Check the net.core.bpf_jit_harden sysctl
author
Alexander Popov
<alex.popov@linux.com>
Sun, 23 Jul 2023 21:14:45 +0000
(
00:14
+0300)
committer
Alexander Popov
<alex.popov@linux.com>
Sun, 23 Jul 2023 21:14:45 +0000
(
00:14
+0300)
kconfig_hardened_check/checks.py
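--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -583,7 +583,6 @@ def add_sysctl_checks(l, arch):
 # user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
 # what about bpf_jit_enable?
 # kernel.unprivileged_bpf_disabled=1
-# net.core.bpf_jit_harden=2
 # vm.unprivileged_userfaultfd=0
 # (at first, it disabled unprivileged userfaultfd,
 # and since v5.11 it enables unprivileged userfaultfd for user-mode only)
@@ -607,4 +606,7 @@ def add_sysctl_checks(l, arch):
 #
 # Calling the SysctlCheck class constructor:
 # SysctlCheck(reason, decision, name, expected)
+
+ l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')]
+
 l += [SysctlCheck('self_protection', 'kspp', 'kernel.dmesg_restrict', '1')]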
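Review bot: The new `net.core.bpf_jit_harden` check at +606 gives no hint why the expected value is '2' rather than '1', which is the first question a reader of this table will ask; a one-line comment above it such as `# bpf_jit_harden=2 applies JIT constant blinding to all users, 1 only to unprivileged BPF` would record the choice. This sysctl is only registered on kernels built with CONFIG_BPF_JIT, so on a kernel without a JIT the value is simply absent; I can't tell from this hunk how SysctlCheck reports a missing sysctl, so it may be worth confirming the result reads as "not applicable" rather than as a plain failure there. On the new side the check is also wrapped in blank lines that separate it from the kernel.dmesg_restrict entry directly below, while the two existing entries sit on consecutive lines; dropping the blank lines keeps the list uniform. The enclosing add_sysctl_checks starts and ends outside this hunk.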