Tails

Currently, Tails does not save coredumps due to PAM restricting resource limits (RLIMIT_CORE is set to 0). This means that both benign bugs, and exploit attempts that trigger a variety of failures will be very difficult to analyze. Segfaults and assertions for example are often triggered upon failed exploit attempts and exploits which require multiple tries to succeed. I propose Tails enable coredumps and log them to a unified directory to make it easier for the more tech-savvy individuals to limit the lifetime of exploits used against Tails users.

The simplest way to do that on a regular Linux system would be through these commands:

# Enable coredumps and limit their maximum size using PAM
echo "* - core 32768" >> /etc/security/limits.conf

# Create a sticky directory to store the core files
mkdir -m 1777 /var/coredumps

# Don't let the coredump directory take up too much space
echo "tmpfs /var/coredumps tmpfs nodev,nosuid,noexec,size=256M 0 0" >> /etc/fstab

# Save all coredumps to the new directory, and give them unique names (example format)
echo "kernel.core_pattern = /var/coredumps/%e.%P" >> /etc/sysctl.d/coredumps.conf

# Dumping setuid binaries is safe, because the directory is sticky
echo "fs.suid_dumpable = 1" >> /etc/sysctl.d/coredumps.conf

# A reboot is the easiest way for all of this to take effect
shutdown -r now

Note that this can also be accomplished with systemd-coredump (not installed by default on Tails), which configures the kernel.core_pattern sysctl to pipe all coredumps to that program, which them processes them and logs them to systemd’s ugly binary journal. I’m not suggesting it primarily because I know nothing about it.

Please consider enabling coredumps on Tails. It will help dissuade attackers from attempting to use valuable exploits against Tails users, and will make attacks in general easier to catch and analyze.