From: Etienne Cordonnier
Date: Fri, 6 Sep 2024 08:36:28 +0000 (+0200)
Subject: coredump: set ProtectHome to read-only
X-Git-Tag: v257-rc1~535
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4ac1755be2d6c141fae7e57c42936e507c5b54e3;p=thirdparty%2Fsystemd.git

coredump: set ProtectHome to read-only

In https://github.com/systemd/systemd/pull/5283/commits/924453c22599cc246746a0233b2f52a27ade0819 ProtectHome was set to true for systemd-coredump in order to reduce risk, since an attacker could craft a malicious binary in order to compromise systemd-coredump. At that point the object analysis was done in the main systemd-coredump process. Because of this systemd-coredump is unable to produce symbolicated call-stacks for binaries running under /home ("n/a" is shown instead of function names).

However, later in https://github.com/systemd/systemd/commit/61aea456c12c54f49c4a76259af130e576130ce9 systemd-coredump was changed to do the object analysis in a forked process, covering those security concerns.

Let's set ProtectHome to read-only so that systemd-coredump produces symbolicated call-stacks for processes running under /home.
---
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in index 012c60d2f68..fa3206d07b5 100644 --- a/units/systemd-coredump@.service.in +++ b/units/systemd-coredump@.service.in @@ -28,7 +28,7 @@ PrivateDevices=yes PrivateNetwork=yes PrivateTmp=yes ProtectControlGroups=yes -ProtectHome=yes +ProtectHome=read-only ProtectHostname=yes ProtectKernelModules=yes ProtectKernelTunables=yes
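
Review bot: The `+ProtectHome=read-only` line is a unit-level setting, so it applies to every process of systemd-coredump@.service, including the forked object-analysis process the commit message relies on; the message says the fork covers the earlier concern but does not say what keeps a compromised parser from reading the contents of /home, /root and /run/user, which this change makes visible to it. Please state in the commit message what confinement the forked process has beyond the unit's own settings, or that read access is accepted because of the neighbouring restrictions visible in this hunk (`PrivateNetwork=yes`, `PrivateTmp=yes`, `PrivateDevices=yes`). A one-line `#` comment above `ProtectHome=read-only` explaining that read access is needed to symbolicate binaries under /home would also keep the value from being tightened back to `yes` later without anyone noticing the loss of function names.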