Systemd has eBPF based resource-control features to limit file-system and network-interface access [1][2]
For these to be usable the corresponding eBPFs that come with systemd need to be compiled and deployed to the system - this could now be done by setting PACKAGECONFIG += "bpf-framework" in the target build-setup. Then clang-native (from meta-clang [3]) could be used to provide the bpf-compiler, which systemd's build-setup then uses to pre-compile these eBPFs; the other build requirements are bpftool-native and libbpf (both from meta-openembedded/meta-oe). On the system the only run-time dependency is then libbpf to load these pre-compiled filters.

And "some kernel switches" [4]:

  CONFIG_BPF
  CONFIG_BPF_SYSCALL
  CONFIG_CGROUP_BPF

To use/test these run for example:

  $> systemd-run -t -p RestrictNetworkInterfaces=enp0s3 ping 8.8.8.8

which would result in 100% packet-loss, if the default route goes over another interface.

Link: https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#RestrictFileSystems=
Link: https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#RestrictNetworkInterfaces=
Link: https://github.com/kraj/meta-clang
Link: https://kinvolk.io/blog/2021/04/extending-systemd-security-features-with-ebpf/

=========
changes with v2:
rework hardcoded recipe-sysroot = oe-specific patch, to an upstreamed patch in systemd's meson.build
see: https://github.com/systemd/systemd/pull/33427
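The three kernel switches listed above are the first thing that goes wrong when RestrictNetworkInterfaces= silently has no effect on a target image, so a pre-flight check is useful. The script below is an added example, not part of this patch series, of systemd or of meta-openembedded; it reads a kernel .config (the running kernel's /proc/config.gz or /boot/config-$(uname -r), or any file piped in) and reports which of the required options is not built in. The option list comes from the cover letter; the two sample configs embedded in the script are constructed for demonstration.

```shell
#!/bin/sh
# Added example: pre-flight check of the kernel config switches that systemd's
# eBPF resource controls (RestrictFileSystems=, RestrictNetworkInterfaces=) need.
# The option list is the one given in the cover letter above.
REQUIRED="CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF"

# check_bpf_kconfig: reads kernel config text on stdin, prints the required
# options that are not set to =y, returns 1 if any is missing, 0 otherwise.
# "# CONFIG_X is not set" and a missing line both count as missing; =m does
# too, since these options are bool-only and cannot be modules.
check_bpf_kconfig() {
    missing=""
    cfg=$(cat)
    for opt in $REQUIRED; do
        if ! printf '%s\n' "$cfg" | grep -q "^${opt}=y$"; then
            missing="$missing $opt"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
        return 1
    fi
    return 0
}

# read_running_kconfig: emit the running kernel's config if it is exposed
# (CONFIG_IKCONFIG_PROC) or installed under /boot; returns 1 if neither exists.
read_running_kconfig() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Constructed sample: all three switches built in.
GOOD_CFG='CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_CGROUP_BPF=y
CONFIG_NET=y'

# Constructed sample: CGROUP_BPF disabled, which is the common miss on a
# minimal target defconfig.
BAD_CFG='CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
# CONFIG_CGROUP_BPF is not set'

# Check the running kernel when its config is available; guarded so the script
# also runs on hosts without /proc/config.gz.
if cfg=$(read_running_kconfig 2>/dev/null); then
    if printf '%s\n' "$cfg" | check_bpf_kconfig; then
        echo "running kernel: all BPF switches for systemd resource-control present"
    else
        echo "running kernel: systemd eBPF resource-control will not work"
    fi
fi
```

Usage on a target: `sh check-bpf-kconfig.sh`, or `zcat /proc/config.gz | check_bpf_kconfig` after sourcing the file. A build-time variant is to run the same function over the image's kernel .config in the work directory before `systemd-run -t -p RestrictNetworkInterfaces=...` is tried on hardware.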
