From c6e9ff6b84ae3f77f827f67410911f2b33ad57a8 Mon Sep 17 00:00:00 2001
From: Arvin Schnell
Date: Tue, 11 May 2021 10:02:08 +0200
Subject: [PATCH] - fixed systemd sandboxing (gh#openSUSE/snapper#651)

---
 data/boot.service | 3 ---
 data/cleanup.service | 3 ---
 data/snapperd.service | 3 ---
 data/systemd-sandboxing.txt | 7 ++++++-
 data/timeline.service | 3 ---
 package/snapper.changes | 5 +++++
 6 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/data/boot.service b/data/boot.service
index ef8b8a38..cce5c467 100644
--- a/data/boot.service
+++ b/data/boot.service
@@ -10,9 +10,6 @@ CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
-ProtectControlGroups=true
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelTunables=true
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=true
diff --git a/data/cleanup.service b/data/cleanup.service
index b4f5f240..2baab5c0 100644
--- a/data/cleanup.service
+++ b/data/cleanup.service
@@ -13,9 +13,6 @@ CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
-ProtectControlGroups=true
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelTunables=true
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=true
diff --git a/data/snapperd.service b/data/snapperd.service
index 206ed312..48f75dd5 100644
--- a/data/snapperd.service
+++ b/data/snapperd.service
@@ -11,9 +11,6 @@ CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN
 LockPersonality=true
 NoNewPrivileges=false
 PrivateNetwork=true
-ProtectControlGroups=true
 ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelTunables=true
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=true
diff --git a/data/systemd-sandboxing.txt b/data/systemd-sandboxing.txt
index ef0893bd..8a90dc3d 100644
--- a/data/systemd-sandboxing.txt
+++ b/data/systemd-sandboxing.txt
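Review bot: Dropping ProtectControlGroups, ProtectKernelLogs and ProtectKernelTunables from snapperd.service (and likewise in the boot and cleanup hunks above it) loosens the daemon's sandbox on every installation, while the only justification visible in this patch is the systemd-sandboxing.txt note that they break diff for LVM; btrfs-only hosts lose the hardening for a failure they presumably cannot hit. A narrower fix would keep the three directives in the shipped unit and document a drop-in for LVM hosts, e.g. `/etc/systemd/system/snapperd.service.d/lvm.conf` containing `[Service]` followed by `ProtectControlGroups=false`, `ProtectKernelLogs=false` and `ProtectKernelTunables=false`. If the wholesale removal is kept, the unit should at least carry a comment such as `# ProtectControlGroups/ProtectKernelLogs/ProtectKernelTunables are omitted on purpose: they break diff for LVM (gh#openSUSE/snapper#651), see systemd-sandboxing.txt` so a later hardening pass does not silently reintroduce them. The [Service] section header and ExecStart of this unit are outside the hunk.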
@@ -14,10 +14,15 @@ ProtectKernelModules=true breaks LVM. CapabilityBoundingSet=CAP_SYS_NICE is also needed by LVM. -ProtectHome=true breaks diff for LVM. +ProtectHome=true, ProtectControlGroups=true, ProtectKernelLogs=true +and ProtectKernelTunables=true breaks diff for LVM. SystemCallFilter=@mount breaks almost everything with older systemd, e.g. on SLE15 SP1. CapabilityBoundingSet=CAP_FOWNER is needed if for home directories. +Finally do not forget the hooks. + +Have a lot of fun... + diff --git a/data/timeline.service b/data/timeline.service index 44005103..66c3bb01 100644 --- a/data/timeline.service +++ b/data/timeline.service @@ -11,9 +11,6 @@ CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN LockPersonality=true NoNewPrivileges=false PrivateNetwork=true -ProtectControlGroups=true ProtectHostname=true -ProtectKernelLogs=true -ProtectKernelTunables=true RestrictAddressFamilies=AF_UNIX RestrictRealtime=true diff --git a/package/snapper.changes b/package/snapper.changes index 4e322258..20ab1f08 100644 --- a/package/snapper.changes +++ b/package/snapper.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue May 11 10:01:30 CEST 2021 - aschnell@suse.com + +- fixed systemd sandboxing (gh#openSUSE/snapper#651) + ------------------------------------------------------------------- Tue May 04 08:35:28 CEST 2021 - aschnell@suse.com
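Review bot: timeline.service has the same three directives removed, but its ExecStart is outside the hunk, so the patch does not show whether this unit performs the LVM diff itself or only drives snapperd over D-Bus; if it is the latter, the relaxation here is unnecessary and only the daemon's unit needs to change. It would be worth confirming that the gh#651 failure actually reproduces under this unit before loosening it, and recording the outcome in the file, e.g. `# ProtectControlGroups/ProtectKernelLogs/ProtectKernelTunables intentionally absent: breaks diff for LVM (gh#openSUSE/snapper#651)`, since systemd-sandboxing.txt is easy to miss when editing the unit. The [Service] section header of this unit starts outside the hunk.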