From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 22 Feb 2017 00:36:12 +0000 (+0100)
Subject: NEWS: add a comment about udev's MemoryDenyWriteExecute= setting (#5414)
X-Git-Tag: v233~49
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=05f426d2b80cefc171fc7756bb92df8373f8145a;p=thirdparty%2Fsystemd.git

NEWS: add a comment about udev's MemoryDenyWriteExecute= setting (#5414)

Apparently if people are adventurous enought to run Go programs in udev
rules they might run into problems with MemoryDenyWriteExecute=.

I am pretty sure the best way out is for the toolchain generating
programs incompatible with W^X to be fixed, but this still deserves
documentation.

This was forgotten for the 232 release, hence add it now, retroactively.

See: #5400
---

diff --git a/NEWS b/NEWS
index 954a83a0b6e..a3b3fef6276 100644
--- a/NEWS
+++ b/NEWS
@@ -357,6 +357,13 @@ CHANGES WITH 233 in spe
 
 CHANGES WITH 232:
 
+        * udev now runs with MemoryDenyWriteExecute=, RestrictRealtime= and
+          RestrictAddressFamilies= enabled. These sandboxing options should
+          generally be compatible with the various external udev call-out
+          binaries we are aware of, however there may be exceptions, in
+          particular when exotic languages for these call-outs are used. In
+          this case, consider turning off these settings locally.
+
         * The new RemoveIPC= option can be used to remove IPC objects owned by
           the user or group of a service when that service exits.