Update NEWS

author Topi Miettinen <topimiettinen@users.noreply.github.com>

Tue, 23 Feb 2021 17:58:28 +0000 (17:58 +0000)

committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>

Tue, 23 Feb 2021 18:34:13 +0000 (19:34 +0100)
author Topi Miettinen <topimiettinen@users.noreply.github.com>
Tue, 23 Feb 2021 17:58:28 +0000 (17:58 +0000)
committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Tue, 23 Feb 2021 18:34:13 +0000 (19:34 +0100)
diff --git a/NEWS b/NEWS

index 3ff30898d6cea3fb17c6a3a58abfaa7c6d1085a3..3ca517af448291af13fbb82a7de281b2f775aa8e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -118,7 +118,7 @@ CHANGES WITH 248:
            unified v2 cgroup hierachy is used, and "v1" means that legacy v1
            hierarchy or the hybrid hierarchy are used.
  
-        * The tables of system calls in seccomps filters are now automatically
+        * The tables of system calls in seccomp filters are now automatically
            generated from kernel lists exported on
            https://fedora.juszkiewicz.com.pl/syscalls.html.
  
@@ -223,8 +223,10 @@ CHANGES WITH 248:
            as device properties under the /sys/class/dmi/id/ pseudo device.
  
          * /dev/ is not mounted noexec anymore. This didn't provide any
-          significant security benefits and would conflicts with the executable
-          mappings used with /dev/sgx device nodes.
+          significant security benefits and would conflict with the executable
+          mappings used with /dev/sgx device nodes. The previous behaviour can
+          be restored for individual services with NoExecPaths=/dev (or by allow-
+          listing and excluding /dev from ExecPaths=).
  
          * Permissions for /dev/vsock are now set to 0o666, and /dev/vhost-vsock
            and /dev/vhost-net are owned by the kvm group.
author	Topi Miettinen <topimiettinen@users.noreply.github.com>
	Tue, 23 Feb 2021 17:58:28 +0000 (17:58 +0000)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Tue, 23 Feb 2021 18:34:13 +0000 (19:34 +0100)