[systemd-devel] Using IPAddressAllow/IPAddressDeny on --userscopes
Farblos
AKFKQU.9DF7RP at vodafonemail.de
Fri Dec 16 20:53:59 UTC 2022
[Sorry, first reply was to Lennart only...]
Thanks.
> The relevant mechanisms are implemented via eBPF, which the kernel
> restricts to privileged processes, which means --user systemd will
> have a hard time.
I have been expecting something like that. But this is a restriction of
systemd, not the kernel, right? In other words, it is possible for a
privileged user to attach BPF to an unprivileged cgroup, say, using
bpftool, isn't it? (I could find that out myself, but most likely not
the next one:)
Assuming that it is possible kernel-wise, what is systemd's take on
attaching "non-systemd" BPF to some unprivileged cgroup that it manages?
Will it consider that "trampling on its toes"?
Jens
More information about the systemd-devel
mailing list