mountfsd: Add CAP_SYS_PTRACE and CAP_SYS_CHROOT
CAP_SYS_PTRACE so that we can open the mount namespaces of peers via /proc/<pid>/ns, and CAP_SYS_CHROOT so that we can join those mount namespaces.
This commit is contained in:
committed by
Daan De Meyer
parent
93f1546b93
commit
bb7486db61
@@ -18,7 +18,7 @@ Before=sysinit.target shutdown.target
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_CHOWN CAP_SYS_ADMIN
|
||||
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_CHOWN CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYS_CHROOT
|
||||
ExecStart={{LIBEXECDIR}}/systemd-mountfsd
|
||||
IPAddressDeny=any
|
||||
LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
|
||||
|
||||
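Review bot: The new CapabilityBoundingSet= line carries no comment saying why CAP_SYS_PTRACE and CAP_SYS_CHROOT are now in the set; the rationale lives only in the commit message, and CAP_SYS_PTRACE in particular grants far more than reading /proc/<pid>/ns of peers, so the next person tightening this line will want the reason next to it. I would add above the line `# CAP_SYS_PTRACE: open peers' mount namespaces via /proc/<pid>/ns` and `# CAP_SYS_CHROOT: join those mount namespaces`. Since only the bounding set is needed for the namespace open/join, it is worth confirming that the unit's SystemCallFilter= (if any) still excludes ptrace() so the added capability is not usable beyond its stated purpose; the rest of the unit is outside the hunk, so I cannot tell from here.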