mirror of
https://github.com/systemd/systemd-stable.git
synced 2025-01-11 05:17:44 +03:00
homed: add missing capabilities for SMB/CIFS backend
In 2020 mount.cifs started to require a bunch of caps to work. Let's add them to the capability bounding set. Also, SMB support obviously needs network access, hence open that up. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1962920
parent
1f08acf406
commit
169764332a
@ -16,19 +16,18 @@ After=home.mount
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
BusName=org.freedesktop.home1
|
BusName=org.freedesktop.home1
|
||||||
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
|
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_SETPCAP CAP_DAC_READ_SEARCH
|
||||||
DeviceAllow=/dev/loop-control rw
|
DeviceAllow=/dev/loop-control rw
|
||||||
DeviceAllow=/dev/mapper/control rw
|
DeviceAllow=/dev/mapper/control rw
|
||||||
DeviceAllow=block-* rw
|
DeviceAllow=block-* rw
|
||||||
DeviceAllow=char-hidraw rw
|
DeviceAllow=char-hidraw rw
|
||||||
ExecStart={{ROOTLIBEXECDIR}}/systemd-homed
|
ExecStart={{ROOTLIBEXECDIR}}/systemd-homed
|
||||||
IPAddressDeny=any
|
|
||||||
KillMode=mixed
|
KillMode=mixed
|
||||||
LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
|
LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
|
||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG AF_INET AF_INET6
|
||||||
RestrictNamespaces=mnt
|
RestrictNamespaces=mnt
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
StateDirectory=systemd/home
|
StateDirectory=systemd/home
|
||||||
|
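Review bot: The new `CapabilityBoundingSet=` and `RestrictAddressFamilies=` lines widen the sandbox for every homed installation, but nothing in the unit records that `CAP_SETPCAP`, `CAP_DAC_READ_SEARCH`, `AF_INET` and `AF_INET6` are there only for the SMB/CIFS backend. A full-line comment above each setting, e.g. `# CAP_SETPCAP, CAP_DAC_READ_SEARCH: needed by mount.cifs for the SMB/CIFS backend` and `# AF_INET, AF_INET6: SMB/CIFS home directories need network access`, would keep a later hardening pass from dropping them or treating them as unconditional. Removing `IPAddressDeny=any` also takes away the only IP-level filter on the service, so hosts that do not use the CIFS backend lose that restriction too; the comment could note that such hosts can restore it with a drop-in. The `[Service]` section may continue past the last line shown here.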