From: Artem Savkov <asavkov@xxxxxxxxxx>

[kernel] bpf: set default value for bpf_jit_harden

JIRA: https://issues.redhat.com/browse/RHEL-51896
Upstream Status: RHEL only

Forwardport from rhel9: 4a4798ed0a475 ("[kernel] bpf: set default value for bpf_jit_harden")

The patch for configuring boot-time value for these options has been proposed [1] and rejected upstream.

[1] https://lkml.org/lkml/2018/5/23/449

Set default values for net.bpf_jit_harden sysctl.

- net.bpf_jit_harden is set to 1: it's a compromise between the fact that by default we do not have unprivileged BPF enabled (and there's little reason for enforcing constant blinding for root programs by default, considering performance tradeoffs), and providing some sane default for users that still want unprivileged BPF (and enable it via the boot option).

Signed-off-by: Jiri Olsa <jolsa@xxxxxxxxxx>
Signed-off-by: Artem Savkov <asavkov@xxxxxxxxxx>

diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index blahblah..blahblah 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -566,7 +566,12 @@ void bpf_prog_kallsyms_del_all(struct bpf_prog *fp) /* All BPF JIT sysctl knobs here. */ int bpf_jit_enable __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON); int bpf_jit_kallsyms __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON); +#ifdef CONFIG_RHEL_DIFFERENCES +/* RHEL-only: set it to 1 by default */ +int bpf_jit_harden __read_mostly = 1; +#else int bpf_jit_harden __read_mostly; +#endif /* CONFIG_RHEL_DIFFERENCES */ long bpf_jit_limit __read_mostly; long bpf_jit_limit_max __read_mostly; -- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3309 -- _______________________________________________ kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
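Review bot: the new in-code comment "/* RHEL-only: set it to 1 by default */" in the CONFIG_RHEL_DIFFERENCES branch states the value but not why 1 was chosen over the stricter setting, and that rationale lives only in the commit message; since this is a permanent downstream divergence, the comment should carry it so the next reader of core.c does not have to dig up the JIRA, e.g. "/* RHEL-only: default to 1, constant blinding only for unprivileged BPF; root programs keep full JIT performance */". Two smaller points on the same hunk: the commit message says "Set default values for net.bpf_jit_harden sysctl" and refers to "these options" in the plural, but the hunk changes exactly one knob (bpf_jit_enable and bpf_jit_kallsyms are untouched), so the wording should be singular to match the change; and the hunk's "-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3309" trailer plus the list footer have been run onto the same line as the diff by the extractor, so anyone applying this from the archive should take the patch from the merge request rather than this message.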