core: implement RestrictNetworkInterfaces=

This commit introduces all the logic to load and attach the BPF programs to restrict network interfaces when a unit specifying it is loaded. Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
author: Mauricio Vásquez <mauricio@kinvolk.io> 2021-01-21 11:08:19 -0500
committer: Mauricio Vásquez <mauricio@kinvolk.io> 2021-08-18 15:55:53 -0500
commit: 6f50d4f7d6406648232c8cc121ec3f9ea969de1c (patch)
tree: 442ec2af63ca882a8dcdf40d8bb968bc25c62ed0 /src/core/cgroup.h
parent: dc83b840d33e30fcd4363e26b933fa5cce410c4a (diff)
download: systemd-6f50d4f7d6406648232c8cc121ec3f9ea969de1c.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/src/core/cgroup.h b/src/core/cgroup.h
index 3f8cad899d..99bf7e22d8 100644
--- a/src/core/cgroup.h
+++ b/src/core/cgroup.h
@@ -160,6 +160,9 @@ struct CGroupContext {
         char **ip_filters_egress;
         LIST_HEAD(CGroupBPFForeignProgram, bpf_foreign_programs);
 
+        Set *restrict_network_interfaces;
+        bool restrict_network_interfaces_is_allow_list;
+
         /* For legacy hierarchies */
         uint64_t cpu_shares;
         uint64_t startup_cpu_shares;
author	Mauricio Vásquez <mauricio@kinvolk.io>	2021-01-21 11:08:19 -0500
committer	Mauricio Vásquez <mauricio@kinvolk.io>	2021-08-18 15:55:53 -0500
commit	6f50d4f7d6406648232c8cc121ec3f9ea969de1c (patch)
tree	442ec2af63ca882a8dcdf40d8bb968bc25c62ed0 /src/core/cgroup.h
parent	dc83b840d33e30fcd4363e26b933fa5cce410c4a (diff)
download	systemd-6f50d4f7d6406648232c8cc121ec3f9ea969de1c.tar.gz