This is recommended by the Kernel Self Protection Project, and although we do not take advantage of the BPF JIT at this time, we should set this nevertheless in order to avoid potential security vulnerabilities.
Fixes: #12384
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/etc/sysctl.conf | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 7e7ebee44..3f4c828f9 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1 fs.protected_symlinks = 1 fs.protected_hardlinks = 1
+# Turn on BPF JIT hardening, if the JIT is enabled. +net.core.bpf_jit_harden = 2 + # Minimal preemption granularity for CPU-bound tasks: # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) kernel.sched_min_granularity_ns = 10000000