From: Daan De Meyer <daan@amutable.com>
Date: Fri, 20 Mar 2026 13:14:28 +0000 (+0100)
Subject: mountfsd: Add CAP_SYS_PTRACE and CAP_SYS_CHROOT
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bb7486db618f4cf5109abdfef797ee70c47223c0;p=thirdparty%2Fsystemd.git

mountfsd: Add CAP_SYS_PTRACE and CAP_SYS_CHROOT

CAP_SYS_PTRACE for making sure we can open mount namespaces of
peers via /proc/<pid>/ns and CAP_SYS_CHROOT for making sure we can
join those mount namespaces.
---

diff --git a/units/systemd-mountfsd.service.in b/units/systemd-mountfsd.service.in
index 73105007f92..1e996a0def8 100644
--- a/units/systemd-mountfsd.service.in
+++ b/units/systemd-mountfsd.service.in
@@ -18,7 +18,7 @@ Before=sysinit.target shutdown.target
 DefaultDependencies=no
 
 [Service]
-CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_CHOWN CAP_SYS_ADMIN
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_CHOWN CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYS_CHROOT
 ExecStart={{LIBEXECDIR}}/systemd-mountfsd
 IPAddressDeny=any
 LimitNOFILE={{HIGH_RLIMIT_NOFILE}}