From: Lennart Poettering
Date: Sat, 23 Aug 2025 06:08:06 +0000 (+0200)
Subject: mountfsd: uncomment CapabilityBoundingSet= line
X-Git-Tag: v259-rc1~514
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=818bd1dfa1e4ac222b1fc5d238807e49fd1d7939;p=thirdparty%2Fsystemd.git

mountfsd: uncomment CapabilityBoundingSet= line

Since mountfsd was added in 702a52f4b5d49cce11e2adbc740deb3b644e2de0 the caps bounding set line was commented. That's an accident. Fix that. (We need to add a bunch of caps to the list).
---

diff --git a/units/systemd-mountfsd.service.in b/units/systemd-mountfsd.service.in
index 381408da9cc..6fd80359e32 100644
--- a/units/systemd-mountfsd.service.in
+++ b/units/systemd-mountfsd.service.in
@@ -18,7 +18,7 @@ Before=sysinit.target shutdown.target
 DefaultDependencies=no
 
 [Service]
-#CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_CHOWN CAP_SYS_ADMIN
 ExecStart={{LIBEXECDIR}}/systemd-mountfsd
 IPAddressDeny=any
 LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
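Review bot: The now-active `CapabilityBoundingSet=` line adds CAP_SYS_ADMIN, CAP_DAC_OVERRIDE and CAP_CHOWN without recording which operation needs each one; the commit message only says "a bunch of caps" had to be added. CAP_SYS_ADMIN covers far more than mounting and CAP_DAC_OVERRIDE bypasses file permission checks, so the set bounds the service much less than its length suggests. A comment above the line, for example `# CAP_SYS_ADMIN: <operation that needs it>; CAP_DAC_OVERRIDE, CAP_CHOWN: <operation that needs them>`, would let a later reviewer tell when an entry can be dropped. Because the set was never enforced before this change, it is also worth confirming in the integration tests that no code path needs a capability missing from the list, since that would only surface as EPERM at run time. The [Service] section continues past the hunk, so its other sandboxing settings are not visible here.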