# SPDX-License-Identifier: GPL-2.0-only
-config DEFCONFIG_LIST
- string
- depends on !UML
- option defconfig_list
- default "/lib/modules/$(shell,uname -r)/.config"
- default "/etc/kernel-config"
- default "/boot/config-$(shell,uname -r)"
- default "arch/$(SRCARCH)/configs/$(KBUILD_DEFCONFIG)"
-
config CC_VERSION_TEXT
string
default "$(CC_VERSION_TEXT)"
- Ensure full rebuild when the compiler is updated
include/linux/compiler-version.h contains this option in the comment
- line so fixdep adds include/config/cc/version/text.h into the
+ line so fixdep adds include/config/CC_VERSION_TEXT into the
auto-generated dependency. When the compiler is updated, syncconfig
will touch it and then every file will be rebuilt.
default $(cc-version) if CC_IS_CLANG
default 0
+config AS_IS_GNU
+ def_bool $(success,test "$(as-name)" = GNU)
+
+config AS_IS_LLVM
+ def_bool $(success,test "$(as-name)" = LLVM)
+
+config AS_VERSION
+ int
+ # Use clang version if this is the integrated assembler
+ default CLANG_VERSION if AS_IS_LLVM
+ default $(as-version)
+
config LD_IS_BFD
def_bool $(success,test "$(ld-name)" = BFD)
source "kernel/irq/Kconfig"
source "kernel/time/Kconfig"
+ source "kernel/bpf/Kconfig"
source "kernel/Kconfig.preempt"
menu "CPU/Task time and stats accounting"
help
Arch has userfaultfd write protection support
+config HAVE_ARCH_USERFAULTFD_MINOR
+ bool
+ help
+ Arch has userfaultfd minor fault support
+
config MEMBARRIER
bool "Enable membarrier() system call" if EXPERT
default y
# syscall, maps, verifier
- config BPF_LSM
- bool "LSM Instrumentation with BPF"
- depends on BPF_EVENTS
- depends on BPF_SYSCALL
- depends on SECURITY
- depends on BPF_JIT
- help
- Enables instrumentation of the security hooks with eBPF programs for
- implementing dynamic MAC and Audit Policies.
-
- If you are unsure how to answer this question, answer N.
-
- config BPF_SYSCALL
- bool "Enable bpf() system call"
- select BPF
- select IRQ_WORK
- select TASKS_TRACE_RCU
- select BINARY_PRINTF
- select NET_SOCK_MSG if INET
- default n
- help
- Enable the bpf() system call that allows to manipulate eBPF
- programs and maps via file descriptors.
-
- config ARCH_WANT_DEFAULT_BPF_JIT
- bool
-
- config BPF_JIT_ALWAYS_ON
- bool "Permanently enable BPF JIT and remove BPF interpreter"
- depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
- help
- Enables BPF JIT and removes BPF interpreter to avoid
- speculative execution of BPF instructions by the interpreter
-
- config BPF_JIT_DEFAULT_ON
- def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
- depends on HAVE_EBPF_JIT && BPF_JIT
-
- source "kernel/bpf/preload/Kconfig"
-
config USERFAULTFD
bool "Enable userfaultfd() system call"
depends on MMU
config EMBEDDED
bool "Embedded system"
- option allnoconfig_y
select EXPERT
help
This option should be enabled if compiling the kernel for
menuconfig MODULES
bool "Enable loadable module support"
- option modules
+ modules
help
Kernel modules are small pieces of compiled code which can
be inserted in the running kernel, rather than being
config MODULE_SIG_ALL
bool "Automatically sign all modules"
default y
- depends on MODULE_SIG
+ depends on MODULE_SIG || IMA_APPRAISE_MODSIG
help
Sign all modules during make modules_install. Without this option,
modules must be signed manually, using the scripts/sign-file tool.
choice
prompt "Which hash algorithm should modules be signed with?"
- depends on MODULE_SIG
+ depends on MODULE_SIG || IMA_APPRAISE_MODSIG
help
This determines which sort of hashing algorithm will be used during
signature generation. This algorithm _must_ be built into the kernel
config MODULE_SIG_HASH
string
- depends on MODULE_SIG
+ depends on MODULE_SIG || IMA_APPRAISE_MODSIG
default "sha1" if MODULE_SIG_SHA1
default "sha224" if MODULE_SIG_SHA224
default "sha256" if MODULE_SIG_SHA256
default "sha384" if MODULE_SIG_SHA384
default "sha512" if MODULE_SIG_SHA512
-config MODULE_COMPRESS
- bool "Compress modules on installation"
+choice
+ prompt "Module compression mode"
help
+ This option allows you to choose the algorithm which will be used to
+ compress modules when 'make modules_install' is run. (or, you can
+ choose to not compress modules at all.)
- Compresses kernel modules when 'make modules_install' is run; gzip or
- xz depending on "Compression algorithm" below.
+ External modules will also be compressed in the same way during the
+ installation.
- module-init-tools MAY support gzip, and kmod MAY support gzip and xz.
+ For modules inside an initrd or initramfs, it's more efficient to
+ compress the whole initrd or initramfs instead.
- Out-of-tree kernel modules installed using Kbuild will also be
- compressed upon installation.
+ This is fully compatible with signed modules.
- Note: for modules inside an initrd or initramfs, it's more efficient
- to compress the whole initrd or initramfs instead.
+ Please note that the tool used to load modules needs to support the
+ corresponding algorithm. module-init-tools MAY support gzip, and kmod
+ MAY support gzip, xz and zstd.
- Note: This is fully compatible with signed modules.
+ Your build system needs to provide the appropriate compression tool
+ to compress the modules.
- If in doubt, say N.
+ If in doubt, select 'None'.
-choice
- prompt "Compression algorithm"
- depends on MODULE_COMPRESS
- default MODULE_COMPRESS_GZIP
+config MODULE_COMPRESS_NONE
+ bool "None"
help
- This determines which sort of compression will be used during
- 'make modules_install'.
-
- GZIP (default) and XZ are supported.
+ Do not compress modules. The installed modules are suffixed
+ with .ko.
config MODULE_COMPRESS_GZIP
bool "GZIP"
+ help
+ Compress modules with GZIP. The installed modules are suffixed
+ with .ko.gz.
config MODULE_COMPRESS_XZ
bool "XZ"
+ help
+ Compress modules with XZ. The installed modules are suffixed
+ with .ko.xz.
+
+config MODULE_COMPRESS_ZSTD
+ bool "ZSTD"
+ help
+ Compress modules with ZSTD. The installed modules are suffixed
+ with .ko.zst.
endchoice
If unsure, say N.
+config MODPROBE_PATH
+ string "Path to modprobe binary"
+ default "/sbin/modprobe"
+ help
+ When kernel code requests a module, it does so by calling
+ the "modprobe" userspace utility. This option allows you to
+ set the path where that binary is found. This can be changed
+ at runtime via the sysctl file
+ /proc/sys/kernel/modprobe. Setting this to the empty string
+ removes the kernel's ability to request modules (but
+ userspace can still load modules explicitly).
+
config TRIM_UNUSED_KSYMS
bool "Trim unused exported kernel symbols" if EXPERT
depends on !COMPILE_TEST
mutex_unlock(&bpf_stats_enabled_mutex);
return ret;
}
- #endif
+
+ static int bpf_unpriv_handler(struct ctl_table *table, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+ int ret, unpriv_enable = *(int *)table->data;
+ bool locked_state = unpriv_enable == 1;
+ struct ctl_table tmp = *table;
+
+ if (write && !capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
+ tmp.data = &unpriv_enable;
+ ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
+ if (write && !ret) {
+ if (locked_state && unpriv_enable != 1)
+ return -EPERM;
+ *(int *)table->data = unpriv_enable;
+ }
+ return ret;
+ }
+ #endif /* CONFIG_BPF_SYSCALL && CONFIG_SYSCTL */
/*
* /proc/sys support
.data = &sysctl_unprivileged_bpf_disabled,
.maxlen = sizeof(sysctl_unprivileged_bpf_disabled),
.mode = 0644,
- /* only handle a transition from default "0" to "1" */
- .proc_handler = proc_dointvec_minmax,
- .extra1 = SYSCTL_ONE,
- .extra2 = SYSCTL_ONE,
+ .proc_handler = bpf_unpriv_handler,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = &two,
},
{
.procname = "bpf_stats_enabled",
#ifdef CONFIG_COMPACTION
{
.procname = "compact_memory",
- .data = &sysctl_compact_memory,
+ .data = NULL,
.maxlen = sizeof(int),
.mode = 0200,
.proc_handler = sysctl_compaction_handler,
projects / linux.git / commitdiff