Re: Using IPAddressAllow/IPAddressDeny on --user scopes

On Tue, 13.12.22 22:34, Farblos (AKFKQU.9DF7RP@xxxxxxxxxxxxxxx) wrote:

> I can imagine that the latter scenario is not supported or requires
> additional configuration (which?), but I have not found any hints on that,
> neither in systemd.resource-control(5) nor in [1.] or [8.] from that man
> page.

The relevant mechanisms are implemented via eBPF, which the kernel
restricts to privileged processes, which means --user systemd will
have a hard time.

There were discussions and some work done to allow signed eBPF
programs which the kernel would then allow even from unpriv userspace,
but this didn't materialize so far. I think it would be a great solution
for us.

Most of our sandboxing settings degrade gracefully if the backing
kernel concept is not available in the kernel, or not accessible due
to privs. We generally value portability of service files more than
the sandboxing settings, currently.

Lennart

--
Lennart Poettering, Berlin
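
Added example, not part of the original message and not systemd code: because the filters discussed above can degrade silently under a --user manager, this Python sketch lists the IPAddressAllow=/IPAddressDeny= entries a unit file ends up with and reports them when the unit lives in a user-manager path. The sample unit, the file paths and the function names are constructed for illustration; treating the path as the indicator of which manager loads the unit is an assumption.

```python
import re

# The two settings from this thread; systemd enforces them with eBPF programs.
EBPF_BACKED = ("IPAddressAllow", "IPAddressDeny")
# Unit types that accept resource-control settings.
SECTIONS = ("Service", "Scope", "Slice", "Socket", "Mount", "Swap")

# Constructed sample unit, not taken from the thread.
SAMPLE = """\
[Service]
ExecStart=/usr/bin/true
IPAddressDeny=any
IPAddressAllow=10.0.0.0/8
IPAddressAllow=
IPAddressAllow=127.0.0.0/8 ::1/128
"""

def effective_ip_lists(unit_text):
    """Return {setting: [entries]}; an empty assignment resets a list."""
    lists, active = {}, False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            active = header.group(1) in SECTIONS
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not (sep and active and key in EBPF_BACKED):
            continue
        if value.split():
            lists.setdefault(key, []).extend(value.split())
        else:
            lists.pop(key, None)  # earlier assignments are undone
    return lists

def audit(path, unit_text):
    """Findings for IP filters in units loaded by a --user manager."""
    if "/systemd/user/" not in path:  # assumption: path identifies the manager
        return []
    return [f"{path}: {key}={' '.join(vals)} may not be enforced (needs eBPF privileges)"
            for key, vals in sorted(effective_ip_lists(unit_text).items())]

if __name__ == "__main__":
    for finding in audit("/home/demo/.config/systemd/user/demo.service", SAMPLE):
        print(finding)
```

A finding here only means the filter should be verified at runtime or moved to a system unit; the script does not test whether the running kernel actually accepted the eBPF program.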


