]> git.ipfire.org Git - thirdparty/systemd.git/commit - src/core/execute.c
projects / thirdparty / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 184b4f7) | patch
core: use LSM BPF functions to implement RestrictFileSystems=
authorIago Lopez Galeiras <iagol@microsoft.com>
Tue, 5 Oct 2021 11:18:49 +0000 (13:18 +0200)
committerIago Lopez Galeiras <iagol@microsoft.com>
Wed, 6 Oct 2021 08:52:14 +0000 (10:52 +0200)
commitb1994387d3cb50b212fc4815941a8ff40d60cd85
treefef8dae9681c45cd38c86a33d88499bf43875814tree | snapshot
parent184b4f78cfbded54a6e06bbe1152256c204a7a73commit | diff
core: use LSM BPF functions to implement RestrictFileSystems=

It attaches the LSM BPF program when the system manager starts up.

It populates the hash of maps BPF map when services that have
RestrictFileSystems= set start.

It cleans up the hash of maps when the unit cgroup is pruned.

To pass the file descriptor of the BPF map we add it to the keep_fds
array.
src/basic/cgroup-util.h diff | blob | blame | history
src/core/cgroup.c diff | blob | blame | history
src/core/cgroup.h diff | blob | blame | history
src/core/execute.c diff | blob | blame | history
src/core/execute.h diff | blob | blame | history
src/core/main.c diff | blob | blame | history
src/core/manager.c diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.