1
2
3
4config BPF
5 bool
6
7
8
9
10
11
12config HAVE_CBPF_JIT
13 bool
14
15
16config HAVE_EBPF_JIT
17 bool
18
19
20
21config ARCH_WANT_DEFAULT_BPF_JIT
22 bool
23
24menu "BPF subsystem"
25
26config BPF_SYSCALL
27 bool "Enable bpf() system call"
28 select BPF
29 select IRQ_WORK
30 select TASKS_TRACE_RCU
31 select BINARY_PRINTF
32 select NET_SOCK_MSG if NET
33 default n
34 help
35 Enable the bpf() system call that allows to manipulate BPF programs
36 and maps via file descriptors.
37
38config BPF_JIT
39 bool "Enable BPF Just In Time compiler"
40 depends on BPF
41 depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
42 depends on MODULES
43 help
44 BPF programs are normally handled by a BPF interpreter. This option
45 allows the kernel to generate native code when a program is loaded
46 into the kernel. This will significantly speed-up processing of BPF
47 programs.
48
49 Note, an admin should enable this feature changing:
50 /proc/sys/net/core/bpf_jit_enable
51 /proc/sys/net/core/bpf_jit_harden (optional)
52 /proc/sys/net/core/bpf_jit_kallsyms (optional)
53
54config BPF_JIT_ALWAYS_ON
55 bool "Permanently enable BPF JIT and remove BPF interpreter"
56 depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
57 help
58 Enables BPF JIT and removes BPF interpreter to avoid speculative
59 execution of BPF instructions by the interpreter.
60
61config BPF_JIT_DEFAULT_ON
62 def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
63 depends on HAVE_EBPF_JIT && BPF_JIT
64
65config BPF_UNPRIV_DEFAULT_OFF
66 bool "Disable unprivileged BPF by default"
67 default y
68 depends on BPF_SYSCALL
69 help
70 Disables unprivileged BPF by default by setting the corresponding
71 /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
72 still reenable it by setting it to 0 later on, or permanently
73 disable it by setting it to 1 (from which no other transition to
74 0 is possible anymore).
75
76 Unprivileged BPF could be used to exploit certain potential
77 speculative execution side-channel vulnerabilities on unmitigated
78 affected hardware.
79
80 If you are unsure how to answer this question, answer Y.
81
82source "kernel/bpf/preload/Kconfig"
83
84config BPF_LSM
85 bool "Enable BPF LSM Instrumentation"
86 depends on BPF_EVENTS
87 depends on BPF_SYSCALL
88 depends on SECURITY
89 depends on BPF_JIT
90 help
91 Enables instrumentation of the security hooks with BPF programs for
92 implementing dynamic MAC and Audit Policies.
93
94 If you are unsure how to answer this question, answer N.
95
96endmenu
97