From 31616d00efe80f07793af46f9bf9bcad1d5a7526 Mon Sep 17 00:00:00 2001
From: Adrian Vovk
Date: Wed, 6 Nov 2024 13:17:04 -0500
Subject: [PATCH] sysupdated: Permit mount namespaces

dissect-image tries to use mount namespaces to dissect images without polluting the host mounts. This change allows it to do that.
---
 units/systemd-sysupdated.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/units/systemd-sysupdated.service.in b/units/systemd-sysupdated.service.in
index 28671fbc54c..ae0adf3d64a 100644
--- a/units/systemd-sysupdated.service.in
+++ b/units/systemd-sysupdated.service.in
@@ -21,7 +21,7 @@ NoNewPrivileges=yes
 MemoryDenyWriteExecute=yes
 ProtectHostname=yes
 RestrictRealtime=yes
-RestrictNamespaces=net
+RestrictNamespaces=net mnt
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=@system-service @mount
 SystemCallErrorNumber=EPERM
--
2.47.3
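Review bot: The widened `RestrictNamespaces=net mnt` line has no in-file explanation, so the reason this sandbox setting was loosened is recorded only in the commit message. Because the directive is an allow-list, a later hardening pass could drop `mnt` and break image dissection, or keep it without knowing whether it is still needed. A comment above the line would record the reason, for example `# mnt: image dissection uses a private mount namespace so host mounts are not polluted`. The hunk also shows `SystemCallFilter=@system-service @mount`, so after this change the service may both create mount namespaces and issue mount calls inside them. What bounds that is presumably the capability and filesystem-protection directives elsewhere in the [Service] section, which starts and ends outside this hunk and is worth re-checking.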