Bug#1039896: systemd: Please consider enabling the BPF_FRAMEWORK config
Michael Biebl
biebl at debian.org
Thu Aug 24 10:45:41 BST 2023
On Thu, 29 Jun 2023 11:24:33 +0100 Luca Boccassi <bluca at debian.org> wrote:
> On Thu, 29 Jun 2023 10:16:19 +0000 undef <debian at undef.tools> wrote:
> > Package: systemd
> > Version: 252.6-1
> > Severity: wishlist
> > X-Debbugs-Cc: Undef <debian at undef.tools>
> >
> > Dear Maintainer,
> >
> > This config, enabled by adding `-DBPF_FRAMEWORK=true`, would allow
> > settings such as `IPAddressAllow` and `RestrictFileSystems` to be used
> > to harden services on Debian systems.
> >
> > `CONFIG_BPF_LSM` seems to already be enabled in Debian's kernels so
> > in theory the only change required should be adding the above setting
> > to the Systemd build.
>
> We intentionally kept it disabled as libbpf broke API and ABI recently,
> and we don't want to be caught in the crossfire here, we need stable
> interfaces.
> Further in the trixie dev cycle we can see what the situation is, and
> whether compatibility was maintained or it broke again, and
> re-evaluate.
Nod, being a bit more cautious and letting libbpf development settle a
bit seems like a reasonable idea.
Michael