namespace: protect bpf file system as part of ProtectKernelTunables=

author Lennart Poettering <lennart@poettering.net>

Fri, 16 Feb 2018 15:24:19 +0000 (16:24 +0100)

committer Lennart Poettering <lennart@poettering.net>

Wed, 21 Feb 2018 15:43:36 +0000 (16:43 +0100)
author Lennart Poettering <lennart@poettering.net>
Fri, 16 Feb 2018 15:24:19 +0000 (16:24 +0100)
committer Lennart Poettering <lennart@poettering.net>
Wed, 21 Feb 2018 15:43:36 +0000 (16:43 +0100)
diff --git a/src/core/namespace.c b/src/core/namespace.c

index f605d23..705a204 100644 (file)
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -106,6 +106,7 @@ static const MountEntry protect_kernel_tunables_table[] = {
          { "/sys",                READONLY,     false },
          { "/sys/kernel/debug",   READONLY,     true  },
          { "/sys/kernel/tracing", READONLY,     true  },
+        { "/sys/fs/bpf",         READONLY,     true  },
          { "/sys/fs/cgroup",      READWRITE,    false }, /* READONLY is set by ProtectControlGroups= option */
          { "/sys/fs/selinux",     READWRITE,    true  },
  };
author	Lennart Poettering <lennart@poettering.net>
	Fri, 16 Feb 2018 15:24:19 +0000 (16:24 +0100)
committer	Lennart Poettering <lennart@poettering.net>
	Wed, 21 Feb 2018 15:43:36 +0000 (16:43 +0100)