- l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')]
+ # Use an omnipresent kconfig symbol to see if we have a kconfig file for checking
+ have_kconfig = KconfigCheck('-', '-', 'LOCALVERSION', 'is present')
+
+ l += [OR(SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2'),
+ AND(KconfigCheck('-', '-', 'BPF_JIT', 'is not set'),
+ have_kconfig))]
+ # Choosing a right value for 'kernel.oops_limit' and 'kernel.warn_limit' is not easy.
+ # A small value (e.g. 1, which is recommended by KSPP) allows easy DoS.
+ # A large value (e.g. 10000, which is default 'kernel.oops_limit') may miss the exploit attempt.
+ # Let's choose 100 as a reasonable compromise.
+ l += [SysctlCheck('self_protection', 'a13xp0p0v', 'kernel.oops_limit', '100')]
+ l += [SysctlCheck('self_protection', 'a13xp0p0v', 'kernel.warn_limit', '100')]