units: make sure importd has CAP_LINUX_IMMUTABLE flag

Since d8f9686c0f1f276c0a687d9bd69f3adf33f15a95 we use the chattr +i flag for marking containers in directories as reead-only. But to do so we need the cap for it, hence grant it. Fixes: #19115
author: Lennart Poettering <lennart@poettering.net> 2021-05-21 22:04:33 +0200
committer: Yu Watanabe <watanabe.yu+github@gmail.com> 2021-05-22 16:02:02 +0900
commit: 86204ae145e38a4557981a92ce91a8ce4318e181 (patch)
tree: e42742375d4bcbce508f759c60be54fd7f66944c /units/systemd-importd.service.in
parent: af92e46527c82871d6fe1c3e7f06d3175c685ff6 (diff)
download: systemd-86204ae145e38a4557981a92ce91a8ce4318e181.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index da31b2dc20..080cc646a9 100644
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -16,7 +16,7 @@ Documentation=man:org.freedesktop.import1(5)
 ExecStart={{ROOTLIBEXECDIR}}/systemd-importd
 BusName=org.freedesktop.import1
 KillMode=mixed
-CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE CAP_LINUX_IMMUTABLE
 NoNewPrivileges=yes
 MemoryDenyWriteExecute=yes
 ProtectHostname=yes
author	Lennart Poettering <lennart@poettering.net>	2021-05-21 22:04:33 +0200
committer	Yu Watanabe <watanabe.yu+github@gmail.com>	2021-05-22 16:02:02 +0900
commit	86204ae145e38a4557981a92ce91a8ce4318e181 (patch)
tree	e42742375d4bcbce508f759c60be54fd7f66944c /units/systemd-importd.service.in
parent	af92e46527c82871d6fe1c3e7f06d3175c685ff6 (diff)
download	systemd-86204ae145e38a4557981a92ce91a8ce4318e181.tar.gz