bekucera/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-09-10 22:52:49 +02:00
Code Issues Packages Projects Releases Wiki Activity

coredump: drop RestrictSUIDSGID= option (#38640)

Browse Source 
systemd-coredump sandbox already has ProtectSystem=strict hence all non
API filesystems are made read-only, thus RestrictSUIDSGID= doesn't buy
us much.

On top of that systemd-coredump's EnterNamespace= feature requires
openat2() to work correctly and that is implicitly blocked by
RestrictSUIDSGID=.

Follow-up for 8f8148cb08
This commit is contained in:
Michal Sekletar
2025-08-20 12:42:30 +02:00
committed by GitHub
parent 88fce09026
commit fb56da5b6e
1 changed files with 0 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
units/systemd-coredump@.service.in
View File

@@ -36,7 +36,6 @@ ProtectKernelLogs=yes
ProtectSystem=strict ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX RestrictAddressFamilies=AF_UNIX
RestrictRealtime=yes RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeMaxSec=5min RuntimeMaxSec=5min
StateDirectory=systemd/coredump StateDirectory=systemd/coredump
SystemCallArchitectures=native SystemCallArchitectures=native