Following this post: https://kinvolk.io/blog/2021/04/extendi … with-ebpf/
I should be able to restrict the network interface of a systemd service using RestrictNetworkInterfaces=, however running
sudo systemd-run -t -p RestrictNetworkInterfaces="lo" ping archlinux.org
I am still able to successfully ping archlinux.org after restricting the service to the loopback interface; denying my main network interface doesn't work either:
sudo systemd-run -t -p RestrictNetworkInterfaces="~enp34s0" ping archlinux.org
All the required kernel options are enabled (see the table matrix at the end of the article):
zgrep -e "CONFIG_BPF=" -e "CONFIG_BPF_SYSCALL=" -e "CONFIG_CGROUP_BPF=" /proc/config.gz
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_CGROUP_BPF=y
uname --kernel-release
5.15.12-arch1-1
pacman -Qi libbpf
Version: 0.6.1-1
systemctl --version
systemd 250 (250.1-1-arch)
+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified
Any feedback will be greatly appreciated, thanks!
Welcome to the forum.
I did not get it to work either. Btw: you still need to enable the kernel boot option for bpf, if you have not.
But I think the fail is related to the following bug, currently worked on: https://github.com/systemd/systemd/pull/22025
On fedora, it does not work either: https://bugzilla.redhat.com/show_bug.cgi?id=2035608
Thanks for the feedback,
I think the lsm=on kernel boot parameter (if it's the one you're talking about) is only related to the "RestrictFileSystems=" option. I may be wrong, I do not have a lot of experience tinkering with this stuff.
I will wait for a working update and then mark this post as solved.
You're right, I read the requirements regarding "RestrictNetworkInterfaces=" too quickly.
Frankly, this sort of bug is astounding. I don't see in what circumstances the new feature worked at all, with its roll-out release.
According to the Fedora bug report, systemd has to be compiled with BPF_FRAMEWORK. Arch, however, compiles systemd without this feature: https://bugs.archlinux.org/task/73566
Last edited by mradermaxlol (2022-03-01 19:42:44)
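As an added example (not code from any post in this thread), here is a small POSIX shell script that performs the two prerequisite checks the thread ends up at: the kernel options the first post greps for (CONFIG_BPF, CONFIG_BPF_SYSCALL, CONFIG_CGROUP_BPF) and the +BPF_FRAMEWORK feature flag in the second line of `systemctl --version` output, which the last post identifies as the missing piece on Arch. The function names and the optional `--live` flag are my own; the functions take their input as arguments so they can be exercised against constructed text, and the `--live` branch reads the running system.

```shell
#!/bin/sh
# Added example, not from the forum thread: verify the prerequisites for
# RestrictNetworkInterfaces= before concluding the directive itself is broken.
# Check 1: the kernel was built with the BPF/cgroup options the thread lists.
# Check 2: systemd was built with libbpf support ("+BPF_FRAMEWORK" in the
#          feature line of `systemctl --version`; Arch's build shows "-BPF_FRAMEWORK").

# Print each required kernel option that is not "=y" in the given config text
# (the text `zcat /proc/config.gz` produces). Prints nothing when all are set.
missing_kernel_opts() {
    config="$1"
    for opt in CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF; do
        printf '%s\n' "$config" | grep -qx "${opt}=y" || printf '%s\n' "$opt"
    done
}

# Exit 0 if the systemd feature line contains "+BPF_FRAMEWORK", 1 otherwise.
# Fixed-string match so the leading '+' is taken literally.
has_bpf_framework() {
    printf '%s\n' "$1" | grep -qF -- '+BPF_FRAMEWORK'
}

# Combined verdict: prints "ok" and returns 0 when both checks pass,
# otherwise prints the reason and returns 1.
check_restrict_network_interfaces() {
    missing=$(missing_kernel_opts "$1")
    if [ -n "$missing" ]; then
        printf 'kernel options not enabled: %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')"
        return 1
    fi
    if ! has_bpf_framework "$2"; then
        printf 'systemd built without BPF_FRAMEWORK; RestrictNetworkInterfaces= cannot work\n'
        return 1
    fi
    printf 'ok\n'
}

# Run against the live system with: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    # Kernel config from /proc/config.gz, falling back to /boot/config-<release>.
    cfg=$(zcat /proc/config.gz 2>/dev/null || cat "/boot/config-$(uname -r)" 2>/dev/null)
    # The feature flags are on the second line of `systemctl --version`.
    feats=$(systemctl --version 2>/dev/null | sed -n '2p')
    check_restrict_network_interfaces "$cfg" "$feats"
fi
```

On the system described in the first post, the kernel check passes and the script reports the missing BPF_FRAMEWORK feature, which matches the outcome of the thread: the directive needs both the kernel options and a systemd built against libbpf.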