[systemd-devel] Antw: [EXT] Re: [systemd-devel] Using IPAddressAllow/IPAddressDeny on --user scopes
Ulrich Windl
Ulrich.Windl at rz.uni-regensburg.de
Thu Dec 15 08:00:24 UTC 2022
>>> Lennart Poettering <lennart at poettering.net> wrote on 14.12.2022 at 18:34 in message <Y5oJICQrU0EuThkH at gardel-login>:
> On Tue, 13.12.22 22:34, Farblos (AKFKQU.9DF7RP at vodafonemail.de) wrote:
>
>> I can imagine that the latter scenario is not supported or requires
>> additional configuration (which?), but I have not found any hints on that,
>> neither in systemd.resource-control(5) nor in [1.] or [8.] from that man
>> page.
>
> The relevant mechanisms are implemented via eBPF, which the kernel
> restricts to privileged processes, which means --user systemd will
> have a hard time.
>
> There were discussions and some work done to allow signed eBPF
> programs which the kernel would then allow even from unpriv userspace,
> but this didn't materialize so far. I think it would be great solution
> for us.
>
> Most of our sandboxing settings degrade gracefully if the backing
> kernel concept is not available in the kernel, or not accessible due
> to privs. We generally value portability of service files more than
> the sandboxing settings, currently.
BUT: Shouldn't there be an error message for the --user case?
>
> Lennart
>
> --
> Lennart Poettering, Berlin
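As an added illustration of the consequence Lennart describes (this is not code from the thread or from systemd itself): the same IPAddressDeny=/IPAddressAllow= lines in a --user unit parse fine but cannot be backed by an eBPF program, because the user manager lacks the privileges the kernel demands to load and attach it. The equivalent unit run by the system manager with User= is enforced, since the manager (running as root) attaches the cgroup filter and only the service process itself runs unprivileged. The unit names, the binary path, the user name and the allow-listed address are made up for the example.

```ini
# ~/.config/systemd/user/fetcher.service  (hypothetical --user unit)
# These settings are accepted by the parser, but the user manager cannot
# load/attach the cgroup eBPF filter, so the allow/deny list is NOT enforced
# and the service keeps unrestricted network access.
[Unit]
Description=Example fetcher (user manager, IP filter not enforced)

[Service]
ExecStart=/usr/local/bin/fetcher
IPAddressDeny=any
IPAddressAllow=localhost
IPAddressAllow=192.0.2.10

# ----------------------------------------------------------------------
# /etc/systemd/system/fetcher.service  (hypothetical system unit)
# Same filter and an unprivileged service user, but the system manager
# attaches the eBPF program as root, so the allow/deny list IS enforced.
[Unit]
Description=Example fetcher (system manager, IP filter enforced)

[Service]
User=fetcher
Group=fetcher
ExecStart=/usr/local/bin/fetcher
IPAddressDeny=any
IPAddressAllow=localhost
IPAddressAllow=192.0.2.10
```

Whether a filter is actually active is best checked empirically rather than read off the unit file: `systemd-run --user --wait -p IPAddressDeny=any -- ping -c1 127.0.0.1` versus the same command without `--user`. Where the filter is attached, the send fails with EPERM (Operation not permitted); where the user manager could not attach it, the packet goes through and ping succeeds.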