system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-10-04 15:21:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

units: make sure importd has CAP_LINUX_IMMUTABLE flag

Browse source 
Since d8f9686c0f we use the chattr +i flag
for marking containers in directories as reead-only. But to do so we
need the cap for it, hence grant it.

Fixes: #19115
This commit is contained in:
Lennart Poettering 2021-05-21 22:04:33 +02:00 committed by Yu Watanabe
parent af92e46527
commit 86204ae145
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
units/systemd-importd.service.in
View file

@ -16,7 +16,7 @@ Documentation=man:org.freedesktop.import1(5)
ExecStart={{ROOTLIBEXECDIR}}/systemd-importd
BusName=org.freedesktop.import1
KillMode=mixed
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE CAP_LINUX_IMMUTABLE
NoNewPrivileges=yes
MemoryDenyWriteExecute=yes
ProtectHostname=yes