From: Alexander Popov
Date: Sun, 23 Jul 2023 21:14:45 +0000 (+0300)
Subject: Check the net.core.bpf_jit_harden sysctl
X-Git-Tag: v0.6.6~111
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=b23f245bfa6ad860692a78d4acb71933608bab32;hp=59f734d0799495797819a140b532b7fc1932ded2;p=kconfig-hardened-check.git
Check the net.core.bpf_jit_harden sysctl
---
diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index 4a994e7..fc63f3a 100644
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -583,7 +583,6 @@ def add_sysctl_checks(l, arch):
 # user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
 # what about bpf_jit_enable?
 # kernel.unprivileged_bpf_disabled=1
-# net.core.bpf_jit_harden=2
 # vm.unprivileged_userfaultfd=0
 # (at first, it disabled unprivileged userfaultfd,
 # and since v5.11 it enables unprivileged userfaultfd for user-mode only)
@@ -607,4 +606,7 @@ def add_sysctl_checks(l, arch):
 #
 # Calling the SysctlCheck class constructor:
 # SysctlCheck(reason, decision, name, expected)
+
+ l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')]
+ l += [SysctlCheck('self_protection', 'kspp', 'kernel.dmesg_restrict', '1')]
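Review bot: The new `net.core.bpf_jit_harden` check in the second hunk carries no note that this sysctl is only registered when the kernel is built with the BPF JIT (CONFIG_BPF_JIT), so on a kernel without the JIT the sysctl is simply absent and the check will read as a missing/failed setting rather than as not applicable; a comment, or a dependency on the kconfig option if SysctlCheck can express one, would make that result easier to interpret. The choice of expected value also deserves a one-line justification next to the check, since the kernel documents 1 as hardening the JIT for unprivileged users only and 2 as hardening it for all users: `# net.core.bpf_jit_harden: only exists with CONFIG_BPF_JIT; 2 hardens the JIT for all users, 1 for unprivileged users only`. The `kernel.dmesg_restrict` line appears as an added line in the same hunk although the commit message mentions only bpf_jit_harden; if it is new in this commit, the message should say so. add_sysctl_checks begins before the hunk and its body is not otherwise visible here.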