On Mon, Apr 4, 2022 at 3:03 PM Matteo Croce <mcroce@xxxxxxxxxxxxxxxxxxx> wrote:
>
> From: Matteo Croce <mcroce@xxxxxxxxxxxxx>
>
> Add a compile time option to permanently disable unprivileged BPF and
> the corresponding sysctl handler so that there's absolutely no
> concern about unprivileged BPF being enabled from userspace during
> runtime. Special purpose kernels can benefit from the build-time
> assurance that unprivileged eBPF is disabled in all of their kernel
> builds rather than having to rely on userspace to permanently disable
> it at boot time.
> The default behaviour is left unchanged, which is: unprivileged BPF
> compiled in but disabled at boot.

That is an insane level of "security" paranoia.
If you're so concerned about bpf do CONFIG_BPF_SYSCALL=n
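The states this thread distinguishes (bpf(2) not built, unprivileged BPF disabled at boot, or enabled at runtime) can be checked on a host; the following is an added example, not part of the thread or the patch. The function names and posture labels are hypothetical, and the `/boot/config-$(uname -r)` path is a distro convention assumed here.

```shell
#!/bin/sh
# Added example: classify unprivileged-BPF posture from the runtime sysctl
# and the kernel build config. Labels printed below are made up for this
# example; the sysctl values 0/1/2 are the kernel's documented ones.

# classify_unpriv_bpf SYSCTL_VALUE CONFIG_FILE
#   SYSCTL_VALUE: content of /proc/sys/kernel/unprivileged_bpf_disabled,
#                 or empty when that file does not exist.
#   CONFIG_FILE:  a kernel .config-style file; ignored if unreadable.
classify_unpriv_bpf() {
    sysctl_val=$1
    config=$2

    # Build config readable and bpf(2) not compiled in: the
    # CONFIG_BPF_SYSCALL=n case. "# CONFIG_BPF_SYSCALL is not set"
    # also lands here because only an explicit =y counts as built.
    if [ -r "$config" ] && ! grep -q '^CONFIG_BPF_SYSCALL=y' "$config"; then
        echo "no-bpf-syscall"
        return 0
    fi

    case "$sysctl_val" in
        0)  echo "unpriv-enabled" ;;             # any user may call bpf(2)
        1)  echo "unpriv-disabled-locked" ;;     # cannot be re-enabled until reboot
        2)  echo "unpriv-disabled-reversible" ;; # root can still write 0 at runtime
        "") echo "sysctl-absent" ;;              # no runtime knob exposed
        *)  echo "unknown" ;;
    esac
}

# Evaluate the running host. Both inputs may be missing, so reads are guarded.
report_host() {
    live=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true)
    classify_unpriv_bpf "$live" "/boot/config-$(uname -r)"
}

report_host
```

A result of `unpriv-disabled-reversible` is the case the patch description is concerned with: the feature is off at boot, but userspace with root can turn it back on.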