From ac9b19d2e43594316f9865f88bbc47463f284ca5 Mon Sep 17 00:00:00 2001
From: Daniel Borkmann
Date: Thu, 7 Jun 2018 11:13:48 +0200
Subject: bpf: enable hardening mode 1 for jited images

This will harden non-root programs from kernel side, but not root-only ones. Helps also to increase coverage a bit since syzkaller generates programs for both cases.

Signed-off-by: Daniel Borkmann
---
 tools/create-image.sh | 1 +
 1 file changed, 1 insertion(+)
 (limited to 'tools')

diff --git a/tools/create-image.sh b/tools/create-image.sh
index 395a2a08d..93b067721 100755
--- a/tools/create-image.sh
+++ b/tools/create-image.sh
@@ -24,6 +24,7 @@ echo "kernel.printk = 7 4 1 3" | sudo tee -a $DIR/etc/sysctl.conf
 echo 'debug.exception-trace = 0' | sudo tee -a $DIR/etc/sysctl.conf
 echo "net.core.bpf_jit_enable = 1" | sudo tee -a $DIR/etc/sysctl.conf
 echo "net.core.bpf_jit_kallsyms = 1" | sudo tee -a $DIR/etc/sysctl.conf
+echo "net.core.bpf_jit_harden = 1" | sudo tee -a $DIR/etc/sysctl.conf
 echo "kernel.softlockup_all_cpu_backtrace = 1" | sudo tee -a $DIR/etc/sysctl.conf
 echo "kernel.kptr_restrict = 0" | sudo tee -a $DIR/etc/sysctl.conf
 echo "kernel.watchdog_thresh = 60" | sudo tee -a $DIR/etc/sysctl.conf
-- 
cgit mrf-deployment
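Review bot: The added `net.core.bpf_jit_harden = 1` line interacts with the `net.core.bpf_jit_kallsyms = 1` line directly above it: in the kernel's `bpf_jit_kallsyms_enabled()` as I know it, any non-zero `bpf_jit_harden` value makes that check return false, so JITed programs stop being exported to kallsyms and crash reports lose BPF symbol names regardless of the kallsyms sysctl — worth confirming against the target kernel and, if so, either accepting the trade-off explicitly or dropping the now-ineffective line. A one-line comment above the added line would keep a future maintainer from assuming both settings are in effect, e.g. `# harden=1 blinds constants for unprivileged-loaded programs only (2 = all); note it also disables bpf_jit_kallsyms export`. The value 1 rather than 2 is a deliberate choice per the commit message (root-loaded programs stay unhardened so syzkaller covers both paths), so the comment should state that too. Stylistically the new line follows the surrounding unquoted `$DIR` and stdout-echoing `sudo tee -a` pattern, so I would not change it in this commit, but the whole run would benefit from `"$DIR"` and `>/dev/null` in a follow-up. The script's top-level run continues outside the hunk.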