@@ -67,10 +67,18 @@ config BPF_JIT_DEFAULT_ON
def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
depends on HAVE_EBPF_JIT && BPF_JIT
+config BPF_UNPRIV
+ bool "Unprivileged BPF"
+ default y
+ depends on BPF_SYSCALL
+ help
+ Enables unprivileged BPF and the corresponding
+ /proc/sys/kernel/unprivileged_bpf_disabled knob.
+
config BPF_UNPRIV_DEFAULT_OFF
bool "Disable unprivileged BPF by default"
default y
- depends on BPF_SYSCALL
+ depends on BPF_UNPRIV
help
Disables unprivileged BPF by default by setting the corresponding
/proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
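Review bot: The help text for the new BPF_UNPRIV symbol does not tell the person configuring the kernel what saying N actually does, which is the security-relevant part of this option: the sysctl knob is compiled out entirely and, per the syscall.c hunk, unprivileged BPF is left at the "disabled, not re-enableable at runtime" state with no way for an admin to turn it back on. It also does not say how it composes with BPF_UNPRIV_DEFAULT_OFF, which now depends on it. I would extend the help with something like `Say N to compile out the knob and leave unprivileged BPF permanently disabled; with Y, see BPF_UNPRIV_DEFAULT_OFF for the boot-time default. If unsure, say Y.` If the admin-guide sysctl documentation for unprivileged_bpf_disabled is not updated elsewhere in this series, it should mention the new build-time dependency as well.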
@@ -53,7 +53,9 @@ static DEFINE_IDR(link_idr);
static DEFINE_SPINLOCK(link_idr_lock);
int sysctl_unprivileged_bpf_disabled __read_mostly =
- IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0;
+ IS_BUILTIN(CONFIG_BPF_UNPRIV) ?
+ (IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0)
+ : 1;
static const struct bpf_map_ops * const bpf_map_types[] = {
#define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type)
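Review bot: The `: 1` fallback in the nested ternary is the whole security effect of compiling the knob out, but nothing at the definition explains why 1 rather than 2 was chosen; if I read the existing sysctl semantics correctly, 1 is the "disabled and cannot be re-enabled" state while 2 is the admin-reversible one, and only 1 is consistent with there being no sysctl entry to flip it. A reader skimming this initializer will not see that distinction. I would add a comment above the definition, e.g. `/* Without CONFIG_BPF_UNPRIV the sysctl does not exist, so start in the non-reversible disabled state (1), never the admin-reversible one (2). */`, and consider splitting the expression over `#ifdef CONFIG_BPF_UNPRIV` branches so the three cases read top to bottom instead of as a two-level ternary.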
@@ -184,6 +184,7 @@ void __weak unpriv_ebpf_notify(int new_state)
{
}
+#ifdef CONFIG_BPF_UNPRIV
static int bpf_unpriv_handler(struct ctl_table *table, int write,
void *buffer, size_t *lenp, loff_t *ppos)
{
@@ -206,6 +207,7 @@ static int bpf_unpriv_handler(struct ctl_table *table, int write,
return ret;
}
+#endif /* CONFIG_BPF_UNPRIV */
#endif /* CONFIG_BPF_SYSCALL && CONFIG_SYSCTL */
/*
@@ -2300,6 +2302,7 @@ static struct ctl_table kern_table[] = {
},
#endif
#ifdef CONFIG_BPF_SYSCALL
+#ifdef CONFIG_BPF_UNPRIV
{
.procname = "unprivileged_bpf_disabled",
.data = &sysctl_unprivileged_bpf_disabled,
@@ -2309,6 +2312,7 @@ static struct ctl_table kern_table[] = {
.extra1 = SYSCTL_ZERO,
.extra2 = SYSCTL_TWO,
},
+#endif
{
.procname = "bpf_stats_enabled",
.data = &bpf_stats_enabled_key.key,
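Review bot: The bare `#endif` closing the new `#ifdef CONFIG_BPF_UNPRIV` sits directly under the `#ifdef CONFIG_BPF_SYSCALL` that stays open for the `bpf_stats_enabled` entry, so the two nesting levels are easy to misread when scanning kern_table; the same patch already tags the matching `#endif` in the handler block as `#endif /* CONFIG_BPF_UNPRIV */`. For consistency and to make the pairing explicit I would write this one as `#endif /* CONFIG_BPF_UNPRIV */` too. The kern_table initializer continues outside this hunk, so the outer `#endif` for CONFIG_BPF_SYSCALL is not visible here.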