From: Michal Sekletar <msekletar@users.noreply.github.com>
Date: Wed, 20 Aug 2025 10:42:30 +0000 (+0200)
Subject: coredump: drop RestrictSUIDSGID= option (#38640)
X-Git-Tag: v258-rc3~5
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fb56da5b6eb80f4400ea7241fa98d90d245d7fde;p=thirdparty%2Fsystemd.git

coredump: drop RestrictSUIDSGID= option (#38640)

systemd-coredump sandbox already has ProtectSystem=strict hence all non
API filesystems are made read-only, thus RestrictSUIDSGID= doesn't buy
us much.

On top of that systemd-coredump's EnterNamespace= feature requires
openat2() to work correctly and that is implicitly blocked by
RestrictSUIDSGID=.

Follow-up for 8f8148cb08bf9f2c0e1f7fe6a5e6eb383115957b
---

diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index c74dc7a5a11..f492c826fef 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -36,7 +36,6 @@ ProtectKernelLogs=yes
 ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=yes
-RestrictSUIDSGID=yes
 RuntimeMaxSec=5min
 StateDirectory=systemd/coredump
 SystemCallArchitectures=native