]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: af92e46)
units: make sure importd has CAP_LINUX_IMMUTABLE flag
authorLennart Poettering <lennart@poettering.net>
Fri, 21 May 2021 20:04:33 +0000 (22:04 +0200)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Sat, 22 May 2021 07:02:02 +0000 (16:02 +0900)
Since d8f9686c0f1f276c0a687d9bd69f3adf33f15a95 we use the chattr +i flag
for marking containers in directories as reead-only. But to do so we
need the cap for it, hence grant it.

Fixes: #19115
units/systemd-importd.service.in patch | blob | blame | history

diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index da31b2dc20ceba684d6dfba457b7c823ae734bbf..080cc646a9cc14ae7a80a26dc400e0586137695f 100644 (file)
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -16,7 +16,7 @@ Documentation=man:org.freedesktop.import1(5)
 ExecStart={{ROOTLIBEXECDIR}}/systemd-importd
 BusName=org.freedesktop.import1
 KillMode=mixed
-CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE CAP_LINUX_IMMUTABLE
 NoNewPrivileges=yes
 MemoryDenyWriteExecute=yes
 ProtectHostname=yes
Unnamed repository; edit this file 'description' to name the repository.