techne/kernel.org

#+title: Kernel
#+setupfile: ../org-templates/page.org

** Disable core dumps in Linux

*** limits.conf and sysctl
Edit ~/etc/security/limits.conf~ and append the following lines:
#+BEGIN_SRC bash
 * hard core 0
 * soft core 0
#+END_SRC

Edit ~/etc/sysctl.d/9999-disable-core-dump.conf~:
#+BEGIN_SRC bash
fs.suid_dumpable=0
kernel.core_pattern=|/bin/false
#+END_SRC

#+BEGIN_SRC bash
sudo sysctl -p /etc/sysctl.d/9999-disable-core-dump.conf
#+END_SRC

- ~/bin/false~ exits with a failure status code. The default value for ~kernel.core_pattern~ is ~core~ on a Debian server and ~|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h~ on a Fedora desktop. These commands are executed upon crashes. In the case of ~/bin/false~, nothing happens, and core dump is disabled.
- ~fs.suid_dumpable=0~ Any process that has changed privilege levels or is execute only will not be dumped. Other values include ~1~, which is debug mode, and all processes dump core when possible. The current user owns the core dump, no security is applied. ~2~, suidsafe mode, in which any Linux program that would generally not be dumped is dumped regardless, but only if the ~kernel.core_pattern~ in sysctl is set to a valid program.

*** systemd
#+BEGIN_SRC bash
sudo mkdir /etc/systemd/coredump.conf.d/
sudo nvim /etc/systemd/coredump.conf.d/custom.conf
#+END_SRC

#+BEGIN_SRC systemd
[Coredump]
Storage=none
ProcessSizeMax=0
#+END_SRC

- ~Storage=none~ and ~ProcessSizeMax=0~ disables all coredump handling except for a log entry under systemd.

#+BEGIN_SRC bash
sudo systemctl daemon-reload
#+END_SRC

Edit ~/etc/systemd/system.conf~. Make sure ~DefaultLimitCORE~ is commented out.
#+BEGIN_SRC systemd
#DefaultLimitCORE=infinity
#+END_SRC

#+BEGIN_SRC bash
sudo systemctl daemon-reexec
#+END_SRC