author Iago López Galeiras <iagol@microsoft.com> 2020-12-22 20:27:50 +0100
committer Iago Lopez Galeiras <iagol@microsoft.com> 2021-10-06 10:52:15 +0200
commit ec31dd5a9865fccfa5fa295b5e17ddae61f19468
tree 475e6e96c14d346feed0f5930a5e155079cbe712
parent 8216741cf9df00f7d71fa52ae933ecd129f94265
README: document LSM BPF requirements
-rw-r--r-- README 9
1 files changed, 8 insertions, 1 deletions
diff --git a/README b/README
index 6a151a49e9..3811abfe06 100644
--- a/README
+++ b/README
@@ -35,7 +35,7 @@ REQUIREMENTS:
Linux kernel >= 4.17 for cgroup-bpf socket address hooks
Linux kernel >= 5.3 for bounded-loops in BPF program
Linux kernel >= 5.4 for signed Verity images support
- Linux kernel >= 5.7 for BPF links
+ Linux kernel >= 5.7 for BPF links and the BPF LSM hook
Kernel Config Options:
CONFIG_DEVTMPFS
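Review bot: The changed ">= 5.7" line now covers two unrelated features ("BPF links and the BPF LSM hook"), while every other entry in this list names one feature per line. Suggest giving the BPF LSM hook its own ">= 5.7" line and naming RestrictFileSystems= there, so a reader checking the minimum kernel for that setting finds it without having to match this line against the Kernel Config Options section further down.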
@@ -119,6 +119,13 @@ REQUIREMENTS:
Required for signed Verity images support:
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
+ Required for RestrictFileSystems= in service units:
+ CONFIG_BPF
+ CONFIG_BPF_SYSCALL
+ CONFIG_BPF_LSM
+ CONFIG_DEBUG_INFO_BTF
+ CONFIG_LSM="...,bpf" or kernel booted with lsm="...,bpf".
+
We recommend to turn off Real-Time group scheduling in the
kernel when using systemd. RT group scheduling effectively
makes RT scheduling unavailable for most userspace, since it
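Review bot: The last added entry, CONFIG_LSM="...,bpf" or lsm="...,bpf", leaves the "..." unexplained, and that is the part an administrator is most likely to get wrong. The lsm= boot parameter replaces the built-in CONFIG_LSM list rather than extending it, so someone who boots with only lsm=bpf would turn off the other LSMs they were relying on. Suggest stating that "..." stands for the LSMs already enabled on the system and that bpf is appended to that list. Two smaller points on the same line: it is the only entry in this options list that ends with a period, and it mixes a build-time option with a boot parameter, which reads more clearly as a separate sentence below the CONFIG_ entries. It would also help to say what RestrictFileSystems= does on a kernel that lacks these options, since the README currently lists the requirement without the consequence of not meeting it.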