]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 88fce09)
coredump: drop RestrictSUIDSGID= option (#38640)
authorMichal Sekletar <msekletar@users.noreply.github.com>
Wed, 20 Aug 2025 10:42:30 +0000 (12:42 +0200)
committerGitHub <noreply@github.com>
Wed, 20 Aug 2025 10:42:30 +0000 (11:42 +0100)
systemd-coredump sandbox already has ProtectSystem=strict hence all non
API filesystems are made read-only, thus RestrictSUIDSGID= doesn't buy
us much.

On top of that systemd-coredump's EnterNamespace= feature requires
openat2() to work correctly and that is implicitly blocked by
RestrictSUIDSGID=.

Follow-up for 8f8148cb08bf9f2c0e1f7fe6a5e6eb383115957b

units/systemd-coredump@.service.in patch | blob | blame | history

diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index c74dc7a5a117124d49954440b3668059c5646f84..f492c826fefac08ec606ef7d3d018342e67daddd 100644 (file)
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -36,7 +36,6 @@ ProtectKernelLogs=yes
 ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=yes
-RestrictSUIDSGID=yes
 RuntimeMaxSec=5min
 StateDirectory=systemd/coredump
 SystemCallArchitectures=native
Unnamed repository; edit this file 'description' to name the repository.