From: Luca Boccassi Date: Tue, 26 Jul 2022 16:41:51 +0000 (+0100) Subject: portable: set PrivateTmp=yes in trusted profile too X-Git-Tag: v252-rc1~570 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2d26cd89b195e53f184387f1a5b97a98512c82a;p=thirdparty%2Fsystemd.git portable: set PrivateTmp=yes in trusted profile too When running on images you don't want to modify the /tmp directory even if it's writable, and often it will just be read-only. Set PrivateTmp=yes. Fixes https://github.com/systemd/systemd/issues/23592 --- diff --git a/src/portable/profile/trusted/service.conf b/src/portable/profile/trusted/service.conf index 9a6af70b939..04deeb2262e 100644 --- a/src/portable/profile/trusted/service.conf +++ b/src/portable/profile/trusted/service.conf @@ -1,7 +1,8 @@ -# The "trusted" profile for services, i.e. no restrictions are applied +# The "trusted" profile for services, i.e. no restrictions are applied apart from a private /tmp [Service] MountAPIVFS=yes +PrivateTmp=yes BindPaths=/run BindReadOnlyPaths=/etc/machine-id BindReadOnlyPaths=/etc/resolv.conf
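Review bot: The rewritten header comment on the first line of the hunk names only "a private /tmp", but PrivateTmp=yes also gives the service a private /var/tmp, so the comment understates what the new line does; suggest "no restrictions are applied apart from private /tmp and /var/tmp". The added PrivateTmp=yes line is also a behaviour change for existing users of the trusted profile: a service that exchanged files with the host through /tmp or /var/tmp will no longer see the host's directories, and the private ones are removed when the service stops. That deserves a mention in whatever documentation describes the trusted profile as unrestricted, and in the release notes.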