On 17.11.2020 13:26, Robert Marcano via devel wrote:
User d9k on IRC found the culprit. It is low-memory-monitor. The latest
commit [1] for it tries to not mess with the value with 1 is set, but it
should not mess with it ever.
That's why all user-space "OOM killers" must have the following lines in
their .service files:
DynamicUser=true
AmbientCapabilities=CAP_KILL CAP_IPC_LOCK
ProtectSystem=strict
ProtectHome=true
I think FESCo should create a special policy for such preinstalled by
default daemons. Running them as root is too dangerous.
Earlier, in cooperation with the upstream, we fixed the earlyoom daemon.
It has no root access to the system and can only kill processes using
ambient capabilities.
--
Sincerely,
Vitaly Zaitsev (vitaly@xxxxxxxxxxxxxx)
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
