kernel/bpf/Kconfig - linux - Git at Google

 # SPDX-License-Identifier: GPL-2.0-only

 # BPF interpreter that, for example, classic socket filters depend on.
 config BPF
 	bool

 # Used by archs to tell that they support BPF JIT compiler plus which
 # flavour. Only one of the two can be selected for a specific arch since
 # eBPF JIT supersedes the cBPF JIT.

 # Classic BPF JIT (cBPF)
 config HAVE_CBPF_JIT
 	bool

 # Extended BPF JIT (eBPF)
 config HAVE_EBPF_JIT
 	bool

 # Used by archs to tell that they want the BPF JIT compiler enabled by
 # default for kernels that were compiled with BPF JIT support.
 config ARCH_WANT_DEFAULT_BPF_JIT
 	bool

 menu "BPF subsystem"

 config BPF_SYSCALL
 	bool "Enable bpf() system call"
 	select BPF
 	select IRQ_WORK
 	select TASKS_TRACE_RCU
 	select BINARY_PRINTF
 	select NET_SOCK_MSG if NET
 	default n
 	help
 	  Enable the bpf() system call that allows to manipulate BPF programs
 	  and maps via file descriptors.

 config BPF_JIT
 	bool "Enable BPF Just In Time compiler"
 	depends on BPF
 	depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
 	depends on MODULES
 	help
 	  BPF programs are normally handled by a BPF interpreter. This option
 	  allows the kernel to generate native code when a program is loaded
 	  into the kernel. This will significantly speed-up processing of BPF
 	  programs.

 	  Note, an admin should enable this feature changing:
 	  /proc/sys/net/core/bpf_jit_enable
 	  /proc/sys/net/core/bpf_jit_harden   (optional)
 	  /proc/sys/net/core/bpf_jit_kallsyms (optional)

 config BPF_JIT_ALWAYS_ON
 	bool "Permanently enable BPF JIT and remove BPF interpreter"
 	depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
 	help
 	  Enables BPF JIT and removes BPF interpreter to avoid speculative
 	  execution of BPF instructions by the interpreter.

 config BPF_JIT_DEFAULT_ON
 	def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
 	depends on HAVE_EBPF_JIT && BPF_JIT

 config BPF_UNPRIV_DEFAULT_OFF
 	bool "Disable unprivileged BPF by default"
 	default y
 	depends on BPF_SYSCALL
 	help
 	  Disables unprivileged BPF by default by setting the corresponding
 	  /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
 	  still reenable it by setting it to 0 later on, or permanently
 	  disable it by setting it to 1 (from which no other transition to
 	  0 is possible anymore).

 	  Unprivileged BPF could be used to exploit certain potential
 	  speculative execution side-channel vulnerabilities on unmitigated
 	  affected hardware.

 	  If you are unsure how to answer this question, answer Y.

 source "kernel/bpf/preload/Kconfig"

 config BPF_LSM
 	bool "Enable BPF LSM Instrumentation"
 	depends on BPF_EVENTS
 	depends on BPF_SYSCALL
 	depends on SECURITY
 	depends on BPF_JIT
 	help
 	  Enables instrumentation of the security hooks with BPF programs for
 	  implementing dynamic MAC and Audit Policies.

 	  If you are unsure how to answer this question, answer N.

 endmenu # "BPF subsystem"
	# SPDX-License-Identifier: GPL-2.0-only

	# BPF interpreter that, for example, classic socket filters depend on.
	config BPF
	bool

	# Used by archs to tell that they support BPF JIT compiler plus which
	# flavour. Only one of the two can be selected for a specific arch since
	# eBPF JIT supersedes the cBPF JIT.

	# Classic BPF JIT (cBPF)
	config HAVE_CBPF_JIT
	bool

	# Extended BPF JIT (eBPF)
	config HAVE_EBPF_JIT
	bool

	# Used by archs to tell that they want the BPF JIT compiler enabled by
	# default for kernels that were compiled with BPF JIT support.
	config ARCH_WANT_DEFAULT_BPF_JIT
	bool

	menu "BPF subsystem"

	config BPF_SYSCALL
	bool "Enable bpf() system call"
	select BPF
	select IRQ_WORK
	select TASKS_TRACE_RCU
	select BINARY_PRINTF
	select NET_SOCK_MSG if NET
	default n
	help
	Enable the bpf() system call that allows to manipulate BPF programs
	and maps via file descriptors.

	config BPF_JIT
	bool "Enable BPF Just In Time compiler"
	depends on BPF
	depends on HAVE_CBPF_JIT \|\| HAVE_EBPF_JIT
	depends on MODULES
	help
	BPF programs are normally handled by a BPF interpreter. This option
	allows the kernel to generate native code when a program is loaded
	into the kernel. This will significantly speed-up processing of BPF
	programs.

	Note, an admin should enable this feature changing:
	/proc/sys/net/core/bpf_jit_enable
	/proc/sys/net/core/bpf_jit_harden (optional)
	/proc/sys/net/core/bpf_jit_kallsyms (optional)

	config BPF_JIT_ALWAYS_ON
	bool "Permanently enable BPF JIT and remove BPF interpreter"
	depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
	help
	Enables BPF JIT and removes BPF interpreter to avoid speculative
	execution of BPF instructions by the interpreter.

	config BPF_JIT_DEFAULT_ON
	def_bool ARCH_WANT_DEFAULT_BPF_JIT \|\| BPF_JIT_ALWAYS_ON
	depends on HAVE_EBPF_JIT && BPF_JIT

	config BPF_UNPRIV_DEFAULT_OFF
	bool "Disable unprivileged BPF by default"
	default y
	depends on BPF_SYSCALL
	help
	Disables unprivileged BPF by default by setting the corresponding
	/proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
	still reenable it by setting it to 0 later on, or permanently
	disable it by setting it to 1 (from which no other transition to
	0 is possible anymore).

	Unprivileged BPF could be used to exploit certain potential
	speculative execution side-channel vulnerabilities on unmitigated
	affected hardware.

	If you are unsure how to answer this question, answer Y.

	source "kernel/bpf/preload/Kconfig"

	config BPF_LSM
	bool "Enable BPF LSM Instrumentation"
	depends on BPF_EVENTS
	depends on BPF_SYSCALL
	depends on SECURITY
	depends on BPF_JIT
	help
	Enables instrumentation of the security hooks with BPF programs for
	implementing dynamic MAC and Audit Policies.

	If you are unsure how to answer this question, answer N.

	endmenu # "BPF subsystem"