core: pass bpf_outer_map_fd to sd-executor only if RestrictFileSystems was set #30170
…s was set
It causes SELinux denials to be raised, so restrict it only where needed
Follow-up for beb4ae8
The helpers already skip if the FD is < 0
An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released.
I'll look into adding some tests for the bpf stuff.
019ba7b to 906f1f0
906f1f0 to 4a43c2b
I just accidentally noticed that the BPF stuff has one other side effect:
(notice the extra bpf-map fd)
With this PR applied the issue seems to be gone:
And just to add to the previous comment - the "issue" is still there if
Not sure if there are any "real" consequences of the extra FD, though.
lgtm
It causes SELinux denials to be raised, so restrict it only where needed
Follow-up for beb4ae8
There are no tests for this feature, so no idea if this works or not, completely speculative.