- fixed systemd sandboxing (bsc#1185596)

diff --git a/data/boot.service b/data/boot.service
index 2496143b8b73ce6dcc45fe95d3cfcf376cff84fc..ef8b8a38ad05bb21bbf6adcf8b22a0a4c6a4491c 100644 (file)
--- a/data/boot.service
+++ b/data/boot.service
@@ -6,7 +6,7 @@ ConditionPathExists=/etc/snapper/configs/root
 Type=oneshot
 ExecStart=/usr/bin/snapper --config root create --cleanup-algorithm number --description "boot"
 
-CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true

diff --git a/data/cleanup.service b/data/cleanup.service
index f2180d0c9b90a90e61dcaa7dd90dbd45197544b6..b4f5f240e054e9e7fc4dd2cc985d58ae87d7c655 100644 (file)
--- a/data/cleanup.service
+++ b/data/cleanup.service
@@ -9,7 +9,7 @@ ExecStart=/usr/lib/snapper/systemd-helper --cleanup
 IOSchedulingClass=idle
 CPUSchedulingPolicy=idle
 
-CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true

diff --git a/data/snapperd.service b/data/snapperd.service
index bb72585043af40ae7bf55c14f1d7c13ff4460b29..206ed3124db0e7e0333bab89cdcad5cc557a517e 100644 (file)
--- a/data/snapperd.service
+++ b/data/snapperd.service
@@ -7,7 +7,7 @@ Type=dbus
 BusName=org.opensuse.Snapper
 ExecStart=/usr/sbin/snapperd
 
-CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true

diff --git a/data/systemd-sandboxing.txt b/data/systemd-sandboxing.txt
index 143e5dcbc9a49ca6e23ad84399a6e675f1796212..ef0893bde0f26acb2250e390473dfee127d8bc1b 100644 (file)
--- a/data/systemd-sandboxing.txt
+++ b/data/systemd-sandboxing.txt
@@ -19,3 +19,5 @@ ProtectHome=true breaks diff for LVM.
 SystemCallFilter=@mount breaks almost everything with older systemd,
 e.g. on SLE15 SP1.
 
+CapabilityBoundingSet=CAP_FOWNER is needed if for home directories.
+

diff --git a/data/timeline.service b/data/timeline.service
index 5302fcd74a511392b3c2c33a09b7ff9df0cee0bf..44005103b4f4105e155d94ee93bb9fe13f5db2a7 100644 (file)
--- a/data/timeline.service
+++ b/data/timeline.service
@@ -7,7 +7,7 @@ Documentation=man:snapper(8) man:snapper-configs(5)
 Type=simple
 ExecStart=/usr/lib/snapper/systemd-helper --timeline
 
-CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true

diff --git a/package/snapper.changes b/package/snapper.changes
index 6938a90bde665e4ce7baa151ece345470a36a701..4e322258216c8ed1eaf2c90deee1ce2cef26d51a 100644 (file)
--- a/package/snapper.changes
+++ b/package/snapper.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue May 04 08:35:28 CEST 2021 - aschnell@suse.com
+
+- fixed systemd sandboxing (bsc#1185596)
+
 -------------------------------------------------------------------
 Wed Apr 28 10:17:14 CEST 2021 - aschnell@suse.com