TODO: mention the new Landlock LSM as a way to implement sandboxing for systemd --user

author: Luca Boccassi <luca.boccassi@microsoft.com> 2021-06-02 19:13:05 +0100
committer: Luca Boccassi <luca.boccassi@microsoft.com> 2021-06-02 19:13:28 +0100
commit: 88511a3712bcf8c1922ef21abc9e18798e61a80e (patch)
tree: e54d713fbe3a0bbd0622553034fa8cf74cfa6baf /TODO
parent: e91035abf0555e0ca85d24a1e02a32063728d9e6 (diff)
download: systemd-88511a3712bcf8c1922ef21abc9e18798e61a80e.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/TODO b/TODO
index 5e91ddffd5..0b6733aa35 100644
--- a/TODO
+++ b/TODO
@@ -858,6 +858,9 @@ Features:
   on PID 1 with the relevant signals, and makes relevant files in /sys and
   /proc (such as the sysrq stuff) unavailable
 
+* Support ReadWritePaths/ReadOnlyPaths/InaccessiblePaths in systemd --user instances
+  via the new unprivileged Landlock LSM (https://landlock.io)
+
 * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
 
 * journalctl: make sure -f ends when the container indicated by -M terminates
author	Luca Boccassi <luca.boccassi@microsoft.com>	2021-06-02 19:13:05 +0100
committer	Luca Boccassi <luca.boccassi@microsoft.com>	2021-06-02 19:13:28 +0100
commit	88511a3712bcf8c1922ef21abc9e18798e61a80e (patch)
tree	e54d713fbe3a0bbd0622553034fa8cf74cfa6baf /TODO
parent	e91035abf0555e0ca85d24a1e02a32063728d9e6 (diff)
download	systemd-88511a3712bcf8c1922ef21abc9e18798e61a80e.tar.gz