In include/linux/bpf-cgroup-defs.h, CGROUP_LSM_NUM defines the maximum number of BPF_PROG_TYPE_LSM programs that can be simultaneously attached using the `BPF_LSM_CGROUP` attachment type. We set the value to the newly introduced `CONFIG_CGROUP_LSM_NUM` Kconfig option, allowing users and distributions to tune this limit at build time rather than relying on a hardcoded value. The option ranges from 0 to 300 and defaults to 10, preserving the existing behaviour.

There are currently 273 LSM hooks but this number is subject to change. I couldn't find a MACRO counting the sum of LSM interfaces and therefore arbitrarily set the threshold to 300. I am open to suggestions on how to set this limit dynamically or not.

---
Signed-off-by: Paul Houssel
---
 include/linux/bpf-cgroup-defs.h | 2 +-
 kernel/bpf/Kconfig | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/include/linux/bpf-cgroup-defs.h b/include/linux/bpf-cgroup-defs.h index c9e6b26abab6..9ab5ca3dbaba 100644 --- a/include/linux/bpf-cgroup-defs.h +++ b/include/linux/bpf-cgroup-defs.h @@ -12,7 +12,7 @@ struct bpf_prog_array; #ifdef CONFIG_BPF_LSM /* Maximum number of concurrently attachable per-cgroup LSM hooks. */ -#define CGROUP_LSM_NUM 10 +#define CGROUP_LSM_NUM CONFIG_CGROUP_LSM_NUM #else #define CGROUP_LSM_NUM 0 #endif diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig index eb3de35734f0..7f51598aa8fe 100644 --- a/kernel/bpf/Kconfig +++ b/kernel/bpf/Kconfig @@ -101,4 +101,17 @@ config BPF_LSM If you are unsure how to answer this question, answer N. +config CGROUP_LSM_NUM + int "Maximum number of per-cgroup LSM hooks" + depends on BPF_LSM + depends on CGROUP_BPF + range 0 300 + default 10 + help + Maximum number of concurrently attachable per-cgroup LSM hooks. + Increasing this value increases the size of the cgroup_lsm_atype + structure. + + If you are unsure, leave the default value. + endmenu # "BPF subsystem" -- 2.53.0
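Review bot: the bpf-cgroup-defs.h hunk guards the new definition on CONFIG_BPF_LSM alone, but the Kconfig symbol it expands to has an extra `depends on CGROUP_BPF`, so with BPF_LSM=y and CGROUP_BPF=n the preprocessor sees `#define CGROUP_LSM_NUM CONFIG_CGROUP_LSM_NUM` with CONFIG_CGROUP_LSM_NUM never defined, and any use of CGROUP_LSM_NUM as an integer (it previously expanded to the literal 10) no longer compiles. Either make the header's condition match the Kconfig symbol, for example `#if defined(CONFIG_BPF_LSM) && defined(CONFIG_CGROUP_BPF)`, or drop the CGROUP_BPF dependency from the Kconfig entry so the symbol exists whenever CONFIG_BPF_LSM does. A fallback such as `#ifndef CONFIG_CGROUP_LSM_NUM` / `#define CGROUP_LSM_NUM 0` in the `#else` path would also keep the header self-consistent regardless of how the Kconfig dependencies evolve.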
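Review bot: in the Kconfig hunk, `range 0 300` lets a kernel with BPF_LSM=y end up with CGROUP_LSM_NUM 0, which is exactly the value the header already uses to express "BPF LSM disabled"; a configuration that enables the feature but leaves no attach slots is a foot-gun, so a lower bound of 1 (`range 1 300`) would be safer. The help text should also say what the upper bound means, since the commit message explains that 300 was chosen arbitrarily because there are 273 LSM hooks today; a sentence noting that values beyond the number of LSM hooks only waste memory in the per-cgroup arrays would let a user choose sensibly. Minor: the two `depends on` lines can be collapsed to `depends on BPF_LSM && CGROUP_BPF`, and a BPF_-prefixed name (e.g. BPF_CGROUP_LSM_NUM) would sit more naturally beside BPF_LSM and BPF_JIT in this menu than a bare CGROUP_LSM_NUM.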