From: Lennart Poettering Date: Fri, 16 Feb 2018 15:24:19 +0000 (+0100) Subject: namespace: protect bpf file system as part of ProtectKernelTunables= X-Git-Tag: v238~68^2~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=13a141f04613948e42ab4fce2bf54b49f151b7bd;p=thirdparty%2Fsystemd.git namespace: protect bpf file system as part of ProtectKernelTunables= It also exposes kernel objects, let's better include this in ProtectKernelTunables=.
---
diff --git a/src/core/namespace.c b/src/core/namespace.c
index f605d239bc2..705a204bb3f 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -106,6 +106,7 @@ static const MountEntry protect_kernel_tunables_table[] = {
 { "/sys", READONLY, false },
 { "/sys/kernel/debug", READONLY, true },
 { "/sys/kernel/tracing", READONLY, true },
+ { "/sys/fs/bpf", READONLY, true },
 { "/sys/fs/cgroup", READWRITE, false }, /* READONLY is set by ProtectControlGroups= option */
 { "/sys/fs/selinux", READWRITE, true },
 };
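Review bot: A read-only bind mount of /sys/fs/bpf only restricts what goes through the VFS — creating new pins with BPF_OBJ_PIN — while loading programs, creating maps and attaching them via bpf(2) are not touched by a mount flag, so the entry added after `/sys/kernel/tracing` should not be read as taking BPF away from the unit; a comment on the entry would keep a later maintainer from assuming otherwise, e.g. `/* bpffs: read-only stops pinning new objects; bpf(2) itself is governed by capabilities/SystemCallFilter=, not by this mount */`. The third column (`true`) is presumably the same ignore-if-absent flag used on the debug and tracing entries, which fits since bpffs is not mounted on every system — worth confirming against the MountEntry definition, which is outside this hunk. Looking up existing pins with BPF_OBJ_GET still works through a read-only mount, which seems intended given the option's read-only semantics, but it means a unit can still attach to pinned maps it can find. The user-facing list of paths covered by ProtectKernelTunables= in the manual is not part of this commit as far as visible here and likely needs the same addition. The `protect_kernel_tunables_table` array begins before the hunk.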