[systemd-bugs] [Bug 87354] RFE: sandbox systemd-coredump even further when dissecting coredumps with libelf-utils
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Thu Feb 11 17:34:52 CET 2016
https://bugs.freedesktop.org/show_bug.cgi?id=87354
Lennart Poettering <lennart at poettering.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #7 from Lennart Poettering <lennart at poettering.net> ---
PR #2555 now moves the coredump processing into a service of its own, so that
the kernel core_pattern hook process only collects some metadata and the
immediately passes off everything to a process maintained as systemd service,
that is locked down using systemd's resource management and sandboxing. it now
lives in a network namespace and similar things.
The tool now also drops privileges to become the "systemd-coredump" user while
processing coredumps, but only for system user processes. For normal user
processes it becomes the uid of the crashing process, which I think is the
right approach.
I think this kinda settles this bug, closing.
--
You are receiving this mail because:
You are the assignee for the bug.
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-bugs/attachments/20160211/e31e9654/attachment.html>
More information about the systemd-bugs
mailing list