units: relax sandbox so that uidmap stuff can work

author Lennart Poettering <lennart@poettering.net>

Mon, 15 Nov 2021 15:21:59 +0000 (16:21 +0100)

committer Yu Watanabe <watanabe.yu+github@gmail.com>

Tue, 16 Nov 2021 01:41:36 +0000 (10:41 +0900)
author Lennart Poettering <lennart@poettering.net>
Mon, 15 Nov 2021 15:21:59 +0000 (16:21 +0100)
committer Yu Watanabe <watanabe.yu+github@gmail.com>
Tue, 16 Nov 2021 01:41:36 +0000 (10:41 +0900)
diff --git a/units/systemd-homed.service.in b/units/systemd-homed.service.in

index f8198c45b72fa995876c5344cf1d42e8cac71e72..b03c6879c9a11e86339847427fad1a27777127e9 100644 (file)
--- a/units/systemd-homed.service.in
+++ b/units/systemd-homed.service.in
@@ -16,7 +16,7 @@ After=home.mount
  
  [Service]
  BusName=org.freedesktop.home1
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_SETPCAP CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_SETPCAP CAP_DAC_READ_SEARCH CAP_SETFCAP
  DeviceAllow=/dev/loop-control rw
  DeviceAllow=/dev/mapper/control rw
  DeviceAllow=block-* rw
@@ -28,7 +28,7 @@ LockPersonality=yes
  MemoryDenyWriteExecute=yes
  NoNewPrivileges=yes
  RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG AF_INET AF_INET6
-RestrictNamespaces=mnt
+RestrictNamespaces=mnt user
  RestrictRealtime=yes
  StateDirectory=systemd/home
  SystemCallArchitectures=native
author	Lennart Poettering <lennart@poettering.net>
	Mon, 15 Nov 2021 15:21:59 +0000 (16:21 +0100)
committer	Yu Watanabe <watanabe.yu+github@gmail.com>
	Tue, 16 Nov 2021 01:41:36 +0000 (10:41 +0900)