Bug#1079567: systemd: Should not raise errors when not (all) BPF features are available
Josh Triplett
josh at joshtriplett.org
Sat Aug 24 23:44:59 BST 2024
On Sat, 24 Aug 2024 18:23:00 +0200 Diederik de Haas <didi.debian at cknow.org> wrote:
> I think/assume it's great that systemd would use kernel features like
> BPF *if* they're available. But if not, it should not throw an ERROR.
Security features should not fail open; they should fail closed.
Launching a service without the expected restrictions could open a
security hole on a user's system.
Ideally the error message could be improved, such as by more clearly
identifying the exact unit that's using the security feature.
More information about the Pkg-systemd-maintainers
mailing list