From: Lennart Poettering
Date: Sat, 23 Aug 2025 06:08:06 +0000 (+0200)
Subject: mountfsd: uncomment CapabilityBoundingSet= line
X-Git-Tag: v257.10~8
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=978a4348c10aa74f9311cf12a9d6be0b6728a66c;p=thirdparty%2Fsystemd.git

mountfsd: uncomment CapabilityBoundingSet= line

Since mountfsd was added in 702a52f4b5d49cce11e2adbc740deb3b644e2de0 the
caps bounding set line was commented. That's an accident. Fix that.

(We need to add a bunch of caps to the list).

(cherry picked from commit 818bd1dfa1e4ac222b1fc5d238807e49fd1d7939)
(cherry picked from commit 897018cc472d4bcd6d0cd749f8fdf75b81518da4)
---

diff --git a/units/systemd-mountfsd.service.in b/units/systemd-mountfsd.service.in
index 20a9b425abd..c34e5606e20 100644
--- a/units/systemd-mountfsd.service.in
+++ b/units/systemd-mountfsd.service.in
@@ -17,7 +17,7 @@ Before=sysinit.target shutdown.target
 DefaultDependencies=no
 
 [Service]
-#CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_CHOWN CAP_SYS_ADMIN
 ExecStart={{LIBEXECDIR}}/systemd-mountfsd
 IPAddressDeny=any
 LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
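Review bot: The now-active `CapabilityBoundingSet=` line has no comment explaining why `CAP_SYS_ADMIN`, `CAP_DAC_OVERRIDE` and `CAP_CHOWN` had to be added, and with `CAP_SYS_ADMIN` in the set the bound restricts much less than the original six-capability list suggested. A comment above the line, for example `# CAP_SYS_ADMIN is needed for mount operations; CAP_DAC_OVERRIDE and CAP_CHOWN: <reason from author>`, would let a later reviewer tell which entries can be dropped. Because the line stayed commented out unnoticed since the service was added, it would also help to check the effective set on a running unit during testing, e.g. `systemctl show -p CapabilityBoundingSet systemd-mountfsd.service`. The `[Service]` section continues past the hunk, so any sandboxing directives beyond `IPAddressDeny=` are not visible here.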