Skip to content

K
kernel-hardening-checker
Commit b23f245b by Alexander Popov
Options

Check the net.core.bpf_jit_harden sysctl

parent 59f734d0
Showing with 3 additions and 1 deletions
kconfig_hardened_check/checks.py
...@@ -583,7 +583,6 @@ def add_sysctl_checks(l, arch): ...@@ -583,7 +583,6 @@ def add_sysctl_checks(l, arch):
# user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone) # user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
# what about bpf_jit_enable? # what about bpf_jit_enable?
# kernel.unprivileged_bpf_disabled=1 # kernel.unprivileged_bpf_disabled=1
# net.core.bpf_jit_harden=2
# vm.unprivileged_userfaultfd=0 # vm.unprivileged_userfaultfd=0
# (at first, it disabled unprivileged userfaultfd, # (at first, it disabled unprivileged userfaultfd,
# and since v5.11 it enables unprivileged userfaultfd for user-mode only) # and since v5.11 it enables unprivileged userfaultfd for user-mode only)
...@@ -607,4 +606,7 @@ def add_sysctl_checks(l, arch): ...@@ -607,4 +606,7 @@ def add_sysctl_checks(l, arch):
# #
# Calling the SysctlCheck class constructor: # Calling the SysctlCheck class constructor:
# SysctlCheck(reason, decision, name, expected) # SysctlCheck(reason, decision, name, expected)
l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')]
l += [SysctlCheck('self_protection', 'kspp', 'kernel.dmesg_restrict', '1')] l += [SysctlCheck('self_protection', 'kspp', 'kernel.dmesg_restrict', '1')]
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment