namespace: protect bpf file system as part of ProtectKernelTunables=

It also exposes kernel objects, let's better include this in
ProtectKernelTunables=.
Lennart Poettering
2018-02-16 16:24:19 +01:00
parent 6590080851
commit 13a141f046


@@ -106,6 +106,7 @@ static const MountEntry protect_kernel_tunables_table[] = {
{ "/sys", READONLY, false },
{ "/sys/kernel/debug", READONLY, true },
{ "/sys/kernel/tracing", READONLY, true },
{ "/sys/fs/bpf", READONLY, true },
{ "/sys/fs/cgroup", READWRITE, false }, /* READONLY is set by ProtectControlGroups= option */
{ "/sys/fs/selinux", READWRITE, true },
};
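Review bot: The new `/sys/fs/bpf` row carries no explanatory comment, unlike the `/sys/fs/cgroup` row next to it, so the reason it needs its own entry under an already read-only `/sys` is not recorded in the table. If, as the neighbouring `/sys/kernel/debug` and `/sys/kernel/tracing` rows suggest, a separately mounted filesystem under `/sys` is not covered by the read-only treatment of `/sys` itself, a short comment would make that explicit: `{ "/sys/fs/bpf", READONLY, true }, /* separate bpffs mount, not covered by the read-only /sys above; pinned BPF objects live here */`. The third field is presumably the ignore-if-missing flag, which looks right since bpffs is not mounted on every system, but that should be confirmed against the MountEntry definition. The protect_kernel_tunables_table definition starts before this hunk.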