From 12a9f68f068f8f9d5069d38b155b4e351725948a Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Mon, 15 Nov 2021 16:21:59 +0100
Subject: [PATCH] units: relax sandbox so that uidmap stuff can work

The uidmap suff requires additional caps and userns to work in some cases. Allow it.

Follow-up for: 1147c538bbb6a2d3d5ba2e40f1437bcbeb22b33e
---
 units/systemd-homed.service.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/units/systemd-homed.service.in b/units/systemd-homed.service.in
index f8198c45b72..b03c6879c9a 100644
--- a/units/systemd-homed.service.in
+++ b/units/systemd-homed.service.in
@@ -16,7 +16,7 @@ After=home.mount
 
 [Service]
 BusName=org.freedesktop.home1
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_SETPCAP CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_SETPCAP CAP_DAC_READ_SEARCH CAP_SETFCAP
 DeviceAllow=/dev/loop-control rw
 DeviceAllow=/dev/mapper/control rw
 DeviceAllow=block-* rw
@@ -28,7 +28,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG AF_INET AF_INET6
-RestrictNamespaces=mnt
+RestrictNamespaces=mnt user
 RestrictRealtime=yes
 StateDirectory=systemd/home
 SystemCallArchitectures=native
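Review bot: The CAP_SETFCAP added to CapabilityBoundingSet= carries no in-file explanation of which uidmap operation requires it, and the same gap applies to the `user` added to RestrictNamespaces= in the second hunk; the rationale lives only in the commit message, so a later pass that tightens this sandbox has nothing in the unit to check against. Unit files accept `#` comments, so a line such as `# CAP_SETFCAP and user namespaces are needed by the uidmap support introduced in 1147c538bbb6a2d3d5ba2e40f1437bcbeb22b33e` placed above CapabilityBoundingSet= (and a matching one above RestrictNamespaces=) would preserve that reasoning where it is read. Both settings apply to the whole service rather than only the code path that needs them, so it is worth recording in the same comment that the other hardening visible in the hunk (NoNewPrivileges=yes, MemoryDenyWriteExecute=yes) is expected to remain in effect for work done inside a user namespace; I cannot confirm from these lines whether the unit also carries a SystemCallFilter= that would need adjusting.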