units: make sure importd has CAP_LINUX_IMMUTABLE flag
Since d8f9686 we use the chattr +i flag
for marking containers in directories as read-only. But to do so we
need the cap for it, hence grant it.

Fixes: systemd#19115
poettering authored and yuwata committed May 22, 2021
1 parent af92e46 commit 86204ae
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion units/systemd-importd.service.in
Expand Up @@ -16,7 +16,7 @@ Documentation=man:org.freedesktop.import1(5)
ExecStart={{ROOTLIBEXECDIR}}/systemd-importd
BusName=org.freedesktop.import1
KillMode=mixed
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE CAP_LINUX_IMMUTABLE
NoNewPrivileges=yes
MemoryDenyWriteExecute=yes
ProtectHostname=yes
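
Review bot: The new CapabilityBoundingSet= line adds CAP_LINUX_IMMUTABLE with nothing in the unit file recording why importd needs it. The set already carries broad entries such as CAP_SYS_ADMIN and CAP_DAC_OVERRIDE, so anyone auditing this unit later has to go back to the commit log to justify each one. Consider a "#" comment line directly above the setting stating that CAP_LINUX_IMMUTABLE is required for the chattr +i read-only marking the commit message describes, so the grant can be dropped again if that code path ever goes away.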
