From: Arvin Schnell
Date: Mon, 17 May 2021 06:40:36 +0000 (+0200)
Subject: - fixed systemd sandboxing (bsc#1186095)
X-Git-Tag: v0.9.1~9^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F655%2Fhead;p=thirdparty%2Fsnapper.git

- fixed systemd sandboxing (bsc#1186095)
---
diff --git a/data/boot.service b/data/boot.service
index cce5c467..5ec3f9a2 100644
--- a/data/boot.service
+++ b/data/boot.service
@@ -6,7 +6,7 @@ ConditionPathExists=/etc/snapper/configs/root
 Type=oneshot
 ExecStart=/usr/bin/snapper --config root create --cleanup-algorithm number --description "boot"
-CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
diff --git a/data/cleanup.service b/data/cleanup.service
index 2baab5c0..9f6e7843 100644
--- a/data/cleanup.service
+++ b/data/cleanup.service
@@ -9,7 +9,7 @@ ExecStart=/usr/lib/snapper/systemd-helper --cleanup
 IOSchedulingClass=idle
 CPUSchedulingPolicy=idle
-CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
diff --git a/data/snapperd.service b/data/snapperd.service
index 48f75dd5..6dbda8c0 100644
--- a/data/snapperd.service
+++ b/data/snapperd.service
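Review bot: CAP_DAC_OVERRIDE is added to the bounding set in data/boot.service although its `ExecStart` only runs `snapper --config root create`, while the text this commit adds to systemd-sandboxing.txt ties the capability to directory comparison; the same question applies to the data/cleanup.service and data/timeline.service hunks. The capability lets the process bypass file read, write and execute permission checks, so I would grant it only to the units that actually compare directories, which these hunks do not show. If comparison only has to read and traverse, `CAP_DAC_READ_SEARCH` would be the narrower grant and is worth testing against bsc#1186095. Whatever is kept, a comment above the line would record the reason, e.g. `# CAP_DAC_OVERRIDE: needed for directory comparison in some cases (bsc#1186095)`; the [Service] section starts before each hunk and continues after it.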
@@ -7,7 +7,7 @@ Type=dbus
 BusName=org.opensuse.Snapper
 ExecStart=/usr/sbin/snapperd
-CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
diff --git a/data/systemd-sandboxing.txt b/data/systemd-sandboxing.txt
index 8a90dc3d..d475060f 100644
--- a/data/systemd-sandboxing.txt
+++ b/data/systemd-sandboxing.txt
@@ -22,6 +22,9 @@ e.g. on SLE15 SP1.
 CapabilityBoundingSet=CAP_FOWNER is needed if for home directories.
+CapabilityBoundingSet=CAP_DAC_OVERRIDE is needed for directory
+comparison (in some cases) - but not if using btrfs send/receive.
+
 Finally do not forget the hooks.
 Have a lot of fun...
diff --git a/data/timeline.service b/data/timeline.service
index 66c3bb01..d74bf6b4 100644
--- a/data/timeline.service
+++ b/data/timeline.service
@@ -7,7 +7,7 @@ Documentation=man:snapper(8) man:snapper-configs(5)
 Type=simple
 ExecStart=/usr/lib/snapper/systemd-helper --timeline
-CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
diff --git a/package/snapper.changes b/package/snapper.changes
index 20ab1f08..2745e108 100644
--- a/package/snapper.changes
+++ b/package/snapper.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon May 17 08:39:58 CEST 2021 - aschnell@suse.com
+
+- fixed systemd sandboxing (bsc#1186095)
+
 -------------------------------------------------------------------
 Tue May 11 10:01:30 CEST 2021 - aschnell@suse.com
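Review bot: In data/snapperd.service the new capability goes to a D-Bus service (`Type=dbus`, `BusName=org.opensuse.Snapper`), so comparisons requested over the bus would now run without file permission checks. That leaves snapperd's own authorization of callers as the only thing limiting what a comparison can reveal about files the caller cannot read; whether results are restricted per caller is not visible in this diff and should be confirmed. I would note the dependency in the unit, e.g. `# CAP_DAC_OVERRIDE bypasses file permissions: snapperd must authorize the caller before comparing`. The [Service] section starts before the hunk and continues after it.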