Withdraw my recommendation about BPF_JIT

CLIP OS wiki and Kees say that BPF interpreter is worse for the kernel security than BPF_JIT. So for now I withdraw my recommendation about BPF_JIT. N.B. LOCKDOWN disables BPF_SYSCALL, but not BPF_JIT.

Withdraw my recommendation about BPF_JIT
CLIP OS wiki and Kees say that BPF interpreter is worse for the kernel security than BPF_JIT. So for now I withdraw my recommendation about BPF_JIT. N.B. LOCKDOWN disables BPF_SYSCALL, but not BPF_JIT.
4c7a125e · Alexander Popov · f1903be8 · 4c7a125e
Commit 4c7a125e authored Oct 16, 2020 by Alexander Popov
Hide whitespace changes
Inline Side-by-side

Showing with 1 additions and 1 deletions

__init__.py kconfig_hardened_check/__init__.py +1 -1

No files found.
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -41,6 +41,7 @@
 #    kernel.kexec_load_disabled=1
 #    kernel.yama.ptrace_scope=3
 #    user.max_user_namespaces=0
+#    what about bpf_jit_enable?
 #    kernel.unprivileged_bpf_disabled=1
 #    net.core.bpf_jit_harden=2
 #
@@ -492,7 +493,6 @@ def construct_checklist(l, arch):
    l += [OptCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')]
    l += [OptCheck('cut_attack_surface', 'my', 'IP_SCTP', 'is not set')]
    l += [OptCheck('cut_attack_surface', 'my', 'FTRACE', 'is not set')] # refers to LOCKDOWN
-    l += [OptCheck('cut_attack_surface', 'my', 'BPF_JIT', 'is not set')]
    l += [OptCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
    l += [OptCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger