authorDaniel Borkmann <daniel@iogearbox.net>2018-06-07 11:13:48 +0200
committerDmitry Vyukov <dvyukov@google.com>2018-06-07 12:39:12 +0300
commitac9b19d2e43594316f9865f88bbc47463f284ca5 (patch)
treea67395323dc81a37dbef8d6a389edbdea0d0f6f8 /tools
parentb17ae9398ce13bba91e6e7f2249df9dedbf8e561 (diff)
bpf: enable hardening mode 1 for jited images
This will harden non-root programs from kernel side, but not root-only ones. Helps also to increase coverage a bit since syzkaller generates programs for both cases. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Diffstat (limited to 'tools')
-rwxr-xr-xtools/create-image.sh1
1 files changed, 1 insertions, 0 deletions
diff --git a/tools/create-image.sh b/tools/create-image.sh
index 395a2a08d..93b067721 100755
--- a/tools/create-image.sh
+++ b/tools/create-image.sh
@@ -24,6 +24,7 @@ echo "kernel.printk = 7 4 1 3" | sudo tee -a $DIR/etc/sysctl.conf
echo 'debug.exception-trace = 0' | sudo tee -a $DIR/etc/sysctl.conf
echo "net.core.bpf_jit_enable = 1" | sudo tee -a $DIR/etc/sysctl.conf
echo "net.core.bpf_jit_kallsyms = 1" | sudo tee -a $DIR/etc/sysctl.conf
+echo "net.core.bpf_jit_harden = 1" | sudo tee -a $DIR/etc/sysctl.conf
echo "kernel.softlockup_all_cpu_backtrace = 1" | sudo tee -a $DIR/etc/sysctl.conf
echo "kernel.kptr_restrict = 0" | sudo tee -a $DIR/etc/sysctl.conf
echo "kernel.watchdog_thresh = 60" | sudo tee -a $DIR/etc/sysctl.conf
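Review bot: The added `net.core.bpf_jit_harden = 1` line sits directly under `net.core.bpf_jit_kallsyms = 1`, and per the kernel's sysctl documentation the kallsyms export of JITed images is disabled whenever bpf_jit_harden is enabled, so the preceding setting probably stops having any effect and JITed BPF frames may no longer symbolize in crash reports. If that trade-off is intended, it deserves a comment above the new line, e.g. `# harden=1: constant blinding for unprivileged JITed programs only (2 = all users); this also turns off bpf_jit_kallsyms export`. The new line also repeats the unquoted `$DIR` of its neighbours; `sudo tee -a "$DIR/etc/sysctl.conf"` would survive a path containing spaces. The rest of the script lies outside this hunk, so how `$DIR` is set is not visible here.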