From: Lennart Poettering Date: Fri, 18 Nov 2022 13:58:30 +0000 (+0100) Subject: update TODO X-Git-Tag: v253-rc1~497 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d995ccd7b55f403846093ceb61a149c9f52247d7;p=thirdparty%2Fsystemd.git update TODO --- diff --git a/TODO b/TODO index 78d8064c9df..cd80d05e7a0 100644 --- a/TODO +++ b/TODO @@ -121,6 +121,12 @@ Deprecations and removals: Features: +* maybe prohibit setuid() to the nobody user, to lock things down, via seccomp. + the nobody is not a user any code should run under, ever, as that user would + possibly get a lot of access to resources it really shouldn't be getting + access to due to the userns + nfs semantics of the user. Alternatively: use + the seccomp log action, and allow it. + * sd-boot: add a new PE section .bls or so that carries a cpio with additional boot loader entries (both type1 and type2). Then when initializing, find this section, iterate through it and populate menu with it. cpio is simple enough
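Review bot: the new item under "Features:" names only setuid() as the call to prohibit, but a process can also become the nobody user through setreuid() or setresuid(), so the entry should say that the whole UID-changing family is meant; a filter written from this note as it stands would miss code that uses one of the other calls. The entry also does not say where the seccomp filter would be installed (which component, or which set of processes), and it leaves "prohibit" versus "use the seccomp log action, and allow it" undecided; stating an order (for example log first, prohibit once the logs are clean) would make the item actionable. Minor wording point in the second added line: "the nobody is not a user" reads as missing a word ("the nobody user").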