coredump: analyze object with libdwelf in forked process

Parsing objects is risky as data could be malformed or malicious, so avoid doing that from the main systemd-coredump process and instead fork another process, and set it to avoid generating core files itself.
author: Luca Boccassi <luca.boccassi@microsoft.com> 2021-11-21 18:05:28 +0100
committer: Luca Boccassi <luca.boccassi@microsoft.com> 2021-11-30 17:49:58 +0100
commit: 61aea456c12c54f49c4a76259af130e576130ce9 (patch)
tree: 2949292609f07bcdea764ec98b1a7e5d7cd5e1dc /units
parent: coredump: use _cleanup_ pattern (diff)
download: systemd-61aea456c12c54f49c4a76259af130e576130ce9.tar.xz
systemd-61aea456c12c54f49c4a76259af130e576130ce9.zip
1 files changed, 1 insertions, 2 deletions
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 6bf2817a8c..15bfb243b4 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -35,11 +35,10 @@ ProtectKernelTunables=yes
 ProtectKernelLogs=yes
 ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX
-RestrictNamespaces=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
 RuntimeMaxSec=5min
 StateDirectory=systemd/coredump
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
-SystemCallFilter=@system-service
+SystemCallFilter=@system-service @mount
author	Luca Boccassi <luca.boccassi@microsoft.com>	2021-11-21 18:05:28 +0100
committer	Luca Boccassi <luca.boccassi@microsoft.com>	2021-11-30 17:49:58 +0100
commit	61aea456c12c54f49c4a76259af130e576130ce9 (patch)
tree	2949292609f07bcdea764ec98b1a7e5d7cd5e1dc /units
parent	coredump: use _cleanup_ pattern (diff)
download	systemd-61aea456c12c54f49c4a76259af130e576130ce9.tar.xz systemd-61aea456c12c54f49c4a76259af130e576130ce9.zip