From 319f57d098c5722c854a68cf9785c97fb7f408fa Mon Sep 17 00:00:00 2001
From: Tavi
Date: Thu, 9 May 2024 12:16:25 -0400
Subject: [PATCH] Enable BPF JIT hardening by default as per GrapheneOS, eg. https://github.com/GrapheneOS-Archive/kernel_msm-coral/commit/65f68fd04f582108d6f23eff0838334fbf5cb7b1

Signed-off-by: Tavi
---
 Scripts/Common/Post.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Scripts/Common/Post.sh b/Scripts/Common/Post.sh
index 769c2110..8745ce88 100644
--- a/Scripts/Common/Post.sh
+++ b/Scripts/Common/Post.sh
@@ -42,6 +42,10 @@ else
 sed -i 's/static bool slab_nomerge __ro_after_init = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);/static bool slab_nomerge __ro_after_init = true;/' kernel/*/*/mm/slab_common.c &>/dev/null || true; #4.13+
 fi;
 
+#Enable BPF JIT hardening
+sed -i 's/int bpf_jit_harden __read_mostly;/int bpf_jit_harden __read_mostly = 2;/' kernel/*/*/kernel/bpf/core.c &>/dev/null || true;
+sed -i 's/int bpf_jit_harden __read_mostly;/int bpf_jit_harden __read_mostly = 2;/' kernel/*/*/kernel/bpf/core.c &>/dev/null || true;
+
 #Enable page poisoning
 #Commented as set by defconfig
 #sed -i 's/= IS_ENABLED(CONFIG_PAGE_POISONING_ENABLE_DEFAULT);/= true;/' kernel/*/*/mm/page_poison.c &>/dev/null || true; #4.4+ #XXX: shouldn't be enabled past 5.3
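Review bot: Both added `sed` lines discard all output and end in `|| true`, and `sed -i` exits 0 even when the pattern matches nothing, so a kernel tree whose `bpf_jit_harden` declaration is spelled differently (other spacing, or an existing initializer) keeps the unhardened default with no signal. As shown here the two commands are byte-identical, which would make the second a no-op; if they actually differ only in whitespace inside the pattern, a single pattern with `[[:space:]]\+` between `bpf_jit_harden` and `__read_mostly` would cover both spellings and make the intent visible. A follow-up such as `grep -L 'bpf_jit_harden.*= 2;' kernel/*/*/kernel/bpf/core.c 2>/dev/null` would list the trees that were left unpatched. This also changes only the built-in default; where the `net.core.bpf_jit_harden` sysctl is exposed, root can still lower it at runtime, which a comment above the block could state.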