units: relax sandbox so that uidmap stuff can work

The uidmap suff requires additional caps and userns to work in some cases. Allow it. Follow-up for: 1147c538bbb6a2d3d5ba2e40f1437bcbeb22b33e
author: Lennart Poettering <lennart@poettering.net> 2021-11-15 16:21:59 +0100
committer: Yu Watanabe <watanabe.yu+github@gmail.com> 2021-11-16 10:41:36 +0900
commit: 12a9f68f068f8f9d5069d38b155b4e351725948a (patch)
tree: 22075b210b913556679440fc64f76e73ead569a9 /units/systemd-homed.service.in
parent: 228b1decc6fdfaf6e05047cfddad5e2bd343b222 (diff)
download: systemd-12a9f68f068f8f9d5069d38b155b4e351725948a.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/units/systemd-homed.service.in b/units/systemd-homed.service.in
index f8198c45b7..b03c6879c9 100644
--- a/units/systemd-homed.service.in
+++ b/units/systemd-homed.service.in
@@ -16,7 +16,7 @@ After=home.mount
 
 [Service]
 BusName=org.freedesktop.home1
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_SETPCAP CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_SETPCAP CAP_DAC_READ_SEARCH CAP_SETFCAP
 DeviceAllow=/dev/loop-control rw
 DeviceAllow=/dev/mapper/control rw
 DeviceAllow=block-* rw
@@ -28,7 +28,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG AF_INET AF_INET6
-RestrictNamespaces=mnt
+RestrictNamespaces=mnt user
 RestrictRealtime=yes
 StateDirectory=systemd/home
 SystemCallArchitectures=native
author	Lennart Poettering <lennart@poettering.net>	2021-11-15 16:21:59 +0100
committer	Yu Watanabe <watanabe.yu+github@gmail.com>	2021-11-16 10:41:36 +0900
commit	12a9f68f068f8f9d5069d38b155b4e351725948a (patch)
tree	22075b210b913556679440fc64f76e73ead569a9 /units/systemd-homed.service.in
parent	228b1decc6fdfaf6e05047cfddad5e2bd343b222 (diff)
download	systemd-12a9f68f068f8f9d5069d38b155b4e351725948a.tar.gz