NEWS: add a comment about udev's MemoryDenyWriteExecute= setting (#5414)

Apparently if people are adventurous enought to run Go programs in udev rules they might run into problems with MemoryDenyWriteExecute=. I am pretty sure the best way out is for the toolchain generating programs incompatible with W^X to be fixed, but this still deserves documentation. This was forgotten for the 232 release, hence add it now, retroactively. See: #5400
2017-02-22 01:36:12 +01:00 · 2017-02-22 01:36:12 +01:00 · 05f426d2b8
parent c22569eeea
commit 05f426d2b8
1 changed files with 7 additions and 0 deletions
--- a/7
+++ b/7
@ -357,6 +357,13 @@ CHANGES WITH 233 in spe

 CHANGES WITH 232:

+        * udev now runs with MemoryDenyWriteExecute=, RestrictRealtime= and
+          RestrictAddressFamilies= enabled. These sandboxing options should
+          generally be compatible with the various external udev call-out
+          binaries we are aware of, however there may be exceptions, in
+          particular when exotic languages for these call-outs are used. In
+          this case, consider turning off these settings locally.
+
        * The new RemoveIPC= option can be used to remove IPC objects owned by
          the user or group of a service when that service exits.