Systemd has eBPF based resource-control features to limit file-system and network-interface access [1][2]
For these to be usable, the corresponding eBPFs that come with systemd need to be compiled and deployed to the system. This could now be done by setting PACKAGECONFIG+="bpf-framework" in the target build setup. Then clang-native (from meta-clang [3]) could be used to provide the bpf compiler, which systemd's build setup then uses to pre-compile these eBPFs; the other build requirements are bpftool-native and libbpf (both from meta-openembedded/meta-oe). On the system the only run-time dependency is then libbpf, to load these pre-compiled filters.

And "some kernel switches" [4]:

  CONFIG_BPF
  CONFIG_BPF_SYSCALL
  CONFIG_CGROUP_BPF

To use/test these, run for example:

  $> systemd-run -t -p RestrictNetworkInterfaces=enp0s3 ping 8.8.8.8

which would result in 100% packet loss if the default route goes over another interface.

Link: https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#RestrictFileSystems=
Link: https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#RestrictNetworkInterfaces=
Link: https://github.com/kraj/meta-clang
Link: https://kinvolk.io/blog/2021/04/extending-systemd-security-features-with-ebpf/
View/Reply Online (#200452): https://lists.openembedded.org/g/openembedded-core/message/200452
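A prerequisite check that goes with the message above, added here as an example (not part of the patch, of oe-core or of systemd): it verifies that the three kernel options are enabled and that the installed systemd was built with the BPF framework, assuming that `systemctl --version` reports a +BPF_FRAMEWORK / -BPF_FRAMEWORK feature flag. The sample kernel config and version string at the bottom are constructed, so the script can be exercised without a target system.

```shell
#!/bin/sh
# Prerequisite check for systemd's eBPF resource controls
# (RestrictFileSystems=, RestrictNetworkInterfaces=). Added example, not
# part of the original patch; assumes `systemctl --version` prints the
# build feature flag +BPF_FRAMEWORK / -BPF_FRAMEWORK.

REQUIRED_KCONFIG="CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF"

# check_kconfig <kernel-config-text>: 0 if every required option is "=y",
# otherwise reports each missing option on stderr and returns 1.
check_kconfig() {
    _missing=0
    for _opt in $REQUIRED_KCONFIG; do
        if ! printf '%s\n' "$1" | grep -q "^${_opt}=y\$"; then
            echo "kernel: ${_opt}=y missing" >&2
            _missing=1
        fi
    done
    return $_missing
}

# check_systemd_features <systemctl --version output>: 0 if systemd was
# built with the BPF framework (the bpf-framework PACKAGECONFIG).
check_systemd_features() {
    printf '%s\n' "$1" | grep -q '+BPF_FRAMEWORK'
}

# Read the running kernel's config; prints nothing if neither source exists.
running_kconfig() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# check_live: both checks against this machine (needs systemctl in PATH).
check_live() {
    check_kconfig "$(running_kconfig)" &&
        check_systemd_features "$(systemctl --version 2>/dev/null)"
}

# Constructed sample inputs: a kernel without CONFIG_CGROUP_BPF and a
# systemd built without the framework, so check_samples returns 1.
SAMPLE_KCONFIG="CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
# CONFIG_CGROUP_BPF is not set"
SAMPLE_SYSTEMD="systemd 255 (255.4) +PAM +AUDIT -BPF_FRAMEWORK"
check_samples() { check_kconfig "$SAMPLE_KCONFIG" && check_systemd_features "$SAMPLE_SYSTEMD"; }
if [ "${1:-}" = "live" ]; then check_live; fi
```

Run it with `live` as the first argument on the target to check the real kernel config and systemd build.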