From: Lennart Poettering Date: Tue, 31 Aug 2021 08:04:06 +0000 (+0200) Subject: homed: add missing capabilities for SMB/CIFS backend X-Git-Tag: v250-rc1~752^2~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=169764332af0a85e52e01f7b9cb28cc05cee038f;p=thirdparty%2Fsystemd.git homed: add missing capabilities for SMB/CIFS backend In 2020 mount.cifs started to require a bunch for caps to work. let's add them to the capability bounding set. Also, SMB support obviously needs network access, hence open that up. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1962920 --- diff --git a/units/systemd-homed.service.in b/units/systemd-homed.service.in index 0576f846974..f8198c45b72 100644 --- a/units/systemd-homed.service.in +++ b/units/systemd-homed.service.in @@ -16,19 +16,18 @@ After=home.mount [Service] BusName=org.freedesktop.home1 -CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE CAP_SETPCAP CAP_DAC_READ_SEARCH DeviceAllow=/dev/loop-control rw DeviceAllow=/dev/mapper/control rw DeviceAllow=block-* rw DeviceAllow=char-hidraw rw ExecStart={{ROOTLIBEXECDIR}}/systemd-homed -IPAddressDeny=any KillMode=mixed LimitNOFILE={{HIGH_RLIMIT_NOFILE}} LockPersonality=yes MemoryDenyWriteExecute=yes NoNewPrivileges=yes -RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG +RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG AF_INET AF_INET6 RestrictNamespaces=mnt RestrictRealtime=yes StateDirectory=systemd/home
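Review bot: the removal of IPAddressDeny=any in this hunk drops all IP-level filtering from the unit instead of narrowing it, and the commit message only says "open that up"; since the SMB server address is user-supplied this may be unavoidable, but the message should state that explicitly so the regression in sandboxing is a recorded decision rather than an oversight. The same applies to the capability line: "a bunch for caps" should name the two capabilities actually added (CAP_SETPCAP and CAP_DAC_READ_SEARCH) and what mount.cifs uses each for, otherwise nobody can later prune the bounding set back down. Finally, the network opening (RestrictAddressFamilies gaining AF_INET AF_INET6 plus the IPAddressDeny removal) and the capability change are independent hardening relaxations; splitting them into two commits would make each easier to audit and to revert individually.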