>>> Lennart Poettering <lennart@xxxxxxxxxxxxxx> wrote on 14.12.2022 at 18:34 in message <Y5oJICQrU0EuThkH@gardel-login>:
> On Tue, 13.12.22 22:34, Farblos (AKFKQU.9DF7RP@xxxxxxxxxxxxxxx) wrote:
>
>> I can imagine that the latter scenario is not supported or requires
>> additional configuration (which?), but I have not found any hints on that,
>> neither in systemd.resource-control(5) nor in [1.] or [8.] from that man
>> page.
>
> The relevant mechanisms are implemented via eBPF, which the kernel
> restricts to privileged processes, which means --user systemd will
> have a hard time.
>
> There were discussions and some work done to allow signed eBPF
> programs which the kernel would then allow even from unpriv userspace,
> but this didn't materialize so far. I think it would be a great solution
> for us.
>
> Most of our sandboxing settings degrade gracefully if the backing
> kernel concept is not available in the kernel, or not accessible due
> to privs. We generally value portability of service files more than
> the sandboxing settings, currently.

BUT: Shouldn't there be an error message for the --user case?

>
> Lennart
>
> --
> Lennart Poettering, Berlin