This is recommended by the Kernel Self Protection Project, and although
we do not take advantage of the BPF JIT at this time, we should set this
nevertheless in order to avoid potential security vulnerabilities.
Fixes: #12384
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
config/etc/sysctl.conf | 3 +++
1 file changed, 3 insertions(+)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index 7e7ebee44..3f4c828f9 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
+# Turn on BPF JIT hardening, if the JIT is enabled.
+net.core.bpf_jit_harden = 2
+
# Minimal preemption granularity for CPU-bound tasks:
# (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds)
kernel.sched_min_granularity_ns = 10000000
--
2.26.2