From: Luca Boccassi Date: Wed, 8 May 2024 19:16:05 +0000 (+0100) Subject: portable: drop explicit PrivateTmp=yes from profiles X-Git-Tag: v257-rc1~1121^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F32724%2Fhead;p=thirdparty%2Fsystemd.git portable: drop explicit PrivateTmp=yes from profiles It is already implied by DynamicUser=yes if not set, but dropping it allows users to instead define TemporaryFileSystem=/tmp/ /var/tmp/ in their portable services, which has fewer side effects. --- diff --git a/src/portable/profile/default/service.conf b/src/portable/profile/default/service.conf index 5c447d66417..d2551ef8c8a 100644 --- a/src/portable/profile/default/service.conf +++ b/src/portable/profile/default/service.conf @@ -12,7 +12,6 @@ CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_NET_ADMIN \ CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_SETGID CAP_SETPCAP \ CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE -PrivateTmp=yes PrivateDevices=yes PrivateUsers=yes ProtectSystem=strict diff --git a/src/portable/profile/nonetwork/service.conf b/src/portable/profile/nonetwork/service.conf index cd7f75c2e3a..83e4770e787 100644 --- a/src/portable/profile/nonetwork/service.conf +++ b/src/portable/profile/nonetwork/service.conf @@ -10,7 +10,6 @@ RemoveIPC=yes CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER \ CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_SETGID CAP_SETPCAP \ CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE -PrivateTmp=yes PrivateDevices=yes PrivateUsers=yes ProtectSystem=strict diff --git a/src/portable/profile/strict/service.conf b/src/portable/profile/strict/service.conf index f924e1096f3..bb877c517d1 100644 --- a/src/portable/profile/strict/service.conf +++ b/src/portable/profile/strict/service.conf @@ -7,7 +7,6 @@ BindReadOnlyPaths=/etc/machine-id DynamicUser=yes RemoveIPC=yes CapabilityBoundingSet= -PrivateTmp=yes PrivateDevices=yes PrivateUsers=yes ProtectSystem=strict