author | Lennart Poettering <lennart@poettering.net> | 2021-08-31 10:04:06 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2021-08-31 10:51:42 +0200 |
commit | 169764332af0a85e52e01f7b9cb28cc05cee038f (patch) | |
tree | 9f0bd92a2443d708280f3be9a80ff9f8620eaa16 /units/systemd-homed.service.in | |
parent | 1f08acf406a3b9e1b713efbbec137997a877253c (diff) | |
download | systemd-169764332af0a85e52e01f7b9cb28cc05cee038f.tar.gz |
homed: add missing capabilities for SMB/CIFS backend
In 2020 mount.cifs started to require a bunch of caps to work. Let's
add them to the capability bounding set.
Also, SMB support obviously needs network access, hence open that up.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1962920
Diffstat (limited to 'units/systemd-homed.service.in')
-rw-r--r-- | units/systemd-homed.service.in | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/units/systemd-homed.service.in b/units/systemd-homed.service.in index 0576f84697..f8198c45b7 100644 --- a/units/systemd-homed.service.in +++ b/units/systemd-homed.service.in @@ -16,19 +16,18 @@ After=home.mount [Service] BusName=org.freedesktop.home1 -CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_SETPCAP CAP_DAC_READ_SEARCH DeviceAllow=/dev/loop-control rw DeviceAllow=/dev/mapper/control rw DeviceAllow=block-* rw DeviceAllow=char-hidraw rw ExecStart={{ROOTLIBEXECDIR}}/systemd-homed -IPAddressDeny=any KillMode=mixed LimitNOFILE={{HIGH_RLIMIT_NOFILE}} LockPersonality=yes MemoryDenyWriteExecute=yes NoNewPrivileges=yes -RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG +RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG AF_INET AF_INET6 RestrictNamespaces=mnt RestrictRealtime=yes StateDirectory=systemd/home |
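Review bot: Nothing in the unit file records why CAP_SETPCAP and CAP_DAC_READ_SEARCH were added to the CapabilityBoundingSet= line or why IPAddressDeny=any was dropped; the mount.cifs reason is given only in the commit message. Please add a short comment next to these settings naming the SMB/CIFS backend, so that a later hardening pass neither removes them by accident nor keeps them after the requirement goes away. The change also applies to every homed installation whether or not the CIFS backend is in use. With IPAddressDeny=any removed and AF_INET AF_INET6 added to RestrictAddressFamilies=, no IP-level restriction remains in the lines shown here, and CAP_DAC_READ_SEARCH lets the service bypass file read and directory search permission checks. It would help to state in the commit message or the comment that this wider scope is accepted, or to note whether a narrower option was considered.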