[systemd-devel] Using IPAddressAllow/IPAddressDeny on --user scopes

Lennart Poettering lennart at poettering.net
Wed Dec 14 17:34:24 UTC 2022


On Di, 13.12.22 22:34, Farblos (AKFKQU.9DF7RP at vodafonemail.de) wrote:

> I can imagine that the latter scenario is not supported or requires
> additional configuration (which?), but I have not found any hints on that,
> neither in systemd.resource-control(5) nor in [1.] or [8.] from that man
> page.

The relevant mechanisms are implemented via eBPF, which the kernel
restricts to privileged processes, which means --user systemd will
have a hard time.

There were discussions and some work done to allow signed eBPF
programs which the kernel would then allow even from unpriv userspace,
but this hasn't materialized so far. I think it would be a great solution
for us.

Most of our sandboxing settings degrade gracefully if the backing
kernel concept is not available in the kernel, or not accessible due
to privs. We generally value portability of service files more than
the sandboxing settings, currently.

Lennart

--
Lennart Poettering, Berlin
