author | Adrian Vovk <adrianvovk@gmail.com> | 2024-11-06 19:17:04 +0100 |
---|---|---|
committer | Adrian Vovk <adrianvovk@gmail.com> | 2024-11-06 21:44:11 +0100 |
commit | 31616d00efe80f07793af46f9bf9bcad1d5a7526 (patch) | |
tree | d306e87113f9bec82e91231f634a2e4cb7496a15 | |
parent | sysupdated: Make sure targets we skip are skipped (diff) | |
download | systemd-31616d00efe80f07793af46f9bf9bcad1d5a7526.tar.xz systemd-31616d00efe80f07793af46f9bf9bcad1d5a7526.zip |
sysupdated: Permit mount namespaces
dissect-image tries to use mount namespaces to dissect images without
polluting the host mounts. This change allows it to do that.
-rw-r--r-- | units/systemd-sysupdated.service.in | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/units/systemd-sysupdated.service.in b/units/systemd-sysupdated.service.in index 28671fbc54..ae0adf3d64 100644 --- a/units/systemd-sysupdated.service.in +++ b/units/systemd-sysupdated.service.in @@ -21,7 +21,7 @@ NoNewPrivileges=yes MemoryDenyWriteExecute=yes ProtectHostname=yes RestrictRealtime=yes -RestrictNamespaces=net +RestrictNamespaces=net mnt RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 SystemCallFilter=@system-service @mount SystemCallErrorNumber=EPERM |
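Review bot: the changed line `RestrictNamespaces=net mnt` has no in-file comment, so the reason mount namespaces are permitted is recorded only in the commit message. A one-line comment above it in units/systemd-sysupdated.service.in, saying that dissect-image uses a mount namespace to dissect images without polluting the host mounts, would keep a later hardening pass from tightening the setting back to `net`. The context line `SystemCallFilter=@system-service @mount` shows the mount syscalls were already allowed, so the comment could also note that `mnt` is the only namespace type added here and that it pairs with that existing filter entry.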