From: Alexander Popov
Date: Fri, 16 Oct 2020 15:05:37 +0000 (+0300)
Subject: Withdraw my recommendation about BPF_JIT
X-Git-Tag: v0.5.9~16
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=4c7a125eb7a2fe97c5b3e81dad4768b45d915d0a;p=kconfig-hardened-check.git
Withdraw my recommendation about BPF_JIT
CLIP OS wiki and Kees say that BPF interpreter is worse for the kernel security than BPF_JIT. So for now I withdraw my recommendation about BPF_JIT. N.B. LOCKDOWN disables BPF_SYSCALL, but not BPF_JIT.
---
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index ca593db..fe69e1e 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -41,6 +41,7 @@
 # kernel.kexec_load_disabled=1
 # kernel.yama.ptrace_scope=3
 # user.max_user_namespaces=0
+# what about bpf_jit_enable?
 # kernel.unprivileged_bpf_disabled=1
 # net.core.bpf_jit_harden=2
 #
@@ -492,7 +493,6 @@ def construct_checklist(l, arch):
     l += [OptCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')]
     l += [OptCheck('cut_attack_surface', 'my', 'IP_SCTP', 'is not set')]
     l += [OptCheck('cut_attack_surface', 'my', 'FTRACE', 'is not set')] # refers to LOCKDOWN
-    l += [OptCheck('cut_attack_surface', 'my', 'BPF_JIT', 'is not set')]
     l += [OptCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
     l += [OptCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
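Review bot: The added line `# what about bpf_jit_enable?` in the sysctl recommendation comment is the only entry in that list written as a question rather than a key=value setting, and it drops the namespace prefix every neighbouring entry carries (`kernel.*`, `net.core.*`), so someone copying the block into a sysctl.d file may read it as an incomplete recommendation. Since the block is effectively a checklist, mark it as an open item with the full key, e.g. `# TODO: net.core.bpf_jit_enable -- undecided, BPF_JIT check withdrawn (see git log)`. The second hunk removes the BPF_JIT OptCheck without leaving any in-code trace of the reasoning that the interpreter is the worse option, which only the commit message records; a short comment next to the remaining `net.core.bpf_jit_harden=2` line would keep that rationale with the code. construct_checklist continues past the end of the second hunk, so its other BPF-related entries are not visible here.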