From 13a141f04613948e42ab4fce2bf54b49f151b7bd Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 16 Feb 2018 16:24:19 +0100
Subject: [PATCH] namespace: protect bpf file system as part of ProtectKernelTunables=

It also exposes kernel objects, let's better include this in ProtectKernelTunables=.
---
 src/core/namespace.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/core/namespace.c b/src/core/namespace.c
index f605d239bc2..705a204bb3f 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -106,6 +106,7 @@ static const MountEntry protect_kernel_tunables_table[] = {
 { "/sys", READONLY, false },
 { "/sys/kernel/debug", READONLY, true },
 { "/sys/kernel/tracing", READONLY, true },
+{ "/sys/fs/bpf", READONLY, true },
 { "/sys/fs/cgroup", READWRITE, false }, /* READONLY is set by ProtectControlGroups= option */
 { "/sys/fs/selinux", READWRITE, true },
 };
-- 
2.47.3
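Review bot: The added `/sys/fs/bpf` entry is a mount-level restriction only: a read-only bpffs stops a service from creating or removing pinned objects through the file system, but it does not by itself restrict the bpf() system call, so a reader of this table should not take it as a BPF-disable control; a short comment on the new line would pin that down, e.g. `{ "/sys/fs/bpf", READONLY, true }, /* bpffs exposes pinned kernel objects; read-only stops pinning through the fs, not bpf() itself (use SystemCallFilter= for that) */`. The third field `true` presumably marks the entry as ignorable when the path does not exist, matching the `/sys/kernel/debug` and `/sys/kernel/tracing` entries above it — worth confirming that a host where bpffs is simply not mounted gets a silent skip rather than a unit start failure. The user-facing ProtectKernelTunables= documentation enumerates the paths made read-only and is not part of this patch, so it should gain the new path in a follow-up. The `protect_kernel_tunables_table` definition begins before this hunk; only its tail is visible here.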