summaryrefslogtreecommitdiff
path: root/NEWS
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2017-02-22 01:36:12 +0100
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2017-02-21 19:36:12 -0500
commit05f426d2b80cefc171fc7756bb92df8373f8145a (patch)
treed943c1a4622a56f34080447a28068505129bd8e0 /NEWS
parentc22569eeeafa94cf510267071f5b75c4ab714e09 (diff)
NEWS: add a comment about udev's MemoryDenyWriteExecute= setting (#5414)
Apparently if people are adventurous enought to run Go programs in udev rules they might run into problems with MemoryDenyWriteExecute=. I am pretty sure the best way out is for the toolchain generating programs incompatible with W^X to be fixed, but this still deserves documentation. This was forgotten for the 232 release, hence add it now, retroactively. See: #5400
Diffstat (limited to 'NEWS')
-rw-r--r--NEWS7
1 files changed, 7 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 954a83a0b6..a3b3fef627 100644
--- a/NEWS
+++ b/NEWS
@@ -357,6 +357,13 @@ CHANGES WITH 233 in spe
CHANGES WITH 232:
+ * udev now runs with MemoryDenyWriteExecute=, RestrictRealtime= and
+ RestrictAddressFamilies= enabled. These sandboxing options should
+ generally be compatible with the various external udev call-out
+ binaries we are aware of, however there may be exceptions, in
+ particular when exotic languages for these call-outs are used. In
+ this case, consider turning off these settings locally.
+
* The new RemoveIPC= option can be used to remove IPC objects owned by
the user or group of a service when that service exits.