TODO: mention the new Landlock LSM as a way to implement sandboxing for systemd ...

author Luca Boccassi <luca.boccassi@microsoft.com>

Wed, 2 Jun 2021 18:13:05 +0000 (19:13 +0100)

committer Luca Boccassi <luca.boccassi@microsoft.com>

Wed, 2 Jun 2021 18:13:28 +0000 (19:13 +0100)
author Luca Boccassi <luca.boccassi@microsoft.com>
Wed, 2 Jun 2021 18:13:05 +0000 (19:13 +0100)
committer Luca Boccassi <luca.boccassi@microsoft.com>
Wed, 2 Jun 2021 18:13:28 +0000 (19:13 +0100)
diff --git a/TODO b/TODO

index 5e91ddffd5918be768e6a4f015771e1811ee08dd..0b6733aa35425e93e2941cdfc66aebe3a8966798 100644 (file)
--- a/TODO
+++ b/TODO
@@ -858,6 +858,9 @@ Features:
    on PID 1 with the relevant signals, and makes relevant files in /sys and
    /proc (such as the sysrq stuff) unavailable
  
+* Support ReadWritePaths/ReadOnlyPaths/InaccessiblePaths in systemd --user instances
+  via the new unprivileged Landlock LSM (https://landlock.io)
+
  * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
  
  * journalctl: make sure -f ends when the container indicated by -M terminates
author	Luca Boccassi <luca.boccassi@microsoft.com>
	Wed, 2 Jun 2021 18:13:05 +0000 (19:13 +0100)
committer	Luca Boccassi <luca.boccassi@microsoft.com>
	Wed, 2 Jun 2021 18:13:28 +0000 (19:13 +0100)