- fixed systemd sandboxing (gh#openSUSE#651)

leonardohn · May 11, 2021 · c6e9ff6 · c6e9ff6
1 parent 4f10920
commit c6e9ff6
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 13 deletions.
diff --git a/data/boot.service b/data/boot.service
@@ -10,9 +10,6 @@ CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
-ProtectControlGroups=true
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelTunables=true
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=true
diff --git a/data/cleanup.service b/data/cleanup.service
@@ -13,9 +13,6 @@ CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
-ProtectControlGroups=true
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelTunables=true
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=true
diff --git a/data/snapperd.service b/data/snapperd.service
@@ -11,9 +11,6 @@ CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
-ProtectControlGroups=true
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelTunables=true
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=true
diff --git a/data/systemd-sandboxing.txt b/data/systemd-sandboxing.txt
@@ -14,10 +14,15 @@ ProtectKernelModules=true breaks LVM.
 
 CapabilityBoundingSet=CAP_SYS_NICE is also needed by LVM.
 
-ProtectHome=true breaks diff for LVM.
+ProtectHome=true, ProtectControlGroups=true, ProtectKernelLogs=true
+and ProtectKernelTunables=true breaks diff for LVM.
 
 SystemCallFilter=@mount breaks almost everything with older systemd,
 e.g. on SLE15 SP1.
 
 CapabilityBoundingSet=CAP_FOWNER is needed if for home directories.
 
+Finally do not forget the hooks.
+
+Have a lot of fun...
+
diff --git a/data/timeline.service b/data/timeline.service
@@ -11,9 +11,6 @@ CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
-ProtectControlGroups=true
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelTunables=true
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=true
diff --git a/package/snapper.changes b/package/snapper.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue May 11 10:01:30 CEST 2021 - [email protected]
+
+- fixed systemd sandboxing (gh#openSUSE/snapper#651)
+
 -------------------------------------------------------------------
 Tue May 04 08:35:28 CEST 2021 - [email protected]