From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled
Date: Mon, 12 Apr 2021 19:58:20 +0200

Hello Michael,

thanks for your reply.

Usually, I do not include shipping details or instructions to my patches, since they made things less flexible and I failed to be consistent here. Sorry for causing additional workload on your side here.

Thanks, and best regards,
Peter Müller

> Hello,
>
> Thanks for the patch, but this broke shipping the files, which I hopefully fixed properly here:
>
> https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=7ae1dcb33e27d2ea354acd6e7093741781e4092d
>
> Best,
> -Michael
>
>> On 9 Apr 2021, at 20:13, Peter Müller wrote:
>>
>> The second version of this patch splits this up into different
>> architecture-specific sysctl config files, as i586 does not support BPF
>> JIT, hence the net.core.bpf_jit_harden does not exist on that
>> architecture.
>>
>> Fixes: #12384
>>
>> Signed-off-by: Peter Müller
>> --- >> config/etc/sysctl-aarch64.conf | 2 ++ >> config/etc/sysctl-armv5tel.conf | 2 ++ >> config/etc/sysctl-x86_64.conf | 3 +++ >> 3 files changed, 7 insertions(+) >> create mode 100644 config/etc/sysctl-aarch64.conf >> create mode 100644 config/etc/sysctl-armv5tel.conf >> >> diff --git a/config/etc/sysctl-aarch64.conf b/config/etc/sysctl-aarch64.co= nf >> new file mode 100644 >> index 000000000..9f840806d >> --- /dev/null >> +++ b/config/etc/sysctl-aarch64.conf >> @@ -0,0 +1,2 @@ >> +# Turn on BPF JIT hardening, if the JIT is enabled. >> +net.core.bpf_jit_harden =3D 2 
>> diff --git a/config/etc/sysctl-armv5tel.conf b/config/etc/sysctl-armv5tel.= conf >> new file mode 100644 >> index 000000000..9f840806d >> --- /dev/null >> +++ b/config/etc/sysctl-armv5tel.conf >> @@ -0,0 +1,2 @@ >> +# Turn on BPF JIT hardening, if the JIT is enabled. >> +net.core.bpf_jit_harden =3D 2 >> diff --git a/config/etc/sysctl-x86_64.conf b/config/etc/sysctl-x86_64.conf >> index 7384bed51..c7abecc5d 100644 >> --- a/config/etc/sysctl-x86_64.conf >> +++ b/config/etc/sysctl-x86_64.conf >> @@ -1,3 +1,6 @@ >> # Improve KASLR effectiveness for mmap >> vm.mmap_rnd_bits =3D 32 >> vm.mmap_rnd_compat_bits =3D 16 >> + >> +# Turn on BPF JIT hardening, if the JIT is enabled. >> +net.core.bpf_jit_harden =3D 2 >> --=20 >> 2.26.2 >> >=20 --===============2323783306288449155==--
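
Review bot: the two new files, config/etc/sysctl-aarch64.conf and config/etc/sysctl-armv5tel.conf, are created by this patch, but the diffstat touches nothing outside config/etc, so nothing visible here installs them on those architectures or lists them for an update. Add the install and packaging changes for both files to the same patch, or say in the commit message that they follow separately, so the setting actually reaches aarch64 and armv5tel systems.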
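
Review bot: in the sysctl-x86_64.conf hunk, the comment above net.core.bpf_jit_harden does not say what the value 2 selects. The kernel documents 1 as hardening for unprivileged users only and 2 as hardening for all users; put that in the comment so the choice of 2 over 1 is visible to whoever edits the file next. The same comment text is repeated in both new files and would need the same wording there.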