mountfsd: Add CAP_SYS_PTRACE and CAP_SYS_CHROOT

CAP_SYS_PTRACE for making sure we can open mount namespaces of
peers via /proc/<pid>/ns and CAP_SYS_CHROOT for making sure we can
join those mount namespaces.
Daan De Meyer
2026-03-20 14:14:28 +01:00
committed by Daan De Meyer
parent 93f1546b93
commit bb7486db61


@@ -18,7 +18,7 @@ Before=sysinit.target shutdown.target
DefaultDependencies=no
[Service]
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_CHOWN CAP_SYS_ADMIN
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_CHOWN CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYS_CHROOT
ExecStart={{LIBEXECDIR}}/systemd-mountfsd
IPAddressDeny=any
LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
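Review bot: The widened `CapabilityBoundingSet=` line has no in-file rationale, so the reason for CAP_SYS_PTRACE and CAP_SYS_CHROOT exists only in the commit message. A full-line comment above it, such as `# CAP_SYS_PTRACE: open peers' mount namespaces via /proc/<pid>/ns; CAP_SYS_CHROOT: join them`, would stop a later hardening pass from dropping or widening the set blindly. CAP_SYS_PTRACE is a broad grant, since it also overrides the ptrace access checks for inspecting and attaching to other processes, so confirm that the rest of the [Service] section, which continues outside this hunk, still confines the daemon adequately. The code that opens /proc/<pid>/ns is not on this page; presumably the peer is pinned by a pidfd rather than a bare PID so that PID reuse cannot redirect the open, but that should be verified.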