sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled

Message ID 80294752-603e-be9a-9faf-5348116d3e09@ipfire.org
State Superseded
Headers
Series sysctl.conf: Turn on BPF JIT hardening, if the JIT is enabled |

Commit Message

Peter Müller June 7, 2020, 5:02 p.m. UTC
  This is recommended by the Kernel Self Protection Project, and although
we do not take advantage of the BPF JIT at this time, we should set this
nevertheless in order to avoid potential security vulnerabilities.

Fixes: #12384

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/etc/sysctl.conf | 3 +++
 1 file changed, 3 insertions(+)
  

Comments

Michael Tremer June 8, 2020, 9:07 a.m. UTC | #1
Hi Peter,

> On 7 Jun 2020, at 18:02, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> This is recommended by the Kernel Self Protection Project, and although
> we do not take advantage of the BPF JIT at this time, we should set this
> nevertheless in order to avoid potential security vulnerabilities.

I do not really understand what you are trying to achieve here.

Please state more clearly *why* you think this is a useful change for IPFire.

As far as I am aware, the kernel internally uses BPF.

-Michael

P.S. How the f*** is this not already the default in the Linux kernel? Performance only, eh?

> 
> Fixes: #12384
> 
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> config/etc/sysctl.conf | 3 +++
> 1 file changed, 3 insertions(+)
> 
> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
> index 7e7ebee44..3f4c828f9 100644
> --- a/config/etc/sysctl.conf
> +++ b/config/etc/sysctl.conf
> @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1
> fs.protected_symlinks = 1
> fs.protected_hardlinks = 1
> 
> +# Turn on BPF JIT hardening, if the JIT is enabled.
> +net.core.bpf_jit_harden = 2
> +
> # Minimal preemption granularity for CPU-bound tasks:
> # (default: 1 msec#  (1 + ilog(ncpus)), units: nanoseconds)
> kernel.sched_min_granularity_ns = 10000000
> -- 
> 2.26.2
  
Peter Müller June 9, 2020, 6 p.m. UTC | #2
Hello Michael,

> Hi Peter,
> 
>> On 7 Jun 2020, at 18:02, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> This is recommended by the Kernel Self Protection Project, and although
>> we do not take advantage of the BPF JIT at this time, we should set this
>> nevertheless in order to avoid potential security vulnerabilities.
> 
> I do not really understand what you are trying to achieve here.

I am trying to achieve enabling of BPF JIT hardening.

> Please state more clearly *why* you think this is a useful change for IPFire.
>
> As far as I am aware, the kernel internally uses BPF.

Yes, to my knowledge, this is exactly the point. The Kernel is using it, and
we should make sure it is properly hardened then. If this sysctl is helping,
I do not see a reason why not turning it on.

Thanks, and best regards,
Peter Müller

> -Michael
> 
> P.S. How the f*** is this not already the default in the Linux kernel? Performance only, eh?
> 
>>
>> Fixes: #12384
>>
>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>> ---
>> config/etc/sysctl.conf | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
>> index 7e7ebee44..3f4c828f9 100644
>> --- a/config/etc/sysctl.conf
>> +++ b/config/etc/sysctl.conf
>> @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1
>> fs.protected_symlinks = 1
>> fs.protected_hardlinks = 1
>>
>> +# Turn on BPF JIT hardening, if the JIT is enabled.
>> +net.core.bpf_jit_harden = 2
>> +
>> # Minimal preemption granularity for CPU-bound tasks:
>> # (default: 1 msec#  (1 + ilog(ncpus)), units: nanoseconds)
>> kernel.sched_min_granularity_ns = 10000000
>> -- 
>> 2.26.2
>
  
Peter Müller April 2, 2021, 7:37 p.m. UTC | #3
Hello Michael,

especially after https://lists.ipfire.org/pipermail/development/2021-April/009804.html,
I would really like to bring this up once more.

From my point of view, it is safe to turn on that sysctl, as no user should ever load
anything into BPF directly on an IPFire 2.x machine, especially not if that abuses some
JIT oddities.

At least on my semi-productive testing machine, this does not break anything I am aware of.

Thanks, and best regards,
Peter Müller


> Hello Michael,
> 
>> Hi Peter,
>>
>>> On 7 Jun 2020, at 18:02, Peter Müller <peter.mueller@ipfire.org> wrote:
>>>
>>> This is recommended by the Kernel Self Protection Project, and although
>>> we do not take advantage of the BPF JIT at this time, we should set this
>>> nevertheless in order to avoid potential security vulnerabilities.
>>
>> I do not really understand what you are trying to achieve here.
> 
> I am trying to achieve enabling of BPF JIT hardening.
> 
>> Please state more clearly *why* you think this is a useful change for IPFire.
>>
>> As far as I am aware, the kernel internally uses BPF.
> 
> Yes, to my knowledge, this is exactly the point. The Kernel is using it, and
> we should make sure it is properly hardened then. If this sysctl is helping,
> I do not see a reason why not turning it on.
> 
> Thanks, and best regards,
> Peter Müller
> 
>> -Michael
>>
>> P.S. How the f*** is this not already the default in the Linux kernel? Performance only, eh?
>>
>>>
>>> Fixes: #12384
>>>
>>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>>> ---
>>> config/etc/sysctl.conf | 3 +++
>>> 1 file changed, 3 insertions(+)
>>>
>>> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
>>> index 7e7ebee44..3f4c828f9 100644
>>> --- a/config/etc/sysctl.conf
>>> +++ b/config/etc/sysctl.conf
>>> @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1
>>> fs.protected_symlinks = 1
>>> fs.protected_hardlinks = 1
>>>
>>> +# Turn on BPF JIT hardening, if the JIT is enabled.
>>> +net.core.bpf_jit_harden = 2
>>> +
>>> # Minimal preemption granularity for CPU-bound tasks:
>>> # (default: 1 msec#  (1 + ilog(ncpus)), units: nanoseconds)
>>> kernel.sched_min_granularity_ns = 10000000
>>> -- 
>>> 2.26.2
>>
  
Michael Tremer April 6, 2021, 10:10 a.m. UTC | #4
Hello,

I agree merging this, but we can only enable this on x86_64, aarch64 and armv5tel.

i586 does not support BPF_JIT and does not know this sysctl option.

Could you please submit an updated patch?

-Michael

> On 2 Apr 2021, at 20:37, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Hello Michael,
> 
> especially after https://lists.ipfire.org/pipermail/development/2021-April/009804.html,
> I would really like to bring this up once more.
> 
> From my point of view, it is safe to turn on that sysctl, as no user should ever load
> anything into BPF directly on an IPFire 2.x machine, especially not if that abuses some
> JIT oddities.
> 
> At least on my semi-productive testing machine, this does not break anything I am aware of.
> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hello Michael,
>> 
>>> Hi Peter,
>>> 
>>>> On 7 Jun 2020, at 18:02, Peter Müller <peter.mueller@ipfire.org> wrote:
>>>> 
>>>> This is recommended by the Kernel Self Protection Project, and although
>>>> we do not take advantage of the BPF JIT at this time, we should set this
>>>> nevertheless in order to avoid potential security vulnerabilities.
>>> 
>>> I do not really understand what you are trying to achieve here.
>> 
>> I am trying to achieve enabling of BPF JIT hardening.
>> 
>>> Please state more clearly *why* you think this is a useful change for IPFire.
>>> 
>>> As far as I am aware, the kernel internally uses BPF.
>> 
>> Yes, to my knowledge, this is exactly the point. The Kernel is using it, and
>> we should make sure it is properly hardened then. If this sysctl is helping,
>> I do not see a reason why not turning it on.
>> 
>> Thanks, and best regards,
>> Peter Müller
>> 
>>> -Michael
>>> 
>>> P.S. How the f*** is this not already the default in the Linux kernel? Performance only, eh?
>>> 
>>>> 
>>>> Fixes: #12384
>>>> 
>>>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>>>> ---
>>>> config/etc/sysctl.conf | 3 +++
>>>> 1 file changed, 3 insertions(+)
>>>> 
>>>> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
>>>> index 7e7ebee44..3f4c828f9 100644
>>>> --- a/config/etc/sysctl.conf
>>>> +++ b/config/etc/sysctl.conf
>>>> @@ -49,6 +49,9 @@ kernel.dmesg_restrict = 1
>>>> fs.protected_symlinks = 1
>>>> fs.protected_hardlinks = 1
>>>> 
>>>> +# Turn on BPF JIT hardening, if the JIT is enabled.
>>>> +net.core.bpf_jit_harden = 2
>>>> +
>>>> # Minimal preemption granularity for CPU-bound tasks:
>>>> # (default: 1 msec#  (1 + ilog(ncpus)), units: nanoseconds)
>>>> kernel.sched_min_granularity_ns = 10000000
>>>> -- 
>>>> 2.26.2
>>>
  

Patch

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index 7e7ebee44..3f4c828f9 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -49,6 +49,9 @@  kernel.dmesg_restrict = 1
 fs.protected_symlinks = 1
 fs.protected_hardlinks = 1
 
+# Turn on BPF JIT hardening, if the JIT is enabled.
+net.core.bpf_jit_harden = 2
+
 # Minimal preemption granularity for CPU-bound tasks:
 # (default: 1 msec#  (1 + ilog(ncpus)), units: nanoseconds)
 kernel.sched_min_granularity_ns = 10000000