Message-ID: <CAKD1Yr15WP+_fQPc98FOOLFf=AhyAZon08p+=WaY4wJjA9oOJw@mail.gmail.com>
Date: Thu, 15 Feb 2018 17:35:07 +0900
From: Lorenzo Colitti <lorenzo@...gle.com>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>
Cc: Tycho Andersen <tycho@...ho.ws>,
Andy Lutomirski <luto@...capital.net>,
Kees Cook <keescook@...omium.org>,
Will Drewry <wad@...omium.org>,
Daniel Borkmann <daniel@...earbox.net>, netdev@...r.kernel.org,
Linux Containers <containers@...ts.linux-foundation.org>,
Sargun Dhillon <sargun@...gun.me>,
"David S. Miller" <davem@...emloft.net>
Subject: Re: [PATCH net-next 0/3] eBPF Seccomp filters

On Thu, Feb 15, 2018 at 1:30 PM, Alexei Starovoitov
<alexei.starovoitov@...il.com> wrote:
> Specifically for android we added bpf_lsm hooks, cookie/uid helpers,
> and read-only maps.
> Lorenzo,
> there was a claim in this thread that bpf is disabled on android.
> Can you please clarify?

It's not compiled out, at least at the moment.
https://android.googlesource.com/kernel/configs/+/master/android-4.9/android-base.cfg
has CONFIG_BPF_SYSCALL=y. As with many things on Android, use of EBPF
is (heavily) restricted via selinux, and I'm not aware of any plans to
allow unprivileged applications to use EBPF, or even of any use cases
other than network accounting. Even for this use case, we're looking
at having the program being completely read-only and baked into the
system image.

I definitely don't have a complete view of things though. Also, bear
in mind that none of this code has been released yet, so things could
change.