Mirror of https://github.com/systemd/systemd.git (synced 2024-12-22 17:35:35 +03:00)
update TODO
parent ae4c61bacc
commit 440531c839
Files changed: TODO (31 lines added)
@ -130,6 +130,37 @@ Deprecations and removals:

Features:

* signed bpf loading: to address need for signature verification for bpf
programs when they are loaded, and given the bpf folks don't think this is
realistic in kernel space, maybe add small daemon that facilitates this
loading on request of clients, validates signatures and then loads the
programs. This daemon should be the only daemon with privs to do load BPF on
the system. It might be a good idea to run this daemon already in the initrd,
and leave it around during the initrd transition, to continue serve requests.
Should then live in its own fs namespace that inherits from the initrd's
fs tree, not from the host, to isolate it properly. Should set
PR_SET_DUMPABLE so that it cannot be ptraced from the host. Should have
CAP_SYS_BPF as only service around.

* add a mechanism we can drop capabilities from pid1 *before* transitioning
from initrd to host. i.e. before we transition into the slightly lower trust
domain that is the host systems we might want to get rid of some caps.
Example: CAP_SYS_BPF in the signed bpf loading logic above. (We already have
CapabilityBoundingSet= in system.conf, but that is enforced when pid 1
initializes, rather then when it transitions to the next.)

* maybe add a new standard slice where process that are started in the initrd
and stick around for the whole system runtime (i.e. root fs storage daemons,
the bpf loader daemon discussed above, and such) are placed. maybe
protected.slice or so? Then write docs that suggest that services like this
set Slice=protected.sice, RefuseManualStart=yes, RefuseManualStop=yes and a
couple of other things.

* improve inode_same_at() to use AT_HANDLE_FID flag in name_to_handle_at() to
compare inode identity, rather than .st_ino – where available. Kernel FS
folks gave up on idea that inode numbers are fs-wide unique, and suggest
using the file handle/AT_HANDLE_FID instead.

* add feature to xopenat() that implements O_REGULAR in userspace: i.e. let's
open the inode via O_PATH first, then validate its type, and then convert to
proper fd via fd_reopen()
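Review bot: the capability named at the end of the signed-bpf-loading item ("CAP_SYS_BPF as only service around") and again in the capability-dropping item ("Example: CAP_SYS_BPF in the signed bpf loading logic above") does not exist; since Linux 5.8 BPF program loading is gated by CAP_BPF (with CAP_PERFMON or CAP_NET_ADMIN additionally required for tracing and networking program types), and before that by CAP_SYS_ADMIN, so both mentions should read CAP_BPF if a later CapabilityBoundingSet= is to name a capability the kernel recognizes. In the same item, "Should set PR_SET_DUMPABLE so that it cannot be ptraced from the host" states the intent backwards: the daemon has to clear the dumpable flag, i.e. prctl(PR_SET_DUMPABLE, 0), and even then a process holding CAP_SYS_PTRACE in the daemon's user namespace can still attach, so non-dumpability is a hardening layer on top of the separate fs namespace rather than the isolation guarantee by itself. Wording in the added lines: "privs to do load BPF" should read "privs to load BPF", "to continue serve requests" should read "to continue serving requests", "Slice=protected.sice" should read "Slice=protected.slice" (the slice is called protected.slice two lines earlier), and "rather then when it transitions" should read "rather than when it transitions".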