sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled

The second version of this patch splits this up into different
architecture-specific sysctl config files, as i586 does not support BPF
JIT, hence the net.core.bpf_jit_harden does not exist on that
architecture.

Fixes: #12384
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/config/etc/sysctl-aarch64.conf b/config/etc/sysctl-aarch64.conf
new file mode 100644 (file)
index 0000000..9f84080
--- /dev/null
+++ b/config/etc/sysctl-aarch64.conf
@@ -0,0 +1,2 @@
+# Turn on BPF JIT hardening, if the JIT is enabled.
+net.core.bpf_jit_harden = 2

diff --git a/config/etc/sysctl-armv5tel.conf b/config/etc/sysctl-armv5tel.conf
new file mode 100644 (file)
index 0000000..9f84080
--- /dev/null
+++ b/config/etc/sysctl-armv5tel.conf
@@ -0,0 +1,2 @@
+# Turn on BPF JIT hardening, if the JIT is enabled.
+net.core.bpf_jit_harden = 2

diff --git a/config/etc/sysctl-x86_64.conf b/config/etc/sysctl-x86_64.conf
index 7384bed513164a3c8e51cd533b9751ab80be6df2..c7abecc5d0c75ad56d2dbcf6065df9405e33c8a5 100644 (file)
--- a/config/etc/sysctl-x86_64.conf
+++ b/config/etc/sysctl-x86_64.conf
@@ -1,3 +1,6 @@
 # Improve KASLR effectiveness for mmap
 vm.mmap_rnd_bits = 32
 vm.mmap_rnd_compat_bits = 16
+
+# Turn on BPF JIT hardening, if the JIT is enabled.
+net.core.bpf_jit_harden = 2