Re: Using IPAddressAllow/IPAddressDeny on --user scopes

[Sorry, first reply was to Lennart only...]

Thanks.

> The relevant mechanisms are implemented via eBPF, which the kernel
> restricts to privileged processes, which means --user systemd will
> have a hard time.

I have been expecting something like that. But this is a restriction of
systemd, not the kernel, right? In other words, it is possible for a
privileged user to attach BPF to an unprivileged cgroup, say, using
bpftool, isn't it? (I could find that out myself, but most likely not
the next one:)

Assuming that it is possible kernel-wise, what is systemd's take on
attaching "non-systemd" BPF to some unprivileged cgroup that it manages?
Will it consider that "trampling on its toes"?

Jens





