[PATCH net-next 0/3] eBPF Seccomp filters

Lorenzo Colitti lorenzo at google.com
Thu Feb 15 08:35:07 UTC 2018


On Thu, Feb 15, 2018 at 1:30 PM, Alexei Starovoitov
<alexei.starovoitov at gmail.com> wrote:
> Specifically for android we added bpf_lsm hooks, cookie/uid helpers,
> and read-only maps.
> Lorenzo,
> there was a claim in this thread that bpf is disabled on android.
> Can you please clarify ?

It's not compiled out, at least at the moment.
https://android.googlesource.com/kernel/configs/+/master/android-4.9/android-base.cfg
has CONFIG_BPF_SYSCALL=y. As with many things on Android, use of eBPF
is (heavily) restricted via SELinux, and I'm not aware of any plans to
allow unprivileged applications to use eBPF, or even of any use cases
other than network accounting. Even for this use case, we're looking
at having the program be completely read-only and baked into the
system image.

I definitely don't have a complete view of things though. Also, bear
in mind that none of this code has been released yet, so things could
change.
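
The distinction Lorenzo draws above, "not compiled out" versus "restricted via SELinux", is observable from userspace: a kernel built without CONFIG_BPF_SYSCALL has no bpf(2) at all and fails with ENOSYS, whereas a kernel that has the syscall but denies the caller fails with EPERM (capability or sysctl gate) or EACCES (an LSM such as SELinux). The probe below is an added example, not code from this thread or from Android; it tries the smallest possible bpf() operation, creating a one-element array map, and classifies the errno. The constants and the attr layout are copied from the stable UAPI so the file builds without <linux/bpf.h>; the errno-to-cause mapping is my reading of the kernel's usual behaviour (a seccomp filter, for example, can also return ENOSYS or EPERM), not something the thread states.

```c
/* Added example, not part of the original thread: probe whether bpf(2) is
 * compiled in and whether the calling process is allowed to use it.
 * Assumes Linux; on other platforms the probe reports ENOSYS. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

/* Values from include/uapi/linux/bpf.h (stable ABI), copied here so the
 * example builds without the kernel UAPI headers. */
#define PROBE_BPF_MAP_CREATE     0
#define PROBE_BPF_MAP_TYPE_ARRAY 2

/* Leading fields of union bpf_attr as used by BPF_MAP_CREATE. Passing a
 * shorter struct is fine: the kernel copies only the size we hand it. */
struct probe_map_create_attr {
    uint32_t map_type;
    uint32_t key_size;
    uint32_t value_size;
    uint32_t max_entries;
    uint32_t map_flags;
};

/* Map the errno of a failed bpf() call to what it says about the system.
 * Assumed mapping (author's reading of kernel behaviour, not from the thread):
 *   ENOSYS  - no bpf syscall at all: CONFIG_BPF_SYSCALL=n (or seccomp returning ENOSYS)
 *   EPERM   - syscall exists but the caller is gated by unprivileged_bpf_disabled
 *             or a missing capability
 *   EACCES  - syscall exists, an LSM (e.g. SELinux's bpf permission) denied it */
const char *classify_bpf_errno(int err)
{
    switch (err) {
    case 0:      return "allowed";
    case ENOSYS: return "compiled-out";
    case EPERM:  return "restricted-capability";
    case EACCES: return "restricted-lsm";
    default:     return "other";
    }
}

/* Try to create a tiny array map. Returns 0 on success, otherwise the errno.
 * A map we do manage to create is closed immediately. */
int probe_bpf_syscall(void)
{
#if defined(__linux__) && defined(__NR_bpf)
    struct probe_map_create_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.map_type    = PROBE_BPF_MAP_TYPE_ARRAY;
    attr.key_size    = 4;
    attr.value_size  = 4;
    attr.max_entries = 1;

    long fd = syscall(__NR_bpf, PROBE_BPF_MAP_CREATE, &attr, sizeof attr);
    if (fd < 0)
        return errno;
    close((int)fd);
    return 0;
#else
    return ENOSYS;  /* no bpf(2) on this platform */
#endif
}

int main(void)
{
    int err = probe_bpf_syscall();
    printf("bpf(BPF_MAP_CREATE): %s (%s)\n",
           classify_bpf_errno(err), err ? strerror(err) : "ok");
    return 0;
}
```

On an Android device the interesting run is from an app context rather than from a root shell: an EACCES there, paired with an avc denial in the kernel log for the bpf class, is the SELinux restriction Lorenzo describes, while an ENOSYS would contradict the CONFIG_BPF_SYSCALL=y claim.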


More information about the Containers mailing list