From: Peter Müller Date: Fri, 9 Apr 2021 19:13:52 +0000 (+0200) Subject: sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=45022af1b80270039d649cde6071fe30344ae443;p=people%2Fstevee%2Fipfire-2.x.git sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled The second version of this patch splits this up into different architecture-specific sysctl config files, as i586 does not support BPF JIT, hence the net.core.bpf_jit_harden does not exist on that architecture. Fixes: #12384 Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- diff --git a/config/etc/sysctl-aarch64.conf b/config/etc/sysctl-aarch64.conf new file mode 100644 index 0000000000..9f840806d8 --- /dev/null +++ b/config/etc/sysctl-aarch64.conf @@ -0,0 +1,2 @@ +# Turn on BPF JIT hardening, if the JIT is enabled. +net.core.bpf_jit_harden = 2 diff --git a/config/etc/sysctl-armv5tel.conf b/config/etc/sysctl-armv5tel.conf new file mode 100644 index 0000000000..9f840806d8 --- /dev/null +++ b/config/etc/sysctl-armv5tel.conf @@ -0,0 +1,2 @@ +# Turn on BPF JIT hardening, if the JIT is enabled. +net.core.bpf_jit_harden = 2 diff --git a/config/etc/sysctl-x86_64.conf b/config/etc/sysctl-x86_64.conf index 7384bed513..c7abecc5d0 100644 --- a/config/etc/sysctl-x86_64.conf +++ b/config/etc/sysctl-x86_64.conf @@ -1,3 +1,6 @@ # Improve KASLR effectiveness for mmap vm.mmap_rnd_bits = 32 vm.mmap_rnd_compat_bits = 16 + +# Turn on BPF JIT hardening, if the JIT is enabled. +net.core.bpf_jit_harden = 2
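Review bot: The comment line above `net.core.bpf_jit_harden = 2` in config/etc/sysctl-aarch64.conf (the same line is repeated in the armv5tel and x86_64 hunks) does not say what the value 2 selects. In the kernel's sysctl documentation, 1 enables hardening for unprivileged users only and 2 enables it for all users, so the comment could read "Turn on BPF JIT hardening for all users, if the JIT is enabled." The commit message could also mention that hardening costs some JIT performance, since that is the trade-off being accepted.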
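Review bot: config/etc/sysctl-armv5tel.conf and config/etc/sysctl-aarch64.conf are added as new files, but nothing in this diff installs or loads them. Please confirm that whatever already handles sysctl-x86_64.conf also picks up these two file names, otherwise the setting is never applied on the ARM builds. Since the split was made because the key does not exist on i586, it is also worth verifying on an armv5tel build that net.core.bpf_jit_harden is present before shipping that file.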