From: Lennart Poettering
Date: Fri, 21 May 2021 20:04:33 +0000 (+0200)
Subject: units: make sure importd has CAP_LINUX_IMMUTABLE flag
X-Git-Tag: v248.4~129
X-Git-Url: http://git-history.diyao.me/?a=commitdiff_plain;h=3578564efb3a104ad8c686cd142d6dbbe5674892;p=systemd%2F.git

units: make sure importd has CAP_LINUX_IMMUTABLE flag

Since d8f9686c0f1f276c0a687d9bd69f3adf33f15a95 we use the chattr +i flag
for marking containers in directories as read-only. But to do so we need
the cap for it, hence grant it.

Fixes: #19115

(cherry picked from commit 86204ae145e38a4557981a92ce91a8ce4318e181)
---

diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index afe395687d..7ed6f3f217 100644
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -16,7 +16,7 @@ Documentation=man:org.freedesktop.import1(5)
 ExecStart=@rootlibexecdir@/systemd-importd
 BusName=org.freedesktop.import1
 KillMode=mixed
-CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE CAP_LINUX_IMMUTABLE
 NoNewPrivileges=yes
 MemoryDenyWriteExecute=yes
 ProtectHostname=yes
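Review bot: The reason for the new CAP_LINUX_IMMUTABLE entry in CapabilityBoundingSet= is recorded only in the commit message, not in the unit file, so a later sandbox-tightening pass has nothing in the file telling it the capability is load-bearing; add a comment above the line, e.g.
# CAP_LINUX_IMMUTABLE: required to set/clear chattr +i on imported container directories
Two caveats worth stating in that comment: the kernel requires CAP_LINUX_IMMUTABLE to clear the immutable flag as well as to set it, so the capability is needed when such a directory is later removed or re-imported, not only when it is marked read-only; and because CAP_SYS_ADMIN and CAP_DAC_OVERRIDE are already in the bounding set, the additional exposure from this widening is small, which is the justification for accepting it rather than restructuring the service.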