units: relax sandbox so that uidmap stuff can work

The uidmap suff requires additional caps and userns to work in some cases. Allow it. Follow-up for: 1147c538bb
2024-07-22 18:55:10 +00:00 · 2021-11-15 16:21:59 +01:00 · 2021-11-15 16:21:59 +01:00 · 12a9f68f06
parent 228b1decc6
commit 12a9f68f06
1 changed files with 2 additions and 2 deletions
--- a/units/systemd-homed.service.in
+++ b/units/systemd-homed.service.in
@ -16,7 +16,7 @@ After=home.mount

 [Service]
 BusName=org.freedesktop.home1
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_SETPCAP CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_SETPCAP CAP_DAC_READ_SEARCH CAP_SETFCAP
 DeviceAllow=/dev/loop-control rw
 DeviceAllow=/dev/mapper/control rw
 DeviceAllow=block-* rw
@ -28,7 +28,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG AF_INET AF_INET6
-RestrictNamespaces=mnt
+RestrictNamespaces=mnt user
 RestrictRealtime=yes
 StateDirectory=systemd/home
 SystemCallArchitectures=native