homed: add missing capabilities for SMB/CIFS backend
authorLennart Poettering <lennart@poettering.net>
Tue, 31 Aug 2021 08:04:06 +0000 (10:04 +0200)
committerLennart Poettering <lennart@poettering.net>
Tue, 31 Aug 2021 08:51:42 +0000 (10:51 +0200)
In 2020 mount.cifs started to require a bunch of caps to work. let's
add them to the capability bounding set.

Also, SMB support obviously needs network access, hence open that up.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1962920
units/systemd-homed.service.in

index 0576f84697423b4a9d2e7abeb154fffb25cf2521..f8198c45b72fa995876c5344cf1d42e8cac71e72 100644 (file)
@@ -16,19 +16,18 @@ After=home.mount
 
 [Service]
 BusName=org.freedesktop.home1
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_SETPCAP CAP_DAC_READ_SEARCH
 DeviceAllow=/dev/loop-control rw
 DeviceAllow=/dev/mapper/control rw
 DeviceAllow=block-* rw
 DeviceAllow=char-hidraw rw
 ExecStart={{ROOTLIBEXECDIR}}/systemd-homed
-IPAddressDeny=any
 KillMode=mixed
 LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
-RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG AF_INET AF_INET6
 RestrictNamespaces=mnt
 RestrictRealtime=yes
 StateDirectory=systemd/home
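Review bot: The sandbox is loosened in three places (the two capabilities added on the CapabilityBoundingSet= line, the removal of `IPAddressDeny=any`, and AF_INET/AF_INET6 on RestrictAddressFamilies=) but the unit itself records no reason, so the next hardening pass has nothing stopping it from reverting these. Dropping `IPAddressDeny=any` removes the service's only network-level filter outright rather than narrowing it; whether an `IPAddressAllow=` scoped to the expected SMB peers is practical cannot be judged from here, but the unit should at least state that unrestricted IP egress is intended. CAP_SETPCAP is a capability-management capability and the description attributes it to mount.cifs without naming the operation that needs it, which is worth a sentence if known. A comment above the CapabilityBoundingSet= line such as `# CAP_SETPCAP and CAP_DAC_READ_SEARCH are required by mount.cifs (SMB/CIFS backend); AF_INET/AF_INET6 and the absent IPAddressDeny= are needed for the same reason.` would keep the intent with the configuration.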