kernel: Enable new BPF_JIT_ALWAYS_ON

This option is not enabled by default, but disables the BPF interpreter which can be used to inject speculative execution into the kernel. Enabled it as it seems like a good security measure. Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2025-07-28 21:18:28 +00:00 · 2018-02-01 13:45:58 +00:00 · 2018-02-01 13:45:58 +00:00 · 82f3f9ae9a
commit 82f3f9ae9a
parent a6a5f69c8d
4 changed files with 4 additions and 0 deletions
--- a/kernel/config-4.14.x-aarch64
+++ b/kernel/config-4.14.x-aarch64
@ -199,6 +199,7 @@ CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
--- a/kernel/config-4.14.x-x86_64
+++ b/kernel/config-4.14.x-x86_64
@ -224,6 +224,7 @@ CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
--- a/kernel/config-4.9.x-aarch64
+++ b/kernel/config-4.9.x-aarch64
@ -188,6 +188,7 @@ CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
--- a/kernel/config-4.9.x-x86_64
+++ b/kernel/config-4.9.x-x86_64
@ -217,6 +217,7 @@ CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y