From 9534ce54858c67363b841cdbdc315140437bfdb4 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 20 Apr 2011 03:34:58 +0200
Subject: [PATCH] units: set capability bounding set for syslog services

---
 TODO                                  | 12 ++++++++++--
 units/systemd-kmsg-syslogd.service.in |  1 +
 units/systemd-logger.service.in       |  1 +
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/TODO b/TODO
index 5c4577e37..326acaf83 100644
--- a/TODO
+++ b/TODO
@@ -25,12 +25,18 @@ F15:
 * don't trim empty cgroups
   https://bugzilla.redhat.com/show_bug.cgi?id=678555
 
-* drop cap bounding set in logger, hostnamed, readahead, ...
-
 * make anaconda write timeout=0 for encrypted devices
 
+* Fix assert http://lists.freedesktop.org/archives/systemd-devel/2011-April/001910.html
+
 Features:
 
+* maybe lower default timeout to 2min?
+
+* GC unreferenced jobs (such as .device jobs)
+
+* support wildcard expansion in ListeStream= and friends
+
 * Add ListenSpecial to .socket units for /proc/kmsg and similar friends?
 
 * avoid DefaultStandardOutput=syslog to have any effect on StandardInput=socket services
@@ -205,6 +211,8 @@ Features:
 
 * allow runtime changing of log level and target
 
+* drop cap bounding set in readahead and other services
+
 External:
 
 * udisks should not use udisks-part-id, instead use blkid. also not probe /dev/loopxxx
diff --git a/units/systemd-kmsg-syslogd.service.in b/units/systemd-kmsg-syslogd.service.in
index aea758373..b20889e5e 100644
--- a/units/systemd-kmsg-syslogd.service.in
+++ b/units/systemd-kmsg-syslogd.service.in
@@ -16,3 +16,4 @@ ExecStart=@rootlibexecdir@/systemd-kmsg-syslogd
 NotifyAccess=all
 StandardOutput=null
 Sockets=syslog.socket
+CapabilityBoundingSet=CAP_DAC_OVERRIDE
diff --git a/units/systemd-logger.service.in b/units/systemd-logger.service.in
index 484df7a23..5f7fe4093 100644
--- a/units/systemd-logger.service.in
+++ b/units/systemd-logger.service.in
@@ -17,3 +17,4 @@ After=syslog.socket
 ExecStart=@rootlibexecdir@/systemd-logger
 NotifyAccess=all
 StandardOutput=null
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SETUID CAP_SETGID
-- 
2.30.2