
Systemd Now Allows Custom BPF Programs To Be Loaded On Cgroups


  • #31
    There's still a lot of people who browse this forum from work, so let's maybe be a bit more careful about the images we post. It's not puritanical, but professional. Even if they seem the same thing, the one we actually care about involves having to explain how relevant our network traffic is to our jobs. Though the pictures aren't really any worse than the words, the "classy" internet conversation usually gets a lot less scrutiny than the images. Until someone starts posting fanfics, I guess.

    That said, I *know* the barrier to entry for comments is a lot lower on systemd, Redhat and Wayland posts. But we can still try. Reading industry updates on someone else's time is a treasure I'd rather like to keep.


    • #32
      Originally posted by skeevy420:
      Compiled from known sources (AUR/OBS) and binaries compiled from a random party with sources you don't select (PPA) are not the same. All have the same "at your own risk" disclaimer, but that's about as similar as they are. The OBS still has that "binary from a random place" stigma that PPAs have, but at least you know the packages used at build time and have control over the building process.
      The only difference is that AUR compiles and/or builds the package on your own system (yes there are binary-only AURs too, you are downloading and repackaging binaries from somewhere), and that OBS allows you to compile stuff with their own infrastructure if you want.
      Otherwise AUR, OBS and PPAs are exactly the same. Places where you can find anything and there is no official distro maintainer guaranteeing that it isn't bullshit.

      Suse's release model is the closest Linux distribution analog to Windows since both are the only ones who really support both LTS and rolling release. There's Fedora/RHEL where one is free, one isn't, one is LTS, one isn't...only they're managed by different groups, unlike Suse or Windows, so they don't count.
      FYI: the "free" RHEL is called CentOS, and both Fedora and CentOS are paid for by Red Hat.

      Also SUSE and OpenSUSE are managed by "different groups" in the same way. The people on the opensource side are not necessarily involved with the SUSE enterprise side.

      Windows 10 LTSB doesn't always run what Windows 10 Pro/Home can run due to it lagging behind in regards to various features.
      Afaik the only things that break are apps; win32 applications are fine.

      I see a bunch of words that only make up half a sentence.
      If lacking a comma breaks your text parsing algorithms, I suggest you update them asap.

      While it's not the first time that I get breakage on third party stuff made for Leap, when I try to install it in Tumbleweed.


      • #33
        Originally posted by starshipeleven:
        The current way to "specify rules for programs" is designed for servers (unsurprisingly), and you need to install and manually configure AppArmor or SELinux for each specific application you want to lock down like that. It's powerful and it works as it tracks the application process, but it's not terribly user-friendly.
        At this point I know this method to start an application without Internet access:

        sudo setcap cap_sys_admin+ep /usr/bin/unshare
        unshare -n google-chrome

        But it is not a good solution - the program needs to be manually started via `unshare` every time...

        Do you know maybe how to configure SELinux to block Internet access for one particular application/process? I tried to find it but without success - everyone says it could be done via SELinux but no info how...
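
        The `unshare -n` approach above can be done without granting CAP_SYS_ADMIN to /usr/bin/unshare: a file capability set with `setcap` applies to every user who runs that binary, so the script below (an added example, not code from the thread) creates an unprivileged user namespace first and a network namespace inside it, then verifies from inside that only loopback is visible. It assumes a util-linux unshare(1) that has the --map-user/--map-group options (older releases only offer --map-root-user).

```shell
#!/bin/sh
# Run a program with no network access using an unprivileged user namespace plus a
# network namespace. No capability needs to be granted to /usr/bin/unshare, so the
# binary cannot later be abused to get CAP_SYS_ADMIN for unrelated operations.
# Assumption: util-linux unshare(1) with --map-user/--map-group.

# Start "$@" in a fresh network namespace that contains only an unconfigured
# loopback device. The calling uid/gid are mapped to themselves inside the
# namespace so the program still sees its own identity (some programs refuse to
# run as root, and an unmapped uid shows up as "nobody").
no_net() {
    unshare --user --map-user="$(id -u)" --map-group="$(id -g)" --net -- "$@"
}

# Print the interface names found in /proc/net/dev text read from stdin.
# /proc/net/dev follows the reading process's network namespace, unlike
# /sys/class/net, which follows the namespace sysfs was mounted in, so it is a
# reliable check from inside the sandbox. The first two lines are headers.
list_ifaces() {
    awk -F: 'NR > 2 { gsub(/ /, "", $1); print $1 }'
}

# Returns 0 if a command run through no_net only sees loopback,
# 1 if other interfaces are visible, 2 if the namespaces could not be created
# (for example when unprivileged user namespaces are disabled by the kernel).
check_no_net() {
    dev=$(no_net cat /proc/net/dev) || return 2
    seen=$(printf '%s\n' "$dev" | list_ifaces)
    [ "$seen" = "lo" ]
}

# Constructed usage: confirm the sandbox works, then run a program inside it.
# check_no_net && no_net google-chrome
```

Programs that create their own sandbox (Chrome does) need the uid mapping, because a process whose uid is unmapped in its user namespace cannot create a nested one.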


        • #34
          Originally posted by Danniello:
          Do you know maybe how to configure SELinux to block Internet access for one particular application/process? I tried to find it but without success - everyone says it could be done via SELinux but no info how...
          You need to create a policy configuration for it first. Look at documentation to create SELinux policies for a new program.

          There is a GUI tool that does help a bit; try to set it to listen and connect only on some random high TCP/UDP ports so it should block normal traffic (that goes to ports 80 and 433 and other known ports).

          It's somewhat similar for AppArmor, you basically need to learn its syntax and write a config file for it.

          I know it is possible to do because I've seen enough configurations that do that (see here for httpd), but I never did much with SELinux or AppArmor myself because it's stupidly complex and it's not my job (I work mostly with Windows servers).