021-04-12 9:19 ` Michael Tremer 2021-04-12 17:58 ` Peter Müller 0 siblings, 1 reply; 4+ messages in thread From: Michael Tremer @ 2021-04-12 9:19 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1928 bytes --] Hello, Thanks for the patch, but this broke shipping the files which I hopefully fixed properly here: https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=7ae1dcb33e27d2ea354acd6e7093741781e4092d Best, -Michael > On 9 Apr 2021, at 20:13, Peter Müller <peter.mueller(a)ipfire.org> wrote: > > The second version of this patch splits this up into different > architecture-specific sysctl config files, as i586 does not support BPF > JIT, hence the net.core.bpf_jit_harden does not exist on that > architecture. > > Fixes: #12384 > > Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> > --- > config/etc/sysctl-aarch64.conf | 2 ++ > config/etc/sysctl-armv5tel.conf | 2 ++ > config/etc/sysctl-x86_64.conf | 3 +++ > 3 files changed, 7 insertions(+) > create mode 100644 config/etc/sysctl-aarch64.conf > create mode 100644 config/etc/sysctl-armv5tel.conf > > diff --git a/config/etc/sysctl-aarch64.conf b/config/etc/sysctl-aarch64.conf > new file mode 100644 > index 000000000..9f840806d > --- /dev/null > +++ b/config/etc/sysctl-aarch64.conf > @@ -0,0 +1,2 @@ > +# Turn on BPF JIT hardening, if the JIT is enabled. > +net.core.bpf_jit_harden = 2 > diff --git a/config/etc/sysctl-armv5tel.conf b/config/etc/sysctl-armv5tel.conf > new file mode 100644 > index 000000000..9f840806d > --- /dev/null > +++ b/config/etc/sysctl-armv5tel.conf > @@ -0,0 +1,2 @@ > +# Turn on BPF JIT hardening, if the JIT is enabled. > +net.core.bpf_jit_harden = 2 > diff --git a/config/etc/sysctl-x86_64.conf b/config/etc/sysctl-x86_64.conf > index 7384bed51..c7abecc5d 100644 
> --- a/config/etc/sysctl-x86_64.conf > +++ b/config/etc/sysctl-x86_64.conf > @@ -1,3 +1,6 @@ > # Improve KASLR effectiveness for mmap > vm.mmap_rnd_bits = 32 > vm.mmap_rnd_compat_bits = 16 > + > +# Turn on BPF JIT hardening, if the JIT is enabled. > +net.core.bpf_jit_harden = 2 > -- > 2.26.2 > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v2] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled 2021-04-12 9:19 ` Michael Tremer @ 2021-04-12 17:58 ` Peter Müller 2021-04-13 9:47 ` Michael Tremer 0 siblings, 1 reply; 4+ messages in thread From: Peter Müller @ 2021-04-12 17:58 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2289 bytes --] Hello Michael, thanks for your reply. Usually, I do not include shipping details or instructions to my patches, since they made things less flexible and I failed to be consistent here. Sorry for causing additional workload on your side here. Thanks, and best regards, Peter Müller > Hello, > > Thanks for the patch, but this broke shipping the files which I hopefully fixed properly here: > > https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=7ae1dcb33e27d2ea354acd6e7093741781e4092d > > Best, > -Michael > >> On 9 Apr 2021, at 20:13, Peter Müller <peter.mueller(a)ipfire.org> wrote: >> >> The second version of this patch splits this up into different >> architecture-specific sysctl config files, as i586 does not support BPF >> JIT, hence the net.core.bpf_jit_harden does not exist on that >> architecture. >> >> Fixes: #12384 >> >> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >> --- >> config/etc/sysctl-aarch64.conf | 2 ++ >> config/etc/sysctl-armv5tel.conf | 2 ++ >> config/etc/sysctl-x86_64.conf | 3 +++ >> 3 files changed, 7 insertions(+) >> create mode 100644 config/etc/sysctl-aarch64.conf >> create mode 100644 config/etc/sysctl-armv5tel.conf >> >> diff --git a/config/etc/sysctl-aarch64.conf b/config/etc/sysctl-aarch64.conf >> new file mode 100644 >> index 000000000..9f840806d >> --- /dev/null >> +++ b/config/etc/sysctl-aarch64.conf >> @@ -0,0 +1,2 @@ >> +# Turn on BPF JIT hardening, if the JIT is enabled. >> +net.core.bpf_jit_harden = 2 >> diff --git a/config/etc/sysctl-armv5tel.conf b/config/etc/sysctl-armv5tel.conf >> new file mode 100644 >> index 000000000..9f840806d >> --- /dev/null 
>> +++ b/config/etc/sysctl-armv5tel.conf >> @@ -0,0 +1,2 @@ >> +# Turn on BPF JIT hardening, if the JIT is enabled. >> +net.core.bpf_jit_harden = 2 >> diff --git a/config/etc/sysctl-x86_64.conf b/config/etc/sysctl-x86_64.conf >> index 7384bed51..c7abecc5d 100644 >> --- a/config/etc/sysctl-x86_64.conf >> +++ b/config/etc/sysctl-x86_64.conf >> @@ -1,3 +1,6 @@ >> # Improve KASLR effectiveness for mmap >> vm.mmap_rnd_bits = 32 >> vm.mmap_rnd_compat_bits = 16 >> + >> +# Turn on BPF JIT hardening, if the JIT is enabled. >> +net.core.bpf_jit_harden = 2 >> -- >> 2.26.2 >> > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v2] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled 2021-04-12 17:58 ` Peter Müller @ 2021-04-13 9:47 ` Michael Tremer 0 siblings, 0 replies; 4+ messages in thread From: Michael Tremer @ 2021-04-13 9:47 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2602 bytes --] Hello, > On 12 Apr 2021, at 18:58, Peter Müller <peter.mueller(a)ipfire.org> wrote: > > Hello Michael, > > thanks for your reply. > > Usually, I do not include shipping details or instructions to my patches, since they made things less > flexible and I failed to be consistent here. Sorry for causing additional workload on your side here. That is true for the core update files, but this was in the root files which generally are being updated by patches. -Michael > > Thanks, and best regards, > Peter Müller > > >> Hello, >> >> Thanks for the patch, but this broke shipping the files which I hopefully fixed properly here: >> >> https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=7ae1dcb33e27d2ea354acd6e7093741781e4092d >> >> Best, >> -Michael >> >>> On 9 Apr 2021, at 20:13, Peter Müller <peter.mueller(a)ipfire.org> wrote: >>> >>> The second version of this patch splits this up into different >>> architecture-specific sysctl config files, as i586 does not support BPF >>> JIT, hence the net.core.bpf_jit_harden does not exist on that >>> architecture. >>> >>> Fixes: #12384 >>> >>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >>> --- >>> config/etc/sysctl-aarch64.conf | 2 ++ >>> config/etc/sysctl-armv5tel.conf | 2 ++ >>> config/etc/sysctl-x86_64.conf | 3 +++ >>> 3 files changed, 7 insertions(+) >>> create mode 100644 config/etc/sysctl-aarch64.conf >>> create mode 100644 config/etc/sysctl-armv5tel.conf >>> >>> diff --git a/config/etc/sysctl-aarch64.conf b/config/etc/sysctl-aarch64.conf >>> new file mode 100644 >>> index 000000000..9f840806d >>> --- /dev/null >>> +++ b/config/etc/sysctl-aarch64.conf 
>>> @@ -0,0 +1,2 @@ >>> +# Turn on BPF JIT hardening, if the JIT is enabled. >>> +net.core.bpf_jit_harden = 2 >>> diff --git a/config/etc/sysctl-armv5tel.conf b/config/etc/sysctl-armv5tel.conf >>> new file mode 100644 >>> index 000000000..9f840806d >>> --- /dev/null >>> +++ b/config/etc/sysctl-armv5tel.conf >>> @@ -0,0 +1,2 @@ >>> +# Turn on BPF JIT hardening, if the JIT is enabled. >>> +net.core.bpf_jit_harden = 2 >>> diff --git a/config/etc/sysctl-x86_64.conf b/config/etc/sysctl-x86_64.conf >>> index 7384bed51..c7abecc5d 100644 >>> --- a/config/etc/sysctl-x86_64.conf >>> +++ b/config/etc/sysctl-x86_64.conf >>> @@ -1,3 +1,6 @@ >>> # Improve KASLR effectiveness for mmap >>> vm.mmap_rnd_bits = 32 >>> vm.mmap_rnd_compat_bits = 16 >>> + >>> +# Turn on BPF JIT hardening, if the JIT is enabled. >>> +net.core.bpf_jit_harden = 2 >>> -- >>> 2.26.2 >>> >> ^ permalink raw reply [flat|nested] 4+ messages in thread