coredump: drop RestrictSUIDSGID= option (#38640)

systemd-coredump sandbox already has ProtectSystem=strict hence all non API filesystems are made read-only, thus RestrictSUIDSGID= doesn't buy us much. On top of that systemd-coredump's EnterNamespace= feature requires openat2() to work correctly and that is implicitly blocked by RestrictSUIDSGID=. Follow-up for 8f8148cb08
2025-09-10 22:52:49 +02:00 · 2025-08-20 12:42:30 +02:00
parent 88fce09026
commit fb56da5b6e
1 changed files with 0 additions and 1 deletions
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -36,7 +36,6 @@ ProtectKernelLogs=yes
 ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=yes
-RestrictSUIDSGID=yes
 RuntimeMaxSec=5min
 StateDirectory=systemd/coredump
 SystemCallArchitectures=native