From 6e111d2811b12e67879e66fc9fdf39cc96977681 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Tue, 26 Jul 2022 17:41:51 +0100 Subject: [PATCH] portable: set PrivateTmp=yes in trusted profile too When running on images you don't want to modify the /tmp directory even if it's writable, and often it will just be read-only. Set PrivateTmp=yes. Fixes https://github.com/systemd/systemd/issues/23592 (cherry picked from commit f2d26cd89b195e53f184387f1a5b97a98512c82a) --- src/portable/profile/trusted/service.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/portable/profile/trusted/service.conf b/src/portable/profile/trusted/service.conf index 9a6af70b93..04deeb2262 100644 --- a/src/portable/profile/trusted/service.conf +++ b/src/portable/profile/trusted/service.conf @@ -1,7 +1,8 @@ -# The "trusted" profile for services, i.e. no restrictions are applied +# The "trusted" profile for services, i.e. no restrictions are applied apart from a private /tmp [Service] MountAPIVFS=yes +PrivateTmp=yes BindPaths=/run BindReadOnlyPaths=/etc/machine-id BindReadOnlyPaths=/etc/resolv.conf