Hi Peter,
On 7 Jun 2020, at 18:02, Peter Müller peter.mueller@ipfire.org wrote:
This is recommended by the Kernel Self Protection Project, and although we do not take advantage of the BPF JIT at this time, we should set this nevertheless in order to avoid potential security vulnerabilities.
I do not really understand what you are trying to achieve here.
Please state more clearly *why* you think this is a useful change for IPFire.
As far as I am aware, the kernel internally uses BPF.
-Michael
P.S. How the f*** is this not already the default in the Linux kernel? Performance only, eh?
Fixes: #12384
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/etc/sysctl.conf | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 7e7ebee44..3f4c828f9 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1 fs.protected_symlinks = 1 fs.protected_hardlinks = 1
+# Turn on BPF JIT hardening, if the JIT is enabled. +net.core.bpf_jit_harden = 2
# Minimal preemption granularity for CPU-bound tasks: # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) kernel.sched_min_granularity_ns = 10000000 -- 2.26.2