Hello Michael,
Hi Peter,
On 7 Jun 2020, at 18:02, Peter Müller peter.mueller@ipfire.org wrote:
This is recommended by the Kernel Self Protection Project, and although we do not take advantage of the BPF JIT at this time, we should set this nevertheless in order to avoid potential security vulnerabilities.
I do not really understand what you are trying to achieve here.
I am trying to achieve enabling of BPF JIT hardening.
Please state more clearly *why* you think this is a useful change for IPFire.
As far as I am aware, the kernel internally uses BPF.
Yes, to my knowledge, this is exactly the point. The Kernel is using it, and we should make sure it is properly hardened then. If this sysctl is helping, I do not see a reason why not turning it on.
Thanks, and best regards, Peter Müller
-Michael
P.S. How the f*** is this not already the default in the Linux kernel? Performance only, eh?
Fixes: #12384
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/etc/sysctl.conf | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 7e7ebee44..3f4c828f9 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1 fs.protected_symlinks = 1 fs.protected_hardlinks = 1
+# Turn on BPF JIT hardening, if the JIT is enabled. +net.core.bpf_jit_harden = 2
# Minimal preemption granularity for CPU-bound tasks: # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) kernel.sched_min_granularity_ns = 10000000 -- 2.26.2