From b23f245bfa6ad860692a78d4acb71933608bab32 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Mon, 24 Jul 2023 00:14:45 +0300
Subject: [PATCH] Check the net.core.bpf_jit_harden sysctl

---
 kconfig_hardened_check/checks.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index 4a994e7..fc63f3a 100644
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -583,7 +583,6 @@ def add_sysctl_checks(l, arch):
 # user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
 # what about bpf_jit_enable?
 # kernel.unprivileged_bpf_disabled=1
-# net.core.bpf_jit_harden=2
 # vm.unprivileged_userfaultfd=0
 # (at first, it disabled unprivileged userfaultfd,
 # and since v5.11 it enables unprivileged userfaultfd for user-mode only)
@@ -607,4 +606,7 @@ def add_sysctl_checks(l, arch):
 #
 # Calling the SysctlCheck class constructor:
 # SysctlCheck(reason, decision, name, expected)
+
+ l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')]
+
 l += [SysctlCheck('self_protection', 'kspp', 'kernel.dmesg_restrict', '1')]
-- 
2.31.1
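Review bot: The new `net.core.bpf_jit_harden` check in the second hunk is unconditional, but that sysctl only exists on kernels built with the BPF JIT enabled, so on a kernel without the JIT the check can only report the knob as absent even though there is no JIT-emitted code to harden. If the engine's combinators that the Kconfig checks use also accept a SysctlCheck, pairing this check with a "BPF JIT is not set" Kconfig condition would express that dependency; otherwise a comment next to the new line, such as `# net.core.bpf_jit_harden is only present when the kernel has the BPF JIT built in`, would at least document why the check can fail on such kernels. The expected value `'2'` (constant blinding for all users) matches the KSPP recommendation the `'kspp'` decision refers to, so that part looks right. add_sysctl_checks starts outside the hunk, and the collapsed whitespace in this patch hides the indentation of the two `l += [...]` lines, which must be at function-body depth to parse.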