From: Paul Chaignon <paul.chaignon@gmail.com>
To: bot+bpf-ci@kernel.org
Cc: paulhoussel2@gmail.com, paul.houssel@orange.com,
	andrii@kernel.org, yonghong.song@linux.dev, kpsingh@kernel.org,
	ast@kernel.org, song@kernel.org, martin.lau@kernel.org,
	christian.koenig@amd.com, fw@strlen.de, tjmercier@google.com,
	lirongqing@baidu.com, alibuda@linux.alibaba.com, kuba@kernel.org,
	sdf@fomichev.me, bpf@vger.kernel.org, daniel@iogearbox.net,
	eddyz87@gmail.com, clm@meta.com, ihor.solodrai@linux.dev
Subject: Re: [PATCH v3 1/2] bpf: render CGROUP_LSM_NUM configurable as a KConfig
Date: Wed, 6 May 2026 18:11:17 +0200
Message-ID: <aftoJQRKGhosKT9B@mail.gmail.com>
In-Reply-To: <283f244ee4c180a4a69cf5cffdbeffea1a0928262758906384f3512e09fe3c44@mail.kernel.org>

On Wed, May 06, 2026 at 03:52:37PM +0000, bot+bpf-ci@kernel.org wrote:
> > diff --git a/include/linux/bpf-cgroup-defs.h b/include/linux/bpf-cgroup-defs.h
> > index c9e6b26abab6..9ab5ca3dbaba 100644
> > --- a/include/linux/bpf-cgroup-defs.h
> > +++ b/include/linux/bpf-cgroup-defs.h
> > @@ -12,7 +12,7 @@ struct bpf_prog_array;
> >
> >  #ifdef CONFIG_BPF_LSM
> >  /* Maximum number of concurrently attachable per-cgroup LSM hooks. */
> > -#define CGROUP_LSM_NUM 10
> > +#define CGROUP_LSM_NUM CONFIG_CGROUP_LSM_NUM
> >  #else
> >  #define CGROUP_LSM_NUM 0
> >  #endif
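
Review bot: the `#ifdef CONFIG_BPF_LSM` guard around the new `#define CGROUP_LSM_NUM CONFIG_CGROUP_LSM_NUM` is narrower than the symbol's dependencies. The Kconfig entry added by this patch has both `depends on BPF_LSM` and `depends on CGROUP_BPF`, and Kconfig emits no CONFIG_CGROUP_LSM_NUM define when a dependency is unmet, so with BPF_LSM=y and CGROUP_BPF=n the macro would expand to an undeclared identifier wherever it is used. If an outer CONFIG_CGROUP_BPF guard outside the visible context already covers this block, a sentence in the commit message saying so would settle it; otherwise the guard here should test both symbols.
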
> 
> [ ... ]
> 
> > diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig
> > index eb3de35734f0..050af0b72651 100644
> > --- a/kernel/bpf/Kconfig
> > +++ b/kernel/bpf/Kconfig
> > @@ -101,4 +101,23 @@ config BPF_LSM
> >
> >  	  If you are unsure how to answer this question, answer N.
> >
> > +config CGROUP_LSM_NUM
> > +	int "Maximum number of per-cgroup LSM hooks"
> > +	depends on BPF_LSM
> > +	depends on CGROUP_BPF
> > +	range 0 300
>               ^^^
> 
> Should the minimum range be 1 instead of 0? When CONFIG_CGROUP_LSM_NUM=0,
> the enum in include/linux/bpf-cgroup-defs.h calculates:

That makes sense to me, especially since we already have CONFIG_BPF_LSM
to disable BPF LSM altogether. CONFIG_CGROUP_LSM_NUM=0 could be useful
if we wanted to offer a way to disable per-cgroup LSM specifically, but
then you'd need to rework things a bit as pointed out by the bot. I'm
not sure it's worth it.

> 
> enum cgroup_bpf_attach_type {
>     ...
>     CGROUP_LSM_START,
>     CGROUP_LSM_END = CGROUP_LSM_START + CGROUP_LSM_NUM - 1,
>     ...
> };
> 
> This results in CGROUP_LSM_END being less than CGROUP_LSM_START (END =
> START - 1), which contradicts C enum range conventions. While the runtime
> behavior stays safe since bpf_cgroup_atype_find returns -E2BIG for empty
> arrays, the enum definition is semantically incorrect.
> 
> The Kconfig help text refers to "Maximum number of concurrently attachable
> per-cgroup LSM hooks" which suggests at least one hook should be
> attachable.
> 
> > +	default 10
> > +	help
> > +	  Maximum number of concurrently attachable per-cgroup LSM hooks.
> > +	  Increasing this value has two memory costs:
> > +		- 8 bytes per added hook (due to growing
> > +		cgroup_lsm_atype[] array in kernel/bpf/cgroup.c)
> > +
> > +		- 25 bytes per added hook, because each hook adds a value to
> > +		MAX_CGROUP_BPF_ATTACH_TYPE and thus increases the
> > +		effective, progs, flags and revisions arrays in struct
> > +		cgroup_bpf
> > +
> > +	  If you are unsure, leave the default value.
> > +
> >  endmenu # "BPF subsystem"
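
Review bot: the second help-text bullet ("25 bytes per added hook") does not say that this cost is paid once per struct cgroup_bpf, that is once per cgroup, whereas the first bullet describes a single cgroup_lsm_atype[] array in kernel/bpf/cgroup.c. Someone picking a value near the top of `range 0 300` needs that distinction to estimate memory use, so the bullet should read "25 bytes per added hook and per cgroup" or similar. The help text also gives no reason for the upper bound of 300; a short justification in the help or the commit message would help. Minor style point: the bullets are indented with two tabs, while the surrounding help text uses a tab plus two spaces.
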
> 
> 
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
> 
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/25444641622


Thread overview: 11+ messages
2026-05-06 15:05 [PATCH v3 0/2] Introduce CONFIG_CGROUP_LSM_NUM to render BPF_LSM_CGROUP attachment limit configurable Paul Houssel
2026-05-06 15:05 ` [PATCH v3 1/2] bpf: render CGROUP_LSM_NUM configurable as a KConfig Paul Houssel
2026-05-06 15:52   ` bot+bpf-ci
2026-05-06 16:11     ` Paul Chaignon [this message]
2026-05-06 21:08   ` sashiko-bot
2026-05-07 16:39     ` Paul Houssel
2026-05-08 22:16       ` Alexei Starovoitov
2026-05-06 15:05 ` [PATCH v3 2/2] selftests/bpf: add tests to verify the enforcement of CONFIG_CGROUP_LSM_NUM Paul Houssel
2026-05-06 16:05   ` Paul Chaignon
2026-05-06 21:24   ` sashiko-bot
2026-05-06 16:13 ` [PATCH v3 0/2] Introduce CONFIG_CGROUP_LSM_NUM to render BPF_LSM_CGROUP attachment limit configurable Paul Chaignon
