README: document LSM BPF requirements

author: Iago López Galeiras <iagol@microsoft.com> 2020-12-22 20:27:50 +0100
committer: Iago Lopez Galeiras <iagol@microsoft.com> 2021-10-06 10:52:15 +0200
commit: ec31dd5a9865fccfa5fa295b5e17ddae61f19468 (patch)
tree: 475e6e96c14d346feed0f5930a5e155079cbe712
parent: 8216741cf9df00f7d71fa52ae933ecd129f94265 (diff)
download: systemd-ec31dd5a9865fccfa5fa295b5e17ddae61f19468.tar.gz
1 files changed, 8 insertions, 1 deletions
diff --git a/README b/README
index 6a151a49e9..3811abfe06 100644
--- a/README
+++ b/README
@@ -35,7 +35,7 @@ REQUIREMENTS:
         Linux kernel >= 4.17 for cgroup-bpf socket address hooks
         Linux kernel >= 5.3 for bounded-loops in BPF program
         Linux kernel >= 5.4 for signed Verity images support
-        Linux kernel >= 5.7 for BPF links
+        Linux kernel >= 5.7 for BPF links and the BPF LSM hook
 
         Kernel Config Options:
           CONFIG_DEVTMPFS
@@ -119,6 +119,13 @@ REQUIREMENTS:
         Required for signed Verity images support:
           CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
 
+        Required for RestrictFileSystems= in service units:
+          CONFIG_BPF
+          CONFIG_BPF_SYSCALL
+          CONFIG_BPF_LSM
+          CONFIG_DEBUG_INFO_BTF
+          CONFIG_LSM="...,bpf" or kernel booted with lsm="...,bpf".
+
         We recommend to turn off Real-Time group scheduling in the
         kernel when using systemd. RT group scheduling effectively
         makes RT scheduling unavailable for most userspace, since it
author	Iago López Galeiras <iagol@microsoft.com>	2020-12-22 20:27:50 +0100
committer	Iago Lopez Galeiras <iagol@microsoft.com>	2021-10-06 10:52:15 +0200
commit	ec31dd5a9865fccfa5fa295b5e17ddae61f19468 (patch)
tree	475e6e96c14d346feed0f5930a5e155079cbe712
parent	8216741cf9df00f7d71fa52ae933ecd129f94265 (diff)
download	systemd-ec31dd5a9865fccfa5fa295b5e17ddae61f19468.tar.gz