bpf_jit_enable=0 prevents sysctl from loading

MaxStirner · 2019-07-23 06:52:38

When setting "net.core.bpf_jit_enable=0" in the 99-sysctl.conf file for added security, the conf file fails to load at boot time. I noticed this started with the 4.15 kernel. I thought this regression would iron itself out, but it still occurs. Any thoughts why this happens?

Last edited by MaxStirner (2019-07-23 06:55:03)

Nickolas0 · 2019-07-23 17:29:42

Arch Linux kernels have set CONFIG_BPF_JIT_ALWAYS_ON which isn't overridable and was indeed introduced in Linux 4.15. This is hardening recommendation against spectre exploits.

I would recommend to use

net.core.bpf_jit_harden=2

instead.

MaxStirner · 2019-07-24 06:34:26

Interesting. All these hardening tweaks I see online will tell you to disable BPD JIT, but you say otherwise. I’ll take your word for it. Thank you for the information.

Nickolas0 · 2019-07-24 10:57:03

Those hardening tweaks were probably written before spectre attacks were discovered. Anyway you shouldn't trust random folk on the net, you can read rationale behind this config here: https://git.kernel.org/pub/scm/linux/ke … da031705cb

loqs · 2019-07-24 10:58:33

[1] the commit that added CONFIG_BPF_JIT_ALWAYS_ON
[2] commit to documentation noting net.core.bpf_jit_enable will always be 1 with CONFIG_BPF_JIT_ALWAYS_ON=Y
You could also disable BPF for none root users [3] with

kernel.unprivileged_bpf_disabled = 1

[1] https://github.com/torvalds/linux/commi … da031705cb
[2] https://github.com/torvalds/linux/commi … 7b59977f59
[3] https://github.com/torvalds/linux/commi … 2393530afc

Arch Linux

#1 2019-07-23 06:52:38

bpf_jit_enable=0 prevents sysctl from loading

#2 2019-07-23 17:29:42

Re: bpf_jit_enable=0 prevents sysctl from loading

#3 2019-07-24 06:34:26

Re: bpf_jit_enable=0 prevents sysctl from loading

#4 2019-07-24 10:57:03

Re: bpf_jit_enable=0 prevents sysctl from loading

#5 2019-07-24 10:58:33

Re: bpf_jit_enable=0 prevents sysctl from loading

Board footer