Hi, On 10/17/23 01:24, Michael Prokop wrote:
# Restrict access to the various process namespace types the Linux kernel provides RestrictNamespaces=true
There is one plugin that uses namespaces. I wonder if it would make sense to split it out into a separate package, and have that package override the default configuration if it's installed.
The capability set for rsyslog could be reduced quite a lot further if we could lobby the Linux kernel maintainers to add the open file limit (in CAP_SYS_ADMIN) and the socket buffer size limit (in CAP_NET_ADMIN) to CAP_SYS_RESOURCE), my expectation would be that these are the most common reasons these capabilities are set in other services as well.
Could systemd be taught that certain capabilities are required depending on kernel version?
Simon