Andrew Geissler | 82c905d | 2020-04-13 13:39:40 -0500 | [diff] [blame] | 1 | From 6e51d529988cfc0bb357751fd767e9f1478e2b81 Mon Sep 17 00:00:00 2001 |
| 2 | From: Alex Kiernan <alex.kiernan@gmail.com> |
| 3 | Date: Thu, 13 Feb 2020 06:08:45 +0000 |
| 4 | Subject: [PATCH] rarpd: rdisc: Drop PrivateUsers |
| 5 | |
| 6 | Neither rarpd nor rdisc can gain the necessary capabilities with |
| 7 | PrivateUsers enabled. |
| 8 | |
| 9 | Upstream-Status: Pending |
| 10 | Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> |
| 11 | --- |
| 12 | systemd/rarpd.service.in | 1 - |
| 13 | systemd/rdisc.service.in | 3 ++- |
| 14 | 2 files changed, 2 insertions(+), 2 deletions(-) |
| 15 | |
| 16 | diff --git a/systemd/rarpd.service.in b/systemd/rarpd.service.in |
| 17 | index e600c10c93e6..f5d7621a7ce8 100644 |
| 18 | --- a/systemd/rarpd.service.in |
| 19 | +++ b/systemd/rarpd.service.in |
| 20 | @@ -12,7 +12,6 @@ AmbientCapabilities=CAP_NET_RAW |
| 21 | DynamicUser=yes |
| 22 | PrivateTmp=yes |
| 23 | PrivateDevices=yes |
| 24 | -PrivateUsers=yes |
| 25 | ProtectSystem=strict |
| 26 | ProtectHome=yes |
| 27 | ProtectControlGroups=yes |
| 28 | diff --git a/systemd/rdisc.service.in b/systemd/rdisc.service.in |
| 29 | index 4e2a1ec9d0e5..a71b87d36b37 100644 |
| 30 | --- a/systemd/rdisc.service.in |
| 31 | +++ b/systemd/rdisc.service.in |
| 32 | @@ -8,9 +8,10 @@ After=network.target |
| 33 | EnvironmentFile=-/etc/sysconfig/rdisc |
| 34 | ExecStart=@sbindir@/rdisc -f -t $OPTIONS $SEND_ADDRESS $RECEIVE_ADDRESS |
| 35 | |
| 36 | +CapabilityBoundingSet=CAP_NET_RAW |
| 37 | AmbientCapabilities=CAP_NET_RAW |
| 38 | PrivateTmp=yes |
| 39 | -PrivateUsers=yes |
| 40 | +DynamicUser=yes |
| 41 | ProtectSystem=strict |
| 42 | ProtectHome=yes |
| 43 | ProtectControlGroups=yes |
| 44 | -- |
| 45 | 2.17.1 |
| 46 | |