
homed: add missing capabilities for SMB/CIFS backend

In 2020 mount.cifs started to require a bunch of caps to work. Let's
add them to the capability bounding set.

Also, SMB support obviously needs network access, hence open that up.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1962920
Lennart Poettering 2021-08-31 10:04:06 +02:00
parent 1f08acf406
commit 169764332a


@ -16,19 +16,18 @@ After=home.mount
[Service]
BusName=org.freedesktop.home1
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_SETPCAP CAP_DAC_READ_SEARCH
DeviceAllow=/dev/loop-control rw
DeviceAllow=/dev/mapper/control rw
DeviceAllow=block-* rw
DeviceAllow=char-hidraw rw
ExecStart={{ROOTLIBEXECDIR}}/systemd-homed
IPAddressDeny=any
KillMode=mixed
LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG AF_INET AF_INET6
RestrictNamespaces=mnt
RestrictRealtime=yes
StateDirectory=systemd/home
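Review bot: The widened sandbox in [Service] is undocumented and applies to every homed installation, not only those that use the SMB/CIFS backend. The new `CapabilityBoundingSet=` line adds CAP_SETPCAP and CAP_DAC_READ_SEARCH, the new `RestrictAddressFamilies=` line adds AF_INET and AF_INET6, and `IPAddressDeny=any` appears to be the line dropped (the rendering has lost the +/- markers, so this is inferred from the hunk counts and the commit message). I would add a full-line comment above the changed settings, e.g. `# CAP_SETPCAP, CAP_DAC_READ_SEARCH, AF_INET and AF_INET6 are needed by mount.cifs (CIFS backend)`, so a later hardening pass knows which relaxations belong to CIFS and may be tightened again. Sites that never use CIFS can restore the network restriction locally with a drop-in that sets `IPAddressDeny=any`, which is worth mentioning in the documentation. The [Service] section presumably continues past the end of this hunk.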