Add details on BPF hardening and split the sysctls

2025-07-09 15:30:45 +07:00 · 2024-08-26 12:40:04 +10:00
parent 2c356e8b0e
commit 9e91c98cc9
2 changed files with 21 additions and 4 deletions
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@ -58,15 +58,16 @@ kernel.dmesg_restrict=1
 ##
 #kernel.printk=3 3 3 3

-## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening.
+## Restrict eBPF access to CAP_BPF.
+## Disables unprivileged calls to bpf() without recovery.
 ##
 ## https://en.wikipedia.org/wiki/EBPF#Security
+## https://lwn.net/Articles/660331/
 ##
 ## KSPP=yes
-## KSPP sets the sysctls.
+## KSPP sets the sysctl.
 ##
 kernel.unprivileged_bpf_disabled=1
-net.core.bpf_jit_harden=2

 ## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE.
 ## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl.
@ -348,6 +349,19 @@ vm.swappiness=1
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network
 ## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening

+## Enable hardening of the BPF JIT compiler for all users.
+## Provides some mitigation against JIT spraying.
+##
+## https://en.wikipedia.org/wiki/JIT_spraying
+## https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray-wp.pdf
+## https://lwn.net/Articles/686098/
+## https://lwn.net/Articles/525609/
+##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
+net.core.bpf_jit_harden=2
+
 ## Enable TCP SYN cookie protection to assist against SYN flood attacks.
 ##
 ## https://en.wikipedia.org/wiki/SYN_flood