From: Artem Savkov <[email protected]>

[kernel] bpf: set default value for bpf_jit_harden

JIRA: https://issues.redhat.com/browse/RHEL-51896
Upstream Status: RHEL only

Forwardport from rhel9: 4a4798ed0a475 ("[kernel]
bpf: set default value for bpf_jit_harden")

The patch for configuring boot-time value for these
options has been proposed [1] and rejected upstream.

[1] https://lkml.org/lkml/2018/5/23/449

Set default values for net.bpf_jit_harden sysctl.

 - net.bpf_jit_harden is set to 1: it's a compromise between the fact that
   by default we do not have unprivileged BPF enabled (and there's little
   reason for enforcing constant blinding for root programs by default,
   considering performance tradeoffs), and providing some sane default for
   users that still want unprivileged BPF (and enable it via the boot
   option),

Signed-off-by: Jiri Olsa <[email protected]>
Signed-off-by: Artem Savkov <[email protected]>

diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index blahblah..blahblah 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -566,7 +566,12 @@ void bpf_prog_kallsyms_del_all(struct bpf_prog *fp)
 /* All BPF JIT sysctl knobs here. */
 int bpf_jit_enable   __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON);
 int bpf_jit_kallsyms __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON);
+#ifdef CONFIG_RHEL_DIFFERENCES
 int bpf_jit_harden   __read_mostly;
+#else
+/* RHEL-only: set it to 1 by default */
+int bpf_jit_harden   __read_mostly = 1;
+#endif /* CONFIG_RHEL_DIFFERENCES */
 long bpf_jit_limit   __read_mostly;
 long bpf_jit_limit_max __read_mostly;
 
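Review bot: The preprocessor condition around bpf_jit_harden looks inverted. As written, a build with CONFIG_RHEL_DIFFERENCES defined keeps the plain "int bpf_jit_harden __read_mostly;" declaration (zero-initialized), while the "= 1" initializer and its "RHEL-only: set it to 1 by default" comment sit in the #else branch, so only builds without CONFIG_RHEL_DIFFERENCES get the hardened default. That is the opposite of what the commit message and the comment describe. Suggest swapping the two branches (or changing the guard to #ifndef) so that "int bpf_jit_harden __read_mostly = 1;" is the CONFIG_RHEL_DIFFERENCES case, and moving the comment with it.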

--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3309
