Bug#1039896: systemd: Please consider enabling the BPF_FRAMEWORK config

Luca Boccassi bluca at debian.org
Sun May 26 17:47:03 BST 2024


Control: close -1 256~rc1-1

On Thu, 24 Aug 2023 11:45:41 +0200 Michael Biebl <biebl at debian.org> wrote:
> On Thu, 29 Jun 2023 11:24:33 +0100 Luca Boccassi <bluca at debian.org> wrote:
> > On Thu, 29 Jun 2023 10:16:19 +0000 undef <debian at undef.tools> wrote:
> > > Package: systemd
> > > Version: 252.6-1
> > > Severity: wishlist
> > > X-Debbugs-Cc: Undef <debian at undef.tools>
> > > 
> > > Dear Maintainer,
> > > 
> > > This config, enabled by adding `-DBPF_FRAMEWORK=true`, would allow
> > > settings such as `IPAddressAllow` and `RestrictFileSystems` to be used
> > > to harden services on Debian systems.
> > > 
> > > `CONFIG_BPF_LSM` seems to already be enabled in Debian's kernels, so
> > > in theory the only change required should be adding the above setting
> > > to the Systemd build.
> > 
> > We intentionally kept it disabled as libbpf broke API and ABI recently,
> > and we don't want to be caught in the crossfire here; we need stable
> > interfaces.
> > Further in the trixie dev cycle we can see what the situation is, and
> > whether compatibility was maintained or it broke again, and re-evaluate.
> 
> Nod, being a bit more cautious and letting libbpf development settle a
> bit seems like a reasonable idea.

A year later and things seem to have settled now, and there are more
and more features needing this (like the nsresourced stuff), so it is
now enabled.

-- 
Kind regards,
Luca Boccassi
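Added example, not part of the bug thread or of the systemd package: a shell check for the `+BPF_FRAMEWORK` feature flag in `systemctl --version` output, followed by a unit drop-in that uses the two BPF-backed directives the report names. The sample version string, the service name and the drop-in values are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that the installed systemd was built with BPF_FRAMEWORK
# before relying on IPAddressAllow= / RestrictFileSystems= in a unit.

# Return 0 if the given `systemctl --version` output lists +BPF_FRAMEWORK
# (a build without it shows -BPF_FRAMEWORK instead).
has_bpf_framework() {
    printf '%s\n' "$1" | grep -qF '+BPF_FRAMEWORK'
}

# Emit a hardening drop-in for a service. IPAddress* filtering needs a cgroup v2
# hierarchy; RestrictFileSystems= needs the BPF LSM active in the running kernel
# (CONFIG_BPF_LSM built and "bpf" present in the kernel's LSM list).
bpf_hardening_dropin() {
    cat <<'EOF'
[Service]
# Network: default-deny, then allow loopback only (BPF cgroup socket filter).
IPAddressDeny=any
IPAddressAllow=localhost
# Filesystems: the service may only open files on these filesystem types (BPF LSM).
RestrictFileSystems=ext4 tmpfs proc
EOF
}

# Constructed sample of `systemctl --version` output; on a live host use:
#   has_bpf_framework "$(systemctl --version)"
SAMPLE_VERSION='systemd 256 (256~rc1-1)
+PAM +AUDIT +SECCOMP +BPF_FRAMEWORK default-hierarchy=unified'

if has_bpf_framework "$SAMPLE_VERSION"; then
    # Hypothetical service name; install the drop-in with systemctl edit or
    # by writing /etc/systemd/system/example.service.d/bpf-hardening.conf
    echo "# BPF_FRAMEWORK present; drop-in for example.service:"
    bpf_hardening_dropin
else
    echo "# systemd built without BPF_FRAMEWORK; IPAddressAllow=/RestrictFileSystems= will be ignored" >&2
fi
```

After installing the drop-in, `systemd-analyze security example.service` reports whether the IP address and filesystem restrictions are now in effect.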