- fixed systemd sandboxing (bsc#1186095)

diff --git a/data/boot.service b/data/boot.service
index cce5c4671c5db34bd86772ca983712adcba7ddd9..5ec3f9a2c00497e2a4ddf01253374460d8363460 100644 (file)
--- a/data/boot.service
+++ b/data/boot.service
@@ -6,7 +6,7 @@ ConditionPathExists=/etc/snapper/configs/root
 Type=oneshot
 ExecStart=/usr/bin/snapper --config root create --cleanup-algorithm number --description "boot"
 
-CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true

diff --git a/data/cleanup.service b/data/cleanup.service
index 2baab5c021199bf1c0a15de7887c722316ffd2d7..9f6e7843b0b0f59b359a17d5e0633833e6989b8e 100644 (file)
--- a/data/cleanup.service
+++ b/data/cleanup.service
@@ -9,7 +9,7 @@ ExecStart=/usr/lib/snapper/systemd-helper --cleanup
 IOSchedulingClass=idle
 CPUSchedulingPolicy=idle
 
-CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true

diff --git a/data/snapperd.service b/data/snapperd.service
index 48f75dd50b533d213ed078d3500c660996da7504..6dbda8c0f8a7e2cfa66a3ed15b20cecf88dfeb06 100644 (file)
--- a/data/snapperd.service
+++ b/data/snapperd.service
@@ -7,7 +7,7 @@ Type=dbus
 BusName=org.opensuse.Snapper
 ExecStart=/usr/sbin/snapperd
 
-CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true

diff --git a/data/systemd-sandboxing.txt b/data/systemd-sandboxing.txt
index 8a90dc3db8fe219035ba654b0e8fea91c28cce46..d475060f92f9ad6520a85f817b1e38a33f57633d 100644 (file)
--- a/data/systemd-sandboxing.txt
+++ b/data/systemd-sandboxing.txt
@@ -22,6 +22,9 @@ e.g. on SLE15 SP1.
 
 CapabilityBoundingSet=CAP_FOWNER is needed if for home directories.
 
+CapabilityBoundingSet=CAP_DAC_OVERRIDE is needed for directory
+comparison (in some cases) - but not if using btrfs send/receive.
+
 Finally do not forget the hooks.
 
 Have a lot of fun...

diff --git a/data/timeline.service b/data/timeline.service
index 66c3bb01c73bbbd49548b2c84ddfcebd340ef085..d74bf6b4abb8da3c94742a3077df8aabe3c0a1f9 100644 (file)
--- a/data/timeline.service
+++ b/data/timeline.service
@@ -7,7 +7,7 @@ Documentation=man:snapper(8) man:snapper-configs(5)
 Type=simple
 ExecStart=/usr/lib/snapper/systemd-helper --timeline
 
-CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true

diff --git a/package/snapper.changes b/package/snapper.changes
index 20ab1f08805f3c4e07bd8c37099bd8b05d71809d..2745e1081c9847635518cd305cb1748ae1a0e451 100644 (file)
--- a/package/snapper.changes
+++ b/package/snapper.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon May 17 08:39:58 CEST 2021 - aschnell@suse.com
+
+- fixed systemd sandboxing (bsc#1186095)
+
 -------------------------------------------------------------------
 Tue May 11 10:01:30 CEST 2021 - aschnell@suse.com