slim: drop CAP_SYS_PTRACE from bounding set (!21) · Merge requests · Debian / runit-services

Andrew Bower requested to merge abower/runit-services:harden-slim into next Feb 20, 2025

This matches the systemd service definition. I've tested this so it is ready to merge if desired.

However, I wonder if it is desired? I wonder why this particular hardening was selected for slim? It limits what you can do when sudo'd to root within a terminal, e.g. nsenter -a -t $(cat /etc/service/exim4/supervise/pid) won't work.

slim: drop CAP_SYS_PTRACE from bounding set

Merge request reports