From 818bd1dfa1e4ac222b1fc5d238807e49fd1d7939 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Sat, 23 Aug 2025 08:08:06 +0200
Subject: [PATCH] mountfsd: uncomment CapabilityBoundingSet= line

Since mountfsd was added in 702a52f4b5d49cce11e2adbc740deb3b644e2de0 the caps bounding set line was commented. That's an accident. Fix that. (We need to add a bunch of caps to the list).
---
 units/systemd-mountfsd.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/units/systemd-mountfsd.service.in b/units/systemd-mountfsd.service.in
index 381408da9c..6fd80359e3 100644
--- a/units/systemd-mountfsd.service.in
+++ b/units/systemd-mountfsd.service.in
@@ -18,7 +18,7 @@ Before=sysinit.target shutdown.target
 DefaultDependencies=no
 
 [Service]
-#CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_CHOWN CAP_SYS_ADMIN
 ExecStart={{LIBEXECDIR}}/systemd-mountfsd
 IPAddressDeny=any
 LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
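Review bot: The now-active `CapabilityBoundingSet=` line in `[Service]` carries nine capabilities with no record of which mountfsd operation needs each one, and the three added here include `CAP_SYS_ADMIN` and `CAP_DAC_OVERRIDE`, which leave the bounding set only a modest restriction. I would put a comment above it, e.g. `# CAP_SYS_ADMIN: mount and loop-device setup; CAP_CHOWN, CAP_DAC_OVERRIDE: <reason>` (the CAP_SYS_ADMIN purpose is my assumption, to be confirmed), so a later audit can drop entries that are no longer needed. Because the line was never in effect before, the original six entries have not been exercised either; a missing capability only shows up as EPERM on the code path that needs it, so each mount path should be run with this unit before release. The `[Service]` section continues past the hunk, so whether further sandboxing directives back this up cannot be seen from here.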