FS#61642 - Following Arch Linux Security Guide on BPF JIT not possible because of Kernel Config option

Attached to Project: Arch Linux
Opened by Björn Wiedenmann (rtfm3514) - Tuesday, 05 February 2019, 19:55 GMT
Last edited by Jelle van der Waa (jelly) - Wednesday, 24 April 2019, 21:02 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

Hi,

I am trying to implement some steps from
https://wiki.archlinux.org/index.php/security#Keep_BPF_JIT_compiler_disabled

but it seems like the option cannot be disabled with the current kernel config:

https://git.archlinux.org/svntogit/packages.git/tree/trunk/config.x86_64?h=packages/linux-hardened :
[...]
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT_ALWAYS_ON=y
[...]

I was wondering, is this done on purpose, or did the option just "sneak by"?

Additional info:
Name : linux-hardened
Version : 4.20.6.a-1

(mainline kernel package might also be affected?)

Steps to reproduce:
# echo 0 > /proc/sys/net/core/bpf_jit_enable
echo: write error: invalid argument

Thanks a lot,
rtfm3514

Closed by Jelle van der Waa (jelly)
Wednesday, 24 April 2019, 21:02 GMT
Reason for closing: Not a bug
Comment by Jake Kreiger (Magali75) - Tuesday, 05 February 2019, 20:52 GMT
It was done on purpose to defend against spectre attacks, see https://github.com/torvalds/linux/commit/290af86629b25ffd1ed6232c4e9107da031705cb . Arch wiki has garbage info.
Comment by Björn Wiedenmann (rtfm3514) - Wednesday, 06 February 2019, 13:08 GMT
Oh, thanks a lot for the clarification. I will have this closed then.
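An added check script, not from this report or from Arch's packaging, built from the reasoning in the report and the reply above: it classifies a kernel config by its BPF JIT options and models the sysctl range check that yields the "invalid argument" error, so an administrator can tell in advance whether the wiki step can apply. The config excerpts are constructed, the live check assumes /proc/config.gz or a /boot/config-* file is readable, and net.core.bpf_jit_harden is a knob not mentioned on this page.

```shell
#!/bin/sh
# Added example (not from the bug report or the Arch packages): classify a
# kernel config's BPF JIT settings and model the bpf_jit_enable sysctl check.

# Constructed excerpt matching the config lines quoted in the report.
HARDENED_CONFIG='CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y'

# Constructed counter-example: JIT built in but not pinned on.
SWITCHABLE_CONFIG='CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
# CONFIG_BPF_JIT_ALWAYS_ON is not set'

# Print how the given kernel config text treats the JIT:
#   always-on  -> bpf_jit_enable is pinned to 1 by the kernel
#   switchable -> bpf_jit_enable may be set to 0 or 1
#   no-jit     -> no JIT compiled in, so the sysctl is absent
classify_jit_config() {
    if printf '%s\n' "$1" | grep -qx 'CONFIG_BPF_JIT_ALWAYS_ON=y'; then
        echo always-on
    elif printf '%s\n' "$1" | grep -qx 'CONFIG_BPF_JIT=y'; then
        echo switchable
    else
        echo no-jit
    fi
}

# Mirror the sysctl range check: with ALWAYS_ON the kernel registers
# bpf_jit_enable with min=max=1, so any other value is rejected with EINVAL,
# which is the "write error: invalid argument" in the steps to reproduce.
# Returns 0 if writing VALUE to net.core.bpf_jit_enable would be accepted.
jit_write_accepted() {
    config="$1"; value="$2"
    case "$(classify_jit_config "$config")" in
        always-on)  [ "$value" = 1 ] ;;
        switchable) [ "$value" = 0 ] || [ "$value" = 1 ] ;;
        *)          return 1 ;;
    esac
}

# Live check: read the running kernel's config (assumes /proc/config.gz or
# /boot/config-$(uname -r) is readable) and report the current sysctl state.
check_live_system() {
    if [ -r /proc/config.gz ]; then cfg=$(zcat /proc/config.gz)
    elif [ -r "/boot/config-$(uname -r)" ]; then cfg=$(cat "/boot/config-$(uname -r)")
    else echo "kernel config not readable; cannot tell" >&2; return 1; fi
    echo "JIT mode: $(classify_jit_config "$cfg")"
    echo "net.core.bpf_jit_enable = $(cat /proc/sys/net/core/bpf_jit_enable)"
    # bpf_jit_harden (not on this page) stays writable when the JIT is pinned on.
    if [ -r /proc/sys/net/core/bpf_jit_harden ]; then
        echo "net.core.bpf_jit_harden = $(cat /proc/sys/net/core/bpf_jit_harden)"
    fi
}

if [ "${BPF_JIT_LIVE_CHECK:-0}" = 1 ]; then check_live_system; fi
```

Run with BPF_JIT_LIVE_CHECK=1 to inspect the running kernel; without it the script only defines the functions.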
