2022-04-05 01:06:40

by Alexei Starovoitov

Subject: Re: [PATCH] bpf: make unprivileged BPF a compile time choice

On Mon, Apr 4, 2022 at 3:03 PM Matteo Croce <[email protected]> wrote:
>
> From: Matteo Croce <[email protected]>
>
> Add a compile time option to permanently disable unprivileged BPF and
> the corresponding sysctl handler so that there's absolutely no
> concern about unprivileged BPF being enabled from userspace during
> runtime. Special purpose kernels can benefit from the build-time
> assurance that unprivileged eBPF is disabled in all of their kernel
> builds rather than having to rely on userspace to permanently disable
> it at boot time.
> The default behaviour is left unchanged, which is: unprivileged BPF
> compiled in but disabled at boot.

That is an insane level of "security" paranoia.
If you're so concerned about bpf, do CONFIG_BPF_SYSCALL=n