From: Lennart Poettering Date: Thu, 22 Jan 2015 17:55:08 +0000 (+0100) Subject: importd: run daemon at minimal capabilities X-Git-Tag: v219~344 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=e57565dd5bae380122ba1b6c34cbba1d44f44d1f;ds=inline importd: run daemon at minimal capabilities --- diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in index b9cb97e6b..26759ea0f 100644 --- a/units/systemd-importd.service.in +++ b/units/systemd-importd.service.in @@ -12,8 +12,9 @@ Documentation=man:systemd-importd.service(8) [Service] ExecStart=@rootlibexecdir@/systemd-importd BusName=org.freedesktop.import1 +CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP +NoNewPrivileges=yes WatchdogSec=1min PrivateTmp=yes -PrivateDevices=yes ProtectSystem=full ProtectHome=yes
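Review bot: The `-PrivateDevices=yes` removal near the end of the [Service] hunk loosens the sandbox in a commit whose subject is about running at minimal capabilities, and the commit message gives no reason for it. If it is dropped because the daemon has to create device nodes (the new bounding set keeps `CAP_MKNOD`), please say so in the commit message or in a comment in the unit file, so that a later cleanup does not either restore the option and break the daemon or treat the loss as accidental. In the same spirit, the added `CapabilityBoundingSet=` line keeps `CAP_SYS_ADMIN` and `CAP_SETPCAP`, which are broad on their own. A short comment listing which operation needs each retained capability would make the set auditable and easier to shrink later.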