kernel: Enable new BPF_JIT_ALWAYS_ON
This option is not enabled by default, but it disables the BPF interpreter, which can be used to inject speculative execution into the kernel. Enable it, as it seems like a good security measure. Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
parent
a6a5f69c8d
commit
82f3f9ae9a
@ -199,6 +199,7 @@ CONFIG_SIGNALFD=y
|
||||
CONFIG_TIMERFD=y
|
||||
CONFIG_EVENTFD=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_SHMEM=y
|
||||
CONFIG_AIO=y
|
||||
CONFIG_ADVISE_SYSCALLS=y
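Review bot: The added `CONFIG_BPF_JIT_ALWAYS_ON=y` only takes effect if `CONFIG_BPF_JIT=y` is also set and the target architecture has an eBPF JIT, and neither is visible in this hunk. If either is missing, the kernel's config step drops the symbol without an error and the interpreter stays in the build. The same applies to the three other config hunks (at -224, -188 and -217), which presumably cover other kernel versions or architectures. It would be worth checking the final `.config` of each built kernel for the option, for example in the kernel config test if the project has one. Note also that once the interpreter is removed, any BPF program the JIT cannot compile fails to load instead of falling back.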
|
||||
|
@ -224,6 +224,7 @@ CONFIG_SIGNALFD=y
|
||||
CONFIG_TIMERFD=y
|
||||
CONFIG_EVENTFD=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_SHMEM=y
|
||||
CONFIG_AIO=y
|
||||
CONFIG_ADVISE_SYSCALLS=y
|
||||
|
@ -188,6 +188,7 @@ CONFIG_SIGNALFD=y
|
||||
CONFIG_TIMERFD=y
|
||||
CONFIG_EVENTFD=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_SHMEM=y
|
||||
CONFIG_AIO=y
|
||||
CONFIG_ADVISE_SYSCALLS=y
|
||||
|
@ -217,6 +217,7 @@ CONFIG_SIGNALFD=y
|
||||
CONFIG_TIMERFD=y
|
||||
CONFIG_EVENTFD=y
|
||||
CONFIG_BPF_SYSCALL=y
|
||||
CONFIG_BPF_JIT_ALWAYS_ON=y
|
||||
CONFIG_SHMEM=y
|
||||
CONFIG_AIO=y
|
||||
CONFIG_ADVISE_SYSCALLS=y
|
||||
|