Withdraw my recommendation about BPF_JIT

author Alexander Popov <alex.popov@linux.com>

Fri, 16 Oct 2020 15:05:37 +0000 (18:05 +0300)

committer Alexander Popov <alex.popov@linux.com>

Fri, 16 Oct 2020 15:05:37 +0000 (18:05 +0300)
author Alexander Popov <alex.popov@linux.com>
Fri, 16 Oct 2020 15:05:37 +0000 (18:05 +0300)
committer Alexander Popov <alex.popov@linux.com>
Fri, 16 Oct 2020 15:05:37 +0000 (18:05 +0300)
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py

index ca593db5f7b3582f13a292e12391b6f10678004e..fe69e1e8d0bbaa69b00741bd63de90f80ee0e8b5 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -41,6 +41,7 @@
  #    kernel.kexec_load_disabled=1
  #    kernel.yama.ptrace_scope=3
  #    user.max_user_namespaces=0
+#    what about bpf_jit_enable?
  #    kernel.unprivileged_bpf_disabled=1
  #    net.core.bpf_jit_harden=2
  #
@@ -492,7 +493,6 @@ def construct_checklist(l, arch):
      l += [OptCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')]
      l += [OptCheck('cut_attack_surface', 'my', 'IP_SCTP', 'is not set')]
      l += [OptCheck('cut_attack_surface', 'my', 'FTRACE', 'is not set')] # refers to LOCKDOWN
-    l += [OptCheck('cut_attack_surface', 'my', 'BPF_JIT', 'is not set')]
      l += [OptCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
      l += [OptCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
author	Alexander Popov <alex.popov@linux.com>
	Fri, 16 Oct 2020 15:05:37 +0000 (18:05 +0300)
committer	Alexander Popov <alex.popov@linux.com>
	Fri, 16 Oct 2020 15:05:37 +0000 (18:05 +0300)