Withdraw my recommendation about BPF_JIT

[kconfig-hardened-check.git] / kconfig_hardened_check / __init__.py

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index ca593db5f7b3582f13a292e12391b6f10678004e..fe69e1e8d0bbaa69b00741bd63de90f80ee0e8b5 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -41,6 +41,7 @@
 #    kernel.kexec_load_disabled=1
 #    kernel.yama.ptrace_scope=3
 #    user.max_user_namespaces=0
+#    what about bpf_jit_enable?
 #    kernel.unprivileged_bpf_disabled=1
 #    net.core.bpf_jit_harden=2
 #
@@ -492,7 +493,6 @@ def construct_checklist(l, arch):
     l += [OptCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')]
     l += [OptCheck('cut_attack_surface', 'my', 'IP_SCTP', 'is not set')]
     l += [OptCheck('cut_attack_surface', 'my', 'FTRACE', 'is not set')] # refers to LOCKDOWN
-    l += [OptCheck('cut_attack_surface', 'my', 'BPF_JIT', 'is not set')]
     l += [OptCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
     l += [OptCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger