linux/kernel/bpf/Kconfig
   1# SPDX-License-Identifier: GPL-2.0-only
   2
   3# BPF interpreter that, for example, classic socket filters depend on.
   4config BPF
   5        bool
   6
   7# Used by archs to indicate that they support a BPF JIT compiler, and
   8# which flavour. Only one of the two can be selected for a specific arch
   9# since the eBPF JIT supersedes the cBPF JIT.
  10
  11# Classic BPF JIT (cBPF)
  12config HAVE_CBPF_JIT
  13        bool
  14
  15# Extended BPF JIT (eBPF)
  16config HAVE_EBPF_JIT
  17        bool
  18
  19# Used by archs to tell that they want the BPF JIT compiler enabled by
  20# default for kernels that were compiled with BPF JIT support.
  21config ARCH_WANT_DEFAULT_BPF_JIT
  22        bool
  23
  24menu "BPF subsystem"
  25
  26config BPF_SYSCALL
  27        bool "Enable bpf() system call"
  28        select BPF
  29        select IRQ_WORK
  30        select TASKS_TRACE_RCU
  31        select BINARY_PRINTF
  32        select NET_SOCK_MSG if NET
  33        default n
  34        help
  35          Enable the bpf() system call, which allows BPF programs and maps
  36          to be manipulated via file descriptors.
  37
  38config BPF_JIT
  39        bool "Enable BPF Just In Time compiler"
  40        depends on BPF
  41        depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
  42        depends on MODULES
  43        help
  44          BPF programs are normally handled by a BPF interpreter. This option
  45          allows the kernel to generate native code when a program is loaded
  46          into the kernel. This will significantly speed-up processing of BPF
  47          programs.
  48
  49          Note, an admin should enable this feature by changing:
  50          /proc/sys/net/core/bpf_jit_enable
  51          /proc/sys/net/core/bpf_jit_harden   (optional)
  52          /proc/sys/net/core/bpf_jit_kallsyms (optional)
  53
  54config BPF_JIT_ALWAYS_ON
  55        bool "Permanently enable BPF JIT and remove BPF interpreter"
  56        depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
  57        help
  58          Enables BPF JIT and removes BPF interpreter to avoid speculative
  59          execution of BPF instructions by the interpreter.
  60
  61config BPF_JIT_DEFAULT_ON
  62        def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
  63        depends on HAVE_EBPF_JIT && BPF_JIT
  64
  65config BPF_UNPRIV_DEFAULT_OFF
  66        bool "Disable unprivileged BPF by default"
  67        default y
  68        depends on BPF_SYSCALL
  69        help
  70          Disables unprivileged BPF by default by setting the corresponding
  71          /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
  72          still re-enable it later by setting it to 0, or permanently
  73          disable it by setting it to 1 (after which it can no longer be
  74          set back to 0).
  75
  76          Unprivileged BPF could be used to exploit certain potential
  77          speculative execution side-channel vulnerabilities on unmitigated
  78          affected hardware.
  79
  80          If you are unsure how to answer this question, answer Y.
  81
  82source "kernel/bpf/preload/Kconfig"
  83
  84config BPF_LSM
  85        bool "Enable BPF LSM Instrumentation"
  86        depends on BPF_EVENTS
  87        depends on BPF_SYSCALL
  88        depends on SECURITY
  89        depends on BPF_JIT
  90        help
  91          Enables instrumentation of the security hooks with BPF programs for
  92          implementing dynamic MAC and Audit Policies.
  93
  94          If you are unsure how to answer this question, answer N.
  95
  96endmenu # "BPF subsystem"
  97