
Systemd Now Allows Custom BPF Programs To Be Loaded On Cgroups


  • tg--
    There's a conceptual difference between Android and Linux.
    In Linux, if you run an application, it runs under your user. In Android, each application gets its own private user ID, which makes it trivial to block its traffic in iptables, which afwall utilizes.

    This is a very simple solution, but has many downsides, and thus isn't exactly well-liked in the Linux world, as it breaks a LOT of existing expectations and applications.
    It works for Android since Google is in full control over the whole stack and there is no interoperability with any other operating system to consider.

    The cgroups approach, which is now quite popular in Linux, could achieve the same without all the downsides, but we're still far away from being able to use it universally.
    Right now systemd (and some other init systems/service managers) only launch system applications, and only those easily get their own cgroup.
    With the BPF feature it is indeed quite easy to build per-service (or in some sense per-application) firewall rules that are performant and work well.

    To get the feature for every user application, you would have to give every user application its own cgroup, which right now does not happen.
    Systemd currently largely doesn't touch this (though it could in theory, because there is user-session support), and nobody seems to work on it.
    Besides using systemd user sessions (which would launch applications in cgroups for users) to achieve this, the common desktops (Gnome or KDE and others) could implement a similar feature in their own launcher, but as far as I know this hasn't happened either.

    I certainly hope we will get each and every simple application in its own cgroup at some point, which would be a great usability and security benefit.

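The per-service egress filter the comment above describes, written out as an added example (not from the article, the commenter or systemd): a cgroup/skb BPF program in C that systemd can attach to a unit's cgroup. The policy, the pin path and the unit name are constructed for this example; the directive BPFProgram= is the one systemd 243 introduced, and the helper number and skb layout are the kernel's.

```c
/* egress_allowlist.c: cgroup/skb egress filter for one systemd unit (hypothetical
 * policy and pin path, constructed for this example). Build, pin, attach (needs
 * systemd >= 243 for BPFProgram=):
 *   clang -O2 -target bpf -c egress_allowlist.c -o egress_allowlist.o
 *   bpftool prog load egress_allowlist.o /sys/fs/bpf/egress_allowlist
 *   drop-in foo.service.d/bpf.conf:  [Service]  BPFProgram=egress:/sys/fs/bpf/egress_allowlist
 */
#include <stdint.h>
#define SEC(name) __attribute__((section(name), used))
/* BPF helper #26 (bpf_skb_load_bytes). For cgroup/skb programs the skb data
 * starts at the network header, so offset 0 is the first byte of the IPv4 header. */
typedef long (*skb_load_bytes_t)(const void *skb, uint32_t off, void *to, uint32_t len);
static skb_load_bytes_t bpf_skb_load_bytes = (skb_load_bytes_t)26;
struct __sk_buff;                       /* opaque here: never dereferenced */
#define IN_NET(ip, net, bits) (((ip) >> (32 - (bits))) == ((net) >> (32 - (bits))))

/* Pure policy decision (1 = pass, 0 = drop). Constructed policy: loopback and
 * 10.0.0.0/8 unrestricted, DNS (UDP/53) and HTTPS (TCP/443) to anywhere,
 * everything else dropped. */
static inline int egress_verdict(uint32_t daddr, uint8_t proto, uint16_t dport)
{
    if (IN_NET(daddr, 0x7f000000u, 8) || IN_NET(daddr, 0x0a000000u, 8))
        return 1;
    if (proto == 17 && dport == 53)  return 1;
    if (proto == 6  && dport == 443) return 1;
    return 0;
}

/* Parses the IPv4 header plus the first 4 bytes of L4 (src/dst port). Non-IPv4
 * is denied by default; non-initial fragments carry no L4 header, so dport = 0
 * and only the address rules can pass them. */
static inline int verdict_from_bytes(const uint8_t ip[20], const uint8_t l4[4], int have_l4)
{
    if ((ip[0] >> 4) != 4) return 0;
    uint32_t daddr = (uint32_t)ip[16] << 24 | (uint32_t)ip[17] << 16 | (uint32_t)ip[18] << 8 | ip[19];
    uint16_t frag_off = (uint16_t)((ip[6] & 0x1f) << 8 | ip[7]);
    uint16_t dport = (have_l4 && frag_off == 0) ? (uint16_t)(l4[2] << 8 | l4[3]) : 0;
    return egress_verdict(daddr, ip[9], dport);
}

SEC("cgroup_skb/egress")
int egress_filter(struct __sk_buff *skb)
{
    uint8_t ip[20], l4[4] = {0};
    if (bpf_skb_load_bytes(skb, 0, ip, sizeof ip) < 0) return 0;
    uint32_t ihl = (uint32_t)(ip[0] & 0x0f) * 4;    /* header length, 20..60 */
    int have_l4 = bpf_skb_load_bytes(skb, ihl, l4, sizeof l4) == 0;
    return verdict_from_bytes(ip, l4, have_l4);
}
char _license[] SEC("license") = "GPL";
```

The kernel applies the verdict to every socket of every process in the unit's cgroup, so the rules follow the service rather than a port or an interface.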

  • Danny3
    Does this mean that we can finally have a firewall where we can simply specify rules for programs instead of pretty stupid rules for ports?
    I've been waiting for years for at least one Linux distro to catch up to Android when it comes to firewall security and ease of use.
    On a rooted Android phone you can simply install AFWall+.
    Then you can simply specify which applications are allowed to use the network / internet. It's very simple and easy to understand.
    Why can't it be the same on Linux?
    Hopefully systemd will also solve this problem.


  • Candy
    SystemD is a body of religious beliefs and practices launched in March 2010 by German author Lennart Poettering (1980). Poettering initially developed a program of ideas called SystemD, which was distributed through the GNU Foundation. The foundation soon entered bankruptcy, and Poettering lost the rights to his seminal publication SystemD: The Modern Science of Mental Health in (unknown). He then recharacterized the subject as a religion and renamed it systemd.


  • Systemd Now Allows Custom BPF Programs To Be Loaded On Cgroups

    Phoronix: Systemd Now Allows Custom BPF Programs To Be Loaded On Cgroups

    Systemd now allows loading of custom BPF programs for network traffic filtering that are applied to all sockets created by processes of a given systemd unit...