importd: run daemon at minimal capabilities

author Lennart Poettering <lennart@poettering.net>

Thu, 22 Jan 2015 17:55:08 +0000 (18:55 +0100)

committer Lennart Poettering <lennart@poettering.net>

Thu, 22 Jan 2015 17:55:08 +0000 (18:55 +0100)
author Lennart Poettering <lennart@poettering.net>
Thu, 22 Jan 2015 17:55:08 +0000 (18:55 +0100)
committer Lennart Poettering <lennart@poettering.net>
Thu, 22 Jan 2015 17:55:08 +0000 (18:55 +0100)
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in

index b9cb97e6b96fee3910772ed1cfb25b10afa21a58..26759ea0fb47ba970f1fbb5aeeee516ea7098e93 100644 (file)
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -12,8 +12,9 @@ Documentation=man:systemd-importd.service(8)
  [Service]
  ExecStart=@rootlibexecdir@/systemd-importd
  BusName=org.freedesktop.import1
  [Service]
  ExecStart=@rootlibexecdir@/systemd-importd
  BusName=org.freedesktop.import1
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP
+NoNewPrivileges=yes
  WatchdogSec=1min
  PrivateTmp=yes
  WatchdogSec=1min
  PrivateTmp=yes
-PrivateDevices=yes
  ProtectSystem=full
  ProtectHome=yes
  ProtectSystem=full
  ProtectHome=yes
author	Lennart Poettering <lennart@poettering.net>
	Thu, 22 Jan 2015 17:55:08 +0000 (18:55 +0100)
committer	Lennart Poettering <lennart@poettering.net>
	Thu, 22 Jan 2015 17:55:08 +0000 (18:55 +0100)