From 21d0826711b750367edaf01645aac1d03b3b7611 Mon Sep 17 00:00:00 2001
From: Sami Kerola <kerolasa@iki.fi>
Date: Wed, 3 Mar 2021 20:51:18 +0000
Subject: [PATCH] rdisc: remove PrivateUsers=yes from systemd service file
Quoting systemd.exec(5) manual page 'Specifically this means that the
process will have zero process capabilities on the host's user namespace'.
That does not combine well with CAP_NET_RAW, which needs to take effect in the host's
namespace.
Secondly add CapabilityBoundingSet that is will ensure capabilities are
limited to the one and only capability it needs.
Fixes: https://github.com/iputils/iputils/issues/314
Reference: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateUsers=
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
---
systemd/rdisc.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemd/rdisc.service.in b/systemd/rdisc.service.in
|
|
index 4e2a1ec..6ef7fc3 100644
|
|
--- a/systemd/rdisc.service.in
|
|
+++ b/systemd/rdisc.service.in
|
|
@@ -9,8 +9,8 @@ EnvironmentFile=-/etc/sysconfig/rdisc
|
|
ExecStart=@sbindir@/rdisc -f -t $OPTIONS $SEND_ADDRESS $RECEIVE_ADDRESS
|
|
|
|
AmbientCapabilities=CAP_NET_RAW
|
|
+CapabilityBoundingSet=CAP_NET_RAW
|
|
PrivateTmp=yes
|
|
-PrivateUsers=yes
|
|
ProtectSystem=strict
|
|
ProtectHome=yes
|
|
ProtectControlGroups=yes
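Review bot: The reason PrivateUsers= must stay unset now lives only in the commit message, so the next hardening pass over this unit is likely to re-add it and silently break CAP_NET_RAW again; a one-line comment next to the capability settings would keep the constraint with the file, e.g. `# PrivateUsers= is deliberately not set: CAP_NET_RAW must take effect in the host user namespace (see systemd.exec(5), PrivateUsers=)` above `AmbientCapabilities=CAP_NET_RAW`. The start of the [Service] section, including any User= line, is outside the hunk, so I cannot confirm here whether AmbientCapabilities= is actually the path by which rdisc receives the capability or whether the bounding set is the only effective limit; worth a glance at the lines above the hunk. The commit body also has a wording slip in "that is will ensure" that could be tidied before merge.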
|
|
--
2.23.0