From 169764332af0a85e52e01f7b9cb28cc05cee038f Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 31 Aug 2021 10:04:06 +0200
Subject: [PATCH] homed: add missing capabilities for SMB/CIFS backend

In 2020 mount.cifs started to require a bunch for caps to work. let's add them to the capability bounding set. Also, SMB support obviously needs network access, hence open that up.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1962920
---
 units/systemd-homed.service.in | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/units/systemd-homed.service.in b/units/systemd-homed.service.in
index 0576f84697..f8198c45b7 100644
--- a/units/systemd-homed.service.in
+++ b/units/systemd-homed.service.in
@@ -16,19 +16,18 @@ After=home.mount
 [Service]
 BusName=org.freedesktop.home1
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_SETPCAP CAP_DAC_READ_SEARCH
 DeviceAllow=/dev/loop-control rw
 DeviceAllow=/dev/mapper/control rw
 DeviceAllow=block-* rw
 DeviceAllow=char-hidraw rw
 ExecStart={{ROOTLIBEXECDIR}}/systemd-homed
-IPAddressDeny=any
 KillMode=mixed
 LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
-RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG AF_INET AF_INET6
 RestrictNamespaces=mnt
 RestrictRealtime=yes
 StateDirectory=systemd/home
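Review bot: The three loosenings in this hunk — CAP_SETPCAP and CAP_DAC_READ_SEARCH added to CapabilityBoundingSet=, IPAddressDeny=any removed, and AF_INET/AF_INET6 added to RestrictAddressFamilies= — carry their rationale only in the commit message, so the unit file itself gives a later hardening pass no hint which backend needs which setting. I would add a comment above the CapabilityBoundingSet= line, `# CAP_SETPCAP and CAP_DAC_READ_SEARCH are needed by mount.cifs for the SMB/CIFS home directory backend`, and one where IPAddressDeny=any used to be, `# No IPAddressDeny=: the CIFS backend has to reach the SMB file server over IPv4/IPv6`. CAP_SETPCAP is the widest of the additions, since it lets the service change its own capability sets within the bounding set; if mount.cifs only needs it transiently, saying so in the comment makes it more likely the grant is revisited rather than kept by inertia. Dropping IPAddressDeny= outright rather than narrowing it to an IPAddressAllow= list is presumably unavoidable because the file server's address is deployment-specific, but that too is worth one line in the file.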