50 lines
1.9 KiB
Diff
50 lines
1.9 KiB
Diff
From 5281235691ff5b64702d9cfb3f704fd069c6169d Mon Sep 17 00:00:00 2001
|
|
From: Frantisek Sumsal <frantisek@sumsal.cz>
|
|
Date: Tue, 13 Jan 2026 17:45:45 +0100
|
|
Subject: [PATCH] Revert "coredump: also stop forwarding non-dumpable
|
|
processes"
|
|
|
|
This reverts commit 69d7d75a872d319b5fda048044238a735dce3834.
|
|
|
|
Reverts: RHEL-104135
|
|
---
|
|
src/coredump/coredump.c | 15 ++-------------
|
|
1 file changed, 2 insertions(+), 13 deletions(-)
|
|
|
|
diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
|
|
index 048eb53546..19d4d02437 100644
|
|
--- a/src/coredump/coredump.c
|
|
+++ b/src/coredump/coredump.c
|
|
@@ -1560,21 +1560,10 @@ static int receive_ucred(int transport_fd, struct ucred *ret_ucred) {
|
|
return 0;
|
|
}
|
|
|
|
-static int can_forward_coredump(Context *context, pid_t pid) {
|
|
+static int can_forward_coredump(pid_t pid) {
|
|
_cleanup_free_ char *cgroup = NULL, *path = NULL, *unit = NULL;
|
|
int r;
|
|
|
|
- assert(context);
|
|
-
|
|
- /* We don't use %F/pidfd to pin down the crashed process yet. We need to avoid a situation where the
|
|
- * attacker crashes a SUID process or a root daemon and quickly replaces it with a namespaced process
|
|
- * and we forward the initial part of the coredump to the attacker, inside the namespace.
|
|
- *
|
|
- * TODO: relax this check when %F is implemented and used.
|
|
- */
|
|
- if (context->dumpable != 1)
|
|
- return false;
|
|
-
|
|
r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, pid, &cgroup);
|
|
if (r < 0)
|
|
return r;
|
|
@@ -1618,7 +1607,7 @@ static int forward_coredump_to_container(Context *context) {
|
|
if (r < 0)
|
|
return log_debug_errno(r, "Failed to get namespace leader: %m");
|
|
|
|
- r = can_forward_coredump(context, leader_pid);
|
|
+ r = can_forward_coredump(leader_pid);
|
|
if (r < 0)
|
|
return log_debug_errno(r, "Failed to check if coredump can be forwarded: %m");
|
|
if (r == 0)
|