units: make sure importd has CAP_LINUX_IMMUTABLE flag

author Lennart Poettering <lennart@poettering.net>

Fri, 21 May 2021 20:04:33 +0000 (22:04 +0200)

committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>

Fri, 9 Jul 2021 16:25:39 +0000 (18:25 +0200)
author Lennart Poettering <lennart@poettering.net>
Fri, 21 May 2021 20:04:33 +0000 (22:04 +0200)
committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Fri, 9 Jul 2021 16:25:39 +0000 (18:25 +0200)
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in

index afe395687ddf5f0552c921b6ea95e7e50454fb85..7ed6f3f217ceb75629867978c65a3ab9af3fdd04 100644 (file)
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -16,7 +16,7 @@ Documentation=man:org.freedesktop.import1(5)
  ExecStart=@rootlibexecdir@/systemd-importd
  BusName=org.freedesktop.import1
  KillMode=mixed
-CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE CAP_LINUX_IMMUTABLE
  NoNewPrivileges=yes
  MemoryDenyWriteExecute=yes
  ProtectHostname=yes
author	Lennart Poettering <lennart@poettering.net>
	Fri, 21 May 2021 20:04:33 +0000 (22:04 +0200)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Fri, 9 Jul 2021 16:25:39 +0000 (18:25 +0200)