aboutsummaryrefslogtreecommitdiff
path: root/units
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2015-02-17 17:19:57 +0100
committerLennart Poettering <lennart@poettering.net>2015-02-17 17:49:21 +0100
commit90adaa25e894a580930ef2c3e65ab8db8295515a (patch)
tree32cefc482936a9dc4d6f6183fa900d917b443504 /units
parentbootctl: add sd-boot support (diff)
downloadsystemd-90adaa25e894a580930ef2c3e65ab8db8295515a.tar.gz
systemd-90adaa25e894a580930ef2c3e65ab8db8295515a.tar.bz2
systemd-90adaa25e894a580930ef2c3e65ab8db8295515a.zip
machined: move logic for bind mounting into containers from machinectl to machined
This extends the bus interface, adding BindMountMachine() for bind mounting directories from the host into the container.
Diffstat (limited to 'units')
-rw-r--r--units/systemd-machined.service.in11
1 files changed, 5 insertions, 6 deletions
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 15f34d9db..19c33959d 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -15,10 +15,9 @@ After=machine.slice
[Service]
ExecStart=@rootlibexecdir@/systemd-machined
BusName=org.freedesktop.machine1
-CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
WatchdogSec=1min
-PrivateTmp=yes
-PrivateDevices=yes
-PrivateNetwork=yes
-ProtectSystem=full
-ProtectHome=yes
+
+# Note that machined cannot be placed in a mount namespace, since it
+# needs access to the host's mount namespace in order to implement the
+# "machinectl bind" operation.