When setting "net.core.bpf_jit_enable=0" in the 99-sysctl.conf file for added security, the conf file fails to load at boot time. I noticed this started with the 4.15 kernel. I thought this regression would iron itself out, but it still occurs. Any thoughts why this happens?
Last edited by MaxStirner (2019-07-23 06:55:03)
Arch Linux kernels have CONFIG_BPF_JIT_ALWAYS_ON set, which isn't overridable and was indeed introduced in Linux 4.15. This is a hardening recommendation against Spectre exploits.
I would recommend using
net.core.bpf_jit_harden=2
instead.
Interesting. All these hardening tweaks I see online will tell you to disable BPF JIT, but you say otherwise. I'll take your word for it. Thank you for the information.
Those hardening tweaks were probably written before Spectre attacks were discovered. Anyway, you shouldn't trust random folk on the net; you can read the rationale behind this config here: https://git.kernel.org/pub/scm/linux/ke … da031705cb
[1] the commit that added CONFIG_BPF_JIT_ALWAYS_ON
[2] commit to documentation noting net.core.bpf_jit_enable will always be 1 with CONFIG_BPF_JIT_ALWAYS_ON=Y
You could also disable BPF for non-root users [3] with
kernel.unprivileged_bpf_disabled = 1
[1] https://github.com/torvalds/linux/commi … da031705cb
[2] https://github.com/torvalds/linux/commi … 7b59977f59
[3] https://github.com/torvalds/linux/commi … 2393530afc
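A defender's check for the settings discussed in this thread, added here as an example and not code from any of the posters: a POSIX shell function that audits a sysctl .conf file for the net.core.bpf_jit_enable=0 line (which cannot be applied on a CONFIG_BPF_JIT_ALWAYS_ON kernel) and for the two replacements suggested above, plus a helper that reads the running kernel's config where it is exposed. The file names, function names and sample .conf contents are my own.

```shell
#!/bin/sh
# Audit a sysctl .conf for the BPF JIT settings discussed in the thread.
# Prints one finding per line; the return value is the number of problems.
audit_bpf_sysctl() {
    conf=$1
    problems=0
    # Drop comments and blank lines, normalise "key = value" to "key=value".
    norm=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
               -e 's/[[:space:]]*=[[:space:]]*/=/' \
               -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$conf")
    if printf '%s\n' "$norm" | grep -q '^net\.core\.bpf_jit_enable=0$'; then
        echo "PROBLEM: net.core.bpf_jit_enable=0 is rejected on CONFIG_BPF_JIT_ALWAYS_ON kernels; remove it"
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$norm" | grep -q '^net\.core\.bpf_jit_harden=2$'; then
        echo "PROBLEM: net.core.bpf_jit_harden=2 not set (JIT hardening for all users)"
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$norm" | grep -q '^kernel\.unprivileged_bpf_disabled=1$'; then
        echo "PROBLEM: kernel.unprivileged_bpf_disabled=1 not set (unprivileged BPF still allowed)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Does the running kernel pin the JIT on? Returns 0 if yes, 1 if no,
# 2 if the kernel config is not readable on this system.
jit_always_on() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -q '^CONFIG_BPF_JIT_ALWAYS_ON=y'
    elif [ -r "/boot/config-$(uname -r)" ]; then
        grep -q '^CONFIG_BPF_JIT_ALWAYS_ON=y' "/boot/config-$(uname -r)"
    else
        return 2
    fi
}

# Constructed sample files: the poster's original line vs. the recommended pair.
tmp=$(mktemp -d)
printf 'net.core.bpf_jit_enable = 0\n' > "$tmp/old.conf"
printf '# hardened\nnet.core.bpf_jit_harden = 2\nkernel.unprivileged_bpf_disabled = 1\n' > "$tmp/new.conf"
for f in "$tmp/old.conf" "$tmp/new.conf"; do
    echo "== $f"
    if audit_bpf_sysctl "$f"; then echo "OK: nothing to change"; fi
done
if jit_always_on; then echo "running kernel: CONFIG_BPF_JIT_ALWAYS_ON=y, bpf_jit_enable is pinned to 1"
else echo "running kernel: JIT not pinned on, or kernel config not readable here"; fi
rm -rf "$tmp"
```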