Merge pull request openSUSE#652 from aschnell/master

fixed systemd sandboxing
leonardohn · May 11, 2021 · 57f2b40 · 57f2b40
2 parents 4f10920 + 44a6e4c
commit 57f2b40
Show file tree

Hide file tree

Showing 7 changed files with 11 additions and 17 deletions.
diff --git a/configure.ac b/configure.ac
@@ -51,10 +51,6 @@ AC_DEFINE_UNQUOTED([LVCHANGEBIN], ["$LVCHANGEBIN"], [Path of lvchange program.])
 AC_DEFINE_UNQUOTED([LVMBIN], ["$LVMBIN"], [Path of lvm program.])
 AC_DEFINE_UNQUOTED([LVRENAMEBIN], ["$LVRENAMEBIN"], [Path of lvrename program.])
 
-dnl Automake 1.11 enables silent compilation
-dnl Disable it by "configure --disable-silent-rules" or "make V=1"
-m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
-
 CFLAGS="${CFLAGS} -std=c99 -Wall -Wextra -Wformat -Wmissing-prototypes -Wno-unused-parameter"
 CXXFLAGS="${CXXFLAGS} -std=c++11 -Wall -Wextra -Wformat -Wnon-virtual-dtor -Wno-unused-parameter"
 

diff --git a/data/boot.service b/data/boot.service
@@ -10,9 +10,6 @@ CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
-ProtectControlGroups=true
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelTunables=true
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=true
diff --git a/data/cleanup.service b/data/cleanup.service
@@ -13,9 +13,6 @@ CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
-ProtectControlGroups=true
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelTunables=true
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=true
diff --git a/data/snapperd.service b/data/snapperd.service
@@ -11,9 +11,6 @@ CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
-ProtectControlGroups=true
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelTunables=true
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=true
diff --git a/data/systemd-sandboxing.txt b/data/systemd-sandboxing.txt
@@ -14,10 +14,15 @@ ProtectKernelModules=true breaks LVM.
 
 CapabilityBoundingSet=CAP_SYS_NICE is also needed by LVM.
 
-ProtectHome=true breaks diff for LVM.
+ProtectHome=true, ProtectControlGroups=true, ProtectKernelLogs=true
+and ProtectKernelTunables=true breaks diff for LVM.
 
 SystemCallFilter=@mount breaks almost everything with older systemd,
 e.g. on SLE15 SP1.
 
 CapabilityBoundingSet=CAP_FOWNER is needed if for home directories.
 
+Finally do not forget the hooks.
+
+Have a lot of fun...
+
diff --git a/data/timeline.service b/data/timeline.service
@@ -11,9 +11,6 @@ CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
-ProtectControlGroups=true
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelTunables=true
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=true
diff --git a/package/snapper.changes b/package/snapper.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue May 11 10:01:30 CEST 2021 - [email protected]
+
+- fixed systemd sandboxing (gh#openSUSE/snapper#651)
+
 -------------------------------------------------------------------
 Tue May 04 08:35:28 CEST 2021 - [email protected]