Greetings,

CONFIG_BPF_JIT_ALWAYS_ON was introduced because of Spectre. However, it has a dependency on BPF_SYSCALL. This forces a system that needs BPF JIT (because of seccomp) but didn't have BPF_SYSCALL previously to include BPF_SYSCALL, which opens up BPF loading from userspace.

The workaround for this is to implement an LSM to prevent loading of BPF.

Is it possible to remove this dependency in the kernel?

Thanks

Best Regards,
Jeff Xu
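
The configuration described in the message above can be checked for in a kernel .config. This is an added example, not part of the original mail: the function names are hypothetical, the sample config is constructed, and CONFIG_SECCOMP_FILTER and CONFIG_SECURITY (the LSM framework an LSM workaround would need) are symbol names the mail does not spell out.

```shell
#!/bin/sh
# Added example, not from the original mail. CONFIG_SECCOMP_FILTER and
# CONFIG_SECURITY (the LSM framework) are symbol names the mail does not spell out.

# Constructed sample: a seccomp-only build after CONFIG_BPF_JIT_ALWAYS_ON
# pulled in CONFIG_BPF_SYSCALL, with no LSM framework configured.
sample_config() {
    cat <<'EOF'
CONFIG_SECCOMP_FILTER=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
# CONFIG_SECURITY is not set
EOF
}

# flag FILE SYMBOL -> prints y when CONFIG_SYMBOL=y is in FILE, otherwise n
flag() {
    if grep -q "^CONFIG_$2=y\$" "$1"; then echo y; else echo n; fi
}

# audit_bpf_config FILE -> one summary line ending in a verdict
audit_bpf_config() {
    sys=$(flag "$1" BPF_SYSCALL)
    jit=$(flag "$1" BPF_JIT_ALWAYS_ON)
    sec=$(flag "$1" SECCOMP_FILTER)
    lsm=$(flag "$1" SECURITY)
    if [ "$sys" = n ]; then
        verdict="bpf-syscall-not-built"
    elif [ "$lsm" = y ]; then
        verdict="bpf-syscall-built-lsm-can-restrict"
    else
        verdict="bpf-syscall-built-no-lsm"
    fi
    echo "seccomp_filter=$sec jit_always_on=$jit bpf_syscall=$sys lsm=$lsm $verdict"
}

# Demo on the constructed sample; pass a real .config path as $1 to audit it instead.
cfg=${1:-}
if [ -z "$cfg" ]; then
    cfg=$(mktemp)
    sample_config > "$cfg"
    audit_bpf_config "$cfg"
    rm -f "$cfg"
else
    audit_bpf_config "$cfg"
fi
```

The verdict only reflects what was built in; whether an LSM that actually denies BPF loading is present is a separate check.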