From b23f245bfa6ad860692a78d4acb71933608bab32 Mon Sep 17 00:00:00 2001
From: Alexander Popov <alex.popov@linux.com>
Date: Mon, 24 Jul 2023 00:14:45 +0300
Subject: [PATCH] Check the net.core.bpf_jit_harden sysctl

---
 kconfig_hardened_check/checks.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index 4a994e7..fc63f3a 100644
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -583,7 +583,6 @@ def add_sysctl_checks(l, arch):
 #    user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
 #    what about bpf_jit_enable?
 #    kernel.unprivileged_bpf_disabled=1
-#    net.core.bpf_jit_harden=2
 #    vm.unprivileged_userfaultfd=0
 #        (at first, it disabled unprivileged userfaultfd,
 #         and since v5.11 it enables unprivileged userfaultfd for user-mode only)
@@ -607,4 +606,7 @@ def add_sysctl_checks(l, arch):
 #
 # Calling the SysctlCheck class constructor:
 #   SysctlCheck(reason, decision, name, expected)
+
+    l += [SysctlCheck('self_protection', 'kspp', 'net.core.bpf_jit_harden', '2')]
+
     l += [SysctlCheck('self_protection', 'kspp', 'kernel.dmesg_restrict', '1')]
-- 
2.31.1