]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a509603)
sysupdated: Permit mount namespaces 35052/head
authorAdrian Vovk <adrianvovk@gmail.com>
Wed, 6 Nov 2024 18:17:04 +0000 (13:17 -0500)
committerAdrian Vovk <adrianvovk@gmail.com>
Wed, 6 Nov 2024 20:44:11 +0000 (15:44 -0500)
dissect-image tries to use mount namespaces to dissect images without
polluting the host mounts. This change allows it to do that.

units/systemd-sysupdated.service.in patch | blob | blame | history

diff --git a/units/systemd-sysupdated.service.in b/units/systemd-sysupdated.service.in
index 28671fbc54ca7ccf731ff625ebe13e51ee4e89ab..ae0adf3d64a76cce1ed025810692278722b9b283 100644 (file)
--- a/units/systemd-sysupdated.service.in
+++ b/units/systemd-sysupdated.service.in
@@ -21,7 +21,7 @@ NoNewPrivileges=yes
 MemoryDenyWriteExecute=yes
 ProtectHostname=yes
 RestrictRealtime=yes
-RestrictNamespaces=net
+RestrictNamespaces=net mnt
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=@system-service @mount
 SystemCallErrorNumber=EPERM
Unnamed repository; edit this file 'description' to name the repository.