portable: drop explicit PrivateTmp=yes from profiles
It is already implied by DynamicUser=yes if not set, but dropping it allows users to instead define TemporaryFileSystem=/tmp/ /var/tmp/ in their portable services, which has fewer side effects.
parent
0e551b04ef
commit
ac6f17987d
|
@ -12,7 +12,6 @@ CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER
|
||||||
CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_NET_ADMIN \
|
CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_NET_ADMIN \
|
||||||
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_SETGID CAP_SETPCAP \
|
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_SETGID CAP_SETPCAP \
|
||||||
CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE
|
CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE
|
||||||
PrivateTmp=yes
|
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateUsers=yes
|
PrivateUsers=yes
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict
|
||||||
|
|
|
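Review bot: With the explicit `PrivateTmp=yes` gone, this profile's private /tmp and /var/tmp rest entirely on `DynamicUser=yes`, which is not visible in this hunk or in the second one (the third shows it as context), and nothing in the visible lines records that dependency. If a portable service overrides `DynamicUser=` in a later drop-in, it would presumably lose the private /tmp and /var/tmp without any setting in the profile hinting at it, a case the explicit line used to cover. I would add a comment next to `DynamicUser=yes` in all three profiles, for example `# PrivateTmp= is deliberately left unset: DynamicUser=yes implies it, and units may use TemporaryFileSystem=/tmp /var/tmp instead`. The profile continues outside the hunk, so whether such a comment already exists cannot be confirmed from here.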
@ -10,7 +10,6 @@ RemoveIPC=yes
|
||||||
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER \
|
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER \
|
||||||
CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_SETGID CAP_SETPCAP \
|
CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_SETGID CAP_SETPCAP \
|
||||||
CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE
|
CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE
|
||||||
PrivateTmp=yes
|
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateUsers=yes
|
PrivateUsers=yes
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict
|
||||||
|
|
|
@ -7,7 +7,6 @@ BindReadOnlyPaths=/etc/machine-id
|
||||||
DynamicUser=yes
|
DynamicUser=yes
|
||||||
RemoveIPC=yes
|
RemoveIPC=yes
|
||||||
CapabilityBoundingSet=
|
CapabilityBoundingSet=
|
||||||
PrivateTmp=yes
|
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateUsers=yes
|
PrivateUsers=yes
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict
|
||||||
|
|