mirror of
https://github.com/systemd/systemd.git
synced 2024-11-23 10:13:34 +08:00
4ac1755be2
In924453c225ProtectHome was set to true for systemd-coredump in order to reduce risk, since an attacker could craft a malicious binary in order to compromise systemd-coredump. At that point the object analysis was done in the main systemd-coredump process. Because of this systemd-coredump is unable to product symbolicated call-stacks for binaries running under /home ("n/a" is shown instead of function names). However, later in61aea456c1systemd-coredump was changed to do the object analysis in a forked process, covering those security concerns. Let's set ProtectHome to read-only so that systemd-coredump produces symbolicated call-stacks for processes running under /home.
45 lines
1.1 KiB
SYSTEMD
45 lines
1.1 KiB
SYSTEMD
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
#
|
|
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=Process Core Dump
|
|
Documentation=man:systemd-coredump(8)
|
|
DefaultDependencies=no
|
|
Conflicts=shutdown.target
|
|
After=systemd-journald.socket
|
|
Requires=systemd-journald.socket
|
|
Before=shutdown.target
|
|
|
|
[Service]
|
|
ExecStart=-{{LIBEXECDIR}}/systemd-coredump
|
|
IPAddressDeny=any
|
|
LockPersonality=yes
|
|
MemoryDenyWriteExecute=yes
|
|
Nice=9
|
|
NoNewPrivileges=yes
|
|
OOMScoreAdjust=500
|
|
PrivateDevices=yes
|
|
PrivateNetwork=yes
|
|
PrivateTmp=yes
|
|
ProtectControlGroups=yes
|
|
ProtectHome=read-only
|
|
ProtectHostname=yes
|
|
ProtectKernelModules=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectKernelLogs=yes
|
|
ProtectSystem=strict
|
|
RestrictAddressFamilies=AF_UNIX
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
RuntimeMaxSec=5min
|
|
StateDirectory=systemd/coredump
|
|
SystemCallArchitectures=native
|
|
SystemCallErrorNumber=EPERM
|
|
SystemCallFilter=@system-service @mount
|