Bug#1039896: systemd: Please consider enabling the BPF_FRAMEWORK config
Control: close -1 256~rc1-1

On Thu, 24 Aug 2023 11:45:41 +0200 Michael Biebl wrote:
> On Thu, 29 Jun 2023 11:24:33 +0100 Luca Boccassi wrote:
> > On Thu, 29 Jun 2023 10:16:19 + undef wrote:
> > > Package: systemd
> > > Version: 252.6-1
> > > Severity: wishlist
> > > X-Debbugs-Cc: Undef
> > >
> > > Dear Maintainer,
> > >
> > > This config, enabled by adding `-DBPF_FRAMEWORK=true` would allow settings such as
> > > `IPAddressAllow` and `RestrictFileSystems` to be used to harden services on Debian systems.
> > >
> > > `CONFIG_BPF_LSM` seems to already be enabled in Debian's kernels so in theory the only
> > > change required should be adding the above setting to the Systemd build.
> >
> > We intentionally kept it disabled as libbpf broke API and ABI recently,
> > and we don't want to be caught in the crossfire here, we need stable
> > interfaces.
> > Further in the trixie dev cycle we can see what the situation is, and
> > whether compatibility was maintained or it broke again, and re-evaluate.
>
> Nod, being a bit more cautious and letting libbpf development settle a
> bit seems like a reasonable idea.

A year later and things seem to have settled now, and there are more and more features needing this (like the nsresourced stuff), so it is now enabled.

-- 
Kind regards,
Luca Boccassi
Bug#1039896: systemd: Please consider enabling the BPF_FRAMEWORK config
On Thu, 29 Jun 2023 11:24:33 +0100 Luca Boccassi wrote:
> On Thu, 29 Jun 2023 10:16:19 + undef wrote:
> > Package: systemd
> > Version: 252.6-1
> > Severity: wishlist
> > X-Debbugs-Cc: Undef
> >
> > Dear Maintainer,
> >
> > This config, enabled by adding `-DBPF_FRAMEWORK=true` would allow settings such as
> > `IPAddressAllow` and `RestrictFileSystems` to be used to harden services on Debian systems.
> >
> > `CONFIG_BPF_LSM` seems to already be enabled in Debian's kernels so in theory the only
> > change required should be adding the above setting to the Systemd build.
>
> We intentionally kept it disabled as libbpf broke API and ABI recently,
> and we don't want to be caught in the crossfire here, we need stable
> interfaces.
> Further in the trixie dev cycle we can see what the situation is, and
> whether compatibility was maintained or it broke again, and re-evaluate.

Nod, being a bit more cautious and letting libbpf development settle a
bit seems like a reasonable idea.

Michael
Bug#1039896: systemd: Please consider enabling the BPF_FRAMEWORK config
On Thu, 29 Jun 2023 10:16:19 + undef wrote:
> Package: systemd
> Version: 252.6-1
> Severity: wishlist
> X-Debbugs-Cc: Undef
>
> Dear Maintainer,
>
> This config, enabled by adding `-DBPF_FRAMEWORK=true` would allow settings such as
> `IPAddressAllow` and `RestrictFileSystems` to be used to harden services on Debian systems.
>
> `CONFIG_BPF_LSM` seems to already be enabled in Debian's kernels so in theory the only
> change required should be adding the above setting to the Systemd build.

We intentionally kept it disabled as libbpf broke API and ABI recently,
and we don't want to be caught in the crossfire here, we need stable
interfaces.
Further in the trixie dev cycle we can see what the situation is, and
whether compatibility was maintained or it broke again, and re-evaluate.

-- 
Kind regards,
Luca Boccassi
Bug#1039896: systemd: Please consider enabling the BPF_FRAMEWORK config
Package: systemd
Version: 252.6-1
Severity: wishlist
X-Debbugs-Cc: Undef

Dear Maintainer,

This config, enabled by adding `-DBPF_FRAMEWORK=true` would allow settings such as
`IPAddressAllow` and `RestrictFileSystems` to be used to harden services on Debian systems.

`CONFIG_BPF_LSM` seems to already be enabled in Debian's kernels so in theory the only
change required should be adding the above setting to the Systemd build.

Thank you for considering.

-- Package-specific info:

-- System Information:
Debian Release: 12.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.35-1.qubes.fc32.x86_64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages systemd depends on:
ii  libacl1            2.3.1-3
ii  libaudit1          1:3.0.9-1
ii  libblkid1          2.38.1-5+b1
ii  libc6              2.36-9
ii  libcap2            1:2.66-4
ii  libcryptsetup12    2:2.6.1-4~deb12u1
ii  libfdisk1          2.38.1-5+b1
ii  libgcrypt20        1.10.1-3
ii  libkmod2           30+20221128-1
ii  liblz4-1           1.9.4-1
ii  liblzma5           5.4.1-0.2
ii  libmount1          2.38.1-5+b1
ii  libp11-kit0        0.24.1-2
ii  libseccomp2        2.5.4-1+b3
ii  libselinux1        3.4-1+b6
ii  libssl3            3.0.9-1
ii  libsystemd-shared  252.6-1
ii  libsystemd0        252.6-1
ii  libzstd1           1.5.4+dfsg2-5
ii  mount              2.38.1-5+b1

Versions of packages systemd recommends:
ii  dbus [default-dbus-system-bus]   1.14.6-1
ii  systemd-timesyncd [time-daemon]  252.6-1

Versions of packages systemd suggests:
ii  libfido2-1            1.12.0-2+b1
ii  libqrencode4          4.1.1-1
pn  libtss2-esys-3.0.2-0
pn  libtss2-mu0
pn  libtss2-rc0
ii  policykit-1           122-3
ii  polkitd               122-3
pn  systemd-boot
ii  systemd-container     252.6-1
pn  systemd-homed
ii  systemd-resolved      252.6-1
pn  systemd-userdbd

Versions of packages systemd is related to:
ii  dbus-user-session  1.14.6-1
pn  dracut
ii  initramfs-tools    0.142
ii  libnss-systemd     252.6-1
ii  libpam-systemd     252.6-1
ii  udev               252.6-1

-- no debconf information
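The reportbug output above shows a systemd 252 build and lists only AppArmor under LSM, which is exactly the situation where a `RestrictFileSystems=` line in a unit may be accepted but not enforced. The following is an added example, not code from the bug report or from the systemd project: it reads the feature line of `systemctl --version` and the active LSM list from /sys/kernel/security/lsm and reports which BPF-backed directives in a unit will actually take effect (function names and the sample inputs are my own, constructed to match the Debian 12 build in the report).

```python
"""Added example, not from the bug thread: decide whether the BPF-backed
hardening directives in a unit will actually be enforced on a host, from
`systemctl --version` and /sys/kernel/security/lsm. Function names are mine."""
import re

# RestrictFileSystems= needs a systemd built with BPF_FRAMEWORK (libbpf) and
# the BPF LSM active; RestrictNetworkInterfaces= needs only the build flag.
# IPAddressAllow= is left out: it uses systemd's older cgroup BPF path and
# does not depend on this build option.
REQUIREMENTS = {
    "RestrictFileSystems": {"build": "BPF_FRAMEWORK", "lsm": "bpf"},
    "RestrictNetworkInterfaces": {"build": "BPF_FRAMEWORK", "lsm": None},
}

def parse_features(version_output):
    """Feature line of `systemctl --version` ('+PAM -AUDIT ...') -> {name: bool}."""
    return {t[1:]: t[0] == "+" for t in version_output.split()
            if re.fullmatch(r"[+-][A-Z0-9_]+", t)}

def parse_lsm(lsm_contents):
    """Active LSMs as listed in /sys/kernel/security/lsm (comma separated)."""
    return {x.strip() for x in lsm_contents.split(",") if x.strip()}

def directives_in(unit_text):
    """Directive names used in a unit file or drop-in, in order of appearance."""
    return re.findall(r"^\s*(\w+)\s*=", unit_text, flags=re.M)

def enforcement_report(unit_text, version_output, lsm_contents):
    """{directive: True if it will be enforced, False if systemd cannot apply it}."""
    feats, lsms = parse_features(version_output), parse_lsm(lsm_contents)
    report = {}
    for name in directives_in(unit_text):
        req = REQUIREMENTS.get(name)
        if req:
            built = feats.get(req["build"], False)
            report[name] = built and (req["lsm"] is None or req["lsm"] in lsms)
    return report

# Constructed sample inputs: a 252 build without BPF_FRAMEWORK, like the Debian
# 12 package in the report, and a kernel whose active LSM list includes bpf.
SAMPLE_VERSION = "systemd 252 (252.6-1)\n+PAM +AUDIT +APPARMOR -BPF_FRAMEWORK +SECCOMP\n"
SAMPLE_LSM = "lockdown,capability,landlock,yama,apparmor,bpf\n"
SAMPLE_DROPIN = ("[Service]\nRestrictFileSystems=ext4 tmpfs\n"
                 "RestrictNetworkInterfaces=lo\nProtectSystem=strict\n")

if __name__ == "__main__":
    # With the sample build both BPF directives come back False: not enforced.
    print(enforcement_report(SAMPLE_DROPIN, SAMPLE_VERSION, SAMPLE_LSM))
```

On a real host, feed `enforcement_report()` the actual output of `systemctl --version` and the contents of /sys/kernel/security/lsm instead of the constructed samples; a kernel with `CONFIG_BPF_LSM=y` still needs `bpf` in that active list for `RestrictFileSystems=` to work.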