From: Adrian Vovk Date: Wed, 6 Nov 2024 18:17:04 +0000 (-0500) Subject: sysupdated: Permit mount namespaces X-Git-Tag: v257-rc2~50^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=31616d00efe80f07793af46f9bf9bcad1d5a7526;p=thirdparty%2Fsystemd.git sysupdated: Permit mount namespaces dissect-image tries to use mount namespaces to dissect images without polluting the host mounts. This change allows it to do that. --- diff --git a/units/systemd-sysupdated.service.in b/units/systemd-sysupdated.service.in index 28671fbc54c..ae0adf3d64a 100644 --- a/units/systemd-sysupdated.service.in +++ b/units/systemd-sysupdated.service.in @@ -21,7 +21,7 @@ NoNewPrivileges=yes MemoryDenyWriteExecute=yes ProtectHostname=yes RestrictRealtime=yes -RestrictNamespaces=net +RestrictNamespaces=net mnt RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 SystemCallFilter=@system-service @mount SystemCallErrorNumber=EPERM
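Review bot: The changed line `RestrictNamespaces=net mnt` carries no comment in the unit file explaining why mount namespaces are permitted, so the rationale (dissect-image dissecting images without polluting the host mounts) lives only in the commit message. Since this setting is an allow-list and each added type widens what the service may create, a one-line comment above it naming dissect-image as the consumer of `mnt` would let a later hardening audit of this unit see why the entry exists and when it can be dropped. The commit message says dissect-image "tries to" use mount namespaces; it would help to state whether the previous restriction caused a hard failure or a fallback path, because that determines whether the relaxation is required or only preferable. The context lines show `SystemCallFilter=@system-service @mount` was already in place, so the namespace restriction was the remaining sandbox control on this path, which is worth noting in the same comment.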