README: document LSM BPF requirements

2024-10-01 13:55:20 +00:00 · 2020-12-22 20:27:50 +01:00 · 2020-12-22 20:27:50 +01:00 · ec31dd5a98
parent 8216741cf9
commit ec31dd5a98
1 changed files with 8 additions and 1 deletions
--- a/9
+++ b/9
@ -35,7 +35,7 @@ REQUIREMENTS:
        Linux kernel >= 4.17 for cgroup-bpf socket address hooks
        Linux kernel >= 5.3 for bounded-loops in BPF program
        Linux kernel >= 5.4 for signed Verity images support
-        Linux kernel >= 5.7 for BPF links
+        Linux kernel >= 5.7 for BPF links and the BPF LSM hook

        Kernel Config Options:
          CONFIG_DEVTMPFS
@ -119,6 +119,13 @@ REQUIREMENTS:
        Required for signed Verity images support:
          CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG

+        Required for RestrictFileSystems= in service units:
+          CONFIG_BPF
+          CONFIG_BPF_SYSCALL
+          CONFIG_BPF_LSM
+          CONFIG_DEBUG_INFO_BTF
+          CONFIG_LSM="...,bpf" or kernel booted with lsm="...,bpf".
+
        We recommend to turn off Real-Time group scheduling in the
        kernel when using systemd. RT group scheduling effectively
        makes RT scheduling unavailable for most userspace, since it