[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [RFC] locking down rsyslog.service


On 10/11/23 19:14, Michael Biebl wrote:

- CAP_NET_ADMIN: use of setsockopt()
- CAP_SYS_ADMIN: exceed /proc/sys/fs/file-max, the system-wide limit on the number of open files, in system calls that open files (e.g. accept execve), use of setns(),...

I see, thanks!

I looked over the code quickly, it seems the only privileged setsockopt() calls are to set larger buffer sizes.

It may be good to lobby for these and the open file limit to be added to CAP_SYS_RESOURCE, that would allow locking it down further in the future.


Reply to: